Published 2024-04-10 by TechNet New England
FileVault is the built-in full-disk encryption feature in macOS. When enabled, all data on your Mac is encrypted and protected by your login password. If someone steals your Mac or removes the drive, they cannot read your data without the password.

## Why Enable FileVault

- **Data protection.** If your Mac is lost or stolen, the data is unreadable without your password.
- **Compliance.** Many organizations require disk encryption for devices that handle sensitive data (FERPA, HIPAA, PCI, state privacy laws).
- **It is free.** FileVault is built into macOS. No additional software or licenses needed.
- **Minimal performance impact.** On modern Macs with Apple Silicon or T2 chips, FileVault has virtually no performance impact because the hardware handles encryption natively.

## How to Enable FileVault

1. Open **System Settings > Privacy and Security**.
2. Scroll down to **FileVault**.
3. Click **Turn On**.
4. Choose a recovery method:
   - **iCloud account:** Your Apple ID can unlock the disk if you forget your password. This is the simplest option for personal Macs.
   - **Recovery key:** A 24-character key is generated. You must write this down and store it securely. If you lose both your password and the recovery key, your data is permanently inaccessible.
5. Click **Continue**.
6. Encryption begins in the background. You can use your Mac normally while it encrypts.

On modern Macs (Apple Silicon, T2 chip), encryption is nearly instant because the hardware already encrypts data by default. FileVault activates the protection layer on top.

## Recovery Key

If you choose the recovery key option, store it:

- In a password manager.
- In a physically secure location (a safe, a locked drawer).
- With your IT provider (they should store it in their documentation system).

**Do not store the recovery key on the Mac itself.** That defeats the purpose.

**Do not store it in iCloud Notes or email.** If your Apple ID is compromised, the attacker could access the key.

## For Managed Macs

If your Mac is managed by an organization through Jamf, Mosyle, or another MDM platform:

- FileVault may be enabled automatically by policy.
- The recovery key is typically escrowed (stored) in the MDM platform so your IT provider can recover the Mac if needed.
- You do not need to manage the recovery key yourself.

Check with your IT provider to confirm FileVault is enabled and the recovery key is stored.

## How to Check If FileVault Is Enabled

1. Open **System Settings > Privacy and Security > FileVault**.
2. It will say either "FileVault is turned on" or "FileVault is turned off."

Or from Terminal:

```bash
fdesetup status
```

## Disabling FileVault

If you need to turn off FileVault (not recommended unless required for a specific reason):

1. Go to **System Settings > Privacy and Security > FileVault**.
2. Click **Turn Off**.
3. Decryption begins in the background.

On managed Macs, you may not be able to disable FileVault. The toggle may be grayed out or controlled by your organization.
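
A scripted version of the Terminal check from "How to Check If FileVault Is Enabled", added here as an example and not part of the original guide: it classifies `fdesetup status` output and treats a disk that is still encrypting or decrypting in the background as not yet fully protected. The function names and sample strings are constructed for illustration, and the matched wording is an assumption about what `fdesetup status` prints, which can differ between macOS versions.

```shell
#!/bin/sh
# Added example. Sample strings below are constructed, not captured from a Mac.
SAMPLE_ON='FileVault is On.'
SAMPLE_ENCRYPTING='FileVault is On.
Encryption in progress: Percent completed = 42'
SAMPLE_OFF='FileVault is Off.'

# Map `fdesetup status` text to one word:
# on | encrypting | decrypting | off | unknown.
# Progress lines are tested first because they appear alongside an On/Off line.
# The matched wording is an assumption about fdesetup's output.
filevault_state() {
    case "$1" in
        *"Encryption in progress"*) echo "encrypting" ;;
        *"Decryption in progress"*) echo "decrypting" ;;
        *"FileVault is On."*)       echo "on" ;;
        *"FileVault is Off."*)      echo "off" ;;
        *)                          echo "unknown" ;;
    esac
}

# Succeeds only when encryption is fully on; unrecognized output fails closed.
filevault_compliant() {
    [ "$(filevault_state "$1")" = "on" ]
}

# Offline demonstration over the constructed samples.
for sample in "$SAMPLE_ON" "$SAMPLE_ENCRYPTING" "$SAMPLE_OFF"; do
    if filevault_compliant "$sample"; then verdict="compliant"; else verdict="finding"; fi
    echo "$(filevault_state "$sample"): $verdict"
done

# Live check, only where fdesetup exists (macOS).
if command -v fdesetup >/dev/null 2>&1; then
    live_status="$(fdesetup status 2>&1 || true)"
    echo "This Mac: $(filevault_state "$live_status")"
    filevault_compliant "$live_status" || echo "FileVault is not fully on." >&2
fi
```

On a Mac the last block reports the live state; elsewhere only the constructed samples are classified.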