Use FileVault to encrypt your Mac startup disk

FileVault full-disk encryption uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk. 

Turn FileVault on or off

When FileVault is turned on, your Mac requires your user account password to unlock your built-in startup disk and allow your Mac to finish starting up. No user account is permitted to log in automatically. Follow the appropriate steps based on the version of macOS you're using.

macOS Ventura or later

  1. Choose Apple menu  > System Settings.
  2. Click Privacy & Security in the sidebar.
  3. Scroll down to the FileVault section on the right, then click Turn On or Turn Off.

Earlier versions of macOS

  1. Choose Apple menu  > System Preferences, then click Security & Privacy.
  2. Click the FileVault tab.
  3. Click the lock Locked and enter an administrator name and password.
  4. Click Turn On FileVault or Turn Off FileVault.


When you turn on FileVault, you can choose how you want to be able to unlock your disk and reset your password in case you ever forget your password. For example, you can use your iCloud account or use a recovery key. Learn more about these options.

If other users have accounts on your Mac, you're prompted to enable each user and enter their password before they can unlock the disk. User accounts added after turning on FileVault are automatically enabled.

If you lose both your account password and your FileVault recovery key, you won't be able to log in to your Mac or access the data on your startup disk.

Change your recovery key or reset your password

To change the recovery key used to encrypt your startup disk, first turn off FileVault, which requires your account password. You can then turn it on again to generate a new key and disable all older keys.

If you forget your account password or it doesn't work, you might be able to reset your password.

Published Date: