FileVault is Apple's full-disk encryption feature for macOS. It protects the contents of your startup disk by requiring a password (or recovery key) before the system will boot. This guide walks you through enabling FileVault on macOS Ventura or later, managing recovery keys, and verifying encryption status from the command line.
Before You Begin
You will need:
- Administrator access on the Mac you want to encrypt
- A recent backup (Time Machine or equivalent) in case recovery fails
- The Terminal application from /Applications/Utilities
- AC power — older Intel Macs will not start encryption on battery
How FileVault Works on Different Macs
FileVault behaves differently depending on your hardware:
| Hardware | Disk Encryption at Rest | What FileVault Adds |
|---|---|---|
| Apple Silicon (M1+) | Always on (Secure Enclave) | Passphrase protects the Data volume key |
| Intel with T2 chip | Always on (T2 Secure Enclave) | Passphrase protects the Data volume key |
| Older Intel (pre-T2) | Off by default | Performs actual AES-XTS encryption of disk |
On Apple Silicon and T2 Macs, the Data volume is already encrypted with a hardware-bound key. Without FileVault, that key is released on boot — meaning anyone who powers on the Mac can read the data. Enabling FileVault wraps the key with your login password so the disk stays sealed until a trusted user logs in.
On older Intel Macs, enabling FileVault triggers actual background encryption of the entire volume, which can take hours.
Method 1: Enable FileVault via System Settings
- Open System Settings from the Apple menu
- Click Privacy & Security in the sidebar
- Scroll down and click Turn On... next to FileVault
- Authenticate with an administrator password when prompted
- Choose how you want to recover your disk if you forget your password:
  - Allow my iCloud account to unlock my disk (consumer default)
  - Create a recovery key and do not use my iCloud account (recommended for business)
- If you selected the local recovery key, write it down and store it somewhere safe — not on the Mac itself
- Click Continue
On Apple Silicon and T2 Macs, FileVault is effectively active as soon as you finish the wizard. On older Intel hardware, encryption runs in the background; you can continue working normally.
Method 2: Enable FileVault via Terminal
For scripted deployments or remote management, use the fdesetup command.
- Open Terminal
- Run:
  sudo fdesetup enable
- Enter the administrator password when prompted
- fdesetup returns a personal recovery key on stdout — capture it immediately:
  Recovery key = 'XXXX-XXXX-XXXX-XXXX-XXXX-XXXX'
- Store the recovery key in your password manager or MDM escrow system
To enable without printing the key to the terminal (for example, when piping through a script that escrows it), use -outputplist:
sudo fdesetup enable -outputplist > /var/root/fv-recovery.plist
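The following script is an added example, not part of the original guide: it runs the -outputplist form above, pulls the key out of the plist so it never scrolls past on a terminal, and hands it to an escrow step. It assumes the plist stores the key under a RecoveryKey entry and uses ESCROW_CMD as a placeholder for whatever escrow tool you deploy.

```shell
#!/bin/sh
# Added example (not from the original guide): scripted enablement that keeps
# the personal recovery key off the terminal and hands it to an escrow step.
# Assumptions: the -outputplist result carries the key under <key>RecoveryKey</key>,
# and ESCROW_CMD is a placeholder for your own escrow tool (MDM agent, vault CLI).

PLIST=/var/root/fv-recovery.plist

# Print the <string> that follows <key>RecoveryKey</key> in a plist file.
# Plain sed, so it does not depend on plutil or PlistBuddy being available.
extract_recovery_key() {
    sed -n '/<key>RecoveryKey<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$1"
}

# A personal recovery key is six dash-separated groups of four characters.
valid_key_format() {
    printf '%s\n' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

enable_and_escrow() {
    # The plist holds the key in clear text: create it owner-only (0600).
    ( umask 077; sudo fdesetup enable -outputplist > "$PLIST" ) || return 1
    key=$(extract_recovery_key "$PLIST")
    if ! valid_key_format "$key"; then
        echo "no recovery key found in $PLIST" >&2
        return 1
    fi
    "${ESCROW_CMD:-/usr/local/bin/escrow-placeholder}" "$key" || return 1
    rm -f "$PLIST"                               # do not leave the key on the disk
}

# Run only when invoked as `./script.sh run`, so sourcing it has no side effects.
if [ "${1:-}" = "run" ]; then
    enable_and_escrow
fi
```

If escrow fails the plist is left in place (still owner-only) so the key is not lost; retry the escrow step and remove the file afterwards.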
Recovery Key Types
FileVault supports three recovery key models. You can use more than one at the same time.
| Key Type | Stored Where | Best For |
|---|---|---|
| Personal | User-provided / MDM escrow | Per-device recovery, MDM fleets |
| Institutional | FileVaultMaster.keychain | Organization-wide master key |
| iCloud | Apple ID (consumer) | Home users, single-device recovery |
Personal Recovery Key
The default. Each Mac gets a unique 24-character key. MDM platforms can escrow this key and rotate it with:
sudo fdesetup changerecovery -personal
Institutional Recovery Key
A shared key stored in /Library/Keychains/FileVaultMaster.keychain. Any Mac that was enabled with this key can be unlocked by it. To create one:
sudo security create-filevaultmaster-keychain /Library/Keychains/FileVaultMaster.keychain
Then enable FileVault with the keychain reference:
sudo fdesetup enable -keychain
Keep the private copy of FileVaultMaster.keychain offline — never deploy it to endpoints.
iCloud Recovery
Available only via the GUI. The key is escrowed to your Apple ID and released after identity verification with Apple support. Not recommended for business use.
Checking FileVault Status
To see whether FileVault is on:
sudo fdesetup status
Typical output:
FileVault is On.
During initial encryption on older Intel Macs you will see a percentage:
FileVault is On.
Encryption in progress: Percent completed = 42.0
To list users enabled to unlock the disk at boot:
sudo fdesetup list
Each line shows a username and the user's UUID. Only listed users can enter a password at the pre-boot login screen.
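As an added example (not from the original guide), here is a small compliance check built on the two commands above: it classifies fdesetup status output, including the in-progress form shown earlier, and confirms a given user appears in fdesetup list. The parsers take the command text as an argument so they can be exercised on captured output; the list format is assumed to be one "username,UUID" pair per line.

```shell
#!/bin/sh
# Added example, not from the original guide: a FileVault compliance check an
# MDM or inventory script could run. Parsers take the command output as text.
# Assumption: `fdesetup list` prints one "username,UUID" pair per line.

# Classify `fdesetup status` text: on | encrypting:<percent> | off | unknown.
# The in-progress case is tested first because that output also contains
# the line "FileVault is On." and must not be reported as fully encrypted.
fv_state() {
    case "$1" in
        *"Encryption in progress"*)
            pct=$(printf '%s\n' "$1" | sed -n 's/.*Percent completed = \([0-9.]*\).*/\1/p')
            echo "encrypting:${pct:-?}" ;;
        *"FileVault is On."*)  echo on ;;
        *"FileVault is Off."*) echo off ;;
        *)                     echo unknown ;;
    esac
}

# $1 = `fdesetup list` output, $2 = username.
# Succeeds only if that exact username can unlock the disk at boot.
fv_user_enabled() {
    printf '%s\n' "$1" | cut -d, -f1 | grep -qx "$2"
}

# Verdict on captured text: 0 = compliant (fully on and $3 is enabled), 1 = not.
fv_compliant() {
    [ "$(fv_state "$1")" = on ] && fv_user_enabled "$2" "$3"
}

# Live wrapper for a real Mac (needs root); not invoked automatically.
fv_check_live() {
    fv_compliant "$(fdesetup status)" "$(fdesetup list)" "$1"
}
```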
Adding and Removing Users
To enable another local user for FileVault:
sudo fdesetup add -usertoadd alice
You will be prompted for both the admin credentials and the target user's password. To remove a user:
sudo fdesetup remove -user alice
Removing a user does not decrypt the disk — it only revokes that user's ability to unlock it at boot.
Troubleshooting
"Encryption paused"
Usually caused by low battery or the Mac being on battery power. Connect AC power and the encryption will resume automatically. On older Intel Macs, avoid sleeping the lid during the initial encryption pass.
User is not enabled for FileVault
New users created after enablement sometimes fail to appear in fdesetup list. Add them manually with sudo fdesetup add -usertoadd <username> and confirm they appear in the list.
Lost recovery key and password
If both are gone, the data is unrecoverable. Boot into macOS Recovery with Command + R (Intel) or by holding the power button (Apple Silicon), erase the disk using Disk Utility, and restore from a backup.
fdesetup enable returns "Error: User is not authorized"
The calling user must be a local admin with a Secure Token. Check token status with sysadminctl -secureTokenStatus <username>. If the token is missing, grant it from another admin account with sysadminctl -secureTokenOn <username> -password -.
FileVault will not turn on via MDM
Confirm the configuration profile includes a payload for com.apple.MCX.FileVault2 and that the user has logged in at least once after the profile was installed — deferred enablement only triggers at login.