How and why to use FileVault encryption on Mac?

Brendon Baxter

Nov 26, 2021

8 min read

What is FileVault?

FileVault is Apple’s disk encryption system and it is responsible for securing Mac’s HDDs and SSDs. FileVault encryption uses an XTS-AES 128-bit block cipher technology and a 256-bit key. Once enabled, FileVault encrypts all the existing data on the disk. Along with the existing data, any new or changed data will also be automatically encrypted.

Manage FileVault settings with Hexnode UEM

A brief history of FileVault

FileVault was originally introduced to macOS in 2003, along with macOS x 10.3 Panther. But the feature was not a huge hit back then. The main reason was its poor functionality and disastrous implementation. Only the home directory could be encrypted using the FileVault then and that was not enough for users who were concerned about data security.

In 2011, along with macOS X 10.7 Lion, Apple introduced a new and more efficient disk encryption system and named it FileVault 2. It was with this update that Apple introduced some new features like full-disk encryption and the ability to use Find My Mac to remotely wipe device drives in case the device is stolen or it fell into the wrong hands.

Why use FileVault encryption?

Imagine your office Mac containing a lot of sensitive information and having only basic password protection gets into the hands of the wrong guys. The results would be catastrophic.

This is where FileVault can help you and your organization.

FileVault encryption can act as a damage control measure in these situations, ensuring that no useful information is recovered from the compromised device. As mentioned earlier, once the FileVault is enabled, the whole disk gets encrypted. Enabling FileVault also makes device password a necessity.

While FileVault encryption is enabled in a device, a Recover Key is generated, which has to be stored carefully anywhere other than the device itself. Apple gives another option of authentication for the FileVault through iCloud ID.

FileVault enabled devices/disks can be accessed only using the device password or using the recovery key or using the iCloud ID. Therefore, even if an unauthorized person gets hold of your device, they can’t get anything out of the device. Even if they manage to access any data, it will be scrambled as it is encrypted. To decrypt the data, either the password or the recovery key is an absolute necessity. Decrypting the encrypted data without the key is virtually an impossible task.

Another exciting feature of FileVault is the remote wipe of devices/disks using Find My Mac. You can now remotely wipe FileVault-enabled devices using the Find My Mac feature to ensure that no data is available to be stolen even if the device is lost or stolen.

Secure token and FileVault encryption

Along with the macOS X 10.13 High Sierra release, Apple unveiled lots of new security and privacy features, and the secure token was one of them. Secure token is similar to an account attribute that is required to use critical features like FileVault.

On older devices that ran on CoreStorage volumes, the device encryption key was generated only when the user enabled FileVault. But in newer devices that run on Apple File System (APFS) volumes, the encryption keys are generated in one of three ways:

  • when the user account is created,
  • when the first user password is set,
  • when the user logs in to the device for the first time.

This is considered more secure than the first process because keys aren’t generated for every account created. Only accounts that meet certain standards set by Apple would be provided the encryption key. This whole process of the key being generated during the user creation/login and how they are stored are all a part of the Mac secure token feature.

The cons of using FileVault

Using FileVault encryption has a lot of benefits and is considered the primary step towards data security while using macOS devices. Everyone who knows about FileVault would always advocate using it and would not recommend disabling it. Keeping everything in mind, FileVault still has a few drawbacks. But these drawbacks are outweighed by the benefits.

  • One of the main things about FileVault is that password protection is made compulsory in devices by FileVault. So, people who are not fans of passwords or tend to forget them rather easily might find FileVault more annoying than helpful.
  • Another drawback is that the initial encryption may take a lot of time and it cannot be paused. The process happens in the background and users can use the device for other purposes. But the process still takes a toll on the device resources. This can cause older devices running on HDDs to slow down considerably.
  • Another major drawback is that once the device password and the Recovery Key are both lost, there is absolutely no way of recovering the device data. In such a case, the device has to be reset to be used again.

So, keep in mind these small details before you enable FileVault.

How to check the FileVault setting on your Mac?

In newer devices, the devices may be already FileVault enabled and here is how you can check it out:

  1. Go to Apple Menu.
  2. Select System Preferences.
  3. In the System Preferences, navigate to Security & Privacy.
  4. Select the FileVault tab.
  5. At the right top of the window, there will be a button, if the text in it is “Turn off FileVault” then FileVault is enabled and if the text is “Turn on FileVault” then FileVault is disabled.

How to enable FileVault encryption on Mac?

In case the FileVault is not enabled and you need to enable it manually, you need to follow these steps:

  1. Go to Apple Menu –> System Preferences –> Security & Privacy.
  2. Select the FileVault tab in that window.
  3. Click on the lock icon on the bottom left of the window.
  4. Provide the administrator credentials to unlock the settings.
  5. Now click on the “Turn on FileVault” button.
  6. Choose a method to unlock the disk from the new window: either iCloud or Recovery Key.
  7. Click on the restart button on the next window and the device restarts.

Once the device restarts, the FileVault encryption starts. The encryption can’t be paused once it is started so, make sure the power supply is proper because the process might be a bit time-consuming depending on the amount of data there is in the disk.

FileVault configuration using Hexnode

Configuring the FileVault encryption settings for each and every device in an organization might be a very tiring task. With the help of a UEM like Hexnode, it is possible to configure the FileVault settings for all the devices in an organization remotely, with a single click.

Featured Resource

A complete guide to Mac device management

Organizations can use UEMs to configure and manage endpoints while increasing staff productivity. Learn how to leverage Hexnode's Mac management features to make the most out of your Mac endpoints.

Download White paper

Hexnode not only allows you to remotely enable or disable FileVault on devices but also configure FileVault settings like the type of key used to encrypt the disk, whether the users can change the FileVault settings, escrow the personal recovery key and so on.

Hexnode offers mainly 3 methods of encrypting disks: 1) Institutional Recovery Key 2) Personal Recovery Key or 3) Both Institutional and Personal Recovery Keys.

Institutional Recovery Key (IRK)

Institutional Recovery Keys are used by businesses that require a single key to encrypt and decrypt all of their devices. IRK is a certificate that can be in any of the following formats: .cer, .crt, .pem, .der, .p7b, or .p12. If the password is forgotten, the IRK certificate must be downloaded anew and protected with a new password. The fundamental benefit of IRK is that a new key may be obtained from the portal itself if the old one is lost or broken.

Personal Recovery Key (PRK)

Personal Recovery Keys are strings containing alphanumeric characters and are created during the encryption process. These keys are automatically generated and sent to the user before the encryption process. The key is machine-specific, that is, each is key is meant for a specific device PRK generated during encryption can be used only on that specific device. The key must be noted down by the user somewhere as it is not automatically stored anywhere.

Institutional and Personal Recovery Keys

This method is the Hexnode recommended method of device encryption. Here both an Institutional as well as a Personal Recovery key is generated. The key benefit of this point is that even if the Personal Recovery Key is lost, the Institutional Recovery Key can be used to decrypt the device.

Hexnode also allows IT teams to escrow Personal Recovery Keys. This means that when the PRK is generated during the encryption process, it is stored in the Hexnode UEM console so that it can be retrieved even if the user loses the PRK.

Using the Hexnode policy, it is also possible to make sure that the end-users can’t Turn off or even Turn on FileVault from the device.


Brendon Baxter

Product Evangelist@Hexnode. Read. Write. Sleep. Repeat.

Share your thoughts