University Systems help centre
Encrypt a disk using FileVault 2: Mac
Apple's FileVault 2 software keeps your data secure by encrypting the entire hard drive. FileVault 2 is a feature of Mac OS 10.7 and 10.8, so no additional software is required.
1. Ensure that the computer meets the requirements for using FileVault 2:
- Your Apple desktop or laptop is running Mac OS Lion (10.7) or Mountain Lion (10.8).
- Mac OS Lion (OS 10.7) or Mountain Lion (Mac OS 10.8) Recovery Partition installed on the startup drive.
- You are NOT using Boot Camp (a type of software that lets you run Windows on your Mac)
- In the event of a drive or encryption failure, data recovery will be impossible. If your data is not also stored on a network share drive, you should have an active backup of your computer. University Systems recommends Tivoli Storage Manager for this purpose.
- Your screensaver is configured to lock automatically after 15 minutes of inactivity.
- Your system is configured to require a password when returning from hibernate, sleep, and screensaver modes.
Note: Computers with Mac OS 10.6 and lower have a different version of File Vault which does provide the same level of security as FileVault 2. If your computer has Mac OS 10.6, follow the instructions for installing and setting up PGP Whole Disk Encryption instead. If you have Mac OS 10.5 or lower, contact the Computer Help Desk or your Desktop Support person to discuss your options for upgrading your computer.
2. Click on the System Preferences icon and then select the Security & Privacy icon
3. In the Security control panel, select the FileVault tab.
4. To start FileVault, click the Turn on FileVault… button. You may need to unlock the control panel by clicking the lock icon (located on the bottom left corner) and entering the credentials of an administrator account.
5. Select the user(s) who will be allowed to unlock the encrypted drive. You will need to enter the password, or have users enter their passwords, for each account you wish to allow to unlock the computer.
Note: Users not enabled to unlock the computer will only be able to log in to that Mac after an unlock-enabled user has started or unlocked the drive.
6. You will be shown a 24-character personal recovery key. Copy and record this key in a secure, but physically retrievable, location. Do not store the key on the encrypted computer.
If you have forgetten your password and lose or misplace this key, all of the data on this computer will be lost. University Systems will be unable to retrieve any of the information on this drive.
7. Click the Continue button once the number has been recorded. If you quit the FileVault setup at this stage, a different key will be created next time.
8. Apple can store the recovery key encrypted on their servers as a backup. Click Do not store the recovery key with Apple and then click the Continue button.
9. You will be prompted to restart your computer to begin the encryption process.
10. A computer encrypted with FileVault will display a login screen showing only the users that are allowed to unencrypt the computer.
As a security measure, if the login screen is left inactive for approximately five minutes, the computer will shut down automatically.
11. You can check the status of the encryption by returning to the Security & Privacy control panel. Select the FileVault tab and you will see the progress bar show the time remaining.
If you reboot or shutdown while the disk is being encrypted, the process will continue where it left off. Note the drive is not fully encrypted until the process has completed.