Nov 26, 2021
FileVault is Apple’s disk encryption system, responsible for securing the HDDs and SSDs of Macs. FileVault uses XTS-AES-128 encryption with a 256-bit key. Once enabled, FileVault encrypts all the existing data on the disk, and any new or changed data is encrypted automatically as well.
FileVault was originally introduced in 2003, along with Mac OS X 10.3 Panther, but the feature was not a huge hit back then. The main reasons were its limited functionality and poor implementation: only the home directory could be encrypted, which was not enough for users concerned about data security.
In 2011, along with Mac OS X 10.7 Lion, Apple introduced a new and more efficient disk encryption system and named it FileVault 2. With this update, Apple added full-disk encryption and the ability to use Find My Mac to remotely wipe a device’s drive in case the device is stolen or falls into the wrong hands.
Imagine that your office Mac, containing a lot of sensitive information and protected only by a basic password, falls into the wrong hands. The results would be catastrophic.
This is where FileVault can help you and your organization.
FileVault encryption acts as a damage control measure in these situations, ensuring that no useful information can be recovered from the compromised device. As mentioned earlier, once FileVault is enabled, the whole disk is encrypted. Enabling FileVault also makes a device password mandatory.
When FileVault encryption is enabled on a device, a Recovery Key is generated, which has to be stored carefully somewhere other than the device itself. Apple also offers the option of using your iCloud account to unlock FileVault.
FileVault-enabled devices and disks can be accessed only with the device password, the recovery key, or the iCloud account. Therefore, even if an unauthorized person gets hold of your device, they can’t get anything useful out of it. Even if they manage to read data from the disk, it will be scrambled because it is encrypted. To decrypt the data, either the password or the recovery key is an absolute necessity; decrypting the data without the key is virtually impossible.
Another useful feature of FileVault is the remote wipe of devices and disks using Find My Mac. You can remotely wipe FileVault-enabled devices with Find My Mac to ensure that no data is available to be stolen even if the device is lost or stolen.
Along with the macOS 10.13 High Sierra release, Apple unveiled many new security and privacy features, and the secure token was one of them. A secure token is an account attribute that is required to use critical features like FileVault.
On older Macs that used CoreStorage volumes, the disk encryption key was generated only when a user enabled FileVault. On newer Macs that use Apple File System (APFS) volumes, the encryption keys are generated in one of three ways:
This is considered more secure than the first process because keys aren’t generated for every account created. Only accounts that meet certain criteria set by Apple are given an encryption key. This whole process of generating the key during user creation or login, and of storing it, is part of the Mac secure token feature.
Using FileVault encryption has a lot of benefits and is considered the primary step towards data security on macOS devices. Everyone who knows about FileVault would advocate using it and would not recommend disabling it. That said, FileVault still has a few drawbacks, but they are outweighed by the benefits.
So, keep these small details in mind before you enable FileVault.
On newer devices, FileVault may already be enabled, and here is how you can check:
If FileVault is not enabled and you need to enable it manually, follow these steps:
Once the device restarts, FileVault encryption begins. The encryption can’t be paused once it has started, so make sure the device has a reliable power supply, because the process can take a while depending on the amount of data on the disk.
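To check the FileVault and secure token state described above (and in the secure token section earlier) from a terminal rather than System Preferences, here is an added example that is not part of the original post. It classifies the output of Apple’s `fdesetup status` and `sysadminctl -secureTokenStatus` commands; the parsing functions take the command output as an argument so they can be exercised with the constructed sample strings (formats approximated from the macOS tools) on any POSIX shell, while `main_check` runs the real commands on a Mac.

```shell
#!/bin/sh
# Added example, not from the original post: classify FileVault and
# secure token status. Sample outputs below are constructed approximations.

# Classify `fdesetup status` output: prints on / off / encrypting / unknown.
filevault_state() {
    case "$1" in
        *"Encryption in progress"*) echo encrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# Extract the percentage from an "Encryption in progress" line, or print -1.
filevault_progress() {
    pct=$(printf '%s\n' "$1" | sed -n 's/.*Percent completed = \([0-9]*\).*/\1/p' | head -n1)
    if [ -n "$pct" ]; then echo "$pct"; else echo -1; fi
}

# Classify `sysadminctl -secureTokenStatus <user>` output: enabled / disabled / unknown.
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# Constructed sample outputs used for offline testing.
SAMPLE_ON='FileVault is On.'
SAMPLE_OFF='FileVault is Off.'
SAMPLE_PROGRESS='FileVault is On.
Encryption in progress: Percent completed = 42.'
SAMPLE_TOKEN='sysadminctl[512:9999] Secure token is ENABLED for user alice'

# On a Mac: run the real commands for the current user and exit non-zero
# unless FileVault is fully on and the user holds a secure token.
# (sysadminctl reports on stderr, hence the 2>&1.)
main_check() {
    fv=$(filevault_state "$(fdesetup status 2>&1)")
    st=$(secure_token_state "$(sysadminctl -secureTokenStatus "$USER" 2>&1)")
    echo "FileVault: $fv; secure token for $USER: $st"
    [ "$fv" = on ] && [ "$st" = enabled ]
}
# Call main_check on a Mac to perform the live check.
```

A Mac that reports `encrypting` is still in the post-restart phase described above and should be kept on power until `on` is reported.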
Configuring FileVault encryption settings on each and every device in an organization can be a very tiring task. With the help of a UEM like Hexnode, it is possible to configure the FileVault settings for all the devices in an organization remotely, with a single click.
Hexnode not only allows you to remotely enable or disable FileVault on devices, but also lets you configure FileVault settings such as the type of key used to encrypt the disk, whether users can change the FileVault settings, whether the personal recovery key is escrowed, and so on.
Hexnode offers three methods of encrypting disks: 1) Institutional Recovery Key, 2) Personal Recovery Key, or 3) both Institutional and Personal Recovery Keys.
Hexnode also allows IT teams to escrow Personal Recovery Keys. This means that when the PRK is generated during the encryption process, it is stored in the Hexnode UEM console so that it can be retrieved even if the user loses the PRK.
Using a Hexnode policy, it is also possible to make sure that end-users can’t turn FileVault off, or even on, from the device.
Sign up for a 30-day free trial with Hexnode and find out how Hexnode can help configure FileVault settings for Macs.