Here’s something you probably don’t think about when using your Mac: encrypting your startup disk and setting a firmware password.
Device encryption and firmware passwords will not only protect your personal data from unwanted access but it will also make it easier to recover lost or stolen devices.
Disk encryption is self explanatory, but you might be confused about that firmware password. Simply put, a firmware password prevents your Mac from starting up from any device other than your startup disk.
It can be helpful if your Mac is lost or stolen and will protect your against Direct Memory Access ( DMA ) attacks which can read your FileVault passwords and inject kernel modules.
Luckily you can easily enable both on your Mac, without 3rd party software, so let’s get started…
HOW TO ENCRYPT YOUR MAC
NOTE: FileVault is known for its issues. BACKUP before proceeding.
1. Go to System Preferences > Security & Privacy
2. Click the FileVault tab and click the lock to make changes
3. Enter your password
4. Turn on FileVault
5. Choose how you want to be able to unlock your disk and reset your password, in case you ever forget your password:
- If you’re using OS X Mavericks, you can choose to store a FileVault recovery key with Apple by providing the questions and answers to three security questions. Choose answers that you’re sure to remember.
- If you’re using OS X Yosemite or later, you can choose to use your iCloud account to unlock your disk and reset your password.
- If you don’t want to use iCloud FileVault recovery, you can create a local recovery key. Keep the letters and numbers of the key somewhere safe—other than on your encrypted startup disk.
NOTE: I suggest creating a recovery key instead of using your iCloud account. MAKE SURE you create multiple copies of your key ( both on paper and digital ) and keep them in multiple locations. Preferably on offline devices, but if you must upload your key to a cloud service, consider encrypting first.
If you lose or forget both your account password and your FileVault recovery key, you won’t be able to log in to your Mac or access the data on your startup disk.
6. When FileVault setup is complete, your Mac restarts and asks you to log in with your account password. Your password unlocks your disk and allows your Mac to finish starting up.
FileVault requires that you log in every time your Mac starts up, and no account is permitted to log in automatically.
After your Mac starts up, encryption of your startup disk occurs in the background as you use your Mac. This takes time, and it happens only while your Mac is awake and plugged in to AC power.
You can check progress in the FileVault section of Security & Privacy preferences. Any new files that you create are automatically encrypted as they’re saved to your startup disk.
To turn off FileVault repeat the steps above and click “Turn Off FIleVault” in step 4. Then restart your Mac.
After your Mac starts up, decryption of your startup disk occurs in the background as you use your Mac. This takes time, and it happens only while your Mac is awake and plugged in to AC power.
You can check progress in the FileVault section of Security & Privacy preferences.
HOW TO SET UP A FIRMWARE PASSWORD
1. Shut down your Mac
2. Turn it back on and hold down CMD+R on your keyboard immediately after pressing the power button to boot to Recovery Mode
3. When the utilities window appears, go to the menu bar and choose Utilities > Firmware Password Utility.
4. Click Turn On Firmware Password
5. Enter your password in the fields provided and click Set Password.
NOTE: set a strong password and MAKE SURE you remember it.
6. Quit Firmware Password Utility and restart your Mac by choosing Apple () menu > Restart.
NOTE: Your Mac asks for the firmware password only when attempting to start up from a storage device other than the one selected in Startup Disk preferences, or when starting up from macOS Recovery. Enter the firmware password when you see the lock icon and password field
To turn off the firmware password, repeat the steps above and click “Turn Off Firmware Password” in step 4.