How to encrypt your Mac OS X laptop

Check for Encryption Software

Mac computers (laptops and desktops) running OS X are most commonly encrypted with FileVault 2 (the native Mac OS X encryption software) or PGP Desktop (third-party encryption software from Symantec).

First, check which application is on your device: click the Apple icon in the upper-left corner of your screen and open System Preferences, then look in your Applications folder. The application may be listed in either of these locations.

Once you have located the application, follow the steps in the appropriate document (pdf) below to find out if your computer is encrypted:

Already encrypted? Skip to Step 5.

IT Security Requirements

To use your personal device for University business, it must meet all requirements and standards of both the University and the UCLA Health Sciences. Devices must meet five major requirements to be acceptable for University business usage (not comprehensive).

Note: Please read all UCLA Health Sciences policies to ensure your device meets all the requirements.

Before Encryption

Before attempting to encrypt your computer, please read and follow these best practices to prepare for encryption.

Device Requirements

  1. Administrative rights
    • You must have administrative rights to your computer (using an administrative account) to initiate encryption.
  2. AC power adapter
    • Your computer must be on AC power (plugged in to a wall outlet) during encryption.
  3. Active network connection
    • Your computer must have an active network (Internet) connection to store recovery keys.
  4. Supported Operating System (Mac OS X 10.8 and higher)
    • Mac OS X 10.11 (El Capitan) is the recommended version. Operating Systems older than 10.7 (Lion) do not support FileVault 2.
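
The device requirements above can also be checked from Terminal before you start. The script below is an added example, not part of the original guide; it assumes the standard macOS tools `sw_vers`, `id`, `pmset` and `fdesetup`, and the output wording it matches is an assumption based on their usual output.

```shell
#!/bin/sh
# Added example: pre-encryption checks for the Device Requirements list.
# The parsers take command output as text, so they can be tried on sample strings.

# Succeeds if an OS X version string is 10.8 or higher (the supported range above).
os_supported() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 8 ]; }
}

# Maps `fdesetup status` output to: on, encrypting, off or unknown.
filevault_state() {
    case "$1" in
        *"Encryption in progress"*) echo encrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# Succeeds if `pmset -g batt` output reports that the Mac is on AC power.
on_ac_power() {
    case "$1" in *"'AC Power'"*) return 0 ;; *) return 1 ;; esac
}

# Succeeds if a space-separated group list (from `id -Gn`) includes admin.
is_admin() {
    case " $1 " in *" admin "*) return 0 ;; *) return 1 ;; esac
}

# Run the real checks only on a Mac that has the tools installed.
if command -v fdesetup >/dev/null 2>&1; then
    os_supported "$(sw_vers -productVersion)" || echo "FAIL: OS X older than 10.8"
    is_admin "$(id -Gn)"                      || echo "FAIL: not an administrator account"
    on_ac_power "$(pmset -g batt)"            || echo "FAIL: not on AC power"
    echo "FileVault: $(filevault_state "$(fdesetup status 2>&1)")"
fi
```

A result of `unknown` means the status text was not recognized; confirm the state in the Security & Privacy pane instead.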

Device Preparation

  1. Back up files
    • Back up your files before encrypting your computer. Files may be lost or damaged in the event of encryption failure.
  2. Check hard drive
    • Check your disk for errors and repair errors to ensure your hard drive is healthy enough for encryption.
  3. Update software/applications
  4. Clean up viruses and malware
    • Scan your computer with anti-virus/anti-malware software and clean up any threats. Sophos Anti-Virus is recommended.

Use FileVault to encrypt the startup disk on your Mac

FileVault helps prevent unauthorized access to documents and other important data stored on your startup disk.

About FileVault

You can use FileVault full disk encryption (FileVault 2) to help prevent access to documents and other data stored on your startup disk. FileVault uses XTS-AES 128 encryption. To use this feature, you need OS X Lion or later, and a working OS X Recovery volume on your startup disk.

1. Turn on FileVault

When you first set up your Mac, you might be asked if you want to turn on FileVault. You can check whether FileVault is turned on in the Security & Privacy pane of System Preferences. If the option is greyed out, click the padlock in the bottom-left corner of the window and enter your password to unlock it.

If FileVault is turned off, you can use these steps to turn it on:

  1. From the Apple menu, choose System Preferences.
  2. Click the Security & Privacy icon in the System Preferences window.
  3. Click the FileVault tab.
  4. Click the lock icon and enter an administrator name and password.
  5. Click the "Turn On FileVault" button.

2. Enable users

If you enable FileVault on a Mac with more than one user account, you're asked to identify which users can unlock your startup disk as part of setup. Click Enable next to a user name to let that user log in to your Mac at startup. Then, enter the password for that account.

Users that you do not enable cannot unlock the startup disk. These users are not able to use your Mac until after an enabled user logs in.

Any new user accounts you create after you turn on FileVault are automatically enabled.

3. Choose a recovery option

When you enable FileVault on your startup disk, you can choose an option to help you later if you forget your password:

  • In OS X Yosemite, you can store your FileVault key in iCloud. Use your iCloud account name and password to unlock your startup drive or reset your password.
  • In OS X Mavericks, you can share your FileVault key with Apple by answering a set of security questions. You can contact Apple Support if you forget your login password and need to decrypt your startup drive.
  • You can also create a recovery key that consists of a combination of numbers and letters. You can use this key to unlock your drive or disable FileVault. Keep a copy of this key somewhere other than your encrypted startup disk. If you write the key down, be sure to exactly copy the letters and numbers that are shown, and keep it somewhere safe that you'll remember.

Your password and Recovery Key are very important. If you don't have access to your password or Recovery Key, you won't be able to log in or access any of the documents or other data stored on the startup disk of your Mac.

4. Restart your Mac

After you set up FileVault, you are prompted to restart your Mac. After restarting, a login screen appears. Select your account name and enter your password to continue. This unlocks your startup disk and takes you to your desktop.

When FileVault is enabled you cannot log in automatically. A password is always required when you start up your Mac so that OS X can unlock your startup disk.

The first time you log in after turning on FileVault, encryption of your startup disk begins.

  • This initial encryption takes time, and it happens only while your Mac is plugged in to AC power. You can check encryption progress from the FileVault section of the Security & Privacy pane in System Preferences.
  • You can continue to use your Mac while encryption happens in the background.
  • Encryption pauses when your Mac is sleeping or turned off, and continues when your Mac is turned on.
  • Any new files you create are automatically encrypted as they're saved to your startup disk.

When you turn on your Mac, you are prompted to select your user account and then enter your password. This unlocks your startup disk and automatically brings you to your desktop.

If you forget your password, follow the onscreen prompts that appear at the login screen to reset your password using your Apple ID or iCloud account. In OS X Yosemite, your password is automatically stored in iCloud if you turned on FileVault when you first set up your Mac.

If you set a Recovery Key, you can also enter it as your login password if you don't know the right password to log in.

In OS X Yosemite, you can also reset the login password you use with FileVault by using the Reset Password Assistant:

  1. Start up your Mac.
  2. Leave your Mac at the login screen for 60 seconds until you see the forgotten password prompt appear.
  3. Press and hold the power button to turn off your Mac.
  4. Press the power button again to turn your Mac back on.
  5. When the Reset Password window appears, follow the onscreen prompts to unlock your startup disk using your iCloud account or your FileVault Recovery Key.
  6. When you're finished, move your pointer to the top of the screen to make the menu bar appear. Then, choose Restart from the Apple menu to restart your Mac normally.

After your device has been encrypted, you must register it here.

Register your Device

It is your responsibility to ensure your device is verifiably encrypted. To validate that your computer is encrypted, you must register your computer in the UCLA Health Sciences IT Organization inventory.

To register your device in the inventory, please click on the link below. Before registering your device, please read all disclaimers and instructions. You must have a UCLA Logon to register a device.