Why you should enable FileVault

One of the features of all modern Macs, whether they have Intel processors with a T2 chip, or are Apple silicon models, is that they all encrypt the Data volume on their internal storage. So why should you enable FileVault when the volume is already encrypted? This article explains the difference, and why every Mac running recent macOS should have FileVault enabled on its startup Data volume.

Intel Macs without a T2 chip

The situation is clearest in Intel Macs without a T2 chip, as by default they don’t encrypt any volume. As they can be booted from an external disk, anyone who gets hold of that Mac, even for a few minutes, can steal what they want from it. Although encryption does impose a small overhead, all recent Intel processors have instructions that accelerate it. You’re unlikely to notice the difference in performance, although initial encryption can take many hours for larger volumes. If you’re planning for a clean install of macOS, that doesn’t matter, as you can enable FileVault before you migrate anything to it, when encryption is quickest.

Intel Macs with a T2 chip and Apple silicon Macs

The Data volume on the internal SSD is always encrypted, and can’t be run unencrypted. Although this might suggest that FileVault is superfluous, it adds valuable protection at absolutely no cost.

Default encryption with FileVault turned off uses two keys generated internally, to protect the key used to perform the encryption of the volume, known as the Volume Encryption Key or VEK. While these keys are protected in the Secure Enclave, they don’t rely on any external secret such as a password.

With FileVault turned on, the same VEK is used, so the volume doesn’t have to be decrypted and re-encrypted to use FileVault, but the VEK is protected by additional encryption using your password with a hardware key. Without the user password, no decryption can be performed, even if the SSD is removed from the Mac. You can also change your password at any time without that requiring decryption and re-encryption. Best of all, there’s no overhead in using FileVault, as exactly the same encryption and decryption is performed using the same VEK, it’s just that accessing the VEK requires your password. Apple explains this fully in its Platform Security Guide.

Bootable external disks

These are often forgotten, although as external storage can be much more likely to be lost or stolen, you should normally enable FileVault to cover the Data volume, and use APFS (Encrypted) volumes to store any other data.

Contrary to rumour, FileVault is fully supported on bootable external disks for Apple silicon Macs. To enable it, start your Mac up from its external disk, open Privacy & Security settings, and at its foot click on the Turn On… button.


You’ll then be prompted to choose how to access its Recovery Key. If you don’t opt for iCloud, the key will be displayed for you to take a screenshot and make a copy to store securely elsewhere.


With a near-empty Data volume, encryption takes but a few seconds.


SilentKnight should then give your Mac and its system a clean bill of health.


Encryption overhead remains small, and shouldn’t be noticeable on a reasonably fast external SSD connected by Thunderbolt. In my case, read performance fell from 2.8 GB/s best speed to 2.6 GB/s with FileVault, and write speed from 2.2 GB/s to 1.8 GB/s. If you want better performance, then you should instead be booting from your Mac’s internal SSD.

Time Machine backup disks

When you first set up Time Machine backups to APFS storage, macOS now encourages you to use APFS (Case-sensitive, encrypted) format. This is most important for backup storage that you might take with a notebook, but it makes good sense to encrypt those backups whatever.

Lightweight Virtual Machines

Yes, you can enable FileVault in VMs running on Apple silicon Macs using lightweight virtualisation. If you process sensitive data and your VM is kept on external storage that isn’t formatted in APFS (Encrypted), then this should be a good way to protect that data.


  • Unless there’s a good and sound reason, enable FileVault on your Mac.
  • Wherever you store potentially sensitive data, ensure it’s either protected by FileVault or that volume is formatted APFS (Encrypted).

Further reading

What’s the overhead of using APFS encryption?
Explainer: FileVault
Apple’s Platform Security Guide