FileVault is a disk encryption program in Mac OS X 10.3 (2003) and later. It performs on-the-fly encryption with volumes on Mac computers.
Versions and key features
FileVault was introduced with Mac OS X Panther (10.3), and could only be applied to a user's home directory, not the startup volume. The operating system uses an encrypted sparse disk image (a large single file) to present a volume for the home directory. Mac OS X Leopard and Mac OS X Snow Leopard use more modern sparse bundle disk images which spread the data over 8 MB files (called bands) within a bundle. Apple refers to this original iteration of FileVault as legacy FileVault.
Mac OS X Lion (2011) and newer offer FileVault 2, which is a significant redesign. This encrypts the entire OS X startup volume and typically includes the home directory, abandoning the disk image approach. For this approach to disk encryption, authorised users' information is loaded from a separate non-encrypted boot volume (partition/slice type Apple_Boot).
The original version of FileVault was added in Mac OS X Panther to encrypt a user's home directory.
Master passwords and recovery keys
When FileVault is enabled the system invites the user to create a master password for the computer. If a user password is forgotten, the master password or recovery key may be used to decrypt the files instead.
Migration of FileVault home directories is subject to two limitations:
- there must be no prior migration to the target computer
- the target must have no existing user accounts.
If Migration Assistant has already been used or if there are user accounts on the target:
- before migration, FileVault must be disabled at the source.
If FileVault data is transferred from a previous Mac running 10.4 to a new machine using the built-in utility, the data continues to be stored in the old sparse image format, and the user must turn FileVault off and then on again to re-encrypt in the new sparse bundle format.
Instead of using FileVault to encrypt the home directory, a user can create an encrypted disk image with Disk Utility and store any subset of the home directory in it (for example, ~/Documents/private). This encrypted image behaves similarly to a FileVault encrypted home directory, but is under the user's maintenance.
Encrypting only a part of a user's home directory might be problematic when applications need access to the encrypted files, which will not be available until the user mounts the encrypted image. This can be mitigated to a certain extent by making symbolic links for these specific files.
Limitations and issues
- These limitations apply to versions of Mac OS X prior to v10.7 only.
Without Mac OS X Server, Time Machine will back up a FileVault home directory only while the user is logged out. In such cases, Time Machine is limited to backing up the home directory in its entirety. Using Mac OS X Server as a Time Machine destination, backups of FileVault home directories occur while users are logged in.
Because FileVault restricts the ways in which other users' processes can access the user's content, some third party backup solutions can back up the contents of a user's FileVault home directory only if other parts of the computer (including other users' home directories) are excluded.
Several shortcomings were identified in Legacy FileVault. Its security can be broken by cracking either 1024-bit RSA or 3DES-EDE.
Legacy FileVault used the CBC mode of operation (see disk encryption theory); FileVault 2 uses the stronger XTS-AES mode. Another issue is storage of keys in the macOS 'safe sleep' mode. A study published in 2008 found data remanence in dynamic random-access memory (DRAM), with data retention of seconds to minutes at room temperature and much longer times when memory chips were cooled to low temperature. The study authors were able to use a cold boot attack to recover cryptographic keys for several popular disk encryption systems, including FileVault, by taking advantage of redundancy in the way keys are stored after they have been expanded for efficient use, such as in key scheduling. The authors recommend that computers be powered down, rather than left in a 'sleep' state, when not under the owner's physical control.
Early versions of FileVault automatically stored the user's passphrase in the system keychain, requiring the user to notice and manually disable this security hole.
In 2006, following a talk at the 23rd Chaos Communication Congress titled Unlocking FileVault: An Analysis of Apple's Encrypted Disk Storage System, Jacob Appelbaum & Ralf-Philipp Weinmann released VileFault which decrypts encrypted Mac OS X disk image files.
A free space wipe using Disk Utility left a large portion of previously deleted file remnants intact. Similarly, FileVault compact operations only wiped small parts of previously deleted data.
FileVault uses the user's login password as the encryption pass phrase. It uses the XTS-AES mode of AES with 128 bit blocks and a 256 bit key to encrypt the disk, as recommended by NIST. Only unlock-enabled users can start or unlock the drive. Once unlocked, other users may also use the computer until it is shut down.
The I/O performance penalty for using FileVault 2 was found to be around 3% when using CPUs with the AES instruction set, such as the Intel Core i, and MacOS 10.10.3. Performance deterioration will be larger for CPUs without this instruction set, such as older Core CPUs.
Master passwords and recovery keys
When FileVault 2 is enabled while the system is running, the system creates and displays a recovery key for the computer, and offers the user the option to store the key with Apple. The 120 bit recovery key is encoded with all letters and numbers 1 through 9, and is read from /dev/random; it therefore relies on the security of the PRNG used in macOS. A cryptanalysis in 2012 found this mechanism safe.
Changing the recovery key is not possible without re-encrypting the FileVault volume.
Users of FileVault 2 in OS X 10.9 and above can validate that their key works by running sudo fdesetup validaterecovery in Terminal after encryption has finished. The key must be in the form xxxx-xxxx-xxxx-xxxx-xxxx-xxxx, and the command will return true if the key is correct.
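A shape pre-check for recovery keys, following the key description above (six hyphen-separated groups of four, letters plus digits 1 through 9). This is an added example, not Apple's code or part of the original article; the function name and the sample keys are constructed, and it checks only the format, not whether a key unlocks the volume.

```shell
#!/bin/sh
# Added example: pre-check the shape of a FileVault 2 recovery key before it
# is escrowed or typed into `sudo fdesetup validaterecovery`.
# Assumption (from the article text): 6 groups of 4 symbols, A-Z and 1-9 only.
LC_ALL=C; export LC_ALL   # make the [A-Z] / [a-z] ranges byte-exact

# classify_recovery_key KEY -> prints a one-word verdict, returns 0 only for "ok"
classify_recovery_key() {
    key=$1
    # 24 symbols + 5 hyphens
    if [ "${#key}" -ne 29 ]; then
        echo "bad-length"; return 1
    fi
    # hyphens must sit exactly between the groups
    case $key in
        ????-????-????-????-????-????) ;;
        *) echo "bad-grouping"; return 1 ;;
    esac
    # '?' also matches '-', so confirm that exactly 5 hyphens were present
    symbols=$(printf '%s' "$key" | tr -d '-')
    if [ "${#symbols}" -ne 24 ]; then
        echo "bad-grouping"; return 1
    fi
    case $symbols in
        *0*)         echo "contains-zero"; return 1 ;;  # 0 is not in the alphabet; often a mistyped O
        *[a-z]*)     echo "lowercase";     return 1 ;;
        *[!A-Z1-9]*) echo "bad-symbol";    return 1 ;;
    esac
    echo "ok"
}

# Constructed sample keys (not real recovery keys).
for k in \
    'ABCD-EFGH-JKLM-NPQR-STUV-WXY1' \
    'ABCD-EFGH-JKLM-NPQR-STUV-WX01' \
    'abcd-efgh-jklm-npqr-stuv-wxy1' \
    'ABCDEFGH-JKLM-NPQR-STUV-WXY12' \
    'ABCD-EFGH-JKLM-NPQR-STUV'
do
    verdict=$(classify_recovery_key "$k") || true
    printf '%-32s %s\n' "$k" "$verdict"
done
```

A key that passes this check still has to be confirmed against the volume with fdesetup validaterecovery.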
Starting the OS with FileVault 2 without a user account
If a volume to be used for startup is erased and encrypted before clean installation of OS X 10.7.4 or 10.8:
- there is a password for the volume
- the clean system will immediately behave as if FileVault was enabled after installation
- there is no recovery key, no option to store the key with Apple (but the system will behave as if a key was created)
- when the computer is started, Disk Password will appear at the EfiLoginUI – this may be used to unlock the volume and start the system
- the running system will present the traditional login window.
Apple describes this type of approach as Disk Password-based DEK.
What you need to install Windows 10 on Mac
- MacBook introduced in 2015 or later
- MacBook Air introduced in 2012 or later
- MacBook Pro introduced in 2012 or later
- Mac mini introduced in 2012 or later
- iMac introduced in 2012 or later [1]
- iMac Pro (all models)
- Mac Pro introduced in 2013 or later
The latest macOS updates, which can include updates to Boot Camp Assistant. You will use Boot Camp Assistant to install Windows 10.
64GB or more free storage space on your Mac startup disk:
- Your Mac can have as little as 64GB of free storage space, but at least 128GB of free storage space provides the best experience. Automatic Windows updates require that much space or more.
- If you have an iMac Pro or Mac Pro with 128GB of memory (RAM) or more, your startup disk needs at least as much free storage space as your Mac has memory. [2]
An external USB flash drive with a storage capacity of 16GB or more, unless you're using a Mac that doesn't need a flash drive to install Windows.
A 64-bit version of Windows 10 Home or Windows 10 Pro on a disk image (ISO) or other installation media. If installing Windows on your Mac for the first time, this must be a full version of Windows, not an upgrade.
- If your copy of Windows came on a USB flash drive, or you have a Windows product key and no installation disc, download a Windows 10 disk image from Microsoft.
- If your copy of Windows came on a DVD, you might need to create a disk image of that DVD.
How to install Windows 10 on Mac
To install Windows, use Boot Camp Assistant, which is included with your Mac.
1. Use Boot Camp Assistant to create a Windows partition
Open Boot Camp Assistant, which is in the Utilities folder of your Applications folder. Then follow the onscreen instructions.
- If you're asked to insert a USB drive, plug your USB flash drive into your Mac. Boot Camp Assistant will use it to create a bootable USB drive for Windows installation.
- When Boot Camp Assistant asks you to set the size of the Windows partition, remember the minimum storage-space requirements in the previous section. Set a partition size that meets your needs, because you can't change its size later.
2. Format the Windows (BOOTCAMP) partition
When Boot Camp Assistant finishes, your Mac restarts to the Windows installer. If the installer asks where to install Windows, select the BOOTCAMP partition and click Format. In most cases, the installer selects and formats the BOOTCAMP partition automatically.
3. Install Windows
Unplug any external devices that aren't necessary during installation. Then click Next and follow the onscreen instructions to begin installing Windows.
4. Use the Boot Camp installer in Windows
After Windows installation completes, your Mac starts up in Windows and opens a "Welcome to the Boot Camp installer" window. Follow the onscreen instructions to install Boot Camp and Windows support software (drivers). You will be asked to restart when done.
- If the Boot Camp installer never opens, open the Boot Camp installer manually and use it to complete Boot Camp installation.
- If you have an external display connected to a Thunderbolt 3 port on your Mac, the display will be blank (black, gray, or blue) for up to 2 minutes during installation.
How to switch between Windows and macOS
Restart, then press and hold the Option (or Alt) ⌥ key during startup to switch between Windows and macOS.
If you have one of these Mac models using OS X El Capitan 10.11 or later, you don't need a USB flash drive to install Windows:
- MacBook introduced in 2015 or later
- MacBook Air introduced in 2017 or later [3]
- MacBook Pro introduced in 2015 or later [3]
- iMac introduced in 2015 or later
- iMac Pro (all models)
- Mac Pro introduced in late 2013
To remove Windows from your Mac, use Boot Camp Assistant, not any other utility.
For more information about using Windows on your Mac, open Boot Camp Assistant and click the Open Boot Camp Help button.
1. If you're using an iMac (Retina 5K, 27-inch, Late 2014) or iMac (27-inch, Late 2013) or iMac (27-inch, Late 2012) with a 3TB hard drive and macOS Mojave or later, learn about an alert you might see during installation.
2. For example, if your Mac has 128GB of memory, its startup disk must have at least 128GB of storage space available for Windows. To see how much memory your Mac has, choose Apple menu > About This Mac. To see how much storage space is available, click the Storage tab in the same window.
3. These Mac models were offered with 128GB hard drives as an option. Apple recommends 256GB or larger hard drives so that you can create a Boot Camp partition of at least 128GB.