FileVault 2, introduced with OS X Lion, offers full disk encryption to protect your data and keep unauthorized users from retrieving information from your Mac's drive.
Once you encrypt your Mac's startup drive with FileVault 2, anyone who doesn't have the password or recovery key will be unable to log in to your Mac or access any of the files on the startup drive. Without the log-in password or recovery key, the data on your Mac's startup drive remains encrypted; in essence, it's a confusing scramble of information that makes no sense.
However, once your Mac boots up and you log in, the data on the Mac's startup drive is once again available. That's an important point to remember: once you unlock the encrypted startup drive by logging in, the data is readily available to anyone who has physical access to your Mac. The drive only returns to its locked, encrypted state when you shut down your Mac.
Apple says that FileVault 2, unlike the older version of FileVault introduced with OS X 10.3, is a full disk encryption system. That's almost correct, but there are a few caveats. First, OS X Lion's Recovery HD remains unencrypted, so anyone can boot to the Recovery partition at any time.
The second issue with FileVault 2 is that it only encrypts the startup drive. If you have additional drives or partitions, including a Windows partition created with Boot Camp, they will remain unencrypted. For these reasons, FileVault 2 may not meet the stringent security requirements of some organizations. It does, however, fully encrypt the Mac's startup partition, which is where most of us (and most applications) store important data and documents.
Setting Up FileVault 2
Even with its limitations, FileVault 2 provides XTS-AES 128 encryption for all of the data stored on a startup drive. For this reason, FileVault 2 is a good choice for anyone who is concerned about unauthorized individuals accessing their data.
Before you turn on FileVault 2, there are a few things to know. First, Apple's Recovery HD partition must be present on your startup drive. This is the normal state of affairs after installing OS X Lion, but if for some reason you removed the Recovery HD, or you received an error message during installation telling you that the Recovery HD wasn't installed, then you won't be able to use FileVault.
If you plan to use Boot Camp, be sure to turn FileVault 2 off when you use Boot Camp Assistant to partition and install Windows. Once Windows is functional, you can turn FileVault 2 back on.
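The following pre-flight check is an added example, not part of the original article. It reads `diskutil list` output and reports whether a Recovery HD partition exists and which partitions sit outside a CoreStorage container, and so are not covered by FileVault 2. The function names and the sample listing are constructed for illustration; the check assumes a converted FileVault 2 volume appears with the partition type Apple_CoreStorage.

```shell
#!/bin/sh
# Added example: FileVault 2 pre-flight check (illustrative names, not Apple's tooling).
# Reads `diskutil list` text on stdin and prints two lines:
#   recovery_hd=yes|no
#   outside_corestorage=<comma-separated slices FileVault 2 does not cover>
fv2_preflight() {
    awk '
        # Partition rows end in a slice identifier such as disk0s3;
        # whole-disk rows (disk0, or the unlocked logical volume disk1) are skipped.
        $NF ~ /^disk[0-9]+s[0-9]+$/ {
            if ($0 ~ /Apple_Boot/ && $0 ~ /Recovery HD/) { recovery = 1; next }
            # Boot helpers, the EFI slice and CoreStorage containers are not data gaps.
            if ($0 ~ /Apple_Boot/ || $0 ~ /Apple_CoreStorage/ || $0 ~ / EFI /) next
            out = out (out == "" ? "" : ",") $NF
        }
        END {
            print "recovery_hd=" (recovery ? "yes" : "no")
            print "outside_corestorage=" out
        }
    '
}

# Constructed sample: startup volume already converted, plus a Boot Camp partition.
sample_diskutil_list() {
    cat <<'EOF'
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:          Apple_CoreStorage                         399.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
   4:       Microsoft Basic Data BOOTCAMP                100.0 GB   disk0s4
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           *399.0 GB   disk1
EOF
}

# On a Mac, inspect the real disk layout; elsewhere, fall back to the sample.
if command -v diskutil >/dev/null 2>&1; then
    diskutil list | fv2_preflight
else
    sample_diskutil_list | fv2_preflight
fi
```

Any slice listed under `outside_corestorage` needs its own protection if it holds sensitive data, and `recovery_hd=no` means FileVault 2 cannot be turned on until the Recovery HD is restored.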
Continue reading for complete instructions on how to enable the FileVault 2 system.