Marco Alcala's Blog

Understanding Apple FileVault Disk Encryption

Marco Alcala

Apple FileVault is a feature built into macOS that allows you to encrypt your hard drive to protect your data from unauthorized access. When enabled, FileVault uses XTS-AES 128-bit encryption to secure the entire startup disk.

How FileVault works

  • Full disk encryption: All data on the startup volume is encrypted. Without the password or recovery key, the data is unreadable.
  • Transparent to the user: Once you log in, files are decrypted on the fly. You don't need to take extra steps to access your data.
  • Recovery key: During setup, you receive a recovery key. Store it securely—without it, you cannot recover data if you forget your password.

Enabling FileVault

  1. Open System Settings > Privacy & Security > FileVault
  2. Click "Turn On" and follow the prompts
  3. Choose to use your iCloud account for recovery or create a local recovery key
  4. Encryption runs in the background; you can continue using your Mac

Best practices

  • Enable FileVault on all Macs that handle sensitive data
  • For organizations, use MDM to enforce FileVault and escrow recovery keys
  • Ensure backups are also encrypted and stored securely
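To verify that enforcement actually took effect on a given Mac, the built-in fdesetup tool can be queried from a script. The following is an added example, not part of the original post: the state names and the report_filevault helper are hypothetical, and the sample status strings are constructed to resemble the tool's output.

```sh
#!/bin/sh
# Added example: classify `fdesetup status` output for a compliance check.
# State names and report_filevault are hypothetical, not Apple's terms.

# Map status text to: encrypted | encrypting | decrypting | off | unknown
classify_filevault_status() {
    case $1 in
        *"Decryption in progress"*) echo decrypting ;;
        *"Encryption in progress"*) echo encrypting ;;
        *"FileVault is On"*)        echo encrypted ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# Only a finished conversion counts as compliant: a disk still converting
# in the background (step 4 above) is not yet fully protected.
filevault_compliant() {
    [ "$(classify_filevault_status "$1")" = "encrypted" ]
}

# Query the local Mac and print a one-line report; exit status 0 = compliant.
report_filevault() {
    status_text=$(fdesetup status 2>&1)
    state=$(classify_filevault_status "$status_text")
    # Prints "true" or "false"; empty output is reported as "unknown".
    has_key=$(fdesetup haspersonalrecoverykey 2>/dev/null)
    [ -n "$has_key" ] || has_key=unknown
    echo "host=$(hostname) filevault=$state personal_recovery_key=$has_key"
    filevault_compliant "$status_text"
}

# Constructed sample inputs (modelled on the tool's output) for offline runs.
SAMPLE_ON='FileVault is On.'
SAMPLE_OFF='FileVault is Off.'
SAMPLE_BUSY='FileVault is On.
Encryption in progress: Percent completed = 42'

if command -v fdesetup >/dev/null 2>&1; then
    report_filevault || echo "NOT COMPLIANT" >&2
else
    for s in "$SAMPLE_ON" "$SAMPLE_OFF" "$SAMPLE_BUSY"; do
        echo "sample -> $(classify_filevault_status "$s")"
    done
fi
```

On a managed fleet, the one-line report can be collected centrally so that Macs reporting anything other than "encrypted" are followed up.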

FileVault is an essential control for protecting data at rest, especially on laptops that could be lost or stolen.