Contents
All MacBook laptops in Orchard must be encrypted using FileVault to help keep the data on them secure in the event that they are lost or stolen. Without FileVault a malicious third party with physical access could create an administrator account on your laptop quite easily and view or steal the data held on it.
Encryption scrambles the data on your computer using a strong cipher so that it cannot be read or copied by others without the necessary key to decrypt it. You can think about the encrypted data on the computer like a message stored in code and only you have the means to decode it (your password). Encryption is used in all sorts of areas for data security including secure websites (SSL/TLS - when you see the padlock in your browser communications between your computer and the server are encrypted), secure email, and computer data encryption.
FileVault is Apple's standard method for encrypting the data on Macs. It works by encrypting the data on the boot (system) disk in your Mac using your login password as a key to decrypt it. After encryption is started, when the computer starts up it will immediately ask for a username and password. Until a password that is allowed to unlock FileVault is entered, the data on the computer is completely unreadable to third parties. Once a password is successfully entered, the data is decrypted 'on the fly' - meaning as it is loaded - and the computer then loads the operating system and goes straight to the desktop of the user that signed in. This is different to the process on an unencrypted Mac, where the computer would load the operating system first and then ask for a user to log in.
FileVault also creates what is known as a Recovery Key at encryption time, in case you forget your password and need to decrypt the drive in an emergency.
If you have a MacBook, Orchard makes sure that it is encrypted using FileVault automatically. Orchard can detect if a MacBook is not encrypted and will take steps to remediate this.
On ‘’’macOS version 10.13 High Sierra and later’’’, your designated IT Support Staff (ITSS) will normally perform the encryption when the MacBook is initially enrolled to Orchard. The main user of the device (you) is then added to the list of users able to unlock FileVault on the computer.
On macOS version 10.12 Sierra or earlier, the main user (you) should be prompted to enable encryption after logging on. If it is not convenient you can skip a number of times but you are encouraged to encrypt your MacBook as soon as possible. The prompt which appears after logging on is:
'Enable now' will display a confirmation window
Then your Recovery Key (see below) will be shown. You can record the Recovery Key if you wish but ‘’’it is saved to Orchard and can be provided by your designated IT Support’’’.
Dismiss the Recovery Key window. The MacBook will restart and you need to enter your login password.
If your laptop has never been encrypted, you will see the following box pop up:
After you click Log out you will be able to save all your work and then the computer will log out to a black screen and the following box will appear:
Enter the password that you use to log in to the Mac and click Restart. After a short while your computer should restart and immediately present you with a login screen similar to this:
Select your username and enter your password. If your password is entered correctly, the computer will then load the operating system and take you straight to your Desktop. Encryption will now take place automatically, as long as you are plugged in to a power source (macOS will warn you if you are not, and will suspend encryption until you reconnect to power).
During the encryption process the Recovery Key is sent to Orchard. Should you ever forget your password and need to log in urgently, you should contact your local IT Support Staff who will be able to give you the Recovery Key. The Recovery Key may also be used by IT Support Staff to decrypt your laptop if you have given them permission to do so. If the Recovery Key has been used once, it will be regenerated and sent to Orchard again, so the same key could not be used to unlock the disk multiple times.
You can check the encryption status of a Mac by opening System Preferences and then choosing the FileVault tab. In this example we show a MacBook that has finished encrypting with FileVault. If the laptop was currently encrypting or decrypting you would see a progress bar. Do not be alarmed by the message that some users cannot unlock the disk, this is normal (we do not allow the ladmin local administrator account to unlock FileVault as users should not be logging in to their laptop with this account).
1. My laptop was previously encrypted manually by IT Support Staff or myself, what happens to my Recovery Key?
Orchard will automatically detect this, regenerate the Recovery Key and send it to Orchard's management server.
2. Does this mean my data is always secure from hackers when my computer is on?
Encryption means that the data on your hard drive is only readable if it has been unlocked at the startup boot screen. If unlocked, the computer will be decrypted for anyone that has physical access with a user account. Therefore it is still important to have a strong password and not to leave your computer unattended, and to take normal precautions when visiting websites and opening files and emails.
3. Does encryption with FileVault slow my computer down?
With most modern Mac laptops FileVault has a negligible effect on computer speed, and may in fact make it faster for certain operations.
4. Who can decrypt my data?
Any local user account that has been enabled for FileVault can decrypt the data on the computer. Also, anyone who has the Recovery Key can decrypt it. The viewing of the Recovery Key is limited to staff that would need to provide you with it in an emergency, or that would need to decrypt the laptop with your permission - e.g. for IT support purposes. The key is hidden within the management server and there is an Audit Log of those who have viewed it should you want to know.
5. What about Symantec Whole Disk Encryption? (WDE) I thought that was what the University recommends?
Symantec WDE has extremely poor Mac support. The current version does not work with the latest macOS version at the time of writing. FileVault is built in to macOS and is the preferred method for encrypting Macs.
6. What should I do if my MacBook is lost or stolen
You should report it to your local IT Support Staff as soon as possible. They will be able to send remote commands to your MacBook to lock it with a passcode or wipe the data, depending on whether you believe you will retrieve your computer. If it is wiped, all encryption keys to unlock the disk are deleted from the computer meaning the data cannot be read.
