OS X Lion: About FileVault 2

Summary

OS X Lion provides a new version of FileVault. FileVault 2 uses full-disk XTS-AES-128 encryption to help keep your data secure: with FileVault 2 you encrypt the content of your entire startup drive, not just your home directory as with the earlier version of FileVault.

Products Affected

OS X Lion

FileVault 2 requirements

FileVault 2 requires OS X Lion and a Recovery HD partition on your startup drive, which the OS X Lion installer attempts to create during installation. If you received an alert that no Recovery HD could be created and continued installing OS X Lion anyway, you will not be able to use FileVault 2. See this article for more information. Note that the Recovery HD must be on your computer's startup disk for FileVault 2 to work; a Recovery HD on an external disk does not satisfy this requirement.


Turning on FileVault 2

FileVault 2 is managed via the Security & Privacy preference in System Preferences. Click the FileVault tab in the Security & Privacy preferences and you can enable or disable FileVault. 

If you migrated a home directory that was encrypted by an earlier version of FileVault, you will not be able to turn on FileVault 2. See the "Migrating a FileVault-protected Home from an earlier version of Mac OS X" section below for more information. 

Upon selecting "Turn On FileVault", if your Mac has multiple user accounts, you will be asked to identify the user accounts that will be allowed to unlock the encrypted drive (to start the computer or recover from sleep or hibernation).

[Screenshot: Enable users]

Users not enabled for FileVault unlock can only log in to that Mac after an unlock-enabled user has started the computer or unlocked the drive. Once unlocked, the drive remains unlocked and available to all users until the computer is shut down; an unlock-enabled user's password therefore unlocks the whole disk, not just that user's own home directory.

You will need to enter the password, or have users enter their passwords, for each account you wish to allow to unlock FileVault 2.

After enabling users for disk unlock, you will be shown your recovery key.

[Screenshot: Your recovery key]

This key is a backup unlock method provided in case the password of an unlock-enabled user is forgotten. You can highlight and copy the key to print it out, email it or otherwise copy it. Remember that keeping a copy of this key only on this computer will do you no good if you forget your login password, because the copy will be encrypted and inaccessible along with the rest of your data. Make an external copy or write it down, and store it in a secure but physically retrievable location.

You are also given the opportunity to store your recovery key with Apple. See the "Storing your recovery key with Apple" section below for more information.

When you have completed turning on FileVault, you will be prompted to restart your Mac. After the restart, the login screen appears very quickly, and an Apple logo with a spinning gear appears after you type your password. With FileVault 2 enabled you are now logging in at the EFI pre-boot login screen: your password unlocks the drive, and only then does the normal OS X Lion start up process begin.

The user account that unlocked the drive will be logged into their own account after start up completes, without needing to log in again.

If you want to make the Mac available to a user who does not have unlock capabilities, log in, then, once you see your own desktop, choose "Log Out (user name)" from the Apple menu. Alternatively, unlock the disk and then choose the other user's name from the Fast User Switching menu (it appears as the currently logged-in user's name) in the upper-right part of the menu bar.

FileVault should finish the initial encryption of your entire hard disk within a few hours. This happens in the background and won't interrupt normal use of your computer: you can keep working, sleep, log out and even turn off your computer during this time. Until that initial encryption has finished, however, part of the disk is still stored in the clear, so treat the drive as fully protected only once the conversion is complete.
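As an added example that is not part of Apple's article, the script below checks from the command line the two conditions this section and the requirements section above describe: that a Recovery HD partition is on the startup disk, and whether the background conversion to an encrypted disk has actually finished. Lion has no fdesetup, so it parses the output of "diskutil list" and "diskutil cs list" instead; the field labels it looks for ("Apple_Boot Recovery HD", "Encryption Type", "Conversion Status", "Fully Secure", "Encryption Status") are the ones diskutil prints on Lion, the sample outputs embedded in the script are constructed so that it runs offline, and the function names (recovery_ok, fv2_verdict, cs_field, recovery_hd_disks) are my own.

```shell
#!/bin/sh
# Added example, not from Apple's article: pre-flight and post-enable checks
# for FileVault 2 on Lion, parsed from "diskutil list" and "diskutil cs list".
# The sample outputs below are constructed; labels follow diskutil's format.

# Print the whole-disk identifier (disk0, disk2, ...) of every Apple_Boot
# "Recovery HD" partition found in "diskutil list" output read from stdin.
recovery_hd_disks() {
    awk '/Apple_Boot[[:space:]]+Recovery HD/ {
        id = $NF                    # e.g. disk0s3
        sub(/s[0-9]+$/, "", id)     # -> disk0
        print id
    }'
}

# "yes" if a Recovery HD sits on the given startup disk, else "no".
#   $1 = "diskutil list" output, $2 = startup disk such as disk0
# An external disk's Recovery HD (disk2s3) does not count, as the article says.
recovery_ok() {
    printf '%s\n' "$1" | recovery_hd_disks | grep -qx "$2" && echo yes || echo no
}

# Extract one labelled field (e.g. "Conversion Status") from
# "diskutil cs list" output read from stdin, ignoring the tree art.
cs_field() {
    awk -v key="$1" '
        {
            line = $0
            sub(/^[[:space:]|+<>-]*/, "", line)         # strip "|   +-> " prefixes
            if (index(line, key ":") == 1) {
                sub(/^[^:]*:[[:space:]]*/, "", line)    # drop the label
                print line
                exit
            }
        }'
}

# Summarise the logical volume family in "diskutil cs list" output ($1).
# Only "Conversion Status: Complete" with "Fully Secure: Yes" means the whole
# disk is encrypted; "Converting" means plaintext extents still exist.
fv2_verdict() {
    enc_type=$(printf '%s\n' "$1" | cs_field "Encryption Type")
    conv=$(printf '%s\n' "$1" | cs_field "Conversion Status")
    secure=$(printf '%s\n' "$1" | cs_field "Fully Secure")
    unlock=$(printf '%s\n' "$1" | cs_field "Encryption Status")
    if [ "$enc_type" = "AES-XTS" ] && [ "$conv" = "Complete" ] && [ "$secure" = "Yes" ]; then
        echo "encrypted ($unlock)"
    elif [ "$enc_type" = "AES-XTS" ]; then
        echo "in progress: $conv ($unlock)"
    else
        echo "not encrypted"
    fi
}

# Constructed sample of "diskutil list" on a Lion Mac with FileVault 2 on.
LIST_SAMPLE=$(cat <<'EOF'
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:          Apple_CoreStorage                         499.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           *498.9 GB   disk1
EOF
)

# Constructed sample of "diskutil cs list" while the initial encryption runs.
CS_CONVERTING=$(cat <<'EOF'
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 0A1B2C3D-0000-0000-0000-000000000000
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume 11111111-0000-0000-0000-000000000000
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk0s2
    |   Status:   Online
    |
    +-> Logical Volume Family 22222222-0000-0000-0000-000000000000
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Conversion Direction:    forward
        Has Encrypted Extents:   Yes
        Fully Secure:            No
        Passphrase Required:     Yes
EOF
)

# The same family a few hours later, once the conversion has finished.
CS_COMPLETE=$(printf '%s\n' "$CS_CONVERTING" \
    | sed -e 's/Converting$/Complete/' -e 's/forward$/-none-/' \
          -e 's/\(Fully Secure:[ ]*\)No$/\1Yes/')

echo "Recovery HD on startup disk disk0: $(recovery_ok "$LIST_SAMPLE" disk0)"
echo "During initial encryption:         $(fv2_verdict "$CS_CONVERTING")"
echo "After initial encryption:          $(fv2_verdict "$CS_COMPLETE")"
# Live use on a Lion Mac (not run here): recovery_ok "$(diskutil list)" disk0
# and fv2_verdict "$(diskutil cs list)".
```

The script deliberately reports "in progress" rather than "encrypted" while any plaintext extents remain, and it answers "no" when the only Recovery HD it finds is on another disk, which is exactly the external-disk case the requirements section rules out.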
 

Storing your recovery key with Apple

After you are shown your recovery key, you will be given the opportunity to store your recovery key with Apple.

[Screenshot: Apple can store the recovery key for you]

If you choose to store your key with Apple, you will be presented with three "Choose a question…" drop-down menus, each with a corresponding text field.

[Screenshot: Choose a question]

Complete the questions and answers in the associated text fields.

[Screenshot: Answer questions]

The key you store with Apple is encrypted using the answers you provide before it is sent to Apple, so the answers are what protect the stored key: treat them like a passphrase, and avoid answers that are short, public or easy to guess. Take care to choose answers that you can remember exactly as you typed them, since you will have to reproduce them to retrieve your recovery key from Apple. Click Continue to send your key to Apple, then restart to begin FileVault disk encryption.

[Screenshot: Click "Restart" to restart]

Retrieving your recovery key from Apple

If you forget your login password for an OS X Lion FileVault-encrypted drive and you chose to store your recovery key with Apple, you can contact AppleCare and request retrieval of your recovery key. After the wrong login password has been typed three times, a note appears under the password field: "If you forgot your password, you can… …reset it using your recovery key."

Click the triangle button next to that message to reveal the Recovery Key text field (which replaces the password text field), along with AppleCare contact information, your computer's serial number and a Record Number. AppleCare needs these two pieces of information to retrieve your recovery key.

Upon successful retrieval and entry of your recovery key, you will be prompted to change your login password. After changing your login password, it is also recommended that you change your FileVault recovery key and upload the new one to Apple.

Changing your recovery key

In the Security & Privacy preference pane, under the FileVault tab, click "Turn Off FileVault…". FileVault then begins decrypting your drive, and while it is decrypted its contents are no longer protected. Once decryption is complete, the "Turn On FileVault…" button becomes available; clicking it lets you enable unlock-capable users again, shows you a new recovery key and offers to send the new key to Apple. The old key stored with Apple cannot unlock the newly encrypted disk, and if you later ask Apple for your recovery key, only the new one is returned for the serial number and Record Number displayed in the login window.
 

Migrating a FileVault-protected Home from an earlier version of Mac OS X

If you are using FileVault in Mac OS X v10.6 Snow Leopard, you can install OS X Lion and continue to use your FileVault-encrypted home directory in the same way you did in Snow Leopard. OS X Lion considers your earlier version of FileVault encryption to be "Legacy FileVault". With a Legacy FileVault encrypted home directory, opening the Security & Privacy preference pane will cause the following dialog to appear, alerting you that "You're using an old version of FileVault":

[Screenshot: "You're using an old version of FileVault" dialog]

You may continue to use OS X Lion with Legacy FileVault, but you cannot enable Legacy FileVault for other user accounts in OS X Lion. If you turn off Legacy FileVault, the Legacy FileVault tab will disappear and you can then choose to enable OS X Lion's FileVault 2 (disk encryption).

Additional Information

Your password and Recovery Key are critical

The encryption used by FileVault 2 makes the data on your drive inaccessible without the password of an unlock-enabled user account or the recovery key; there is no other way to recover it. Once you turn on FileVault, automatic login is no longer available. Take great care to choose an account password that is both secure and easy for you to remember. When enabling FileVault, write the recovery key down carefully, or copy exactly what is shown, and store it outside your encrypted disk. If you choose to store your recovery key with Apple, choose questions and answers that you could, if needed, convey clearly to an AppleCare phone support advisor.

AppleCare does not serve every language or region, and the regions it does serve do not all offer support in every language. Check Apple Support to confirm that you would be able to retrieve your recovery key should you need to. In particular, if you set up FileVault 2 in your preferred language and store your key with Apple, your answers may be in a language or character set that AppleCare cannot handle when you call from a region where that language is not native or not offered.

Storing your recovery key with Apple is a secure alternative to relying only on your own efforts to remember and securely record your password and recovery key. It is not a guarantee, however: Apple may be unable to return your recovery key to you.

Starting from the Recovery HD partition after FileVault 2 is enabled

When FileVault 2 is enabled, Recovery HD does not appear in the Startup Manager (which is accessed by holding Option during startup).  However, you can select the Recovery HD by holding Command-R as Lion starts up.
