Use FileVault to encrypt the startup disk on your Mac

FileVault helps prevent unauthorized access to documents and other important data stored on your startup disk.

About FileVault

You can use FileVault full disk encryption (FileVault 2) to help prevent access to documents and other data stored on your startup disk. FileVault uses XTS-AES 128 encryption. To use this feature, you need OS X Lion or later, and a working OS X Recovery volume on your startup disk.

Turn on FileVault

When you first set up your Mac, you might be asked if you want to turn on FileVault. You can check to see if FileVault is turned on in the Security & Privacy pane of System Preferences. 

If FileVault is turned off, you can use these steps to turn it on:

  1. From the Apple menu, choose System Preferences.
  2. Click the Security & Privacy icon in the System Preferences window.
  3. Click the FileVault tab.
  4. Click the lock icon and enter an administrator name and password.
  5. Click the "Turn On FileVault" button.

Enable users

If you enable FileVault on a Mac with more than one user account, you're asked to identify which users can unlock your startup disk as part of setup. Click Enable next to a user name to let that user log in to your Mac at startup. Then, enter the password for that account.

Users that you don't enable can't unlock the startup disk. These users aren't able to use your Mac until after an enabled user logs in.

Any new user accounts you create after you turn on FileVault are automatically enabled.

Choose a recovery option

When you enable FileVault on your startup disk, you can choose an option that helps you if you later forget your password:

  • In OS X Yosemite, you can store your FileVault key in iCloud. You can then use your iCloud account name and password to unlock your startup drive or reset your password. 
  • In OS X Mavericks, you can share your FileVault key with Apple by answering a set of security questions. You can then contact Apple Support if you forget your login password and need to decrypt your startup drive.
  • You can also create a recovery key that consists of a combination of numbers and letters. You can use this key to unlock your drive or disable FileVault. Keep a copy of this key somewhere other than your encrypted startup disk. If you write the key down, be sure to exactly copy the letters and numbers that are shown, and keep it somewhere safe that you'll remember. If your Mac is at a business or school, your institution can also set a recovery key to unlock it.

Your password and Recovery Key are very important. If you don't have access to your password or Recovery Key, you won't be able to log in or access any of the documents or other data stored on the startup disk of your Mac.

Restart your Mac

After you've set up FileVault, you're prompted to restart your Mac. After restarting, a login screen appears. Select your account name and enter your password to continue. This unlocks your startup disk and takes you to your desktop.

When FileVault is enabled you can't log in automatically. A password is always required when you start up your Mac so that OS X can unlock your startup disk. 

The first time you log in after turning on FileVault, encryption of your startup disk begins.

  • This initial encryption takes time, and it happens only while your Mac is plugged in to AC power. You can check encryption progress from the FileVault section of the Security & Privacy pane in System Preferences.
  • You can continue to use your Mac while encryption happens in the background.
  • Encryption pauses when your Mac is sleeping or turned off, and continues when your Mac is turned on.
  • Any new files you create are automatically encrypted as they're saved to your startup disk.

If you forget your password

When you turn on your Mac, you're prompted to select your user account and then enter your password. This unlocks your startup disk and automatically brings you to your desktop.

If you forget your password, follow the onscreen prompts that appear at the login screen to reset your password using your Apple ID or iCloud account. In OS X Yosemite, your password is automatically stored in iCloud if you turned on FileVault when you first set up your Mac.

If you set a Recovery Key, you can also enter it as your login password if you don't know the right password to log in. 

In OS X Yosemite, you can also reset the login password you use with FileVault by using the Reset Password Assistant:

  1. Start up your Mac.
  2. Leave your Mac at the login screen for 60 seconds until you see the forgotten password prompt appear.
  3. Press and hold the power button to turn off your Mac. 
  4. Press the power button again to turn your Mac back on.
  5. When the Reset Password window appears, follow the onscreen prompts to unlock your startup disk using your iCloud account or your FileVault Recovery Key. 
  6. When you're finished, move your pointer to the top of the screen to make the menu bar appear. Then, choose Restart from the Apple menu to restart your Mac normally.

Turn off FileVault

If you no longer want to encrypt your startup disk, you can turn off FileVault. You can still require a password to log in to your Mac, but turning off FileVault decrypts the files stored on your startup drive.

  1. From the Apple menu, choose System Preferences.
  2. Click the Security & Privacy icon in the System Preferences window.
  3. Click the FileVault tab.
  4. Click the lock icon and enter an administrator name and password.
  5. Click the "Turn Off FileVault" button.

You must then restart your Mac to turn off FileVault. After restarting, your startup disk is decrypted in the background. Decryption pauses if you sleep or turn off your Mac during this process, and continues when your Mac is powered on again. You can check decryption progress from the FileVault section of the Security & Privacy pane in System Preferences.
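The encryption and decryption progress described above can also be checked from Terminal, which is useful when auditing several Macs. The script below is an added example, not part of the original article: it assumes the `fdesetup` command-line tool included with OS X, and the status strings it matches are assumptions about that tool's output. The function names and sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the text printed by `fdesetup status`.
# The status strings matched below are assumptions about the tool's output.

# Reads status text on stdin; prints on | off | encrypting:<pct> |
# decrypting:<pct> | unknown.
classify_fv_status() {
    fv_text=$(cat)
    # Percent value from a "Percent completed = N" line, if present.
    fv_pct=$(printf '%s\n' "$fv_text" |
        sed -n 's/.*Percent completed = \([0-9.]*\).*/\1/p' | head -n 1)
    case "$fv_text" in
        # Check the in-progress states first: the On/Off line can
        # accompany them while conversion is still running.
        *"Encryption in progress"*) echo "encrypting:${fv_pct:-?}" ;;
        *"Decryption in progress"*) echo "decrypting:${fv_pct:-?}" ;;
        *"FileVault is On."*)       echo "on" ;;
        *"FileVault is Off."*)      echo "off" ;;
        *)                          echo "unknown" ;;
    esac
}

# Succeeds only when the startup disk is fully encrypted, so a disk that
# is still converting (or decrypting) is reported as not yet protected.
fv_compliant() {
    [ "$(classify_fv_status)" = "on" ]
}

# Constructed sample output (not captured from a real Mac).
SAMPLE_STATUS='FileVault is On.
Encryption in progress: Percent completed = 35'

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_STATUS" | classify_fv_status

# On a Mac, check the live state instead.
if command -v fdesetup >/dev/null 2>&1; then
    fdesetup status | classify_fv_status
fi
```

Treating an in-progress state as non-compliant matters because data on the startup disk is not fully protected until the initial encryption has finished.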

Change your Recovery Key

If you want to change the Recovery Key used to encrypt your startup disk, you need to turn FileVault off and back on again to generate a new key.

Turning FileVault back on provides you with a new recovery key and allows you to again specify which users can unlock your startup disk. You won't be able to use any older recovery keys to unlock your startup disk, so be sure to store the new key in iCloud, or write it down and keep it somewhere safe.

Learn more

Encrypting your startup disk requires OS X Recovery. In rare situations, you might receive an alert during installation of OS X that OS X Recovery could not be created. If this happens, you can't use FileVault full disk encryption until you correct this issue. See About OS X Recovery for more information.

Migrating a Legacy FileVault account

  • If you're using FileVault home directory encryption ("Legacy FileVault") in Mac OS X v10.6 Snow Leopard, you can upgrade to a later version of OS X and continue to use your FileVault-encrypted home directory. With a Legacy FileVault encrypted home directory, opening the Security & Privacy preference pane alerts you when you're using an older version of FileVault.
  • You can continue to use Legacy FileVault encryption in newer versions of OS X, but you can't enable it for additional user accounts. If you want to use the newer full disk encryption feature instead, turn off Legacy FileVault encryption from the Security & Privacy preference pane first.

If you choose to store your recovery key with Apple, be careful to choose security questions and answers that you can clearly convey to an AppleCare Advisor.

When storing your recovery key with Apple or iCloud, there is no guarantee that Apple will be able to provide your recovery key back to you.

Not all languages or regions are serviced by AppleCare or iCloud. Check the Apple Support website to see if you can retrieve your recovery key, should you need to. Not all AppleCare-supported regions provide support in every language. If you choose your preferred language, enable FileVault, and choose to store your key with Apple, your answers may be in languages and/or characters not supported by AppleCare.
