FileVault 2 is the native encryption program on Macintosh computers running OS 10.8 (Mountain Lion) and 10.7 (Lion). It meets Encryption Requirements for Macs used at CUMC that store or access confidential or sensitive data. FileVault 2 is not turned on by default; please review all information on this page before setting it up.
WARNING: The purpose of encryption is to make data unreadable if proper credentials are not provided. Issues including permanent loss of files can occur if you do not adequately prepare your computer and data before installing or beginning to use encryption.
How FileVault 2 Works
FileVault 2 uses full disk encryption with pre-boot authentication. Decryption happens transparently after you enter your Mac login and password; simply work on the computer as you normally would.
After logout or shut down, everything is encrypted and cannot be read without an authorized login.
Your computer password must be strong and cannot be shared; click here for instructions on changing your password.
It is very important to remember your password correctly; without it, only the recovery key can be used to decrypt data on the computer.
Automatic login on the Mac is disabled once FileVault 2 is set up.
Your computer login prompt will appear quickly after powering on, before the OS loads ("boot up"). Once you log in, the boot up and decryption processes will run, but this shouldn't take more than a few minutes.
Earlier Versions of FileVault and Mac OS Upgrades
Macintosh OS 10.4 through 10.6 offered FileVault 1; however, it only encrypted a user's home folder and did not provide pre-boot authentication. Because of this, earlier versions do not meet most CUMC Encryption Requirements. To use FileVault 2, computers must be running Mac OS 10.7 or 10.8. IMPORTANT: if you were using FileVault with OS 10.6 or earlier, you should first turn off FileVault before upgrading the OS (click here to view step by step instructions).
The computer cannot be used while FileVault is being turned off, and the process may take a long time depending on how many files are in the home folder.
Make sure the Macintosh's hard disk has at least as much free space as the size of your home folder. Example: if your home folder (usually labeled with your login name) is 95GB, you must have at least 95GB available on the Macintosh HD itself. If you do not, you will need to back up and delete files first. The space is only used temporarily.
Make sure the computer is plugged in and not running off of the battery. If the process is interrupted due to lack of power, it may cause irreparable damage to your data.
Open System Preferences from your dock or the main Apple drop down menu.
Select the Security icon.
In the Security window, select the FileVault tab.
If the padlock in the lower left corner of the Security window is closed, click it and enter your computer's Admin password when prompted.
Click the Turn Off FileVault... button.
A window stating You are ready to turn off FileVault protection will appear; select the Turn Off FileVault button to confirm that you are ready.
A Decrypting _______'s home folder window will appear showing the progress.
Please note that any other home folders/login accounts on the Mac that have been encrypted with FileVault 1 should be decrypted as well before upgrading your Mac OS.
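The free-space and power requirements above can be checked from Terminal before turning off FileVault 1. The script below is an added example, not part of the original instructions; its function names are hypothetical, and it assumes that `pmset -g batt` names the power source as 'AC Power' when the Mac is plugged in.

```shell
#!/bin/sh
# Added example: pre-flight check before turning off FileVault 1.
# Usage (run as the account whose home folder is encrypted):
#   preflight "$HOME" /

# Size of a folder in KB.
dir_size_kb() {
    du -sk "$1" 2>/dev/null | awk '{print $1}'
}

# Free space in KB on the volume that holds the given path.
free_kb() {
    df -kP "$1" | awk 'NR==2 {print $4}'
}

# Succeeds when free space is at least the size of the home folder.
has_room() {    # has_room <home_kb> <free_kb>
    [ "$1" -le "$2" ]
}

# Succeeds when the text of `pmset -g batt` reports AC power.
# Assumption: the power source is printed as 'AC Power' when plugged in.
on_ac_power() {
    case "$1" in
        *"'AC Power'"*) return 0 ;;
        *) return 1 ;;
    esac
}

preflight() {   # preflight <home_dir> <volume_path>
    home_kb=$(dir_size_kb "$1")
    avail_kb=$(free_kb "$2")
    status=0
    if has_room "$home_kb" "$avail_kb"; then
        echo "OK: ${avail_kb} KB free, home folder uses ${home_kb} KB"
    else
        echo "STOP: home folder uses ${home_kb} KB, only ${avail_kb} KB free"
        status=1
    fi
    # pmset exists only on Macs; the power check is skipped elsewhere.
    if command -v pmset >/dev/null 2>&1; then
        if on_ac_power "$(pmset -g batt)"; then
            echo "OK: running on AC power"
        else
            echo "STOP: plug in the power cord before continuing"
            status=1
        fi
    fi
    return $status
}
```

A STOP line means the corresponding requirement above is not met yet; free up space or connect the power cord and run the check again.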
Enabling FileVault 2
When FileVault 2 is first enabled, it encrypts all data stored on the computer's hard disk. This may take a few hours to complete depending on the amount of data. It is OK to use the computer during this time, though it may run more slowly.
Prior to enabling FileVault 2:
Make sure you have run a recent data backup as per CUMC requirements. If issues occur during initial encryption this may be the only way to regain corrupted files.
Close any applications or files that are open on the computer (you can use the computer after restart).
Make sure your Mac is using its power cord and not running off of battery power. Interruptions due to loss of power can result in corrupted files.
It is also highly recommended to first check for and repair any hard disk errors using Disk Utility.
Enabling FileVault 2:
Open System Preferences from your dock or the Apple drop down menu in the upper right.
Select the Security & Privacy icon.
Select the FileVault tab from the menu bar.
If the padlock in the lower left corner is closed, click on it and type in your computer's Admin password when prompted.
Select the Turn On FileVault button in the upper right of the window.
NOTE: If the Mac has multiple login accounts set up, you will see a list with a button to Enable User next to each. Please see information on Apple's About FileVault 2 page under the Turning on FileVault 2 heading for help.
A window with your unique recovery key will appear. Copy it down carefully and store it in a safe, secure place off of your Mac. It is the only other way to gain access to your encrypted Mac if you forget your login password.
Click the Continue button once you have copied and secured your recovery key.
At the next window, select the option Do not store the recovery key with Apple and click Continue. Apple does not have the required Business Associate Agreement with CUMC to store keys or information pertaining to confidential and sensitive data.
At the next prompt click the Restart button. The computer will restart and begin encrypting the full disk.
It is OK to use the computer while it is encrypting.
To view the status, return to the Security & Privacy option in System Preferences. It will show the approximate time remaining.
When the encryption process has completed, FileVault 2 will remain enabled. Keep in mind that while you are logged in to the Mac, data is not encrypted and can be read by anyone with access to it; be sure to set up a screensaver lock that requires a password after a short period of time if the computer is left unattended.