One of the sections that Apple takes most earnestly from its devices is security. The firm has always stood out in this section against the competition and today continues to do so. This does not mean that their software is perfect in this section. Of course not, but they do do do everything on their part to make it as safe as possible.
Among the security measures that Apple has included in all Macs is one that for many has gone unnoticed, but that can mark a before and after, especially in the case of laptops. Its name is FileVault.
What is FileVault on macOS?
FileVault is a feature built into macOS, the operating system of Macs, that allows you to automatically encrypt all files stored on your computer’s hard drive or SSD memory.
FileVault uses 256-bit XTS-AES-128 encryption to prevent unauthorized access to data. One of the highest-level encryption technologies makes it unfeasible for anyone to access the data stored on the computer without authorization. In the case of macOS, without knowing the login password of any computer user or without the encryption key.
How FileVault works on your Mac
FileVault is responsible for encrypting all the files you store on your computer with the XTS-AES-128 256-bit encryption that I mentioned in the previous point.
This service can be activated when starting the computer for the first time or after using it for a while. If you do this when activating the computer, all the files that you save in the storage system will be automatically encrypted.
On the other hand, if you activate it after using the computer for a long time, the encryption will be carried out progressively for the existing files as long as the Mac is connected to the electric current (a measure to avoid a fall in the autonomy of the MacBook). In contrast, the new ones will be encrypted when creating them (whether or not the computer is connected to the power). You can continue using the computer during the process, although you may notice a drop in performance since the process can consume many resources and take a lot of time if you have many files saved.
How to turn on FileVault on macOS
The FileVault activation process is straightforward and will not take you more than a few seconds. It is true that once active, it can take several hours to be fully applied to the entire disk or SSD, but the activation process is fast.
Basically you should follow these steps:
- Open System Preferences from the menu with the Apple icon in the upper-left corner of the screen.
- Select the Security & Privacy option.
- Click on the FileVault tab.
- Click on the lock icon in the lower left corner of the screen and enter the computer administrator password.
- Click the Turn On FileVault button.
Once this is done, you will only have to follow the instructions on the screen to activate the service for all users and set a method to recover the password in case of forgetting.
For the first step, you will have to know each user’s password or, at least, ask users to enter the password. If you can not contact all users at that time, the service will be activated the first time they log in to the computer.
As for the second step, setting a password recovery method, there are three different options:
- Use your iCloud account to unlock the disk and reset the password.
- Create a local recovery key.
- Store a recovery key in Apple and set three security questions and their answers. This option is only available to OS X Mavericks users.
With any of these methods, you can decrypt the data on the disk in case you forget the password to access the Mac user.
Of course, you must make sure you remember the password of the Apple ID you use or, in the case of the local recovery key, that you keep it somewhere safe outside your Mac. If you forget this data, you will not be able to decrypt the disk, which means losing the data stored on the computer.
Turn off FileVault
If you want to turn off FileVault on your Mac for any reason at any given time, you can do so. To do this, you have to follow these steps:
- Click on the icon with the Apple logo in the upper left corner of the screen and select the System Preferences option.
- Access the Security and privacy section.
- Click on the FileVault tab.
- Click on the lock icon and enter the administrator password.
- Tap the Turn off FileVault button.
Once this is done, the service will be disabled, although it will not be decrypted immediately. The process will take a few hours and will be carried out in the background. As with activation, for it to be completed, the computer must be connected to the power, so in the case of laptops, it can not be completed if it is running on the battery.
If you want to know what state the process is in, you can access the Security and Privacy window, click on the FileVault tab, and see the progress.
Is it worth activating FileVault?
The main disadvantage of activating FileVault is related to the performance of the computer. The read/write processes will be slower with the active service, as the files will have to be decrypted or encrypted on the fly. Depending on the hardware of your computer, the loss of performance will be greater or lesser. The lower the power, the greater the performance drop, and the lower the fall. Here is a guide you can use- How to fix high CPU usage on macOS?
So… Is it worth activating FileVault and keeping the computer’s disks encrypted?
This is the million-dollar question, and, as a good Galician, I don’t think there is a single valid answer. Everything will depend on the use you make of the computer, locations, and the value of the data stored on the computer.
For example, if your computer is a desktop in your home, it does not seem essential to activate this option. They can indeed enter to steal and take the Mac, although this possibility is quite remote.
On the other hand, if you have a MacBook and you always carry it, the chances of losing it or suffering a theft are much higher. In this case, it may make much more sense to activate the service and “suffer” that small performance drop since even if it is stolen, your data will be safe on the encrypted disk inside the computer. Of course, you will also have to assess the type of data you usually carry on the disk. If it is not sensitive data (photos, personal documentation, etc.), you may not be interested in active this service.