FileVault Encryption UPDATE FOR 10.13
Introduction
All MacBook laptops in Orchard must be encrypted using FileVault to help keep the data on them secure in the event that they are lost or stolen. Without FileVault a malicious third party with physical access could create an administrator account on your laptop quite easily and view or steal the data held on it.
What is Encryption?
Encryption scrambles the data on your computer using a strong cipher so that it cannot be read or copied by others without the key needed to decrypt it. You can think of the encrypted data on the computer as a message written in code, where only you have the means to decode it (your password). Encryption is used in many areas of data security, including secure websites (SSL/TLS: when you see the padlock in your browser, communications between your computer and the server are encrypted), secure email, and computer data encryption.
What is FileVault?
FileVault is Apple's standard method for encrypting the data on Macs. It works by encrypting the data on the boot (system) disk in your Mac using your login password as a key to decrypt it. After encryption is started, when the computer starts up it will immediately ask for a username and password. Until a password that is allowed to unlock FileVault is entered, the data on the computer is completely unreadable to third parties. Once a password is successfully entered, the data is decrypted 'on the fly' - meaning as it is loaded - and the computer then loads the operating system and goes straight to the desktop of the user that signed in. This is different to the process on an unencrypted Mac, where the computer would load the operating system first and then ask for a user to log in.
FileVault also creates what is known as a Recovery Key at encryption time, in case you forget your password and need to decrypt the drive in an emergency.
Orchard FileVault
If you have a MacBook, Orchard makes sure that it is encrypted using FileVault automatically. Orchard can detect when a MacBook is not encrypted and will take steps to remediate this. Normally your designated IT Support Staff (ITSS) will perform the encryption when the MacBook is initially enrolled in Orchard. The main user of the device (you) is then added to the list of users able to unlock FileVault on the computer.
There is a guide to encryption for ITSS here: ITSS/FileVault
Recovery Key
During the encryption process the Recovery Key is sent to Orchard. Should you ever forget your password and need to log in urgently, you should contact your local IT Support Staff who will be able to give you the Recovery Key. The Recovery Key may also be used by IT Support Staff to decrypt your laptop if you have given them permission to do so.
Checking Encryption Status
You can check the encryption status of a Mac by opening System Preferences and then choosing the FileVault tab. In this example we show a MacBook that has finished encrypting with FileVault. If the laptop were currently encrypting or decrypting you would see a progress bar. Do not be alarmed by the message that some users cannot unlock the disk; this is normal (we do not allow the ladmin local administrator account to unlock FileVault, as users should not be logging in to their laptop with this account).
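For ITSS who prefer a terminal check to the System Preferences pane, here is an added example (not Orchard's own tooling) that classifies the output of Apple's `fdesetup status` command and checks the `fdesetup list` output to confirm that the ladmin account is not FileVault-enabled. The sample output strings are constructed to match the format fdesetup prints and are assumptions, not captures from a real machine.

```shell
#!/bin/sh
# Added example: terminal check of FileVault state and of which accounts
# can unlock the disk. On a real Mac, feed it live output:
#   fdesetup status | fv_state
#   fdesetup list   | fv_unlock_users_ok ladmin

# Read `fdesetup status` text on stdin and print one word:
#   encrypted | encrypting | decrypting | unencrypted | unknown
# Progress lines are matched first, because during encryption fdesetup
# still reports "FileVault is Off." on the first line.
fv_state() {
  status=$(cat)
  case "$status" in
    *"Encryption in progress"*) echo encrypting ;;
    *"Decryption in progress"*) echo decrypting ;;
    *"FileVault is On"*)        echo encrypted ;;
    *"FileVault is Off"*)       echo unencrypted ;;
    *)                          echo unknown ;;
  esac
}

# Read `fdesetup list` text (one "user,UUID" per line) on stdin. The first
# argument is an account that must NOT be able to unlock FileVault.
# Returns 0 when that account is absent, 1 when it is present.
fv_unlock_users_ok() {
  forbidden=$1
  while IFS=, read -r user _uuid; do
    [ "$user" = "$forbidden" ] && return 1
  done
  return 0
}

# Constructed sample output (assumption: matches fdesetup's format).
SAMPLE_DONE="FileVault is On."
SAMPLE_PROGRESS="FileVault is Off.
Encryption in progress: Percent completed = 43"
SAMPLE_LIST_GOOD="jsmith,6A1B2C3D-0000-4000-8000-000000000001"
SAMPLE_LIST_BAD="jsmith,6A1B2C3D-0000-4000-8000-000000000001
ladmin,6A1B2C3D-0000-4000-8000-000000000002"

# Demo on the constructed samples.
printf 'status: %s\n' "$(printf '%s\n' "$SAMPLE_PROGRESS" | fv_state)"
if printf '%s\n' "$SAMPLE_LIST_BAD" | fv_unlock_users_ok ladmin; then
  echo "unlock users: ok"
else
  echo "unlock users: ladmin must not be FileVault-enabled"
fi
```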