What is FileVault on a Mac
FileVault on a Mac is macOS's built-in full-disk encryption. On Apple silicon and T2 Macs it toggles instantly because the SSD is already hardware-encrypted by the Secure Enclave; on older Intel Macs it triggers a multi-hour software encryption pass.

FileVault on a Mac is macOS's built-in full-disk encryption. When it's on, everything written to the startup disk is encrypted, and unlocking the disk requires a user account password, an escrowed recovery key, or the iCloud account credentials linked at setup. Without one of those, the disk's bytes are unreadable, even if the SSD is removed from the Mac. (Apple Support)
The mechanics are very different across Mac generations, and that difference is the most important thing to understand before turning it on (or before buying a second-hand Mac that has it on). FileVault sits inside the larger checklist of what to verify when buying a Mac, alongside Activation Lock, MDM, ADE, and the other barriers.
How it works on Apple silicon and T2 Macs
The internal SSD on these machines is always hardware-encrypted by the Secure Enclave's AES engine, whether FileVault is "on" or "off." That encryption layer is invisible: it's enforced at line rate by dedicated silicon, keyed from the Secure Enclave's per-device UID, and it cannot be turned off.
Turning FileVault on adds the user-password requirement on top of that always-on hardware encryption. Toggling FileVault is nearly instantaneous because no bytes are actually being rewritten. The hardware was already encrypting everything; FileVault is just controlling who holds the wrapping key.
The performance consequence is that FileVault on a T2 or Apple silicon Mac is essentially free. There's no reason to leave it off.
How it works on older Intel Macs without a T2
On a pre-2018 Intel Mac (and the 2016 and 2017 MacBook Pros that have the T1 chip but not the T2), FileVault uses software encryption. Turning it on triggers a multi-hour background pass that re-writes the entire drive through the CPU's AES instructions. The CPU is taxed during the pass, and the laptop has to remain plugged in and awake.
Turning FileVault off on the same Mac triggers an equivalent multi-hour decryption pass with the same constraints. The drive really is being re-written either way.
This is why "should I turn on FileVault" used to be a real question on Intel Macs and stopped being one once the T2 arrived: the trade-off changed completely.
Pre-boot password requirements
A pre-boot password is required to release the decryption keys. Touch ID, Apple Watch unlock, and password autofill cannot substitute for it. The Secure Enclave requires user-provided entropy to derive the volume keys, and biometric methods alone don't produce that entropy.
This is also why a FileVault-protected Mac, when it boots, asks for a password before the macOS login screen even appears.
The two recovery options
During FileVault setup, the user picks one of two recovery paths:
- iCloud recovery. The user's Apple Account credentials can unlock the volume and reset the local account password.
- Personal recovery key. A locally generated 24-character alphanumeric key that's displayed to the user exactly once. There is no second chance to view it.
The second option is more secure if you control the key, and a permanent paperweight if you don't. Write it down somewhere outside the Mac.
Checking FileVault state
GUI: Apple menu → System Settings → Privacy & Security → scroll to FileVault. Status will read On or Off. (Pre-Ventura: System Preferences → Security & Privacy → FileVault tab.)
Terminal:
fdesetup status
To check whether an encryption or decryption pass is currently in progress on an older Intel Mac:
diskutil apfs list
Look at the "Encryption Progress" metadata in the output.
The corporate-Mac caveat
Corporate Macs frequently have FileVault enabled with the recovery key escrowed to the Mobile Device Management server. Even after a wipe, that key may still be controlled only by the previous IT department. Buyers who pick up an ex-corporate Mac and find FileVault on with no clear path to the password sometimes discover that the only entity who can release the volume is the original organization. If that organization is unwilling or unreachable, the disk is functionally inaccessible.
This is one of several reasons to verify a Mac's MDM enrollment state before money changes hands, with both profiles status -type enrollment in Terminal and a look at System Settings → General → Device Management.
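The FileVault and MDM checks above combined into one pre-purchase verdict, as an added example that is not part of the original page: it classifies the text printed by fdesetup status and profiles status -type enrollment. The function names, the verdict wording and the exact output strings matched are assumptions, and the sample output is constructed.

```shell
# Added example, not from the original page. The output strings matched
# below are assumptions about what the two commands print.
# filevault_state TEXT -> on | off | encrypting | decrypting | unknown
filevault_state() {
    case "$1" in
        *"Encryption in progress"*) echo encrypting ;;
        *"Decryption in progress"*) echo decrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# mdm_state TEXT -> enrolled | not-enrolled | unknown
mdm_state() {
    line=$(printf '%s\n' "$1" | grep -i '^MDM enrollment:' | head -n 1)
    case "$line" in
        *": Yes"*) echo enrolled ;;
        *": No"*)  echo not-enrolled ;;
        *)         echo unknown ;;
    esac
}

# handoff_verdict FDE_TEXT MDM_TEXT -> one-line verdict for a buyer
handoff_verdict() {
    fv=$(filevault_state "$1"); mdm=$(mdm_state "$2")
    if [ "$mdm" = enrolled ]; then
        echo "STOP: MDM-enrolled; recovery key may be escrowed to the organization"
    elif [ "$fv" = encrypting ] || [ "$fv" = decrypting ]; then
        echo "WAIT: $fv pass running; keep the Mac plugged in and awake"
    elif [ "$fv" = on ]; then
        echo "CHECK: FileVault on; confirm the password or recovery key, or wipe first"
    elif [ "$fv" = off ] && [ "$mdm" = not-enrolled ]; then
        echo "OK: FileVault off and no MDM enrollment reported"
    else
        echo "UNKNOWN: could not parse the command output"
    fi
}

# Constructed sample output, used when the macOS tools are absent.
SAMPLE_FDE='FileVault is On.
Encryption in progress: Percent completed = 42'
SAMPLE_MDM='Enrolled via DEP: No
MDM enrollment: No'
if command -v fdesetup >/dev/null 2>&1; then
    handoff_verdict "$(fdesetup status 2>&1)" "$(profiles status -type enrollment 2>&1)"
else
    handoff_verdict "$SAMPLE_FDE" "$SAMPLE_MDM"
fi
```

An MDM enrollment outranks every FileVault state in the verdict because, as described above, an escrowed recovery key can leave the volume under the previous organization's control even after a wipe.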
What this means for buyers and sellers
Sellers should not hand off a Mac with FileVault still on and a password the buyer doesn't have. On a T2 or Apple silicon Mac, the buyer can't erase from Recovery without that password or the recovery key, which means the Mac is unusable until the seller is reached again. The clean handoff is the one-step Mac factory reset, which clears the encryption keys along with everything else and leaves the buyer at a fresh Setup Assistant.
Buyers, if you're handed a Mac without a clean wipe and FileVault is on, treat it the same way you'd treat any other lock barrier. Don't pay until the seller wipes it in front of you and the Mac reaches the "Hello" screen. The companion check that catches the other half of the failure mode is the pre-purchase iCloud lock walkthrough.
FileVault itself is not a deal-breaker on a used Mac. The deal-breaker is FileVault on plus no password and no recovery key, on a machine that's already been handed over.