
Manage FileVault
Mac automatically encrypts user data. Turning on FileVault adds another layer of security by requiring a login password to decrypt user data, even if someone has physical access to the Mac.
macOS Recovery contains tools and utilities that an administrator uses to manage accounts and security on the Mac. FileVault protects macOS Recovery from access by anyone who is not an administrator on the Mac.
Note: FileVault can be managed by a device management service. A device management administrator can turn on FileVault and the service can store the recovery key.
To turn on FileVault, the user must be an administrator on the Mac. When they turn on FileVault, they choose how they want to unlock the startup disk if they don’t have the password:
iCloud and password: This choice is convenient if they’re using iCloud or plan to set it up, so they don’t need to keep track of a separate recovery key.
Recovery key: The key is a string of letters and numbers created for the user. A copy of the key should be kept somewhere other than the encrypted startup disk. If they write the key down, they should copy the letters and numbers exactly as shown. They should then keep the key somewhere safe and memorable, but not in the same physical location as the Mac, where it can be discovered.
WARNING: Don’t forget the recovery key. If they turn on FileVault and then forget their login password and can’t reset it, and they also forget their recovery key, they won’t be able to log in, and their files and settings will be lost forever. If FileVault is not being managed by a device management service, they can view the recovery key by going to System Settings > Privacy & Security > FileVault, then clicking the Show button in Recovery in Password Reset.
Turn on FileVault
Either you or the user can complete this task:
On the Mac, choose Apple menu > System Settings, then click Privacy & Security in the sidebar.
Click FileVault. (You might need to scroll down.)
Click Turn On.
You might be asked to enter the password.
Choose how to unlock the disk and reset the login password if you forget it:
iCloud account: Click “Allow my iCloud account to unlock my disk” if the user already uses iCloud. Click “Set up my iCloud account to reset my password” if they don’t already use iCloud.
Recovery key: Click “Create a recovery key and do not use my iCloud account.” Write down the recovery key and keep it in a safe place.
Click Continue.
If the Mac has additional users, their information is also encrypted. Users unlock the encrypted disk with their login password.
If there’s an Enable Users button, you must enter a user’s login password before they can unlock the encrypted disk. Click Enable Users, select a user, enter the login password, click OK, then click Continue.
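To confirm the result of the steps above from Terminal, the following added example (not part of the original page) uses the macOS fdesetup tool to report whether FileVault is on, whether a recovery key exists, and which expected users are not yet enabled to unlock the disk. The function names are hypothetical and the output formats they parse are assumptions based on typical fdesetup output; run the script with sudo and pass the short user names to check as arguments.

```shell
#!/bin/sh
# Added example: audit FileVault after turning it on.
# Assumes the macOS fdesetup tool; helper names are hypothetical.

# filevault_state TEXT: classify the text printed by `fdesetup status`.
# Prints one of: on, off, encrypting, unknown.
filevault_state() {
    case "$1" in
        *"Encryption in progress"*) echo encrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# missing_users LIST USER...: LIST is the text printed by `fdesetup list`
# (assumed format: one "shortname,UUID" line per enabled user).
# Prints each USER that is not enabled to unlock the disk.
missing_users() {
    list=$1
    shift
    for u in "$@"; do
        printf '%s\n' "$list" | cut -d, -f1 | grep -qxF -- "$u" \
            || printf '%s\n' "$u"
    done
}

# Live audit: runs only where fdesetup exists (that is, on a Mac).
if command -v fdesetup >/dev/null 2>&1; then
    echo "FileVault state: $(filevault_state "$(fdesetup status)")"
    # Prints true or false; needs root, so fall back to "unknown".
    echo "Recovery key set: $(fdesetup haspersonalrecoverykey 2>/dev/null \
        || echo unknown)"
    if [ "$#" -gt 0 ]; then
        enabled=$(fdesetup list 2>/dev/null || true)
        for u in $(missing_users "$enabled" "$@"); do
            echo "Not enabled to unlock the disk: $u"
        done
    fi
fi
```

Any user reported as not enabled corresponds to the Enable Users step: they cannot unlock the encrypted disk until an administrator enables them with their login password.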