Apple has used the FileVault name to cover full - disc encryption ( often abbreviated FDE ) since Mac OS X 10.7 Lion back in 2011 . For years , FileVault used a read / write intensive encoding method that took a farseeing time to first inscribe your drive and then was a slight retarding force on carrying into action thereafter , though not very noticeable .
In telephone exchange , FileVault offered three significant protections against strong-arm admission to your computer , up to and including someone running off with your Mac and having all the fourth dimension in the world to acquire access .
First , at remainder ( when powered down ) , your Mac ’s cause was completely inscribe . Without have the encryption keys , which are protected by your account password , an attacker could test to break in like a shot or extract a severe drive ( or later , Fusion Drives and SSDs ) , but they ’d be totally locked out .
Enabling FileVault adds one more strong level of protection to your Mac startup.
enable FileVault adds one more secure level of protection to your Mac startup .
metalworks
Second , macOS would n’t unlock your drive for access at inauguration without a valid business relationship password or an associated Recovery Key . One vector that can still be exploit is that if you use Apple ’s option to store your Recovery Key in escrow in your Apple ID write up , someone who cracks your Apple ID account could potentially also derive access to the Recovery Key and unlock your Mac ’s drive . ( Technically , with FileVault active , your Mac starts up using the recoveryOS , the modest partition that also helps you reinstall macOS or recover from big problems . )
[ Ca n’t find your Recovery Key ? See “ How to find your FileVault retrieval key in macOS . ” Not sure if you have a current written matter of the Recovery Key ? “ Is your macOS FileVault Recovery Key stream ? Here ’s how to check . ” ]
Third , even after successfully unlock the driving and booting into macOS proper , someone still has the normal Mac security measure to get through : they call for an account word to sign in . While exploits have been find occasionally that let attackers bypass the login screen , they are typically short - lived — because they ’re worthful on the gray market place and then discovered and patch by Apple — and ca n’t be trigger remotely in any case . A ne’er - do - well has to have such an exploit , andyour locked but boot into macOS calculator in front of them .
Starting with Intel Macs that featured the T2 Security Chip , Apple built encoding in at the bottom level of macOS : your startup intimate intensity isalwaysencrypted , and you ca n’t twist it off . This is the same with all M - serial Apple atomic number 14 Macs . ( If you use an extraneous volume , enabling FileVault also encrypts the volume , which can be quite speedy with a modern SSD . )
For T2 - outfit Intel Macs and all M - series Macs , FileVault adds security at step two only . With FileVault disabled on those Macs , when you start up up your computer , the cause is automatically unlocked and ready for use with a login .
masses have varying security needs . If you never fear that your computer will be steal by anyone who could employ some in high spirits level of hack science — including a government agency — then perhaps you do n’t need to enable FileVault . FileVault append a spirit level of peril because if bill data is somehow defile on the recoveryOS , you must have your Recovery Key to get back into your Mac . ( See “ How to unlock your Mac with its Recovery Key and FileVault participating . ” ) I receive emails on a regular basis from people who ca n’t find their Recovery Key and did n’t use Apple ’s iCloud escrow for security reasons .
However , if you are sure you may maintain upright criminal record ( or trust the iCloud escrow ) and want to be sure that a stolen or get at Mac will never give up your private data point and other secrets , enable FileVault provides just one more layer of protection .
This Mac 911 article is in reply to a doubt submitted by Macworld reader Derek .
Ask Mac 911
We ’ve compiled a list of the dubiousness we get require most frequently , along with answer and links to pillar : read our super FAQ to see if your interrogation is treat . If not , we ’re always look for novel problem to solve ! Email yours tomac911@macworld.com , including screen captures as appropriate and whether you want your full name used . Not every doubt will be answered , we do n’t answer to email , and we can not allow for lineal troubleshooting advice .
