FileVault 2 protects a Mac computer by encrypting the entire hard drive when a FileVault-authorized user (the “Managed By” user) logs out. To set up FileVault 2 for the first time, you must log on to the Mac computer as the “Managed By” user, then log out, as explained in the following procedure. After FileVault 2 is set up, only a FileVault 2-authorized user may start up the Mac computer. You may add more authorized users if you wish, or maintain a single account.
Note: Although starting up the Mac computer requires a user account that is authorized to decrypt the startup disk, after the computer has started, this user account may log out to allow other user accounts to log in.
To set up FileVault 2 protection
- Log on to the Mac computer with the “Managed By” account that you specified in “Assign an Active Directory user who is authorized to manage an encrypted disk.”
- Log the “Managed By” user out of the Mac computer, and when prompted, enter the user’s password to set up FileVault 2 protection.
  The system displays a message that it is enabling FileVault protection, and when finished, restarts the computer.
- Log back on to the Mac computer with the “Managed By” account.
  The logon screen shows the FileVault 2-authorized user alone, because this is the only user authorized to open the startup disk.
- Open System Preferences, click Security & Privacy, and click the FileVault tab to verify details about FileVault protection.
- Log out the FileVault-authorized user.
  The logon screen now shows all users who are authorized for the computer.
A FileVault-authorized user is always required to start up the computer because the startup disk is encrypted. However, after the computer is running, any authorized user can log on to the computer. At this point, you have specified a single authorized account. To add more FileVault-authorized users, see Adding FileVault-authorized users.
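The verification step in the procedure above can also be done from a terminal with the macOS `fdesetup` tool, which this page does not mention. The following script is an added example, not part of the original procedure: it classifies captured `fdesetup status` text, including the pending state between first logon and logout, and confirms that the “Managed By” user is the only account able to unlock the startup disk. The user name `mgdby`, the UUID, and the sample output are constructed, and the exact status wording is an assumption to check against your macOS release.

```shell
#!/bin/sh
# Added example: classify FileVault 2 state from captured `fdesetup` output.
# Functions take the text as arguments so the logic can be checked offline.
# Assumption: the status wording below matches your macOS release.

# Print one of: on, encrypting, deferred, off, unknown
fv_state() {
    case "$1" in
        *"Encryption in progress"*) echo encrypting ;;
        *"FileVault is On."*)       echo on ;;
        *"Deferred enablement"*)    echo deferred ;;  # enabled at next logout
        *"FileVault is Off."*)      echo off ;;
        *)                          echo unknown ;;
    esac
}

# Print the short names in `fdesetup list` output (one "name,UUID" per line).
fv_users() {
    printf '%s\n' "$1" | awk -F, 'NF == 2 && $1 != "" { print $1 }'
}

# Args: status text, list text, expected "Managed By" short name.
# Succeeds only when the disk is encrypted and that user is the sole unlocker.
fv_audit() {
    state=$(fv_state "$1")
    users=$(fv_users "$2")
    if [ "$state" != on ]; then
        echo "FAIL: FileVault state is $state"
        return 1
    fi
    if [ "$users" != "$3" ]; then
        echo "FAIL: FileVault-enabled users are: $(echo $users)"
        return 2
    fi
    echo "OK: FileVault is on and only $3 can unlock the startup disk"
}

# Constructed sample output (not captured from a real machine).
SAMPLE_STATUS='FileVault is On.'
SAMPLE_LIST='mgdby,11111111-2222-3333-4444-555555555555'
SAMPLE_DEFERRED="FileVault is Off.
Deferred enablement appears to be active for user 'mgdby'."

# On a Mac, as root: fv_audit "$(fdesetup status)" "$(fdesetup list)" mgdby
fv_audit "$SAMPLE_STATUS" "$SAMPLE_LIST" mgdby
```

A return code of 2 after you add more FileVault-authorized users is expected; pass the audit a different expectation or review the printed list instead.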