As a business owner, one of the critical things you must never compromise is data security. Sensitive information must be adequately protected to avoid the costs of a data breach and mitigate risk. If you are a macOS user, how do you protect your system and ensure data privacy? Although there are several ways to achieve seamless data protection on macOS, full disk encryption is a powerful and highly efficient method.
In this tutorial, we will take you through the process of encrypting your disk.
What Is Full Disk Encryption?
Full disk encryption (FDE) is a cryptographic method that converts all the data on a disk to unreadable code. Such code can only be read by someone with the decryption key. Think of protecting your home: an effective approach is to lock both the main entrances and the internal doors. Similarly, FDE secures all the content on your disk, including files, the underlying operating system, and any other form of data. These days, it’s quite easy to achieve full disk encryption, as many device manufacturers have created specialized software for encryption. Apple, for instance, offers a built-in encryption tool for macOS called FileVault2.
Inside FileVault2
FileVault2 uses XTS-AES-128 encryption with a 256-bit key and is available in macOS X 10.7.5 or later. It provides strong encryption for the files and data on a drive. When you enable FileVault2, encryption happens in the background without disrupting your ability to work. Whenever FileVault2 is enabled, it generates a recovery key. What differs is where the key is stored: you can store it locally (not using iCloud) or you can store it with Apple (and answer security questions to receive it); the latter is the safer key storage option. Also, it’s important to note that the key is generated for the computer, not the user, and is used for the disk itself. This key is the only way to decrypt the Mac if the user is locked out for any reason, including a forgotten password, loss of device, or hacking.
Enabling Full Disk Encryption on macOS Using FileVault2
With the following simple steps, you can effectively enable full disk encryption on macOS.
Turn on and set up FileVault2
To turn on FileVault, choose the Apple icon on the top left side of your Mac, click on System Preferences, then click Security & Privacy. Select FileVault as shown in Figure 1 below.
Authenticate to FileVault
Click the lock symbol shown in Figure 1 and enter an admin username and password (Figure 2).
Note: If your Mac has more than one user, you might see a message that requests you to input the password for each user.
Create a Recovery Key
Now, click Turn On FileVault. The page shown in Figure 3 will pop up with specific instructions depending on your OS version. It lets you choose how you want to unlock your disk and reset your password in case you forget it.
- If you are using macOS X Yosemite or later, you can use your iCloud account to unlock your disk and/or reset your password. You can also create a local recovery key if you choose not to use your iCloud account. However, you need to keep the generated key in a safe place, apart from your encrypted disk.
- If you are using macOS X Mavericks, you can store a recovery key with Apple by providing answers to three security questions.
Note that if you forget your password and lose the recovery key, you won’t be able to access or recover any data on your disk.
Make Note of Your Recovery Key
If you choose to create a recovery key, the key will be displayed to you as shown in Figure 4. Copy it and keep it in a safe place.
When you click Continue, the encryption runs in the background while you continue using your Mac. However, when your Mac is in sleep mode, the encryption is paused. You can always check the progress of the encryption in the FileVault tab under Security & Privacy. Any new files you create are encrypted automatically, because they are saved to the encrypted disk.
Once FileVault is fully enabled, you need to use your password to unlock the disk every time you start your Mac.
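The same progress check can be done from Terminal with the built-in `fdesetup status` command. The script below is an added example, not part of the original tutorial; the status wording it matches and the sample text are assumptions modeled on typical `fdesetup` output, so confirm them on your macOS version.

```shell
#!/bin/sh
# Added example: classify FileVault state from `fdesetup status` text.
# The matched wording is an assumption about typical fdesetup output.

# Constructed sample: a disk that reports "On" but is still converting.
SAMPLE_ENCRYPTING='FileVault is On.
Encryption in progress: Percent completed = 42'

# Print encrypting | decrypting | on | off | unknown for the given text.
# In-progress states are tested first because the first line can already
# read "FileVault is On." while conversion is unfinished.
classify_fv_status() {
    case $1 in
        *"Encryption in progress"*) echo encrypting ;;
        *"Decryption in progress"*) echo decrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# Print the completion percentage if the text reports one, else nothing.
percent_done() {
    printf '%s\n' "$1" |
        sed -n 's/.*Percent completed = \([0-9][0-9]*\).*/\1/p'
}

# Succeed only when the disk is fully encrypted (not mid-conversion).
fv_compliant() {
    [ "$(classify_fv_status "$1")" = "on" ]
}

# Use the real tool on a Mac; otherwise fall back to the sample text.
if command -v fdesetup >/dev/null 2>&1; then
    status_text=$(fdesetup status 2>&1 || true)
else
    status_text=$SAMPLE_ENCRYPTING
fi

state=$(classify_fv_status "$status_text")
pct=$(percent_done "$status_text")
echo "FileVault state: $state${pct:+ (${pct}% complete)}"
if fv_compliant "$status_text"; then
    echo "Disk is fully encrypted."
else
    echo "Disk is NOT fully encrypted yet."
fi
```

Because encryption pauses while the Mac sleeps, a machine can stay in the in-progress state for a long time, which is why the check treats only a finished conversion as encrypted.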
Turn off FileVault
If you change your mind at any time and decide to turn off FileVault, you can go through the same process again.
Choose the Apple icon on the top left side of your Mac, click on System Preferences, then click Security & Privacy. Select FileVault.
Click the lock symbol shown in Figure 1 and enter an admin username and password. Then, click Turn Off FileVault.
The decryption of the disk will be done in the background and you can continue using your Mac. However, note that the decryption happens only while your Mac is awake and plugged into AC power. As in the case of encryption, you can also check the progress of decryption in the FileVault tab under Security & Privacy.
Conclusion
There you have it, a simple and straightforward method of enabling full disk encryption on macOS. With this encryption, you can rest assured that your data is safe and secure. The only thing left is to ensure you do not forget your password. Also, make sure you save your recovery key in a safe place in case you “mistakenly” forget your password. For ease of use and safety, your best bet is to choose to store your key in iCloud.
If you’re an IT admin managing an entire fleet of Macs, did you know you can leverage the JumpCloud Directory Platform as a unified FDE tool to implement full disk encryption? You can test out the full functionality of our platform for free by starting a trial. Using the cloud-based console, you simply need to add FileVault2 to Mac’s policies, make custom configurations, and apply it across the entire device group.