October 20, 2014

MacBook Users: Encrypt Your Drive with OS X FileVault! It’s Easy and Free!

Apple’s MacBook laptops have become increasingly desirable and successful, making them a prime target for thieves. Now that Mac OS X includes integrated and efficient full disk encryption, I recommend that everyone with a MacBook enable it. It’s easy, nonintrusive, and a potential lifesaver if your machine is stolen!

Why Encrypt Your MacBook?

Like so many features in Mac OS X, Apple did not invent full disk encryption. What they did was make it simple to set up and non-intrusive on a daily basis. Setting up FileVault 2 is quick and painless, with just a few clicks. Once FileVault is set up, you never have to bother with it!

But if your MacBook is stolen, knowing the data is encrypted will really bring peace of mind! Consider all the valuable personal information on your computer: Banking and health information, passwords, personal correspondence and photos, and so much more. The information on your computer is much more valuable and dangerous than the computer itself!

The iconic MacBook has become a status symbol to be sure. Even though Apple does not pay for product placements, MacBooks are everywhere in movies and on television. And a walk-through any coffee shop shows just how much of a status symbol these computers have become. I have even seen people stick Apple logos on generic PC’s just for the perceived cachet!

I won’t argue that MacBooks are intrinsically more valuable than PC laptops, but I imagine that this massive exposure makes them a prime target for thieves. After all, thieves are people too and they are going to think that any computer with that kind of image is going to be worth something on the resale market! And they would be right, since MacBooks hold their value much better than PC laptops and usually cost more as well.

When it comes to identity theft, MacBooks are an even better target. After all, anyone willing to spend so much money on a flashy laptop has got to have more to steal, right? Hopefully, by now, you are scared out of your wits that someone is going to steal your MacBook. Because that’s a real possibility!

Protect Your Identity and Your Data By Encrypting Your MacBook!

Apple has included FileVault encryption in versions of Mac OS X in back to version 10.3 “Panther” in 2003. But until Mac OS X 10.7 “Lion” was released in 2011, it was a hassle and only a partial solution. Back then, I didn’t recommend FileVault and instead used third-party full-disk encryption software.

Now that “Lion” and “Mountain Lion” are here, FileVault 2 has become a “must-have” in my opinion. Although I’m not sure it’s really necessary for desktop computers, since they tend to stay put behind locked doors, there is no excuse not to use FileVault on your MacBook laptop.

What about performance? Encrypting data requires some heavy duty calculations, but modern Apple computers include hardware offload thanks to the Intel AES-NI instruction set. All current Apple computers, including every model of MacBook with a Core i5 or Core i7 processor, support hardware acceleration of FileVault 2 encryption. Although there is some performance lost with FileVault encryption, it’s nothing you would notice in day-to-day usage.

This is especially true when using a SSD-equipped MacBook. Although many SSDs have trouble maintaining performance and reliability when encryption is enabled, Apple specifically chose encryption-compatible SSDs from Toshiba and Samsung for the MacBook Air and MacBook Pro. If you use a third-party SSD, however, do some research to see if it will have issues with full-disk encryption.

How to Enable FileVault 2 Encryption in Mac OS X

Enabling FileVault 2 encryption in Mac OS X “Lion” or “Mountain Lion” is simple.

  1. Close any applications and files; FileVault 2 requires one reboot to set up.
  2. Open System Preferences and click on “Security & Privacy
    FileVault 1 System Preferences
  3. Click “FileVault
    FileVault 2 Security Privacy
  4. Click on the padlock icon, authenticate with your password, and click “Turn On FileVault…
    FileVault 3 Turn On
  5. If you have multiple users, you will be asked to authenticate with their passwords so they will be able to access the drive as well.
    FileVault 4 Users
  6. FileVault will generate a “recovery key” which can be used to access the drive if you forget your password. You will not need this on a daily basis, but you should keep it in a safe place in case you ever have to use it!
    FileVault 5 Recovery Key
  7. Apple can store your recovery key on their servers so you will be able to recover it using your Apple ID. I chose not to do this since Apple IDs can be stolen by scammers.
    FileVault 6 Apple
  8. That’s it! Just click “Restart” and your computer will quickly reboot. You can go back to using it normally afterward – all encryption happens in the background!
    FileVault 7 Restart
  9. If you’re interested in checking on the status of the encryption, you can open Terminal and type “diskutil cs list” to show CoreStorage status. As long as it is working, it will show “Converting”. Once it’s done, this will read “Complete.”
    FileVault 8 Converting

Hardware acceleration and fast SSD performance means that the background work of encrypting your drive won’t impact normal operation and won’t take too long. My 15″ MacBook Pro with Retina (mid 2012) took just 33 minutes to encrypt its 256 GB Samsung SSD while I performed other light tasks.

For more details, see this Apple whitepaper, Best Practices for Deploying FileVault 2

Stephen’s Stance

Once you encrypt your MacBook’s drive with FileVault 2, you’ll never even know it’s there. But if you ever lose your machine, you can rest easy knowing that your data is safe. Considering how well this solution performs and that it is included free of charge, there is no reason not to use it!

It is important to also encrypt any other locations where you store personal information, especially portable hard drives used for Time Machine backups! In another article, I will describe the process for encrypting external drives without losing data.

  • http://blog.ciscoinferno.net/ Anthony Burke

    Super post Stephen – insightful as always.
    I am a user of 10.6 with my very old 06 macbook. I was wondering what third party full disk encryption applications you would recommend?

  • http://twitter.com/icemarkom Marko Milivojevic

    I remember a problem where FileVault encrypted volumes would be inaccessible via SMB sharing. If this is not needed, I suppose it’s a good thing to do.

  • http://twitter.com/dpironet Didier Pironet

    Hi Stephen, great write-up!

    I’m using VMware Fusion and I’m a bit concerned about performance and eventually compatibility issues using FileVault and Fusion.

    Have you had the chance to test FileVault+Fusion or do you have any hint here?

  • http://twitter.com/robcommins Rob Commins

    Hi Stephen – please check step 6 – I think you forgot a “do not” in there. thanks for the post!!!

  • http://blog.fosketts.net sfoskett

    Whoa! Thanks for that Rob! I fixed that step now.

  • http://blog.fosketts.net sfoskett

    I haven’t had any issues with FileVault and Fusion. I used it on my last MacBook Pro since it came out with no issues. I’ve not had any issues with Fusion on my new one either.

  • Michael Stanclift

    I have been using Fusion and FileVault with no issues.

  • Michael Stanclift

    I have never seen that, but I also don’t go sharing files on my laptop. I don’t know why this would be the case it’s the encryption is not file level and should be transparent to the application and services running on the system.

  • Erik

    You can also see the encryption status in the FileVault settings pane. It will even show an ETA. (at least on OS X 10.8.2, don’t know about prior versions)

  • Chris

    Thanks for the easy to follow instructions. However, when I clicked the Turn on FileVault…” it said I required an extra 230GB disk space. Clearly it doesn’t duplicate your data. Any thoughts?
    Thanks, Chris

  • http://scoop.it/t/secular-curated-news-views Secular Antitheist Liberal

    Great article. Very insightful. I’ve been using my mid-2012 macbook and I’m just learning about filevault. Can I still enable filevault on this old macbook air or is it only installed when the macbook is new?