FileVault encrypts the files in your home folder. Your home folder stores your documents, files on your desktop, personal settings, downloads and some application-related files like temporary files. The first time you use FileVault, all of these files will be encrypted. If your computer is lost or stolen, the files in your home folder remain protected as long as your login password remains known only to you.
- You must have a known good backup of your home folder. If you use TSM, run an incremental backup. If you use Time Machine, run a Back Up Now.
- The amount of time it takes to encrypt your home folder depends on its size. On average, you can plan on it taking between 2 and 4 hours to work its magic.
- You'll need some free disk space - a little over 2x the size of your current home folder.
- Any files that must be protected, or that you intend to protect, need to stay in your home folder or in folders beneath it (like Documents or your desktop) to remain encrypted. Files in /Applications, /tmp or somewhere else on your hard drive are not encrypted. This will always apply while using FileVault, so keep this in mind.
- You'll need to be an administrator on your computer.
You must enable both a screen saver password and a wake-from-sleep password for FileVault to be effective. Without a password protecting the computer upon wake-from-sleep or wake-from-screen saver, anyone who finds or takes your computer while it's running will have access to everything on it.
Open System Preferences | Security | General and check 'Require password... after sleep or screen saver begins'.
To speed up the encryption process, you might want to move large folders like Music, Pictures and Movies out of your home folder first (unless you have sensitive music), and move them back in after the process completes. If you need assistance moving files out of your home folder, contact your local support or the helpdesk.
Now may be a good time to clean house and delete files you don't need (e.g. in your Downloads folder). Check that your trash is emptied.
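The disk space requirement can be checked before you start. The script below is an added example, not part of the original page and not an Apple tool: it compares free space with the "a little over 2x" rule and reports whether moving Music, Pictures and Movies out of the home folder first would make the difference. The 5% margin, the function names and the assumption that moved folders stay on the same disk are choices made for this example.

```shell
#!/bin/sh
# Added example: pre-flight disk space check before turning on FileVault.
# Page rule: free space must be a little over 2x the home folder size.

# Assumption: "a little over" is modelled as an extra 5% of the home size.
MARGIN_PCT=${MARGIN_PCT:-5}

# Size of a directory in KB (0 if it does not exist).
dir_kb() {
    [ -d "$1" ] || { echo 0; return 0; }
    du -sk "$1" 2>/dev/null | awk '{print $1}'
}

# Free KB on the volume holding the given path.
free_kb() {
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

# Free KB required to encrypt a home folder of the given size in KB.
required_kb() {
    echo $(( $1 * 2 + $1 * $MARGIN_PCT / 100 ))
}

# Args: home_kb movable_kb free_kb. Prints ok, ok-after-move or insufficient.
# Assumption: folders moved out stay on the same disk, so free space does
# not grow; only the amount FileVault has to encrypt shrinks.
space_verdict() {
    rest=$(( $1 - $2 ))
    if [ "$3" -ge "$(required_kb "$1")" ]; then
        echo ok
    elif [ "$3" -ge "$(required_kb "$rest")" ]; then
        echo ok-after-move
    else
        echo insufficient
    fi
}

# Measure a real home folder and print the figures plus the verdict.
preflight() {
    h=${1:-$HOME}
    home=$(dir_kb "$h"); movable=0
    for d in Music Pictures Movies; do
        movable=$(( movable + $(dir_kb "$h/$d") ))
    done
    free=$(free_kb "$h")
    echo "home=${home}KB movable=${movable}KB free=${free}KB required=$(required_kb "$home")KB"
    space_verdict "$home" "$movable" "$free"
}

# Run the check only when asked, e.g.: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then preflight "${2:-$HOME}"; fi
```

A verdict of `ok-after-move` means FileVault would refuse to start as things stand, but should have room once the three media folders are out of the home folder.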
If you use TSM for backups, scroll down to TSM & FileVault.
If you use Time Machine for backups, scroll down to Time Machine & FileVault.
Verify, once again, that you have a known good backup of your home folder.
- Open your System Preferences panel and click Security.
- On the General tab, check 'Require password immediately after sleep or screen saver begins', 'Disable automatic login' and 'Secure virtual memory'
- Click the FileVault tab.
- Click Set Master Password.... This password can be used to unlock all FileVault accounts on your computer. If you have DITR support, they will set this password for you while setting up FileVault. It's a feature that's intended to provide recovery for accounts. Set this password to something you won't forget, but that is different from your local account password. Do not lose or forget this password; if you forget both your login password and this password, your home folder will be lost.
- Click Turn On FileVault... Make sure that Use secure virtual memory is selected.
Use 'Use secure erase' with caution: if you have a large home folder, secure erase - because it makes 3 wipes of each file - can take an extremely long time (tens of hours for a 50GB home folder). Seek your local support or call the helpdesk for guidance if you have sensitive data to protect and have a large home folder.
- Enter your login password; you'll be logged out and FileVault will begin encrypting your home folder.
If you don't have enough disk space available (you need 2x the size of your home folder), you'll receive this message when you try to use FileVault:
If you forget your login password you'll need to use the master password to log back in to your account. From there, you can reset your account password. If you don't know your computer's master password, speak to your local support staff if they set FileVault up for you. If they don't know the master password, your home folder will be lost.
To reset your password for a FileVault encrypted home folder:
- Click Forgot Password at the login prompt.
- Enter (or have your support staff enter) the master password.
- You'll be prompted to enter a new password for your account.
You'll need to make a small change to TSM in order for backups to work properly once FileVault is finished encrypting your home directory. In the TSM application, your home directory will now appear under the Removable section. This is because your home directory has, for all intents and purposes, become mountable and unmountable, just like a .dmg. It now is a sparse bundle - a single file that's encrypted and contains all of your files. When you're logged in, it's mounted and readable by you (and any programs you run, like TSM). When logged out, it appears as a single .sparsebundle file.
- In the TSM application, under your nodename, expand the Removable section.
- Place a check on your home directory name or, if you don't want all files and folders in your home directory backed up, expand it and select the folders you'd like backed up individually.
Because both Time Machine and FileVault are native OS X applications built by Apple, they need to meet everyone's needs. When Time Machine backs up your home folder on OS X 10.5 and up, it backs up the portions of your encrypted home folder that have changed (into an encrypted image called a sparsebundle). It's important to note that Time Machine runs a backup only when you log out, due to the mechanics Apple uses to maintain consistency. Logging out to back up isn't the most convenient, especially for those not in the habit of logging out, but it's a good practice to adopt - your encrypted home folder is safest when you're logged out.
Your Time Machine backups do remain encrypted on the drive you're using to back up. One caveat to using Time Machine with FileVault is that you can't restore only a single file using Time Machine's "Enter Time Machine". While using Time Machine's interface, you can only restore an entire home folder from a point in time - the last time you logged out and Time Machine completed its backup. Methods to retrieve a single file do exist; however, while not terribly difficult, they are not supported by Apple.
AES-256 which is very good.