Speed up FileVault decryption process. Ask Question Asked 2 years, 3 months ago. Active 2 years, 3 months ago. Viewed 878 times 3. There is a reason for me (testing. FileVault for Mac 10.13.14 or greater As of Aug 1, 2020 SecureDoc MAC Encryptionsupports Apple MACs up to OS version 10.13.13. To upgrade to a newer version greater than 10.13.13, the MAC OS must have SecureDoc decrypted and uninstalled first and turn on the MACs own internal encryption system called FileVault. Speed Up Filevault Decryption. Recently I made the mistake of trying out FileVault to encrypt the files on my MacBook Pro. Unfortunately I came to realize that this is a very tedious process that can take days to complete and slow down the performance of my machine. After trying multiple methods to either speed up the encryption.
Apple’s first pass at built-in encryption was, frankly, terrible. The original FileVault, introduced with 10.3 Panther in 2003, only encrypted a user’s home directory, and had a number of functional and implementation problems. FileVault 2 appeared in 2011 with 10.7 Lion, and had almost nothing to do with the original except the name.
FileVault 2 offers full-disk encryption (FDE). When enabled, the entire contents of the startup drive are encrypted. When your computer is powered off, the drive’s data is fully unrecoverable without a password. It also lets you use Find My Mac to wipe your drive in a matter of seconds remotely if you’re concerned about into whose hands your computer has fallen. You can enable FileVault 2 with an existing Mac, but starting with 10.10 Yosemite, OS X now encourages turning on FileVault 2 during setup of a laptop.
This has made some law-enforcement officials unhappy, who seemingly don’t want your data to be protected this strongly, so they can get access in the unlikely event that they need it. Relatively few people engage in criminal activities, and of them, even fewer ever have their computers seized and examined. It’s a good sign as to how well FileVault 2 works that officials are so morose about it.
FileVault 2 takes advantage of the ever-improving processor speed and features in Macs to perform on-the-fly encryption and decryption. Every chunk of data read from and written to disk, whether of the spinning variety or SSD, has to go through this process. Macs introduced starting in 2010 and 2011, and every model since, can use encryption circuitry in the processor, boosting performance.
FileVault 2 works hand in hand with OS X Recovery, a special disk partition that lets you run Disk Utility from the same drive you may be having trouble with, restore or install OS X via the Internet, restore a Time Machine backup, or browse Safari. With FileVault 2 enabled, your computer boots into the Recovery volume, prompting you to login with any account that’s been allowed to start up the computer.
How to use FileVault 2
On a system without FileVault 2 already in place, you need to turn it on, which converts your startup drive from its unencrypted state to fully encrypted. This comes with a few big flashing red warnings and pieces of advice before you proceed. (You can encrypt secondary and external drives by Control-clicking a drive’s icon and select Encrypt “Drive Name,” but it doesn’t tie in with login: you set a password for the drive, and have to enter it to mount it.)
Speed Up Filevault Decryption Windows 10
Warning 1! During the setup, OS X creates a Recovery Key for your drive. As with Apple’s two-step verification for Apple ID accounts, this Recovery Key is critical to retain. Without it, if you lose or forget the account password to all FileVault 2–enabled accounts, your drive is permanently inaccessible. Keep a copy of the Recovery Key, probably printed out, for emergencies.
Warning 2! Once you start the conversion, there’s no stopping it. It has to complete, and it consumes CPU resources like mad, slowing down your machine and likely firing up the fan to high speed. Your computer also has to remain plugged in. The operation takes many hours. A friend’s niece accidentally accepted the option to enable FileVault 2 when upgrading to Yosemite a few evenings ago, and had her machine—needed for a computer-science class the next morning—slow to a crawl.
Apple provides step-by-step details in a Knowledge Base note, so I won’t repeat all of that, but will highlight the critical parts.
Only accounts enabled with FileVault 2 can unlock the volume at boot time after a cold start (when shut down) or restart. For accounts you don’t opt to enable, restarting or starting up will require an account with permission logs in, then logs out. If you’re helping set up FileVault 2 for a novice user who trusts you, you may ask them to create an account for you that would let you log in if they can’t.
Accounts that use an iCloud password for login do provide a way out if you forget or lose an account password, but also offers a security risk if someone obtains your iCloud account information. (During a Yosemite upgrade, you can choose this explicitly when enabled FileVault 2 by checking a box that reads “Allow my iCloud account to unlock my disk.” Oddly, Apple has no information about this option on its support site.)
The option to store your Recovery Key on Apple’s servers is secure, in that Apple apparently can only unlock the key given information you provide, exactly as it’s typed, including capitalization. It doesn’t retain enough information to unlock it independently. However, it does put the key in the hands of a party other than yourself, making it possible under the right circumstances for a government agency or ne’er-do-wells to legally or socially engineer access to your recovery key.
Once the conversion is complete, the startup drive is fully protected within the limits of exposure I note above.
Speed Up Filevault Decryption Tools
What’s even niftier is that with Find My Mac enabled on the computer, you have a sort of secret weapon. Find My Mac works when the computer is booted and connected to a network. You can play a sound, lock the computer, locate it (if Wi-Fi networks or other cues to location are nearby), and erase it. Because FileVault 2 relies on a stored encryption key, erasing the drive wipes that key, rendering the drive unrecoverable, even by you.
But the extra-secret secret weapon is Guest mode. When a user logs in as a guest and connects to a network, or the Mac automatically connects to a known network, Find My Mac continues to work. Thus, if someone finds your computer, any message you send with the Lock option can appear, even if it was online before they log in as a guest. But so too can an Erase request make its way through silently.
FileVault 2 can make nations quake, apparently, but it’s just a bit of good information hygiene, letting you make choices about the degree of vulnerability you want to tolerate for your locally stored data and any software or stored passwords for services in your accounts. With it off, you’re not risking everything, but with it on, you have a high degree of assurance about who can access what.
Note: When you purchase something after clicking links in our articles, we may earn a small commission. Read ouraffiliate link policyfor more details.
- Related:
Newer Macs come with a T2 Security Chip with its own Secure Enclave, a tamper-resistent bit of silicon that allows high levels of security just like on an iPhone and iPad. It’s used to enable Touch ID and allow Apple Pay on laptops, but it also handles a number of other tasks, including full-disk encryption. (The T2 chip began appearing in Macs with the iMac Pro in very late 2017; see this list to check if you’re not sure if yours is one of them.)
On pre-T2 models, macOS uses a combination of software and hardware-accelerated encryption to encrypt all the data on your disk using FileVault, which can be turned on and off via the Security & Privacy preference pane’s FileVault tab. It can take an extremely long time for FileVault to encrypt a drive completely the first time on these older Macs and bog down a system while it is underway. Afterwards, Macs generally handle live reading and writing at almost the same speed as if the data weren’t encrypted.
FileVault prevents the data on a disk at rest—not powered up and logged in—from being extractable in any effective way. The data is just a bunch of digital garbage without access to the key, and the key can’t be retrieved without the password of one of the FileVault-linked accounts on the Mac, which has to be entered at startup time to unlock the drive.
With the T2 chip managing encryption, what is FileVault left to do on these models? It’s rather subtle.
With FileVault off on a T2-bearing Mac, if a ne’er-do-well extracted the drive from a Mac, the contents remain inaccessible. That’s an improvement over pre-T2 Macs, where the non-FileVault-protected contents would be fully readable. It’s a baseline security improvement. (As a result, by the way, T2-equipped Macs that receive an Erase This Device command via Find My Device become nearly instantly “erased,” just like a Mac with no T2 chip and FileVault enabled: erasing the encryption key renders the drive’s contents permanently irretrievable.)
However, without enabling FileVault, a Mac merely has to be booted for the full-disk encryption to start working, even if it doesn’t automatically log into an account. While the encryption is locked to a hardware key managed by the Secure Enclave in the T2 chip, decryption kicks in as soon as the Mac boots to a login screen. A malicious party might be able to subvert macOS or use hardware methods to access data from the mounted and running drive.
Turn on FileVault, however, and a T2-equipped Mac engages in the same boot behavior as one that handles disk encryption in software. Instead of loading macOS directly, the Recovery partition boots in a special mode that requires entry of the password of any account allowed to use FileVault. Until that password is entered, the disk’s contents remain encrypted just as if it were at rest.
I recommend enabling FileVault on T2-equipped Macs for the greatest security and peace of mind. The bonus? Because the T2 chip has already encrypted the drive, there’s no overhead and no delay: FileVault is immediately enabled.
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to mac911@macworld.com including screen captures as appropriate, and whether you want your full name used. Not every question will be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.
Note: When you purchase something after clicking links in our articles, we may earn a small commission. Read ouraffiliate link policyfor more details.
- Related: