macOS Sierra: Encrypt the contents of your Mac with FileVault
You can use FileVault to encrypt the information on your Mac. FileVault encodes the data on your startup disk so that unauthorized users, apps, or utilities can’t access your information. For more information about FileVault, see About FileVault encryption.
To set up FileVault, you must be an administrator. When you turn on FileVault, you choose how you want to unlock your startup disk if you ever forget your password: using your iCloud account and password, or using a recovery key that’s created for you. If you choose the recovery key, keep a copy of the key somewhere other than your encrypted startup disk. If you write the key down, be sure to exactly copy the letters and numbers that are shown, and keep it somewhere safe that you’ll remember—but not in the same physical location as your Mac, where it can be discovered. If your Mac is at a business or school, your institution can also set a recovery key to unlock it.
WARNING: Don’t forget your recovery key. If you turn on FileVault and then forget your login password and can’t reset it, and you also forget your recovery key, you won’t be able to log in and your files and settings will be lost forever.
FileVault encryption can’t be used with some highly partitioned disk configurations, such as RAID disk sets.
Important: After you turn on FileVault and the encryption begins, you can’t turn off FileVault until the initial encryption is complete. Encryption can take a long time, depending on the amount of data stored on your computer, but you can continue to use your computer as you normally do. Once the encryption process is complete, you can turn off FileVault.
Choose Apple menu > System Preferences, click Security & Privacy, then click FileVault.
Click the lock icon to unlock it, then enter an administrator name and password.
Click Turn On FileVault.
If a message says your computer needs to restart, click Restart. After restarting, log in and return to the FileVault pane.
Choose how to unlock your disk and reset your login password if you forget it:
Use your iCloud account: Click “Allow my iCloud account to unlock my disk.”
Create a recovery key: Click “Create a recovery key and do not use my iCloud account.” Write down the recovery key and keep it in a safe place.
If your Mac has multiple users, click Enable Users, click Enable User and enter the login password (or have the user enter it) for each user that you want to allow to login after the Mac starts up, then click OK.
If you don’t allow a user to log in after startup, an administrator must log in before the user does.
After you restart, encryption begins. It may take some time to encrypt your information, depending on how much is stored. However you can use your Mac as usual while your information is being encrypted.
Note: If you see an alert message that encryption has been paused, your Mac may have detected a problem that could keep the encryption from completing successfully. For example, if your portable computer is not plugged into an electrical outlet, the encryption process may pause until the power plug is connected.