May 22nd 2020
Hands-On Mac 10
Using FileVault to Secure Your Data
- FileVault is Apple's proprietary full-disk encryption technology. It uses XTS-AES encryption, the industry standard also used by Microsoft's BitLocker and the open-source VeraCrypt, among many others. It's fast, secure, and thanks to hardware support built into all Macs with the T2 chip, it protects you without impacting efficiency or performance. FileVault is so efficient that it's on by default on all Macs sold today.
- Why would you want to turn on FileVault on an older Mac? Suppose you lose your Mac. Anyone who has it could bypass your account login and access the disk directly, which means anything you store on your hard drive would be vulnerable. Modern smartphones are encrypted, and the drive on your Mac should be too.
- Macs shipped with OS X Lion and later offer FileVault 2, and that's the version we're referring to here. The original version was fairly limited. FileVault 2 is a great choice for all Mac users.
- When FileVault is enabled the system invites the user to create a master password for the computer. If a user password is forgotten, the master password or recovery key may be used to decrypt the files instead.
- Launch **System Preferences**.
- Select **Security & Privacy**.
- Click the **Lock** icon to enable changes.
- Read the **WARNING**.
- Click **Turn On FileVault**.
- You must choose whether to use your iCloud account as a key to unlock your encrypted disk or to create a recovery key. If you plan on having highly sensitive data that you want to ensure no one but you can access, then select to create a recovery key. Otherwise, choose **Allow my iCloud Account to unlock my disk**.
- If you've chosen to create a recovery key, you must **store it in a safe place**, not on your hard drive, where you'll be able to retrieve it for recovery purposes. Otherwise your data will be unrecoverable.
- Instead of using FileVault to encrypt a user's home directory, a user can create an encrypted disk image themselves with Disk Utility and store any subset of their home directory in it (for example, ~/Documents/private). This encrypted image behaves similarly to a FileVault-encrypted home directory but is under the user's maintenance.
- Users of FileVault 2 in OS X 10.9 and above can validate that their key works correctly by running `sudo fdesetup validaterecovery` in Terminal after encryption has finished. The key must be in the form xxxx-xxxx-xxxx-xxxx-xxxx-xxxx, and the command will return true if the key is correct.
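
A transcription slip in the stored copy of the recovery key is indistinguishable from a wrong key once you need it, so it helps to check the written form before running the validation above. The script below is an added example, not part of the original show notes: the function names are made up for illustration, and it assumes the key uses only the letters A-Z and digits 0-9.

```shell
#!/bin/sh
# Added example, not from the show notes.
LC_ALL=C; export LC_ALL

# Remove whitespace and upper-case, so copy/paste artefacts are not mistaken
# for a wrong key. Assumption: keys contain only A-Z and 0-9.
normalize_key() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Print "ok" or the first defect found; return 0 only for "ok".
check_key_format() {
    key=$(normalize_key "$1")
    case $key in
        '')           echo "empty"; return 1 ;;
        *[!A-Z0-9-]*) echo "illegal character"; return 1 ;;
    esac
    hyphens=$(printf '%s' "$key" | tr -cd '\055' | wc -c | tr -d ' ')
    if [ "$hyphens" -ne 5 ]; then
        echo "expected 6 groups, found $((hyphens + 1))"; return 1
    fi
    if printf '%s\n' "$key" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'; then
        echo "ok"
    else
        echo "every group must have 4 characters"; return 1
    fi
}

# Interactive check on the Mac itself. The key is read with echo off and is
# never passed as a command-line argument.
verify_stored_key() {
    printf 'Recovery key as you wrote it down: ' >&2
    stty -echo; IFS= read -r typed; stty echo; echo >&2
    verdict=$(check_key_format "$typed") || {
        echo "Fix the stored copy first: $verdict" >&2; return 1; }
    fdesetup status                  # reports whether FileVault is on
    sudo fdesetup validaterecovery   # prompts for the key, prints true/false
}

# Only run the interactive part on macOS with a terminal attached.
if [ "$(uname -s)" = Darwin ] && [ -t 0 ]; then
    verify_stored_key
fi
```

Run it from Terminal after encryption has finished; `fdesetup` asks for the key itself, so the key does not end up in your shell history.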
Leo Laporte gives you helpful tips to get the most from your Mac every week on Hands-On Mac
Download or subscribe to this show at https://twit.tv/shows/hands-on-mac