Introduction / Why This Is Needed
FileVault is macOS's built-in full-disk encryption system (XTS-AES-128 with a 256-bit key). It automatically encrypts all data on your Mac's internal drive in real-time, requiring no further action from the user once enabled.
Enabling FileVault is critical for security if you:
- Carry your Mac with you (laptop, MacBook).
- Store confidential data on the device (documents, photos, work information).
- Work in an environment where physical access by third parties is possible.
If your device is lost or stolen, an encrypted disk without the key (password) is virtually useless to an attacker. This guide will help you securely and quickly activate FileVault on modern versions of macOS.
Requirements / Preparation
Before you begin, ensure the following conditions are met:
- Operating System: macOS Ventura (13.x) or newer (Sonoma, Sequoia). The interface and location of settings may differ in older versions (Monterey, Big Sur).
- Account: You must be logged in with an account that has administrator privileges.
- Power: The initial encryption process can take anywhere from several minutes to several hours (depending on disk volume and data amount). The device must be connected to its power adapter for the entire duration of the encryption. You can pause the process by shutting down the Mac, but it's best to complete it in one session.
- Backup (Recommended): Although the encryption process is safe, as a precaution, ensure you have an up-to-date backup of important data (via Time Machine or another method).
- Recovery Key: Be prepared to securely store the Recovery Key if you do not plan to use iCloud for storage. Write it down in a password manager or on paper in a safe place.
Step-by-Step Instructions
Step 1: Opening FileVault Settings
- Click the Apple menu in the top-left corner of the screen.
- Select System Settings.
- In the sidebar, find and select the Privacy & Security section.
- Scroll down the list to the Security block.
- Click the FileVault item.
Step 2: Enabling FileVault and Choosing a Recovery Method
- In the FileVault window, you will see the current status (e.g., "FileVault is Off").
- Click the Turn On FileVault button.
- A window will appear prompting you to choose a recovery key method:
  - Save a copy of your recovery key to iCloud: Your Apple ID (if used for login) will store the key. This is the most convenient but less isolated option. If an attacker gains access to your iCloud account and password, they could obtain the key.
  - Create a recovery key manually: The system will generate a 24-character (or 20-character in older versions) key as a set of characters (e.g., abcd-efgh-ijkl-mnop-qrst-uvwx). You must write this down and store it in an absolutely secure place, separate from your Mac. Without this key, if you forget the administrator password, all data on the disk will be permanently lost.
- Make your selection and click Continue.
- If you chose the manual key, the system will display it on the screen. Carefully transcribe it (or take a photo, but store the photo separately from the computer) and click Continue.
Step 3: Starting Encryption and Waiting
- After selecting the method, the system will begin the encryption process. You will see a progress indicator (bar or percentage) in the FileVault window.
- Do not shut down or put your Mac to sleep during the initial encryption. Keep it connected to power.
- You can continue using your Mac while encryption is in progress. Performance may degrade slightly during active disk writes.
- Encryption time depends directly on:
  - The capacity of the internal drive (SSD).
  - The amount of existing data.
  - The drive's speed.
- A 512 GB SSD with ~200 GB of data typically takes 30-60 minutes.
Step 4: Checking Status and First Reboot
- When the progress bar reaches 100%, the status in the FileVault settings will change to "FileVault is On".
- A very important step: Restart your Mac (Apple menu → Restart).
- During the boot process, immediately after the startup chime, a password entry screen (or a Recovery Key prompt if the password is forgotten) should appear. This confirms that the disk is encrypted and the system is requesting the key to decrypt it before loading macOS.
- Enter the password for your administrator account. If everything is done correctly, the system will boot normally.
Verifying the Result
After a successful reboot:
- Open System Settings → Privacy & Security → FileVault again.
- Ensure the status now reads "FileVault is On" and also displays information about when encryption was completed.
- Try shutting down and starting up your Mac again. Confirm that during the boot phase (before the Apple logo appears), the system prompts for the administrator password.
Additional verification via Terminal (optional):
- Open Terminal.
- Enter the command:
  sudo fdesetup status
- Enter the administrator password when prompted.
- In the output, you will see "FileVault is On." or "FileVault is Off."
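To script the Terminal check above, the following added example (not part of the original guide) classifies the text printed by fdesetup status and returns a non-zero exit code unless encryption is complete. The function name, the exit codes and the "Encryption in progress" sample line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the text printed by `fdesetup status`.
# Prints a short verdict and returns 0 only when encryption is complete,
# so the function can gate a scripted compliance check.
classify_fv_status() {
    out=$1
    # Assumed progress-line format; see the constructed sample in demo().
    pct=$(printf '%s\n' "$out" |
        sed -n 's/.*Percent completed = \([0-9][0-9]*\).*/\1/p' | head -n 1)
    case $out in
        *"Decryption in progress"*) echo "decrypting ${pct:-?}"; return 2 ;;
        *"Encryption in progress"*) echo "encrypting ${pct:-?}"; return 2 ;;
        *"FileVault is On."*)       echo "encrypted";   return 0 ;;
        *"FileVault is Off."*)      echo "unencrypted"; return 1 ;;
        *)                          echo "unknown";     return 3 ;;
    esac
}

# Constructed sample outputs, not captured from a real machine.
demo() {
    for s in "FileVault is On." "FileVault is Off." \
        "FileVault is On.
Encryption in progress: Percent completed = 37"; do
        classify_fv_status "$s" || true
    done
}

# Live check only on a Mac and only as root (the guide runs it with sudo);
# anywhere else, fall back to the constructed samples.
if command -v fdesetup >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    classify_fv_status "$(fdesetup status)" || echo "disk not fully encrypted" >&2
else
    demo
fi
```

An in-progress state is deliberately reported as a failure, because data written before the initial encryption finishes is not yet protected at rest.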
Potential Issues
Error: "FileVault cannot be turned on"
- Cause: Lack of administrator privileges, or insufficient free space on the disk for temporary encryption files (~5-10% free space required).
- Solution: Ensure you are logged in as an administrator. Free up disk space (delete unnecessary files, empty the Trash) and try again.
Error: "Failed to create recovery key"
- Cause: Most often occurs when selecting "Save to iCloud" but iCloud login is not configured on the device, or there are network/account issues.
- Solution: Select the "Create a recovery key manually" option and be sure to record the generated key.
Forgotten administrator password and Recovery Key
- Cause: This is a critical situation. Without one of these keys, it is impossible to decrypt the disk and access the data.
- Solution: Unfortunately, in this case, the only option is to completely erase the disk and reinstall macOS. This will result in the permanent loss of all data. Always store the Recovery Key in a secure location.
Encryption process "stuck" at a certain percentage for a long time
- Cause: Active disk usage by other processes (background updates, Spotlight indexing, caching) can slow down encryption.
- Solution: Close all unnecessary applications and let the system idle. If the stall lasts unusually long (e.g., a day for a small amount of data), you can try restarting the Mac. The encryption process usually resumes from where it left off.
Mac does not ask for a password at startup after enabling FileVault
- Cause: On some Macs with Apple Silicon, if Automatic login is enabled in user settings, the system might bypass the disk password prompt.
- Solution: Disable automatic login. Go to System Settings → Users & Groups → click the Login Options button and select Off. Then restart your Mac.
Impact on Time Machine
- Cause: Time Machine backups to an external drive that is not encrypted may contain encrypted data, but the backup itself will not be encrypted. If you want to encrypt backups, you need to encrypt the Time Machine drive itself.
- Solution: This is not an error, but a feature. For full data security, you can additionally encrypt the Time Machine drive via Disk Utility.