If you use Macs for business, you should be familiar with FileVault

Apple’s built-in disk encryption system for macOS can help protect corporate data.

If you run a business on Macs (and many companies do), then you should become familiar with FileVault, the disk encryption system that’s built into macOS. When used properly, it makes it extremely hard for any malicious person to access your company’s confidential data in the event your Mac is lost or stolen.

What’s the problem FileVault tries to solve?

Most businesses possess various forms of sensitive data. This might include corporate or supplier data, confidential order books, financial records, contact names and addresses, and more. That information has business value, but if compromised it could also place you, your employees, or your customers at risk. In many industries, protection of such information is mandatory and legally required.

Apple’s FileVault makes it much harder for unauthorized users to extract this kind of data from company Macs. It does so by encrypting the data on the Mac and decrypting it only once an appropriate login is used. FileVault encrypts and decrypts data in the background, so the system can be used while it does so.

What is FileVault?

Apple introduced FileVault in 2005 with Mac OS X Panther (10.3). At that time, it only protected a user’s Home folder. The technology has evolved since then and now offers XTS-AES 128 data encryption for the whole disk, protected by a 256-bit key. When it comes to business, IT can manage FileVault using most available MDM systems and consoles.

When a Mac is protected by FileVault, no one can access its data unless they have the FileVault decryption key or user account credentials. The current implementation of FileVault is available on both recent Intel and Apple Silicon Macs.

How to enable FileVault

FileVault is not enabled by default. To enable it, you must be an Admin user on your Mac.
If so, you can open System Preferences > Security & Privacy and check the FileVault tab. You will be given two choices: to protect the Mac using your iCloud account and password, or to use a Recovery Key. The first option is fine for personal users, but most enterprises will probably use a Recovery Key.

It is very important to note your login password and the recovery key generated for you when you enable FileVault. That’s because if you forget them both, all the data on your Mac will be unavailable to you. One protection here is that console-based MDM systems may be able to remotely assign new keys.

NB: Once you enable FileVault, it cannot be turned off until the first full encryption has taken place. That first encryption can take time, depending on how much information you have on your Mac. Subsequently, in the event the passphrase or recovery key is changed, the entire volume must be decrypted and re-encrypted.

Know your limits

It is extremely important to note that an individual user who cannot recall their password or recovery key will never be able to access that data, as they will eventually need to delete and reinstall macOS.

However, a business that makes use of a modern MDM system to manage its Macs can also assign institutional recovery keys that can be managed and stored from the MDM console. That’s useful, as it means that if a user forgets their password, IT can use the recovery key to reset FileVault and assign a new password to get them back in.

What to consider when creating passcodes

Companies should consider passcode policy for FileVault volumes. A generalization is that longer passcodes are stronger passcodes (so long as they aren’t 12345678910), but it’s also important to consider passcode rotation schedules and alphanumeric codes.

In my experience, the challenge with the FileVault recovery key is that since it is used so infrequently, it is very easy to forget the code.
This is one code that needs to be written down and locked away somewhere, even if you use a transposition cipher to secure that written key.

Some Macs already encrypt

Macs equipped with an Apple T2 Security chip automatically encrypt data. It’s still worth using FileVault with those systems, as it enhances the inherent protection by requiring your login password to decrypt your data. Apple maintains a list of Macs that make use of the T2 Security Chip.

Should all your Macs be protected by FileVault?

As a rule of thumb, any Mac that carries or has access to personal or sensitive business data should use FileVault encryption.

What are the consequences of using FileVault?

Other than the complete loss of data in the event you forget your passcodes and lose access to your Mac, the biggest negative outcome when using FileVault is that I/O performance can sometimes be affected.

What can I use instead of FileVault?

Though FileVault has the big advantage of being Mac-native, some businesses may prefer to use alternative solutions such as VeraCrypt.

Where can I find out more about FileVault?

Apple publishes its current advice on the use of FileVault in macOS Monterey.
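One way to check the state the sections on enabling FileVault and on recovery keys describe (FileVault on, first encryption finished, a recovery key in place), as an added example that is not part of the original article. It classifies the text printed by the macOS `fdesetup` tool; the function name `fv_verdict`, the verdict strings and the sample status lines are constructed for illustration, and the script is assumed to run with root privileges, as an MDM script would.

```shell
#!/bin/sh
# Added example: classify a Mac's FileVault state from fdesetup output.
# Usage: fv_verdict STATUS_TEXT HAS_PERSONAL_KEY HAS_INSTITUTIONAL_KEY
#   STATUS_TEXT  text printed by `fdesetup status`
#   HAS_*_KEY    "true"/"false" as printed by `fdesetup haspersonalrecoverykey`
#                and `fdesetup hasinstitutionalrecoverykey`
fv_verdict() {
    status=$1
    prk=$2
    irk=$3
    case $status in
        *"Decryption in progress"*)
            echo "FAIL: volume is being decrypted"; return ;;
        *"Encryption in progress"*)
            # First encryption pass has not finished; data is not fully protected yet.
            echo "PENDING: first encryption still running"; return ;;
        *"FileVault is Off"*)
            echo "FAIL: FileVault is off"; return ;;
        *"FileVault is On"*)
            ;;  # encrypted: continue to the recovery key check
        *)
            echo "UNKNOWN: unrecognised status text"; return ;;
    esac
    # A forgotten password with no recovery key means the data is gone,
    # so an encrypted Mac without any key is flagged rather than passed.
    if [ "$prk" = "true" ] || [ "$irk" = "true" ]; then
        echo "OK: encrypted, recovery key present"
    else
        echo "WARN: encrypted, no recovery key reported"
    fi
}

if command -v fdesetup >/dev/null 2>&1; then
    # On a Mac: query the real tool (assumed to be running as root).
    fv_verdict "$(fdesetup status)" \
               "$(fdesetup haspersonalrecoverykey 2>/dev/null)" \
               "$(fdesetup hasinstitutionalrecoverykey 2>/dev/null)"
else
    # Elsewhere: constructed sample inputs, so the logic can be read offline.
    fv_verdict "FileVault is On." true false
    fv_verdict "FileVault is On.
Encryption in progress: Percent completed = 41" true false
    fv_verdict "FileVault is Off." false false
fi
```

Deployed as a scheduled MDM script, any verdict other than OK gives IT a list of Macs to follow up on before one is lost or stolen.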