Key Points
- On current macOS releases, Setup Assistant turns FileVault on by default for the startup volume of Apple silicon Macs (MacBook, iMac, Mac Mini, and Mac Pro alike); on Intel Macs and older releases it must be enabled explicitly, so its state should be verified rather than assumed.
- FileVault enhances data security and prevents unauthorized access, helping organizations comply with data protection regulations such as GDPR and CCPA.
- Encryption ensures that data cannot be read without the decryption key, protecting sensitive information like banking details and personally identifiable information (PII).
FileVault is the disk-encryption feature built into macOS. This guide explains why disk encryption matters for data management, how FileVault works, and how it can be configured for an enterprise or managed environment.
Take a look at the video guide on “What Is FileVault Disk Encryption & How Does it Work?” for an additional overview.
Safeguard sensitive data on your devices with NinjaOne’s macOS and FileVault management.
What is FileVault Disk Encryption?
Encryption scrambles data so that it cannot be read without the key that decrypts it, which safeguards user data even on lost or stolen devices. FileVault applies this to the entire startup volume: everything on it stays unreadable until an authorized user (or a recovery key) unlocks the volume at startup.
Who has access to FileVault?
FileVault is available on every Mac; on current macOS releases it is turned on by default for the startup volume of Apple silicon Macs during setup (MacBook, iMac, Mac Mini, and Mac Pro), while on Intel Macs it has to be enabled manually. Apple's iOS and iPadOS devices are fully encrypted by default using a feature called Data Protection, which serves the same role as FileVault with somewhat different behavior to account for the mobile and embedded nature of iPhones and iPads.
Once FileVault is activated, all existing and new data on the startup volume is encrypted. No further action is needed beyond making sure that the iCloud account or recovery key that can unlock the volume is both secure and still available to you.
How does FileVault encryption work?
FileVault uses the AES encryption standard in XTS mode (XTS-AES-128 with a 256-bit key), the mode designed for encrypting disk sectors in place. That key is a random 256-bit value, not anything a person types; without it, the encrypted volume is indistinguishable from random data.
When FileVault protects the system drive, the key that encrypts and decrypts the data is not the password you use to log in. If it were, several users could not share one computer without sharing one password, and every password change would mean re-encrypting the whole disk.
Instead, the volume encryption key is itself encrypted and stored on the device: each authorized user holds a copy wrapped with a key derived from that user's password, and on Macs with a Secure Enclave (Apple silicon and T2 models) that derivation also mixes in a hardware key unique to the device, so the wrapped copies are useless on any other hardware. When an encrypted Mac starts up, any authorized user can unwrap the volume key, unlock FileVault and boot from the encrypted volume.
If you forget your password, the disk can still be unlocked with the recovery key that was generated when FileVault was turned on. Keep that key separate from the device (in a safe location) or let Apple store it with your iCloud account; in a managed fleet the personal recovery key can instead be escrowed to the MDM server so the organization, not the employee, can recover the disk.
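The following POSIX shell script is an added illustration of the key hierarchy just described; it is not Apple's code (the real hierarchy lives in APFS and the Secure Enclave) and it uses the openssl command line as a stand-in. It generates a random volume key, wraps one copy per user under a key derived from that user's password plus a constructed device secret, shows that either user unlocks the same volume key while the other's password does not, and shows a password change re-wrapping the volume key without touching it.

```shell
#!/bin/sh
# Toy model of the FileVault key hierarchy. Added illustration, not Apple's
# implementation; needs the openssl CLI (1.1.0 or newer for -pbkdf2).
#
#   VEK   random 256-bit volume encryption key; never derived from a password
#   KEK   per-user key derived from that user's password plus a device secret
#   blob  the VEK encrypted under a user's KEK; one blob per authorized user
#
# Several users unlock the same volume because each has their own blob, and a
# password change only re-wraps the VEK; the data is never re-encrypted.

# Constructed stand-in for the per-device hardware secret. On a real Mac this
# role is played by a Secure Enclave key that never leaves the chip.
DEVICE_SECRET='constructed-device-secret-0001'
PBKDF2_ITERS=100000

# Fresh 256-bit VEK, printed as 64 hex characters.
generate_vek() {
    openssl rand -hex 32
}

# wrap_vek VEK PASSWORD -> base64 blob.
# The KEK is derived with PBKDF2-SHA256 and a random salt from "PASSWORD|DEVICE_SECRET".
wrap_vek() {
    printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITERS" -salt \
        -pass "pass:$2|$DEVICE_SECRET" -a -A
}

# unwrap_vek BLOB PASSWORD -> the VEK on success. A wrong password (or the
# wrong device secret) yields a non-zero status and no usable key.
unwrap_vek() {
    printf '%s\n' "$1" | openssl enc -d -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITERS" \
        -pass "pass:$2|$DEVICE_SECRET" -a -A 2>/dev/null
}

# rotate_password BLOB OLD_PASSWORD NEW_PASSWORD -> new blob for the same VEK.
# Fails (status 1, no output) when the old password does not open the blob.
rotate_password() {
    rp_vek=$(unwrap_vek "$1" "$2") || return 1
    [ -n "$rp_vek" ] || return 1
    wrap_vek "$rp_vek" "$3"
}

same() { [ "$1" = "$2" ] && echo yes || echo no; }

# Walk through the scenario from the text with two users sharing one Mac.
demo() {
    vek=$(generate_vek)
    alice=$(wrap_vek "$vek" 'alice-pw')
    bob=$(wrap_vek "$vek" 'bob-pw')
    got_a=$(unwrap_vek "$alice" 'alice-pw')
    got_b=$(unwrap_vek "$bob" 'bob-pw')
    got_x=$(unwrap_vek "$alice" 'bob-pw' || true)
    alice=$(rotate_password "$alice" 'alice-pw' 'alice-new-pw')
    got_r=$(unwrap_vek "$alice" 'alice-new-pw')
    echo "alice unlocks with her password:        $(same "$got_a" "$vek")"
    echo "bob unlocks with his password:          $(same "$got_b" "$vek")"
    echo "bob's password opens alice's blob:      $(same "$got_x" "$vek")"
    echo "after rotation the VEK is unchanged:    $(same "$got_r" "$vek")"
}

demo
```

The two wrapped blobs differ even though they protect the same volume key, which is exactly what lets one volume have several unlocking users and a separate recovery key without any of them learning the others' secrets.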
FileVault setup guide
FileVault may already be enabled on your Mac. You can check this by following these steps:
- Open System Settings from the Apple menu in the top-left corner of the screen.
- Click on Privacy & Security in the left panel.
- Scroll down to FileVault in the right panel.
- You will be able to see if FileVault is set to On or Off.
If FileVault is off, and you want to enable it, continue with these steps:
- Click on FileVault in the right panel.
- Click Turn On and then enter an Administrator’s username and password for your Mac to enable FileVault.
- You will then have the option to set a recovery key or use your iCloud account to unlock your disk.
- If you elect to use a recovery key, write it down and keep a copy in a safe place. If you use an iCloud account, ensure you have recovery options set up for the account.
- The FileVault encryption process will begin, and you can resume using your (now more secure) Mac as usual. The process will continue in the background until it is completed.
Remember, if you lose access to your user accounts on your device (by forgetting the password), and lose your recovery key or recovery iCloud account, you will lose all of your data. Keep your recovery information safe to avoid data loss.
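For fleets, or simply to script the check above, the same state is available from Apple's fdesetup command-line tool. The POSIX shell script below is an added example, not part of the original guide: it classifies the text that `fdesetup status` prints, validates that a personal recovery key has the expected 24-character format before it is filed away, and wraps both into an audit that exits non-zero when the startup volume is unprotected. The sample status strings are constructed to match fdesetup's wording; the audit itself only runs on a Mac.

```shell
#!/bin/sh
# FileVault state check from the command line. Added example built around
# Apple's fdesetup tool, which exists only on macOS; the parsing and format
# check below run anywhere.

# Classify the text printed by `fdesetup status`. Representative outputs:
#   "FileVault is On."
#   "FileVault is Off."
#   "FileVault is On." followed by "Encryption in progress: Percent completed = 42."
filevault_state() {
    case "$1" in
        *"Encryption in progress"*) echo encrypting ;;
        *"Decryption in progress"*) echo decrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# A personal recovery key is 24 alphanumeric characters shown as six groups of
# four (XXXX-XXXX-XXXX-XXXX-XXXX-XXXX). Reject anything else before storing it,
# so a mistyped or truncated key is caught while the disk can still be unlocked.
is_recovery_key_format() {
    printf '%s' "$1" | grep -Eq '^[A-Z0-9]{4}(-[A-Z0-9]{4}){5}$'
}

# On a Mac: report the state plus whether a personal recovery key exists, and
# return 0 only if the volume is protected (or on its way to being protected).
audit_filevault() {
    if ! command -v fdesetup >/dev/null 2>&1; then
        echo "fdesetup not found (not macOS?)"
        return 2
    fi
    state=$(filevault_state "$(fdesetup status)")
    echo "FileVault: $state"
    echo "personal recovery key present: $(fdesetup haspersonalrecoverykey)"
    case "$state" in
        on|encrypting) return 0 ;;
        *)             return 1 ;;
    esac
}

# Turning FileVault on from a script (needs admin rights; prompts for the
# user's password) and capturing the recovery key for safekeeping:
#   sudo fdesetup enable -user "$USER" -outputplist > /path/kept/off/the/device.plist
# The plist's RecoveryKey value should pass is_recovery_key_format before it is
# filed; `sudo fdesetup validaterecovery` confirms a stored key still matches the disk.

# Run the audit only when invoked as `sh thisscript.sh --audit`.
if [ "${1:-}" = "--audit" ]; then
    audit_filevault
    exit $?
fi
```

Schedule `audit_filevault` through whatever endpoint-management agent you run and alert on a non-zero result; an `encrypting` state on a machine that was already `on` yesterday is worth a look, since it means someone turned FileVault off and back on.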
Performance impact of data encryption in macOS
Encryption has been around for a while, but it wasn’t widely adopted due to the additional processing required to sustain it, which made devices run slower and shortened battery life.
This is no longer an issue: modern devices have fast processors and plenty of memory, and storage itself is faster and more efficient. More importantly, Macs with a T2 chip or Apple silicon perform the AES work in a dedicated hardware engine in the path between the storage controller and memory, so encryption adds no measurable cost to disk throughput or battery life; on older Intel Macs the CPU's AES instructions do the work with only a small overhead.
Recovering FileVault data
The biggest potential headache with encrypting all of your devices is losing all of your data if you lose access to your accounts or recovery keys; encrypted data cannot be recovered if the recovery method is lost.
The most effective protection is a backup whose recovery does not depend on the device's FileVault key: for example an encrypted Time Machine backup whose passphrase is recorded separately from both the Mac and its FileVault recovery key. An unencrypted copy locked in a safe also works, but it is only as safe as the safe, so prefer a backup that is encrypted under its own separately stored secret. Either way the data on the device stays protected if it is lost or stolen, you have a second copy you do not carry around with you, and you can periodically refresh that backup when important data changes.
Regular backups are an essential part of IT security best practices for both individuals and businesses.
Benefits of using FileVault data encryption in macOS
Disk encryption for computers and mobile devices has become standard practice, bringing the following benefits to users:
Enhanced data security
When FileVault is active, device data is protected by industry-standard encryption technologies. This includes your sensitive banking information and personally identifiable information that could be used to scam, extort, impersonate, or otherwise harm you if it is leaked.
Protection against unauthorized access
Data on a FileVault-protected device cannot be read by an attacker who obtains the powered-off or locked device, or who removes the storage drive and reads it elsewhere; on Apple silicon the volume key is additionally bound to that Mac's Secure Enclave, so the drive's contents are useless in any other machine. This protection applies to data at rest only: once a user has unlocked the volume, the key is in memory and the data is available to any software running in that session, so FileVault does not replace screen locking, malware protection, or access controls on the running system.
Compliance with data protection regulations
Disk encryption is a baseline expectation for organizations handling customer information covered by GDPR, CCPA, and other data protection regulations. GDPR names encryption as an appropriate technical measure for protecting personal data, and a lost or stolen device whose data is encrypted is treated very differently under breach-notification rules from one whose data is not, because the data remains inaccessible to unauthorized parties.
In addition to Apple products, Windows and Android devices mostly ship with full encryption enabled by default. Read this guide on “What Is File Encryption?” to learn more.
Monitor and encrypt drives for FileVault with NinjaOne Endpoint Security.
Explore what else NinjaOne endpoint security has to offer.
Encryption is a modern requirement for all enterprise deployments
Now that FileVault is turned on by default on new Macs, there's no real reason for home users to turn it off and lose the protection it offers.
Businesses should ensure that FileVault is enabled on all of their new and legacy macOS devices. Modern businesses run on valuable customer data that is protected by regulations like GDPR and CCPA, which expect personal data to be encrypted, and non-compliance comes with fines and reputational damage.
Managing encrypted devices at scale can be challenging, however. Recovery keys must be centrally managed so that employees are not burdened with storing them securely, with the attendant risk of exposure or of losing company data for good; macOS supports escrowing each Mac's personal recovery key to an MDM server at the moment FileVault is enabled, so the key never has to pass through the user's hands. NinjaOne provides an endpoint management solution that allows you to monitor and secure all of your devices, as well as centrally record and manage FileVault and BitLocker recovery keys.
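As an added example of what that central management looks like at the macOS level (this is not NinjaOne's or Apple's code), the POSIX shell script below generates a configuration profile that forces FileVault on at the next login, generates a personal recovery key without showing it to the user, and escrows that key, encrypted to the organization's certificate, where only the MDM server can read it. The payload types and keys are Apple's documented `com.apple.MCX.FileVault2` and `com.apple.security.FDERecoveryKeyEscrow` keys; the identifier prefix, the escrow location text, and the certificate bytes are placeholders to be replaced with your own, and Apple honors the escrow payload only when the profile is delivered by an MDM rather than installed by hand.

```shell
#!/bin/sh
# Generate a FileVault configuration profile for MDM delivery. Added example,
# not NinjaOne's or Apple's code. Payload keys are Apple's documented
# com.apple.MCX.FileVault2 and com.apple.security.FDERecoveryKeyEscrow keys.
#
# Policy expressed by the profile:
#   - FileVault turned on at the next login (Defer), at most 3 skips allowed
#   - a personal recovery key is generated but NOT shown to the user
#   - the key is escrowed, encrypted to the organization's certificate, and is
#     then retrievable by the MDM server, not by the employee
#
# The escrow payload is only honored when an MDM installs the profile, and the
# <data> element is a placeholder for the escrow certificate's DER bytes.

new_uuid() {
    if command -v uuidgen >/dev/null 2>&1; then
        uuidgen
    else
        cat /proc/sys/kernel/random/uuid
    fi
}

# write_filevault_profile OUT_PATH ID_PREFIX ESCROW_LOCATION
# Writes the .mobileconfig and prints the certificate payload's UUID, which the
# escrow payload must reference.
write_filevault_profile() {
    out=$1
    prefix=$2          # placeholder reverse-DNS prefix, e.g. com.example.mdm
    location=$3        # free text shown to the user explaining where the key went
    fv_uuid=$(new_uuid)
    escrow_uuid=$(new_uuid)
    cert_uuid=$(new_uuid)
    profile_uuid=$(new_uuid)
    cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.MCX.FileVault2</string>
      <key>PayloadIdentifier</key><string>$prefix.filevault</string>
      <key>PayloadUUID</key><string>$fv_uuid</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>Enable</key><string>On</string>
      <key>Defer</key><true/>
      <key>DeferForceAtUserLoginMaxBypassAttempts</key><integer>3</integer>
      <key>DeferDontAskAtUserLogout</key><true/>
      <key>UseRecoveryKey</key><true/>
      <key>ShowRecoveryKey</key><false/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.FDERecoveryKeyEscrow</string>
      <key>PayloadIdentifier</key><string>$prefix.escrow</string>
      <key>PayloadUUID</key><string>$escrow_uuid</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>Location</key><string>$location</string>
      <key>EncryptCertPayloadUUID</key><string>$cert_uuid</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs1</string>
      <key>PayloadIdentifier</key><string>$prefix.escrowcert</string>
      <key>PayloadUUID</key><string>$cert_uuid</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadContent</key><data>REPLACE-WITH-BASE64-DER-OF-ESCROW-CERTIFICATE</data>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>$prefix.filevault-policy</string>
  <key>PayloadUUID</key><string>$profile_uuid</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadDisplayName</key><string>FileVault with recovery key escrow</string>
</dict>
</plist>
EOF
    printf '%s\n' "$cert_uuid"
}

# Usage: sh thisscript.sh filevault.mobileconfig
if [ -n "${1:-}" ]; then
    write_filevault_profile "$1" 'com.example.mdm' 'Escrowed to the Example MDM server' >/dev/null
    echo "wrote $1"
fi
```

After the MDM pushes the profile, `sudo fdesetup showdeferralinfo` on a Mac shows the pending enablement and `fdesetup haspersonalrecoverykey` confirms a key exists once the user has logged in; the escrowed key itself is read back by the MDM server, never from the endpoint. `ShowRecoveryKey` set to false is the deliberate choice here: a key the employee never sees is a key that cannot end up on a sticky note.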