Configure FileVault to encrypt your hard disk
Introduction
Without disk encryption, anyone who has physical access to a computer can read all the data stored on its fixed (HDD or SSD) disks, including documents and emails stored in the local copy of the user's mailbox. This is particularly relevant to portable computers, which may be lost or stolen.
Starting with version 10.7, macOS has a full disk encryption technology called FileVault built into the operating system. This document presents the configuration steps to enable FileVault to encrypt the fixed disks in your Mac computer. Before deciding whether to encrypt the disk or not, please note the following side effects of disk encryption.
Side effects of disk encryption
Disk encryption makes it impossible to access the data on the disk without first decrypting it. As a side effect, you may be unable to access your data if:
- You forget your password
- Your computer hardware is damaged
- Your computer’s firmware is updated
- You want to access your disk from a different computer
At the same time, the recovery key may be used to decrypt the disk.
It is essential to save the recovery key, and store it in a secure place. It is also essential to properly back up all important data stored on your computer's hard drive before enabling disk encryption.
Manual configuration or Mac Self-Service configuration?
FileVault can be configured manually through System Preferences. In that case you will have to keep the recovery key safe yourself. If you lose the recovery key and forget your password, no one will be able to provide access to your hard drive anymore.
To avoid this kind of situation you can use the "FileVault (Disk encryption) Activation" action in Mac Self-Service, which will allow you to configure FileVault easily and, most importantly, will store your recovery key in a safe place.
It is possible to store a backup of your recovery key in iCloud; however, we recommend configuring FileVault via Mac Self-Service and not using this option.
Please note that
- the disk encryption will only happen after the next reboot following the request for the encryption
- the recovery key will only be saved on the server once the encryption is finished. Make sure you don't disable Mac Self-Service before the recovery key has been stored on our server.
In case of need (if you forget your password for example) you will be able to get your recovery key by opening a ticket with the Service-Desk.
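The status check below is an added example, not part of the original instructions: it classifies the output of the macOS `fdesetup status` command to tell whether the requested encryption is still pending, running or finished. The sample status texts are constructed, and their exact wording is an assumption about what `fdesetup` prints.

```sh
#!/bin/sh
# Added example: classify `fdesetup status` output. The sample texts below are
# constructed; their wording is an assumption about what fdesetup prints.
SAMPLE_OFF='FileVault is Off.'
SAMPLE_PENDING="FileVault is Off.
Deferred enablement appears to be active for user 'jdoe'."
SAMPLE_PROGRESS='FileVault is On.
Encryption in progress: Percent completed = 42'
SAMPLE_DONE='FileVault is On.'

# Map status text to one state. Progress and deferred lines are tested first
# because they appear together with an On/Off line.
filevault_state() {
    case $1 in
        *"Encryption in progress"*) echo encrypting ;;
        *"Decryption in progress"*) echo decrypting ;;
        *"Deferred enablement"*)    echo pending ;;
        *"FileVault is On"*)        echo encrypted ;;
        *"FileVault is Off"*)       echo not-encrypted ;;
        *)                          echo unknown ;;
    esac
}

# Print the completion percentage, or nothing when no progress line is present.
filevault_percent() {
    printf '%s\n' "$1" | sed -n 's/.*Percent completed = \([0-9.]*\).*/\1/p'
}

# Succeeds only when encryption has finished. This is the earliest point at
# which the recovery key can be saved on the server, not proof that it was.
encryption_finished() {
    [ "$(filevault_state "$1")" = encrypted ]
}

if command -v fdesetup >/dev/null 2>&1; then
    status_text=$(fdesetup status 2>/dev/null || true)
else
    status_text=$SAMPLE_PROGRESS   # fdesetup not available: constructed sample
fi
echo "state: $(filevault_state "$status_text")"
pct=$(filevault_percent "$status_text")
if [ -n "$pct" ]; then echo "progress: ${pct}%"; fi
if encryption_finished "$status_text"; then
    echo "Encryption finished; the recovery key can now be saved on the server."
else
    echo "Encryption not finished; keep Mac Self-Service enabled."
fi
```

A result of `encrypted` only means the disk is fully encrypted; whether the recovery key has reached the server still has to be confirmed separately.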