Web U-M ITSS only
itss2008banner_blue-tabs
ITSS logo
Home students Faculty & Staff IT Security Community
Events
Training
Services
Tools & Tips
Links
Report an IT Security Incident
About IIA
Contact Us
F.A.Q.

Home IT Security Tools and Tips Security Shorts

How to Encrypt Documents with FileVault on Your Apple Computer

Estimated time to complete: 5 mins

What do you carry around on your laptop? Does it include things like your resume, transcripts, school or internship applications, or financial records? If you are using a laptop for your job, maybe you have files like human resources records, student applications, transcripts, human subject research data or payroll information.

These documents likely include some form of SENSITIVE DATA, which is data whose unauthorized disclosure may have serious adverse effect on the University’s reputation, resources, services or individuals. If your laptop falls outside of your physical control due to loss or theft, you’ll want the data inside to be electronically inaccessible.

Encryption is the standard technology used to protect sensitive data from unauthorized disclosure. Apple makes encryption easy by providing a built-in tool called FileVault.  

By using FileVault, you can encrypt just your home folder rather than your whole hard drive, for example, if you share a computer and just want to encrypt your own files.

Before You Proceed:

These Security Shorts are intended for non-technical users who manage their own computers. If your laptop is managed by an IT department, do not proceed. Contact your IT administrator for further assistance.

Keep in mind:
  • Disk encryption technologies such as FileVault can protect your data from unauthorized access, but it does nothing to protect data that is transmitted over the network or via e-mail.
  • FileVault does not protect your data when you log in and visit a malicious Web site or open a malicious e-mail.
  • Back up your data and password, or risk losing your data irretrievably.
  • Sophos anti-virus software and FileVault are NOT compatible. Using them together will cause your machine to crash.

What’s in this document

How to Encrypt Documents with FileVault

Password Protect Your Account…

Turning on FileVault…

Turning off FileVault…


Password Protect Your Account

If you haven’t already, you need to build the first level of defense for your data, which is password protection. Consider using a pass-phrase, which is a more complex combination of letters than a typical password.

  • Here are some things to keep in mind when you create your new password:
    • Select a unique password — not one you are using or have used elsewhere. Do not use a PIN number or a password used for other computing accounts like AOL or hotmail.
    • Use at least nine characters containing a mix of upper- (capital) and lower-case letters, numbers, and common punctuation. However, do not use a forward slash (/) or a space bar.
    • The best passwords are made up. (Of course, don't use any examples shown here.)
      • Use the first letter of words in a phrase and include numbers and punctuation; for example, “Do you know the way to San Jose on US-12?” becomes “DyktwtSJoUS-12?”
      • Use an entire phrase, like Rudolph Is My Favorite Reindeer.

Turning on FileVault

  1. Quit any application you may have open.
  2. From the Apple menu in the upper left corner, choose System Preferences and click Security.

  3. If the Security pane shows that a master password has not been set, click Set Master Password.

    If a master password has already been set, click Turn On FileVault and skip to Step 5.

  4. Type the password in the Master Password box and again in the Verify box. Then click OK.

  5. You will be asked to type the password for your user account. Then click Turn on FileVault and read the message that appears.

    Note: Use your normal user login password, NOT the Master Password you may have just set.

  6. Click Turn On FileVault in the dialog or Cancel to stop. If you want to be sure your deleted files can never be recovered, click Use secure erase.

You are logged out of your account during the encryption process. When the encryption process is finished, log back into your account. You home folder icon will include a combination lock to show that it’s protected by FileVault.

Access and work with your encrypted documents just like you did before. You don’t have to do anything special since the computer automatically encrypts and decrypts the data for you.

If you move or copy a file out of an encrypted folder, the filename may turn black, indicating that it is no longer encrypted.

REMEMBER:  Back Up Your FileVault-Encrypted Documents!

This security short is primarily about encrypting data on laptop computers to prevent unauthorized access to sensitive data when the laptop is lost, stolen, confiscated, or otherwise physically compromised.  With that in mind, we support creating clear-text (unencrypted) back-ups of sensitive data as long as those clear-text back-ups are physically secured away from the mobile laptop in a safe, vault, locked cabinet, server room etc.

Creating clear-text back-ups has the added advantage of providing access to your data in the event that the key recovery process (also described in this document) fails for some reason (such as forgetting your recovery key password).

To back up your FileVault-encrypted documents in clear-text, simply copy them from your encrypted folder to a network server, external hard drive, CD ROM, USB flash drive, etc. (When you perform that copy operation, FileVault will inform you that your back-up copy will be unencrypted. Click Yes.To Turn off FileVault True?)

Turning off FileVault

  1. From the Apple menu in the upper left corner, choose System Preferences and click Security.
  2. Click Turn Off FileVault.

  3. Click Turn Off FileVault again in the dialog.

  4. Log in again with your user password (NOT the Master Password).
  5. Your folder is now unencrypted.

 
Last modified November 09, 2009