Encrypt The Startup Disk On Your Mac With FileVault 2 [OS X Tips]






Last week I wrote a few tips about disk encryption, but I didn’t write about what to do with the startup disk on your Mac. I cannot think of any reason you shouldn’t encrypt your startup disk after the release of Mac OS X Lion. Apple has made it just too easy for you to encrypt your drive. It is quick, fast and easy. I’ll show you how today.

The quick, fast and easy part actually depends on how your Mac is configured, because on a Mac with a solid state drive it will be very fast. However, my 27-inch iMac with a standard hard disk drive was relatively fast, but not as fast as my 13-inch MacBook Air. The added protection of full disk encryption from FileVault 2 was worth the wait.

Here are the steps to turn on full disk encryption on your Mac running Mac OS X Lion:

  • Open System Preferences and open Security & Privacy.
  • Unlock the Security & Privacy preferences by clicking the lock in the bottom left-hand corner. Enter your administrator account’s password when prompted.
  • Click the FileVault tab.
  • Click Turn On FileVault.

Take note of the recovery key you are presented. I’d write it down, double-check what you wrote down and secure the written recovery key in a safe and secure place. Don’t forget about where you put it!

  • You’ll be prompted to decide if you want to store the recovery key with Apple or not. I usually select not to do that since I’d rather be in complete control of any future recoveries. That is why it is important to keep that recovery key and not misplace it. Click on Do not store the recovery key with Apple.
  • When prompted to restart your Mac, click the Restart button that appears.
  • Log back into your Mac.

At this point Mac OS X Lion will encrypt your disk while you work. If you want to periodically check it just go back to the Security & Privacy preferences pane. You’ll see the status of the process which includes estimated time remaining for completion.
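
The same status check can be scripted. This is an added example, not part of the original article: it reads the Core Storage listing that diskutil prints and reports whether the conversion is still running. The sample listing and its UUIDs are constructed, and the field names and values are assumed to match what `diskutil coreStorage list` prints on Lion.

```shell
#!/bin/sh
# Constructed sample of `diskutil coreStorage list` output (placeholder UUIDs).
sample_cs_list() {
cat <<'EOF'
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 00000000-0000-0000-0000-000000000001
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-> Logical Volume Family 00000000-0000-0000-0000-000000000002
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Conversion Direction:    forward
        Fully Secure:            No
        Passphrase Required:     Yes
EOF
}

# Print the value of the first "Key: value" line whose key matches $1.
cs_field() {
    awk -F': *' -v key="$1" '
        { sub(/^[ |]+/, "", $1) }      # drop indentation and tree characters
        $1 == key { print $2; exit }'
}

# Read a listing on stdin and print one of:
#   encrypted | encrypting | decrypting | not-corestorage | unknown
filevault_state() {
    out=$(cat)
    etype=$(printf '%s\n' "$out" | cs_field "Encryption Type")
    conv=$(printf '%s\n' "$out" | cs_field "Conversion Status")
    dir=$(printf '%s\n' "$out" | cs_field "Conversion Direction")
    secure=$(printf '%s\n' "$out" | cs_field "Fully Secure")
    if [ -z "$etype" ]; then echo "not-corestorage"   # no Core Storage volume listed
    elif [ "$conv" = "Converting" ] && [ "$dir" = "backward" ]; then echo "decrypting"
    elif [ "$conv" = "Converting" ] || [ "$conv" = "Pending" ]; then echo "encrypting"
    elif [ "$conv" = "Complete" ] && [ "$secure" = "Yes" ]; then echo "encrypted"
    else echo "unknown"
    fi
}

# On a Mac, check the real disk; elsewhere, fall back to the constructed sample.
if command -v diskutil >/dev/null 2>&1; then
    diskutil coreStorage list | filevault_state
else
    sample_cs_list | filevault_state
fi
```

Only the "encrypted" result means every block on the disk is protected; until then, parts of the drive are still stored in the clear.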

Here are a few things to note about this process:

If you select the option to Store the Recovery Key with Apple you will be asked to set up three security questions. You’ll need to know the answers to these or Apple will not be able to help you with the recovery. This option also mentions the possibility that “fees may apply” and something about “subject to support eligibility.” That probably means that if you don’t have AppleCare you might be asked to pay for service. My suggestion above in the steps to use encryption on your startup disk will always be free.

If you have multiple accounts on your Mac you may be prompted to select the accounts that are allowed to start up your Mac. You’ll note that the startup screen changes after encryption is turned on. This is due to the fact that your Mac is using a new trick. The trick is that it uses the Recovery HD partition to do the initial boot, verifies you when you log in and then completes the startup using the encrypted drive. It’s all really slick and transparent. Apple did a good job with this.

  • David Marcantonio

    There’s a way you can set your own recovery key. 

    diskutil coreStorage convert /Volumes/Macintosh\ HD -passphrase "yourpassphrase"

    Replace Macintosh HD with your startup volume name and put the recovery key you want inside the quotes. This is the same effect, but you can set the key to what you want.

  • haroldteunissen

    This process wrecked my MBP twice. It refused to boot. Luckily, through recovery mode and Disk Utility you can turn off the disk encryption, and promptly the machine booted.

  • DavidWMartin

    What was special about your circumstances? I’ve performed this on over a dozen Macs. No issues whatsoever. Was there some existing condition on your startup disk?

  • freediverx

    “I cannot think of any reason you shouldn’t encrypt your startup disk after the release of Mac OS X Lion.”

    1) Has FileVault 2 addressed the issue of incremental backups? Previously, with full disk encryption Time Machine would need to back up your entire hard drive every time a file changed.

    2) Is FileVault 2 fully compatible and reliable with all third party software?

    3) Is FileVault 2 any more resistant to total hard drive data corruption in the event that a single block or sector of the disk image becomes corrupted?

  • David Clark

    What exactly is disk encryption? I know that it ‘locks’ files, but what good does that serve?

  • Asda

    Doesn’t it make the computer slower to encrypt and decipher every time I open a file?

  • toodarnloud

    “I cannot think of any reason you shouldn’t encrypt your startup disk after the release of Mac OS X Lion.”
    You definitely increase your chances of losing your whole startup disk. 

    I’d be interested to know what percentage of people experience issues with FileVault.

  • Laurence McAhren

    Issues arise if the HD fails and you have no Time Machine or other backup. Data recovery from a FileVault encrypted disk is non-existent. 
    I have had no less than 2 people bring computers in for data recovery, only to find out they had turned on FileVault. Those were two very unhappy people!
    Password protect your account, password protect important files or folders, but NEVER turn on FileVault. I advise all my clients against it.

  • David Rutan

    I’ve had FileVault on mine for quite a while and not had any issues.
    You do need to make extra sure you’re backing up regularly with Time Machine or some other backup solution though due to possible corruption as mentioned in other comments.

    I use FileVault on portables that travel outside my home, but for desktops it doesn’t make much sense. Since it’s a work system, I also did the firmware password and of course account passwords, along with Find My Mac.

    As for performance hits, I haven’t noticed any, however I have been using SSD drives so it could impact performance but it’s so fast I don’t notice.