Client Security Part 2 – FileVault 2

Hi all. Once again I’m delving into client security for end users as part 2 of the series. This time I am focusing on the use of FileVault 2, Apple’s full disk encryption solution.
As before, this is geared more towards your average end user than IT administrators, but it may provide you with ideas for your own end users.
The usual Disclaimer:
While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.
Secondary Disclaimer:
A lot of the items recommended in this series involve making your Mac more secure. A secondary result of this is that your data will be harder to recover if things should go wrong. Please ensure you have a full, all-encompassing and tested (!) backup of your data before attempting these recommendations or you could find yourself locked out of your data!
This is especially true with full disk encryption.
Right, let’s get to it.

FileVault 2

FileVault 2 is the successor to Apple’s FileVault encryption system (surprise!). The original FileVault provided a means to encrypt a user’s home area but no way to encrypt the entire disk, and, more so in the early versions, had a tendency to be buggy. With FileVault 2, Apple have increased the robustness as well as the features:

  • By default, FileVault 2 will encrypt the entire boot disk, ensuring that data stored anywhere on the Hard Disk is protected.
  • FileVault 2 uses “full disk, XTS-AES 128 encryption” to ensure your data is safe.
  • FileVault 2 allows any administrative user to manage who is allowed to unlock the disk, whilst allowing all users access once the disk has been unlocked.

Sounds good, but what’s the catch?

A fair question, and I have some answers for you:

  • You must have the recovery partition installed. This is installed by default on any Mac that ships with 10.7 (Lion) and higher (see the section on how it works for why).
  • The volume cannot be on a software RAID. This follows from the above requirement: you normally cannot install a recovery partition on a software RAID, and therefore you cannot use FileVault 2.
  • You must remember your Recovery Key! OK, this is more for after you have turned FileVault 2 on, but it is extremely important if you forget your password.

But how does it work?

I’m assuming you’re not interested in the nitty gritty tech side of it, but more in how it’ll work for you. OK, here we go…
Once you are fully up and running with FileVault 2, your Mac will boot to a ‘pre-boot’ login window. Behind the scenes, it has actually booted to the recovery partition, as this is the only part of the Hard Drive that remains unencrypted (which is why you need it). I mean, you need to put a password in somehow!
On this screen, you’ll be shown a list of users who have been allowed to unlock the entire Hard Drive. Click on your user and enter your password. As long as it’s correct, the computer will now do a quick half-reboot to your now unlocked Hard Drive.
As part of the process the user you clicked on, and the password you have typed, will be forwarded onto the Login Window and you’ll be taken straight to your desktop.
On shutdown (including reboot) the computer will automatically ‘lock’ the Hard Drive up again.

Great, but how do I turn it on….?

Simple, here are some steps I prepared earlier:

  1. Log in as your Administrator user. Launch System Preferences either from the Apple menu or the Applications folder. Once open, select ‘Security & Privacy’.

  2. Once in this tab, select ‘FileVault’ and click the padlock icon in the lower left corner.

  3. When prompted, enter your Administrator user password and click ‘Unlock’.

  4. Once unlocked, click “Turn On FileVault…” to start the process.

  5. On the next screen, you will see a list of users on this machine. Click “Enable User…” next to each user you wish to allow to unlock the machine, entering their password when prompted. Once all required users have been enabled, click ‘Continue’.

  6. The next window will show the Recovery Key. This is unique to each machine, and if the enabled user forgets their password and the Administrator user password, this will be the only way to unlock the machine to access the data. This will not be shown again. I would recommend that this be stored somewhere online such as a password-protected Google Docs document. Once complete, click “Continue”.

  7. On the next screen, set the radio button to “Do Not Store with Apple” if you are happy to look after the code yourself. Otherwise select “Store with Apple” and click “Continue” to follow the instructions.

Please Note: If you choose to store your recovery key with Apple you will be asked three questions. If you need to get the key back from Apple you will need to provide the EXACT SAME answers.

  8. Finally, click “Restart” to complete the process. Encryption will now run whenever the machine is powered up and booted into Mac OS. The machine can be used, rebooted and shut down during the process, but the entire drive will not be encrypted until this is complete. The average time for this is 12-24 hours.

Using FileVault 2

So you’ve enabled FileVault 2, but not for little Timmy who wants to share your computer. You don’t want him to be able to unlock the computer but you do want him to use it without having to disable FileVault 2 each time.
There’s a solution for that:
Simply log in as your user account, wait until you reach the desktop, then log out again. As long as you don’t shut down or restart the computer, you will be returned to the normal login window, at which point little Timmy can log into his account and do his homework, while all the data on the Mac remains protected.
What about after Timmy gets a little older and you want to allow him to unlock your Mac?
Go back to System Preferences’ Security Pane, click FileVault and select “Enable users”. Follow step 5 above and you’ll be able to add a new user to the ‘allowed’ list in no time.
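For anyone who prefers to confirm from Terminal that encryption has actually finished and that only the intended users can unlock the disk, here is an added example (not part of the original post) built around Apple’s `fdesetup` tool, which ships with OS X 10.8 and later. The output formats it parses and the sample users `alice` and `timmy` are assumptions, constructed for illustration.

```shell
#!/bin/sh
# Added example: audit FileVault 2 state from fdesetup output.
# Assumed formats: `fdesetup status` prints "FileVault is On." or
# "FileVault is Off.", optionally followed by a line such as
# "Encryption in progress: Percent completed = N"; `fdesetup list`
# prints one "username,UUID" line per user allowed to unlock the disk.

# fv_state: classify `fdesetup status` text read from stdin.
fv_state() {
    text=$(cat)
    case "$text" in
        *"Encryption in progress"*) echo "encrypting" ;;  # not fully protected yet
        *"Decryption in progress"*) echo "decrypting" ;;
        *"FileVault is On"*)        echo "on" ;;
        *"FileVault is Off"*)       echo "off" ;;
        *)                          echo "unknown" ;;
    esac
}

# fv_unexpected_users: print users from `fdesetup list` (stdin) that are
# not in the space-separated allow-list passed as $1.
fv_unexpected_users() {
    allowed=" $1 "
    while IFS=, read -r user uuid; do
        [ -n "$user" ] || continue
        case "$allowed" in
            *" $user "*) ;;           # expected unlock user
            *) echo "$user" ;;        # enabled, but not on the allow-list
        esac
    done
}

# Constructed sample output (not captured from a real machine).
SAMPLE_STATUS='FileVault is On.
Encryption in progress: Percent completed = 43'
SAMPLE_LIST='alice,11111111-2222-3333-4444-555555555555
timmy,66666666-7777-8888-9999-000000000000'

# On a real Mac, feed the live commands instead of the samples:
#   fdesetup status    | fv_state
#   sudo fdesetup list | fv_unexpected_users "alice"
fv_audit_sample() {
    echo "state=$(printf '%s\n' "$SAMPLE_STATUS" | fv_state)"
    echo "unexpected=$(printf '%s\n' "$SAMPLE_LIST" | fv_unexpected_users "alice")"
}

fv_audit_sample
```

A result of `encrypting` means the drive is still only partly protected, and any name printed as unexpected is a user who can unlock the disk at the pre-boot login window.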

Summary

I hope that this will be of some help to people out there who are unsure exactly how to protect the data on their Mac or just how to enable it.
The last part in this series will be on remote wiping devices. Any other recommendations are welcome! Let us know in the comments below and I’ll try to respond to as many as I can.

Further reading

Apple – “About FileVault 2”
Apple – “How to perform a Safe-boot if FileVault 2 is enabled”
Apple – “How to create and deploy a recovery key for FileVault 2”