For support: call extension 5-Help (212-305-4357) or email us

FileVault 2 for Macintosh

FileVault 2 is the native encryption program on Macintosh computers running OS 10.7 and higher. It meets Encryption Requirements for Macs used at CUMC that store, transmit or access confidential or sensitive data. FileVault 2 is not turned on by default; please review all information on this page before setting it up.
WARNING: The purpose of encryption is to make data unreadable if proper credentials are not provided. Issues including permanent loss of files can occur if you do not adequately prepare your computer and data before installing or beginning to use encryption.

How FileVault 2 Works
FileVault 2 uses full disk encryption with pre-boot authentication. Decryption happens transparently after you enter your Mac login and password; simply work on the computer as you normally would. After logout or shut down, everything is encrypted and cannot be read without an authorized login.
  • Since all files are decrypted on login, any files containing confidential or sensitive data must be individually re-encrypted if copied or moved. Saving to a CUMC IT managed network drive, encrypted USB key, or other removable encryption method is ok.
  • Your computer password must be strong and cannot be shared; for help see Apple's instructions for changing or resetting the password on an OS user account.
  • It is very important to remember your password correctly. Without it, only the recovery key can be used to decrypt data on the computer.
  • Automatic login on the Mac is disabled once FileVault 2 is set up.
  • Your computer login prompt will appear quickly after powering on, before the OS loads ("boot up"). Once you log in, the boot up and decryption processes will run, but this shouldn't take more than a few minutes.

Earlier Versions of FileVault and Mac OS Upgrades
Macintosh OS 10.4 through 10.6 offered FileVault 1; however, it only encrypted a user's home folder and did not support pre-boot authentication. Because of this, earlier versions do not meet most CUMC Encryption Requirements. To use FileVault 2, computers must be running Mac OS 10.7 or higher. IMPORTANT: if you were using FileVault with OS 10.6 or earlier, you should first turn off FileVault before upgrading the OS (see step by step instructions if needed).

Enabling FileVault 2

When FileVault 2 is first enabled, it encrypts all data stored on the computer's hard disk. This may take a few hours to complete depending on the amount of data. It is ok to use the computer during this time, though it may run more slowly.

Prior to enabling FileVault 2:
  • Make sure you have run a recent data backup as per CUMC requirements. If issues occur during initial encryption this may be the only way to regain corrupted files.
  • Close any applications or files that are open on the computer (you can use the computer after restart).
  • Make sure your Mac is using its power cord and not running off of battery power. Interruptions due to loss of power can result in corrupted files.
  • It is also highly recommended to first check for and repair any hard disk errors using Disk Utility.
Enabling FileVault 2:
  1. Open System Preferences from your dock or the Apple drop down menu in the upper right.
  2. Select the Security & Privacy icon.

    Security and Privacy in System Preferences

  3. Select the FileVault tab from the menu bar.

    FileVault in Security and Privacy

  4. If the padlock in the lower left corner is closed, click on it and type in the Mac's Admin password when prompted.
  5. Select the Turn On FileVault button in the upper right of the window.
    NOTE: If the Mac has multiple login accounts set up, you will see a list with a button to Enable User... next to each. Please see information on Apple's Use FileVault page for help.
  6. A window with your unique recovery key will appear. Copy it down carefully and store it in a safe, secure place off of your Mac. It is the only other way to gain access to your encrypted Mac if you forget your login password.

    FileVault 2 Recovery Key

  7. Click the Continue button once you have copied and secured your recovery key.
  8. At the next window, select the option to Create a recovery key and do not use my iCloud account, then click Continue.
    Apple does not have the required Business Associate Agreement with CUMC to store keys or information pertaining to confidential and sensitive data.

    Create a recovery key and do not use iCloud

  9. At the next prompt click the Restart button. The computer will restart and begin encrypting the full disk.
    • It is ok to use the computer while it is encrypting.
    • To view the status, return to the Security & Privacy option in System Preferences. It will show the approximate time remaining.

      FileVault Encryption Status

When the encryption process has completed, FileVault 2 will remain enabled. Keep in mind that while you are logged in to the Mac, data is not encrypted and can be read by anyone with access to it. Be sure to set up a screensaver and lock your screen so that a password is required if the computer is left unattended for a short period of time.
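
The encryption status shown in System Preferences can also be read from Terminal with the macOS `fdesetup status` command. The script below is an added example, not part of the original CUMC page. The function names and the sample status text are constructed for illustration, and the exact wording of the tool's output is an assumption noted in the comments.

```shell
#!/bin/sh
# Added example: classify `fdesetup status` text into a compliance state.
# Assumption: output says "FileVault is On." or "FileVault is Off." and, during
# conversion, adds "... in progress: Percent completed = N".

fv_state() {
    # $1 = full text printed by `fdesetup status`
    case "$1" in
        *"Decryption in progress"*) echo "decrypting" ;;
        *"Encryption in progress"*) echo "encrypting" ;;
        *"FileVault is On."*)       echo "encrypted" ;;
        *"FileVault is Off."*)      echo "off" ;;
        *)                          echo "unknown" ;;  # fail closed
    esac
}

fv_percent() {
    # Print the integer percent from "Percent completed = N", or nothing.
    printf '%s\n' "$1" | sed -n 's/.*Percent completed = \([0-9][0-9]*\).*/\1/p'
}

fv_compliant() {
    # Only a fully encrypted disk counts; an in-progress conversion does not.
    [ "$(fv_state "$1")" = "encrypted" ]
}

fv_report() {
    state=$(fv_state "$1")
    pct=$(fv_percent "$1")
    case "$state" in
        encrypting|decrypting) echo "$state (${pct:-?}% done): not yet compliant" ;;
        encrypted)             echo "encrypted: compliant" ;;
        *)                     echo "$state: not compliant" ;;
    esac
}

# On a Mac, check the live system; elsewhere, run on constructed sample text.
if command -v fdesetup >/dev/null 2>&1; then
    fv_report "$(fdesetup status 2>&1)"
else
    # Constructed sample, modelled on the tool's typical wording.
    fv_report "FileVault is On.
Encryption in progress: Percent completed = 42"
fi
```

Any status text the script does not recognise is reported as not compliant, so a change in the tool's wording produces a visible failure and not a false pass.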


Last updated 1/03/2019