Back to Mobile View

Skip to Content

Mountain Lion 101: Finder encryption via contextual menu (updated)

[Post updated, see below.] Whole-drive encryption isn't one of the sexiest features in OS X, but it's nice to know it's there. FileVault 2 (introduced in Lion; the original FileVault began in 10.3 Panther) can be very useful, especially for Mac users with sensitive information on their hard drives. The ability to lock down either a boot disk or a removable drive means additional security for Mac users when they need it.

In Mountain Lion, Apple has made the encryption process easier and faster by adding a contextual menu option to the Finder. Removable drives can be encrypted simply by choosing the Encrypt option when you right-click (or control-click, or two-finger click -- we need a better word for that task) the drive icon. Note that only drives with a GUID partitioning setting can be encrypted, and the resulting encrypted volumes can only be read on other Macs running Lion or Mountain Lion.

Mountain Lion also adds encryption as an option for Time Machine backups, and there's a new command-line tool (fdesetup, well-described by Rich Trouton) that allows third-party tools and system administrators to monitor and adjust FileVault settings. ML's FileVault can sync credentials with a directory system in enterprise environments, and the overall encryption scheme is in the process of certification under the US government's FIPS 140-2 standard, appropriate for "sensitive but unclassified information."

Encrypting removable drives is now three-clicks easy, but if you want to encrypt your startup disk completely the process has not changed markedly from Lion. Head into System Preferences under Security & Privacy and choose the FileVault menu. You will need to turn on FileVault there. You'll also need to make sure Recovery HD is installed on your hard drive. It should have been when you first installed your system, but it may not have if something went wrong. Then you'll need to have a password for all users using the encryption. Once you activate FileVault, you'll get a recovery key, which is a last-ditch effort to recover your files if your password is lost or forgotten.

After that, your files are locked down. You can use the computer normally, but if you ever lose your password and that recovery key (or if someone tries to sneak in without those), your files won't be accessible. There is an option to save the key with Apple itself, but you'll have to answer some other security questions to retrieve it.

FileVault also offers an "instant wipe" feature, which will wipe the encryption key and all of your files from your Mac. So if you do encrypt your files and ever need to pass it on to someone else, you can be sure none of your secrets will make the trip. FileVault is a powerful feature, and if you need to keep a secret, it can make an important task very simple.

Update: Clarified that the new features in Mountain Lion are the Finder contextual menu, encrypted TM backups and the command-line fdesetup tool, not the underlying FileVault 2 encryption. Our apologies for the mixup.