uog logo
School of Physics and Astronomy – computing
phas it logo

Contents

Enabling full-disk encryption on macOS

The most straightforward case is where you wish to enable full-disk encryption (FDE), optionally with a recovery key, and this is described below. Variants are described after that.

For further details, including a discussion of other operations. see Apple’s FileVault 2 overview.

The end-state of the instructions below is:

Enabling full-disk encryption §

To enable full-disk encryption on macOS, perform the following steps. This process can potentially take quite a long time – hours – and will involve a reboot (how long, exactly, depends on how much disk space you're using; it seems to take very roughly a minute per GB). You can continue to work after the machine has started encrypting, but you shouldn't interrupt the process.

Make sure

1. Go to the FileVault preferences panel

Go to ‘System Preferences’ » ‘Security & Privacy’, and click the lock at the bottom to enable changes; this will ask you to enter your password; do so. Afterwards, the panel should look like this:

FileVault panel ready for encryption

2. Click on ‘Turn on FileVault...’

At this point, the machine will do nothing, and be rather unresponsive, for 30s or so, which feels alarmingly long, if you're not expecting it. It will then reboot itself.

3. Wait

After the machine has rebooted, the ‘Security & Privacy’ preferences panel will re-open. After another alarmingly long pause, it will show that it has started encrypting, and give an estimate of how long the process will take.

At this point, you can carry on working (if you wish), while the machine busies itself encrypting your disk.

After the process has completed, your disk is encrypted.

During the process, you may (slightly depending on your version of macOS) have been prompted to write down a ‘recovery key’, which looks like

0123-4567-89AB-CDEF-0123-4567

Write this key down somewhere secure. Local IT staff are willing to store these keys securely, in case of accidents: email it to phas-encrypt@glasgow.ac.uk.

At this point there are two decryption passwords, either one of which can decrypt your disk: one is the same as your login password, and the other is this ‘recovery key’.

You're sorted.

Alternative: Adding a recovery key §

You may find it useful to add a recovery key, which can decrypt the disk if you forget your login password. Such a key should have been added automatically if you followed the procedure above. If you have forgotten that key, however, or wish to add a key in addition to this, then you can add it this way.

Open a Terminal. On macOS 10.13 and later:

% sudo fdesetup changerecovery -personal
Password:
Enter the user name:fredbloggs
Enter the password for user 'fredbloggs':
New personal recovery key = 'XXXX-...-XXXX'
%

Older macOS versions have a rather confusing password prompt:

% sudo fdesetup changerecovery -personal
Password:
Enter a password for '/':
New personal recovery key = 'XXXX-...-XXX'
%

In each case, the first password prompt is for the sudo command. You need to enter the same login password twice, at the two prompts.

Write down the generated recovery key (remember to clearly distinguish zero and capital-O), and store it somewhere safe.

Checking the recovery key §

If you want to check you have transcribed the recovery key correctly, then, in a Terminal:

% sudo fdesetup validaterecovery
Enter the current recovery key: <XXXX-XXXX-....>
true
%

You may need to type in your login password first, for the sudo command, if it gives you a Password: prompt. When you type in the key, it must be typed in uppercase letters, and including the dashes.

You can confirm the status of the keys with

% fdesetup status

This is another operation concerning which it might be worth consulting local IT staff.