FileVault 2 for Macintosh
FileVault 2 is the native encryption program on Macintosh computers running OS 10.9 (Mavericks), 10.8 (Mountain Lion) and 10.7 (Lion). It meets Encryption Requirements for Macs used at CUMC that store, transmit or access confidential or sensitive data. FileVault 2 is not turned on by default; please review all information on this page before setting it up.
How FileVault 2 Works
WARNING: The purpose of encryption is to make data unreadable if proper credentials are not provided. Issues including permanent loss of files can occur if you do not adequately prepare your computer and data before installing or beginning to use encryption.
FileVault 2 uses full disk encryption with pre-boot authentication. Decryption happens transparently after you enter your Mac login and password; simply work on the computer as you normally would.
After logout or shut down, everything is encrypted and cannot be read without an authorized login.
- Since all files are decrypted on login, any files containing confidential or sensitive data must be individually re-encrypted if copied or moved. Saving to a CUMC IT managed network drive, encrypted USB key, or other individual file encryption method is ok.
- Your computer password must be strong and cannot be shared; click here for instructions on changing your password.
- It is very important to remember your password correctly; without it, only the recovery key can be used to decrypt data on the computer.
- Automatic login on the Mac is disabled once FileVault 2 is set up.
- Your computer login prompt will appear quickly after powering on, before the OS loads ("boot up"). Once you log in, the boot up and decryption processes will then run, but this shouldn't take more than a few minutes.
Earlier Versions of FileVault and Mac OS Upgrades
Macintosh OS 10.4 through 10.6 offered FileVault 1; however, it only encrypted a user's home folder and did not provide pre-boot authentication. Because of this, earlier versions do not meet most CUMC Encryption Requirements. To use FileVault 2, computers must be running Mac OS 10.7 or 10.8. IMPORTANT: if you were using FileVault with OS 10.6 or earlier, you should first turn off FileVault before upgrading the OS (click here to view step by step instructions).
Enabling FileVault 2
When FileVault 2 is first enabled, it encrypts all data stored on the computer's hard disk. This may take a few hours to complete depending on the amount of data. It is ok to use the computer during this time, though it may run more slowly.
Prior to enabling FileVault 2:
- Make sure you have run a recent data backup as per CUMC requirements. If issues occur during initial encryption, this may be the only way to regain corrupted files.
- Close any applications or files that are open on the computer (you can use the computer after restart).
- Make sure your Mac is using its power cord and not running off of battery power. Interruptions due to loss of power can result in corrupted files.
- It is also highly recommended to first check for and repair any hard disk errors using Disk Utility.
Enabling FileVault 2:
- Open System Preferences from your dock or the Apple drop down menu in the upper right.
- Select the Security & Privacy icon.
- Select the FileVault tab from the menu bar.
- If the padlock in the lower left corner is closed, click on it and type in your computer's Admin password when prompted.
- Select the Turn On FileVault button in the upper right of the window.
NOTE: If the Mac has multiple login accounts set up, you will see a list with a button to Enable User next to each. Please see information on Apple's About FileVault 2 page under the Turning on FileVault 2 heading for help.
- A window with your unique recovery key will appear. Copy it down carefully and store it in a safe, secure place off of your Mac. It is the only other way to gain access to your encrypted Mac if you forget your login password.
- Click the Continue button once you have copied and secured your recovery key.
- At the next window, select the option Do not store the recovery key with Apple and click Continue. Apple does not have the required Business Associate Agreement with CUMC to store keys or information pertaining to confidential and sensitive data.
- At the next prompt, click the Restart button. The computer will restart and begin encrypting the full disk.
- It is ok to use the computer while it is encrypting.
- To view the status, return to the Security & Privacy option in System Preferences. It will show the approximate time remaining.
When the encryption process has completed, FileVault 2 will remain enabled. Keep in mind that while you are logged in to the Mac, data is not encrypted and can be read by anyone with access to it; be sure to set up a screensaver lock that requires a password if the computer is left unattended for a short period of time.
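The conditions this page asks for (FileVault on, power cord connected during the initial encryption, automatic login off, screensaver password required) can also be checked from Terminal. The script below is an added example, not part of the original page and not a CUMC or Apple tool. It assumes OS X 10.8 or later, where the fdesetup command exists, and assumes the autoLoginUser and askForPassword preference keys are where these settings are stored on the Mac being checked.

```shell
#!/bin/sh
# Added example. Functions take command output as text so they can be
# exercised with constructed sample strings on any system.

# Classify `fdesetup status` text: on | encrypting | decrypting | off | unknown
fv_state() {
    case "$1" in
        *"Encryption in progress"*) echo encrypting ;;
        *"Decryption in progress"*) echo decrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# Classify `pmset -g ps` text: ac | battery | unknown
power_source() {
    case "$1" in
        *"'AC Power'"*)      echo ac ;;
        *"'Battery Power'"*) echo battery ;;
        *)                   echo unknown ;;
    esac
}

# audit FV_TEXT PMSET_TEXT AUTOLOGIN_USER ASK_FOR_PASSWORD
# Prints one finding per line; returns the number of FAIL findings.
audit() {
    fails=0
    state=$(fv_state "$1")
    case "$state" in
        on)         echo "PASS FileVault is on" ;;
        encrypting) echo "INFO initial encryption still running"
                    if [ "$(power_source "$2")" != ac ]; then
                        echo "FAIL not on AC power during encryption"; fails=$((fails + 1))
                    fi ;;
        *)          echo "FAIL FileVault state: $state"; fails=$((fails + 1)) ;;
    esac
    if [ -n "$3" ]; then
        echo "FAIL automatic login is set for user: $3"; fails=$((fails + 1))
    fi
    if [ "$4" != 1 ]; then
        echo "FAIL screensaver does not require a password"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Live check: runs only where fdesetup is installed (a Mac).
if command -v fdesetup >/dev/null 2>&1; then
    audit "$(fdesetup status 2>&1)" "$(pmset -g ps)" \
        "$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)" \
        "$(defaults read com.apple.screensaver askForPassword 2>/dev/null)"
fi
```

The script's exit status is the number of failed checks, so 0 means every item passed.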