How to encrypt your Mac with FileVault 2, and why you absolutely should

Apple's first pass at built-in encryption was, frankly, terrible. The original FileVault, introduced with 10.3 Panther in 2003, only encrypted a user's home directory, and had a number of functional and implementation problems. FileVault 2 appeared in 2011 with 10.7 Lion, and had almost nothing to do with the original except the name.

FileVault 2 offers full-disk encryption (FDE). When enabled, the entire contents of the startup drive are encrypted. When your computer is powered off, the drive's data is fully unrecoverable without a password. It also lets you use Find My Mac to remotely wipe your drive in a matter of seconds if you're concerned about whose hands your computer has fallen into. You can enable FileVault 2 on an existing Mac, but starting with 10.10 Yosemite, OS X now encourages turning on FileVault 2 during setup of a laptop.

This has made some law-enforcement officials unhappy, who seemingly don't want your data to be protected this strongly, so they can get access in the unlikely event that they need it. Relatively few people engage in criminal activities, and of them, even fewer ever have their computers seized and examined. It's a good sign as to how well FileVault 2 works that officials are so morose about it.

FileVault is easy to enable in System Preferences > Security & Privacy, and once the initial encryption is over, it won't even slow your Mac down day to day.

FileVault 2 takes advantage of the ever-improving processor speed and features in Macs to perform on-the-fly encryption and decryption. Every chunk of data read from and written to disk, whether of the spinning variety or SSD, has to go through this process. Macs introduced starting in 2010 and 2011, and every model since, can use encryption circuitry in the processor, boosting performance.

FileVault 2 works hand in hand with OS X Recovery, a special disk partition that lets you run Disk Utility from the same drive you may be having trouble with, restore or install OS X via the Internet, restore a Time Machine backup, or browse with Safari. With FileVault 2 enabled, your computer boots into the Recovery volume, prompting you to log in with any account that's been allowed to start up the computer.

On a system without FileVault 2 already in place, you need to turn it on, which converts your startup drive from its unencrypted state to fully encrypted. This comes with a few big flashing red warnings and pieces of advice before you proceed. (You can encrypt secondary and external drives by Control-clicking a drive's icon and selecting Encrypt "Drive Name", but it doesn't tie in with login: you set a password for the drive, and have to enter it to mount it.)

Warning 1! During the setup, OS X creates a Recovery Key for your drive. As with Apple's two-step verification for Apple ID accounts, this Recovery Key is critical to retain. Without it, if you lose or forget the account password to all FileVault 2-enabled accounts, your drive is permanently inaccessible. Keep a copy of the Recovery Key, probably printed out, for emergencies.

Warning 2! Once you start the conversion, there's no stopping it. It has to complete, and it consumes CPU resources like mad, slowing down your machine and likely firing up the fan to high speed. Your computer also has to remain plugged in. The operation takes many hours. A friend's niece accidentally accepted the option to enable FileVault 2 when upgrading to Yosemite a few evenings ago, and had her machine, needed for a computer-science class the next morning, slow to a crawl.

Apple provides step-by-step details in a Knowledge Base note, so I won't repeat all of that, but will highlight the critical parts.
