One of the most serious things Apple takes about its devices is security. The company has always stood out from its competitors in this area, and continues to do so today. This does not mean that their software is perfect in this area, of course not, but they do their best to make it as secure as possible.
Among the security measures that Apple has included in every Mac is one that has gone unnoticed by many, but which can be a turning point, especially for laptops. Its name is FileVault .
What is FileVault in MacOS?
FileVault is a feature built into MacOS, the operating system of Macs, that allows to automatically encrypt all files stored on the computer’s hard drive or SSD.
FileVault uses XTS-AES-128 256-bit encryption to prevent unauthorized access to data. One of the highest level of encryption technology and makes it unfeasible for anyone to access data stored on the computer without authorization. In the case of macOS, without knowing the login password of any computer user or without the encryption key.
How FileVault works on your Mac
Basically FileVault takes care of encrypting all files you store on your computer with the 256-bit XTS-AES-128 encryption I mentioned in the previous point.
This service can be activated when the computer is first started or after it has been in use for some time. If you do this when you activate your computer, all files you save on the storage system will be automatically encrypted.
However, if you turn it on after you’ve been using your computer for a while, encryption will be progressively applied to existing files as long as your Mac is connected to power (a measure to prevent a drop in battery life), while new files will be encrypted when you create them (whether or not your computer is connected to power). During the process, you’ll still be able to use your computer, although you may notice a drop in performance because the process can be quite resource-intensive and time-consuming if you have a lot of files stored.
How to activate FileVault in macOS
The process of activating FileVault is very simple and will only take a few seconds. It is true that once activated it can take several hours to be fully applied to the entire disk or SSD, but the activation process is fast.
Basically you have to follow these steps:
- Open System Preferences from the menu with the Apple icon in the upper left corner of the screen.
- Select the Security and Privacy option.
- Click on the FileVault tab.
- Click on the lock icon in the lower left corner of the screen and enter the computer’s administrator password.
- Click the Activate FileVault button.
Once this is done, you will only have to follow the instructions on screen to activate the service for all users and also to establish a method to recover the password in case it is forgotten.
For the first step you will have to know the password of each user or, at least, ask the users to enter the password. If you cannot contact all users at that time, the service will be activated the first time they log on to the computer.
As for the second step, setting a password recovery method, there are three different options :
- Use your iCloud account to unlock the disk and reset the password.
- Create a local recovery key.
- Store a recovery key in Apple and set three security questions and their answers. This option is only available for OS X Mavericks users.
With any of these methods you can even decrypt the data on the disk in case you forget the password for the Mac user.
Of course, it’s important to make sure you remember the password for the Apple ID you’re using or, in the case of a local recovery key, that you keep it somewhere safe outside of the Mac. In the event that you forget this data , you will not be able to decrypt the disk, which means losing the data stored on the computer.
If for any reason at any time you want to disable FileVault on your Mac , you can do so. To do so, just follow these steps:
- Click on the Apple logo icon in the upper left corner of the screen and select the System Preferences option.
- Access the Security and Privacy section.
- Click on the FileVault tab.
- Click on the lock icon and enter the administrator password.
- Click the Disable FileVault button.
Once this is done, the service will be deactivated, although will not be immediately decrypted . The process will take a few hours and will be done in the background. As with activation, the computer needs to be connected to the power supply to be able to complete it, so in the case of laptops it will not be possible to complete it if it is running on battery.
If you want to know the status of the process, you can access the Security and Privacy window, click on the FileVault tab and see the progress.
Is it worth activating FileVault?
The main disadvantage of enabling FileVault is related to the computer performance . The read/write processes will be a bit slower with the service active, as files will have to be decrypted or encrypted on the fly. Depending on the hardware of your computer, the performance loss will be greater or lesser, the lower the power the greater the drop in performance and the higher the power the lesser the drop.
So… Is it really worth activating FileVault and keeping the computer’s disks encrypted?
This is the million dollar question and, as a good Galician, I don’t think there is a single valid answer . It all depends on how you use your computer, in which locations and also the value of the data stored on your computer.
For example, if your computer is a desktop that is in your house, it does not seem that it is very necessary to activate this option. It is true that they can break in and take the Mac, although this possibility is quite remote.
But if you have a MacBook and you carry it around with you, the chances of losing it or having it stolen are much higher. In this case, it may make more sense to activate the service and “suffer” that small drop in performance, because even if it’s stolen, your data will be safe on the encrypted disk inside your computer. Of course you will also have to assess the type of data you usually carry on the disk, if it is not sensitive data (photos, personal documentation, etc, etc …), you may not be interested in activating this service.
On TodoAppleBlog : Improve Mac Performance