Apple's FileVault encryption program was initially introduced with OS X 10.3 (Panther), and it allowed for the encryption of a user's home folder only. Beginning with OS X 10.7 (Lion), Apple redesigned the encryption scheme and released it as FileVault 2—the program offers whole-disk encryption alongside newer, stronger encryption standards. FileVault 2 has been available to each version of OS X/macOS since 10.7; the legacy FileVault is still available in earlier versions of OS X.
This comprehensive guide about Apple's FileVault 2 covers features, system requirements, and more. We will update this article if there's new information about FileVault 2.
Note: This article is included in the free PDF download Apple FileVault 2: Tips for IT pros.
- What is FileVault 2, and how does it encrypt data? FileVault 2 is a whole-disk encryption program that encrypts data on a Mac to prevent unauthorized access from anyone that does not have the decryption key or user's account credentials.
- Why does FileVault 2 matter? Encryption of data at rest or stored on a disk is often the last resort to ensuring that data is protected against unauthorized access. The recent high-profile security breaches make it even more important to know about encryption programs such as FileVault 2.
- Is FileVault 2 available to all macOS users? All macOS users can enable FileVault 2 to protect their data. Some users running more recent versions of OS X can also enable disk encryption, while others using older versions of OS X will only be able to utilize legacy FileVault, which encrypts just their home folder.
- What are the pros and cons to using FileVault 2? Pros include support for legacy hardware and deployment that may be locally or centrally managed by users or the IT department. One con is that enabling FileVault 2 can have a negative impact on I/O performance of approximately 20-30% on modern CPUs. More pros and cons are detailed in this article.
- What are alternatives to FileVault 2? The main competitors are VeraCrypt, BitLocker, GnuPG, LibreCrypt, and EncFS.
- How can I get FileVault 2? FileVault 2 is baked into all versions of macOS and supported versions of OS X. The encryption program is turned off by default, though it's easy to enable.
What is FileVault 2, and how does it encrypt the startup disk on Macs?
FileVault 2 is an encryption program created by Apple that provides full-disk encryption of the startup disk on a Mac computer. By utilizing the latest encryption algorithms and leveraging the power and efficiency of modern CPUs, the entire contents of the startup disk are encrypted, preventing all unauthorized access to the data stored on the disk; the only people who can access the data are those who have the account credentials that enabled FileVault on the disk or who possess the master recovery key.
By enabling FileVault 2's whole-disk encryption, data is secured from prying eyes and all attempts to access this data (physically or over the network) will be met with prompts to authenticate or error messages stating the data cannot be accessed—even when attempting to access data backups, which FileVault 2 encrypts as well.
Why does FileVault 2 matter?
FileVault 2, in and of itself, cannot prevent users from attacking your system or otherwise exfiltrating the encrypted data. The encryption program is not a substitute for proper physical, logical, and data security standards, but rather a part of the overall puzzle that makes up your device's security.
Data encryption is often seen as the last resort because, if all other security features in place are compromised, encrypted data will still be unreadable by everyone except people that have the decryption key, or those that can brute-force their way past the algorithm, which is easier said than done.
If the encryption standard in place is properly implemented and uses a strong, modern algorithm, and the recovery keys are either inaccessible to attackers or drawn from a long, random key space, the attackers will have their work cut out for them. If the attackers gain access to the data sitting on the disk, they may be able to copy it, take it off your network, and even attack it directly, but they'll still be at an impasse if they cannot crack the encryption. And if the attackers cannot crack the encryption, your data will remain unreadable, and subsequently, of little to no real use or value.
Is FileVault 2 available to all macOS users?
Users running OS X 10.7 (Lion) or later, all the way through the current version of macOS 10.13 (High Sierra), may enable and fully utilize the full-disk encryption capabilities of FileVault 2 on their desktop or laptop Mac computers.
By default, the feature is disabled; however, it only takes accessing the System Preferences and clicking the Turn On FileVault 2 button to enable the feature and encrypt your whole disk. Encryption may be enabled by the user or managed by the administrators for company-owned devices. Administrators can set policies via Profile Manager and/or scripts that enable FileVault 2 during deployment and implement institutional recovery keys, which the company manages in order to recover encrypted data per device, if needed.
Once FileVault 2 is enabled, only the user with administrative privileges that enabled FileVault 2 with their account may decrypt the drive's contents. Additionally, a master recovery key is created during the initial process; only users with either of those keys can decrypt the volume and read the contents of the drive.
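One way to audit the two conditions described above (the disk is encrypted and a recovery key exists), as an added example that is not code from this article or from Apple: a shell script that classifies the output of macOS's `fdesetup status` and checks the recovery-key queries. The status phrases it matches are an assumption to confirm on your macOS versions, and the host names and sample output are constructed.

```bash
#!/bin/bash
# Added example (not from the article): FileVault 2 compliance check.
# Assumption: `fdesetup status` uses the phrases matched below; confirm them
# on the macOS versions in your fleet before relying on this.

# classify_fv_status TEXT -> encrypted | encrypting | decrypting | deferred | off | unknown
classify_fv_status() {
    case "$1" in
        # In-progress and deferred states come first: their output also
        # contains a "FileVault is On/Off." line.
        *"Encryption in progress"*) echo "encrypting" ;;
        *"Decryption in progress"*) echo "decrypting" ;;
        *"Deferred enablement"*)    echo "deferred" ;;
        *"FileVault is On."*)       echo "encrypted" ;;
        *"FileVault is Off."*)      echo "off" ;;
        *)                          echo "unknown" ;;
    esac
}

# is_compliant STATE HAS_KEY -> success only for a fully encrypted disk
# that also has a recovery key to fall back on.
is_compliant() {
    [ "$1" = "encrypted" ] && [ "$2" = "true" ]
}

# report HOST STATUS_TEXT HAS_KEY -> one CSV line per machine
report() {
    _state="$(classify_fv_status "$2")"
    if is_compliant "$_state" "$3"; then
        echo "$1,$_state,$3,COMPLIANT"
    else
        echo "$1,$_state,$3,NONCOMPLIANT"
    fi
}

if command -v fdesetup >/dev/null 2>&1; then
    # Live check on a Mac (run as root): either recovery key type counts.
    _key=false
    [ "$(fdesetup haspersonalrecoverykey)" = "true" ] && _key=true
    [ "$(fdesetup hasinstitutionalrecoverykey)" = "true" ] && _key=true
    report "$(hostname)" "$(fdesetup status)" "$_key"
else
    # Constructed sample output, so the script also runs off a Mac.
    report "mac-01" "FileVault is On." "true"
    report "mac-02" "$(printf 'FileVault is On.\nEncryption in progress: Percent completed = 38')" "true"
    report "mac-03" "FileVault is Off." "false"
fi
```

A machine that is still encrypting is reported as non-compliant on purpose, since part of the disk is readable until the conversion finishes.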
What are the pros and cons to using FileVault 2?
The pros to using FileVault 2
- It's a native Apple solution that is designed by Apple for Apple computers.
- FileVault 2 supports legacy hardware, even for devices that are no longer officially supported by Apple.
- Deployment of FileVault 2 may be locally or centrally managed by users or the IT department.
- Whole-disk encryption works to safeguard all data stored on disk now and in the future.
- Backup of encrypted data works seamlessly with Time Machine to create automated backup sets.
- Disks encrypted with FileVault 2 must first be unlocked by user accounts that are "unlocked enabled"; these are typically accounts with administrative privilege, preventing non-admin accounts from accessing the disk's contents, regardless of the ACL permissions configured.
- FileVault 2 uses XTS, a strong block-cipher mode, based on the AES algorithm using 128-bit blocks and a 256-bit key.
The cons to using FileVault 2
- Legacy FileVault (or FileVault 1) does not encrypt the whole disk, only the contents of a user's home folder. This affects legacy hardware that does not support the features in FileVault 2.
- Backing up encrypted data with Time Machine can only be done when a user is logged off of the session. For on-the-fly backups, the destination path must be a Time Machine Server, which requires macOS Server to perform online backups.
- The encryption passphrase used to encrypt the disk is the same as the password of the end user who enabled FileVault 2. If the password becomes compromised, the disk may be decrypted and data may be compromised.
- Enabling FileVault 2 can have a negative impact on I/O performance of approximately 20-30% on modern CPUs, and it noticeably worsens performance on older processor hardware.
- If the passphrase or recovery key must be changed, the entire volume will need to be decrypted and have the encryption process run again with the new key.
- Any device with FileVault 2 enabled must be unlocked by an admin credentialed account prior to being accessed or used by a non-admin account. If the device is not unlocked, non-admin accounts will not be able to use the computer until it is first successfully unlocked.
- Individual files, folders, or any other kind of data cannot be encrypted on the fly. Only data that resides on the local disk or FileVault 2-encrypted volumes may be encrypted in their entirety.
What are some of the alternatives to FileVault 2?
VeraCrypt is a free, open source disk encryption software that provides cross-platform support for Windows, Linux, and macOS. It was derived from TrueCrypt, a full-disk encryption application whose creators discontinued support after a security audit revealed several vulnerabilities in the software.
Having acquired the use of TrueCrypt, VeraCrypt forked the former app and corrected the vulnerabilities, while adding some changes to strengthen the way in which the files are stored. VeraCrypt creates a virtual encrypted disk within a file and mounts it as a disk that can be read by the OS. It can encrypt the entire disk, a partition, or storage devices such as USB flash drives, and it provides real-time, on-the-fly encryption, which can be hardware-accelerated for better performance. It also supports TrueCrypt's hidden volume and hidden operating system features.
BitLocker is Microsoft's full-disk encryption featured in supported versions of Windows Vista and later. Using default settings, BitLocker uses AES encryption with XTS mode in conjunction with 128-bit or 256-bit keys for maximum protection, especially when leveraged with a TPM module to ensure integrity of the trusted boot path, which prevents many physical attacks and boot sector malware from compromising your data.
When used on a computer in an Active Directory environment, BitLocker supports key escrow, which allows the Active Directory account to store a copy of the recovery key. In the event that data needs to be recovered, administrators may retrieve the key.
GnuPG is based on the PGP encryption program created by Phil Zimmermann, and later bought by Symantec. Unlike Symantec's offering, GnuPG is completely free software and part of the GNU Project. The software is command-line based and offers hybrid encryption by use of symmetric-key cryptography for performance, and public-key cryptography for the ease of exchanging secure keys.
While the lack of GUI may not be for everyone, the program's flexibility allows for signed communications, file encryption, and, with some configuration, disk encryption to protect data. Dubbed the universal crypto engine, GnuPG can run directly from the CLI, shell scripts, or from other programs, often serving as a backend for other applications.
LibreCrypt is a transparent full-disk encryption program that fully supports Windows and contains partial support for Linux distributions. It is open source and has an online community of users that are committed to resolving issues and introducing new features. Often cited as the easiest-to-use encryption program for Windows, it can create encrypted containers as well, mounting them as removable disks in Windows Explorer for easy access.
In addition to the multitude of supported encryption and hashing standards and modes, it also supports smart cards and security tokens to authenticate users, and decrypts data at the file level, partition, or for the entire disk.
EncFS is an encrypted filesystem that runs in the user-space, using the FUSE library. The FUSE library acts as an interface for filesystems in user-space that allows users to mount and use filesystems not natively supported by the host OS. FUSE/EncFS are open source releases and support Linux, BSD, Windows, Android devices, and macOS. It is also available in a number of languages, as it has been translated by community members.
With active community support on GitHub and regular updates, EncFS offers users the ability to create a filesystem that can be mounted and used to store secure data files, and then it may be unmounted to protect against offline attacks and unauthorized user access.
How can I get FileVault 2?
FileVault 2 is in all versions of OS X from 10.7 through macOS 10.13—it just needs to be enabled, as the service is turned off by default to allow end users to perform the initial setup process, which allows them to create a master recovery key. This key will act as a backup in the event that they become locked out of their account and must recover data via an alternate path.
Users of OS X prior to 10.7 may use Legacy FileVault, or FileVault 1 (the initial offering of the encryption application), which only encrypts a user's home folder and not the entire disk. This must be enabled per user on that device and will still leave any data not stored within an encrypted home folder available to unauthorized access.
The good news is that as long as your Apple computer supports a recent version of OS X or the modern releases of macOS, you can upgrade your Mac's operating system at any time to a newer version to enjoy the benefits of FileVault 2's enhanced security.
Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from several vendors, including Apple and CompTIA.