Apple has used the FileVault name to cover full-disk encryption (often abbreviated FDE) since Mac OS X 10.7 Lion back in 2011. For years, FileVault used a read/write intensive encryption method that took a long time to first encrypt your drive and then was a slight drag on performance thereafter, though not very noticeable.
In exchange, FileVault offered three significant protections against physical access to your computer, up to and including someone running off with your Mac and having all the time in the world to gain access.
First, at rest (when powered down), your Mac’s drive was completely encrypted. Without having the encryption keys, which are protected by your account password, an attacker could try to break in directly or extract a hard drive (or later, Fusion Drives and SSDs), but they’d be completely locked out.
Enabling FileVault adds one more strong level of protection to your Mac startup.
Foundry
Second, macOS wouldn’t unlock your drive for access at startup without a valid account password or an associated Recovery Key. One vector that can still be exploited is that if you use Apple’s option to store your Recovery Key in escrow in your Apple ID account, someone who cracks your Apple ID account could potentially also gain access to the Recovery Key and unlock your Mac’s drive. (Technically, with FileVault active, your Mac starts up using the recoveryOS, the small partition that also helps you reinstall macOS or recover from big problems.)
[Can’t find your Recovery Key? See “How to find your FileVault recovery key in macOS.” Not sure if you have a current copy of the Recovery Key? “Is your macOS FileVault Recovery Key current? Here’s how to check.”]
Third, even after successfully unlocking the drive and booting into macOS proper, someone still has the normal Mac security to get through: they need an account password to log in. While exploits have been discovered occasionally that let attackers bypass the login screen, they are typically short-lived—because they’re valuable on the gray market and then discovered and patched by Apple—and can’t be triggered remotely in any case. A ne’er-do-well has to have such an exploit, and your locked but booted into macOS computer in front of them.
Starting with Intel Macs that featured the T2 Security Chip, Apple built encryption in at the bottom level of macOS: your startup internal volume is always encrypted, and you can’t turn it off. This is the same with all M-series Apple silicon Macs. (If you use an external volume, enabling FileVault also encrypts the volume, which can be quite rapid with a modern SSD.)
For T2-equipped Intel Macs and all M-series Macs, FileVault adds protection at step two only. With FileVault disabled on those Macs, when you start up your computer, the drive is automatically unlocked and ready for use with a login.
People have varying security needs. If you never fear that your computer will be stolen by anyone who could employ some high level of hacker skills—including a government agency—then perhaps you don’t need to enable FileVault. FileVault adds a level of risk because if account data is somehow corrupted on the recoveryOS, you must have your Recovery Key to get back into your Mac. (See “How to unlock your Mac with its Recovery Key and FileVault active.”) I receive emails regularly from people who can’t find their Recovery Key and didn’t use Apple’s iCloud escrow for security reasons.
However, if you are sure you can maintain good records (or trust the iCloud escrow) and want to be sure that a stolen or accessed Mac will never give up your private data and other secrets, enabling FileVault provides just one more layer of protection.
This Mac 911 article is in response to a question submitted by Macworld reader Derek.
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently, along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to mac911@macworld.com, including screen captures as appropriate and whether you want your full name used. Not every question will be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.