Safe Computing
Home Students Faculty and Staff IT Security Community

Encrypt and Securely Delete Files (Mac)

Encryption is the standard technology used to protect sensitive data from unauthorized disclosure. Apple makes encryption easy by providing a built-in tool called FileVault. By using FileVault, you can encrypt just your home folder rather than your whole hard drive, for example, if you share a computer and just want to encrypt your own files.

Keep in mind:

  • Disk encryption technologies such as FileVault can protect your data from unauthorized access, but it does nothing to protect data that is transmitted over the network or via email.
  • FileVault does not protect your data when you log in and visit a malicious web site or open a malicious email.
  • Back up your data and password, or risk losing your data irretrievably.
  • Sophos anti-virus software and FileVault are NOT compatible. Using them together will cause your machine to crash.

How to Encrypt Documents with FileVault on Your Apple Computer

Before You Proceed:

These instructions are intended for non-technical users who manage their own computers. If your computer is managed by U-M, do not proceed. Contact your IT administrator for further assistance.

Turn on FileVault

  1. Quit any application you may have open.

  2. From the Apple menu in the upper left corner, choose System Preferences and click Security.

  3. If the Security pane shows that a master password has not been set, click Set Master Password.

    If a master password has already been set, click Turn On FileVault and skip to Step 5.

  4. Type the password in the Master Password box and again in the Verify box. Then click OK.

  5. You will be asked to type the password for your user account. Then click Turn on FileVault and read the message that appears.

    Note: Use your normal user login password, NOT the Master Password you may have just set.

  6. Click Turn On FileVault in the dialog or Cancel to stop. If you want to be sure your deleted files can never be recovered, click Use secure erase.

You are logged out of your account during the encryption process. When the encryption process is finished, log back into your account. You home folder icon will include a combination lock to show that it’s protected by FileVault.

Access and work with your encrypted documents just like you did before. You don’t have to do anything special since the computer automatically encrypts and decrypts the data for you.

If you move or copy a file out of an encrypted folder, the filename may turn black, indicating that it is no longer encrypted.

REMEMBER: Back Up Your FileVault-Encrypted Documents!

These instructions are primarily about encrypting data on laptop computers to prevent unauthorized access to sensitive data when the laptop is lost, stolen, confiscated, or otherwise physically compromised. With that in mind, we support creating clear-text (unencrypted) back-ups of sensitive data as long as those clear-text back-ups are physically secured away from the mobile laptop in a safe, vault, locked cabinet, server room etc.

Creating clear-text back-ups has the added advantage of providing access to your data in the event that the key recovery process (also described in this document) fails for some reason (such as forgetting your recovery key password).

To back up your FileVault-encrypted documents in clear-text, simply copy them from your encrypted folder to a network server, external hard drive, CD ROM, USB flash drive, etc. (When you perform that copy operation, FileVault will inform you that your back-up copy will be unencrypted. Click Yes.To Turn off FileVault True?)

Turn off FileVault

  1. From the Apple menu in the upper left corner, choose System Preferences and click Security.

  2. Click Turn Off FileVault.

  3. Click Turn Off FileVault again in the dialog.

  4. Log in again with your user password (NOT the Master Password).

  5. Your folder is now unencrypted.

How to Securely Delete Files on Your Mac

Estimated time to complete: 5 mins

Deleting a file from your computer is like opening a book and scratching out the name of a chapter in the table of contents. The chapter isn’t really gone, just the information about how to find it is. To really wipe out the information in a book, you would turn to the chapter itself and scribble over the words until they were illegible.

When you delete a file by emptying the Trash folder, the only data erased from the hard drive is a small bit of information that points to the location of the file. The actual file remains on the hard drive where it can be retrieved with common software tools.

Using Secure Empty Trash or the Disk Utility will prevent the recovery of deleted files by overwriting the file data with meaningless data. Securely erasing data with these procedures is considered a best practice for eliminating sensitive data, and is a critical task to perform if you donate or sell your computer.

Before You Proceed:

These instructions are intended for non-technical users who manage their own computers. If your computer is managed by U-M, do not proceed. Contact your IT administrator for further assistance.

These examples require a Mac running OS X 10.3 or later. The screen shots will vary depending on what operating system you are using. The screenshots shown are of a Mac running OS X 10.4.

Delete Using Secure Empty Trash

  1. Drag the items you wish to delete into the Trash at the end of the Dock.

    At this point, any files or folders you drag to the Trash will remain there until you empty the trash. If you change your mind, you can still retrieve items by clicking the Trash icon to open the window, and then dragging items you want back to your home folder. Even after you empty the Trash, deleted files may still be recovered by using special data-recovery software.

  2. To delete files so that they cannot be recovered, click the Trash icon. You will see that your file is now in the Trash folder. Make sure that there is nothing else in the Trash folder that you don’t want to permanently delete.

  3. Choose Finder > Secure Empty Trash.

  4. A dialog box appears with the question "Are you are sure you want to erase the items in the Trash permanently using Secure Empty Trash?" Choose OK.

    The Secure Empty Trash option performs a 7-Pass Erase, which meets current U.S. Department of Defense security requirements for general files. Depending on the size of the file, this process may take some time.

Using the Disk Utility to Prevent Recovery of Deleted Files

You can erase unused disk space—which could include files that have previously been deleted but have not been overwritten—that reside on your hard drive. This operation is especially useful if files containing sensitive data have been previously deleted by selecting Empty Trash, rather than Secure Empty Trash. You can use Disk Utility to erase the free space populated by deleted files by having zeros written over the space once, seven times, or 35 times.

Securely erasing data with the Disk Utility is considered a best practice for eliminating sensitive data, and is a critical task to perform if you donate or sell your computer.

Erasing free disk space does not erase the other files on your disk. Also, depending on the amount of free space on your disk, this process may take some time.

  1. Click on the Finder icon on your dock, then Applications > Utilities > Disk Utility.

  2. In Disk Utility, select the disk or volume in the list which contains the free space you want to erase. In this example, the Macintosh hard drive is selected.

  3. Click the Erase tab.

  4. Click the Erase Free Space button.

  5. A dialog box opens with Erase Free Space Options: Zero Out, 7-Pass, and 35-Pass. Zero Out writes a single pass of 0’s over the portions of the disk being erased, while 7- or 35-Pass will write and delete random 0’s and 1’s for the specified number of passes. While the multi-pass erase options take time to run, they are highly secure methods for ensuring that your data cannot be restored.

    35-Pass is recommended for very sensitive data. The Secure Empty Trash option performs a 7-Pass Erase

  6. Select an option that works best for you, then click Erase. Make sure to give yourself plenty of time for the mechanism to run, especially the multi-pass methods.

Troubleshooting

If an item is locked, you cannot put it in the Trash.

  1. Select the item and choose File > Get Info.
  2. Deselect the Locked checkbox in the General pane.

If you do not own the item, you may need to provide an administrator's name and password to put the item in the Trash.

Additional Resources

Protecting your data before selling or giving up possession of your Mac