What Is FileVault Disk Encryption & How Does it Work?

  • Last updated
What is Filevault disk encryption & how does it work blog banner image
  • Last updated

FileVault disk encryption is the macOS feature that encrypts data on Mac computers. Encrypting the data on your devices means that your password is required to read it, so if the device is lost or stolen, it is protected. This is vital for protecting the privacy of individuals and the operational data of businesses and organizations.

This article explains FileVault, the importance of disk encryption for individuals and organizations, and how to enable FileVault. It also explains how you can manage FileVault across multiple devices in an enterprise environment.

What is FileVault Disk Encryption?

FileVault is the name of the macOS functionality that encrypts whole disks. Encryption scrambles data in a way that it cannot be read without a key to decrypt it so that if your device is lost or stolen, the contents cannot be read (even if the person who has it physically removes the hard disk to try to read it, they won’t be able to). As the entire system disk is encrypted, the device is effectively unusable without it first being unlocked.

FileVault is now enabled by default for the system drive on all Apple Mac devices (MacBook, iMacs, Mac Mini, and Mac Pro). Apple’s iOS and iPadOS devices are also fully encrypted by default using a feature called Data Protection which serves the same role as FileVault, with slightly different behavior to account for the mobile and embedded nature of iPhones and iPads.

How FileVault works

FileVault uses the AES encryption standard (specifically AES-XTS) to protect data. Data in an encrypted volume goes through multiple rounds of encryption to ensure that it cannot be read without the key (a sequence of numbers and letters) used to encrypt it.

When FileVault is used to encrypt the system drive in a Mac, the key used to encrypt and decrypt data is not the password you use to log in. If this were the case, multiple users would not be able to share a computer (or they’d all have to have the same password). Instead, the encryption key for the volume is itself encrypted and stored on the device and unlocked using user passwords in combination with a hardware key specific to that device. This means that when an encrypted Mac starts up, any authorized user can unlock FileVault and boot from the encrypted volume.

In the event you forget your password, you can also retrieve a recovery key for an encrypted volume that should be stored separately to your device (in a separate and safe location), or stored in your iCloud Keychain.

Benefits of using FileVault data encryption in macOS

Disk encryption for laptops and desktops and encrypting mobile devices has become standard practice. In addition to Apple products, most Windows and Android devices now ship with full encryption enabled by default, bringing the following benefits to users:

  • Enhanced data security: When FileVault is enabled, data on your devices is protected by industry-standard encryption technologies. This includes your sensitive banking information and personally identifiable information that could be used to scam, extort, impersonate, or otherwise harm you if it is leaked.
  • Protection against unauthorized access: The data stored on FileVault-protected devices cannot be used, even when the attacker has physical access to your devices.
  • Compliance with data protection regulations: Enabling disk encryption is a key requirement if you handle any customer information that is covered by GDPR, CCPA, and other international data regulations.

FileVault setup guide

FileVault may already be enabled on your Mac. You can check this by following these steps:

  • Open System Settings from the Apple menu in the top-left corner of the screen.
  • Click on Privacy & Security in the left panel.
  • Scroll down to FileVault in the right panel.
  • You will be able to see if FileVault is set to On or Off.

If FileVault is off, and you want to enable it, continue with these steps:

  • Click on FileVault in the right panel.
  • Click Turn On and then enter an Administrator’s username and password for your Mac to enable FileVault.
  • You will then have the option to set a recovery key, or use your iCloud account to unlock your disk.
  • If you elect to use a recovery key, write it down and keep a copy in a safe place. If you use an iCloud account, ensure you have recovery options set up for the account.
  • The FileVault encryption process will begin, and you can resume using your (now more secure) Mac as usual. The process will continue in the background until it has completed.

Remember, if you lose access to your user accounts on your device (by forgetting the password), and lose your recovery key or recovery iCloud account, you will lose all of your data. Keep your recovery information safe to avoid data loss.

How to use FileVault

Once Apple FileVault is enabled, all existing and new data on your Mac is encrypted — you don’t have to do anything further, other than making sure that your iCloud account or recovery keys are secure.

Performance impact of data encryption in macOS

Encryption has been around for a while, but it wasn’t widely adopted due to the additional processing required for it to work, which made devices run slower and shortened battery life. This is no longer an issue: modern devices have powerful processors and lots of memory, and storage itself is faster and more efficient. Specialized hardware is also included in most devices to assist with encryption, so the impact on performance and battery life is negligible.

Should you encrypt your devices?

You should encrypt your mobile devices. Thieves target mobile devices not just for the value of the hardware, but the wealth of personal information that is on them. They use that information to access bank accounts and cause other damage, so you want to be sure that if a device goes missing, you don’t have to worry about it being used against you.

Recovering FileVault data

The biggest potential headache with encrypting all of your devices is losing all of your data if you lose access to your accounts or recovery keys — encrypted data cannot be recovered if the recovery method is lost.

The most effective way to protect against this is to keep an unencrypted backup of your files in a physically secure place (like a safe). This way, the data on your devices is protected if they are lost or stolen, but you have an unencrypted copy that is also physically secure that you don’t carry around with you. You can then periodically update your unencrypted backup when important data changes.

Regular backups are an essential part of IT security best practices for both individuals and businesses.

Apple FileVault alternatives

  • Windows: Windows also has device encryption, implemented with BitLocker.
  • Linux: Mainstream Linux distributions like Ubuntu give you the option to fully encrypt the disk it is being installed on during setup.
  • iOS/iPadOS: All iPhones and iPads are encrypted by default using the Data Protection feature.
  • Android: Newer Android devices are also encrypted by default.
  • External storage: You can encrypt portable devices (like USB sticks and external hard drives) using BitLocker on Windows, Disk Utility on macOS, and VeraCrypt on Linux/cross-platform.

Encryption is a modern requirement for all enterprise deployments

Now that FileVault data encryption in macOS is enabled by default, there’s no real reason for home users to turn it off and lose the protection it offers.

Businesses are encouraged to ensure that FileVault is enabled on all of their new and legacy macOS devices. Modern businesses are powered by valuable customer data that is protected by regulations like GDPR and CCPA that mandate encryption, and non-compliance comes with fines and reputational damage.

Managing encrypted devices at scale can be challenging, however. Recovery keys must be centrally managed so that employees are not burdened with managing and securely storing them, and risking the exposure or complete loss of valuable company data. NinjaOne provides an endpoint management solution that allows you to monitor and secure all of your devices, as well as centrally record and manage FileVault and BitLocker recovery keys.

Next Steps

The fundamentals of device security are critical to your overall security posture. NinjaOne makes it easy to patch, harden, secure, and backup all their devices centrally, remotely, and at scale.
Learn more about NinjaOne Protect, check out a live tour, or start your free trial of the NinjaOne platform.
Start your Free Trial

You might also like

NIS2 Compliance Guide blog banner

The Requirements for NIS2 Compliance: An Overview

What Is IT Technical Debt & How Does it Relate to Cybersecurity

What is AES Encryption blog banner image

What Is AES Encryption: Advanced Encryption Standard Explained

What Is a TLS Handshake & How Does It Work blog banner image

What Is a TLS Handshake & How Does It Work?

What Is PGP Encryption? Meaning, Uses, & Examples blog banner image

What Is PGP Encryption? Meaning, Uses, & Examples

Penetration Testing vs Vulnerability Scanning blog banner image

Penetration Testing vs Vulnerability Scanning

Ready to become an IT Ninja?

Learn how NinjaOne can help you simplify IT operations.

Start a Free Trial
Get a demo
Watch Demo×
×

See NinjaOne in action!

By submitting this form, I accept NinjaOne's privacy policy.

Start your 14-day trial

No credit card required, full access to all features

Start my free trial now

NinjaOne Terms & Conditions

By clicking the “I Accept” button below, you indicate your acceptance of the following legal terms as well as our Terms of Use:

  • Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
  • Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
  • Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library belonging to or under the control of any other software provider.
  • Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
  • Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
  • Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
  • EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
I Accept