
AMSOS

macrumors 6502
Original poster
Nov 21, 2010
Hi. I've recently upgraded from the old MacBook Air 2017 model to the M2 Mac. It's quite a jump and I am obviously liking it so far. I had some queries about the setup process through which I was guided during the purchase.

FileVault is enabled. This encrypts the SSD. So, what issues does it create if I can’t remember my computer’s password? I do remember setting an email ID as a recovery email, but is that sufficient to bail me out and help me enter the computer as well as recover all my data if I ever forget the password? I am looking to hear about any horror stories of losing data too. Just don't want to jump in and regret it in any way later.

Then there is 2FA. Is there some way I could set it up to only work with my phone number? That way I won’t need to depend on the internet, and for times when connections can be sketchy, which is not infrequent around where I live. Any particular precautions I need to take when switching on 2FA?

Thanks!
 
FileVault is enabled. This encrypts the SSD. So, what issues does it create if I can’t remember my computer’s password? I do remember setting an email ID as a recovery email, but is that sufficient to bail me out and help me enter the computer as well as recover all my data if I ever forget the password? I am looking to hear about any horror stories of losing data too. Just don't want to jump in and regret it in any way later.
If you can't remember the FileVault password, you will be forced to use a recovery method. If you haven't set up something beforehand, you'll lose all access to the data on the Mac.

See here for the options for recovery.


You may be conflating a recovery email for your Apple Account (AppleID) with a recovery key for FileVault. Those are completely different things.
 
is that sufficient to bail me out and help me enter the computer as well as recover all my data if I ever forget the password?
You have to type your password with enough regularity that I don’t think you’ll forget it. If you are unusually forgetful, write it down and save it somewhere safe.
 
If you can't remember the FileVault password, you will be forced to use a recovery method. If you haven't set up something beforehand, you'll lose all access to the data on the Mac.

See here for the options for recovery.


You may be conflating a recovery email for your Apple Account (AppleID) with a recovery key for FileVault. Those are completely different things.
Thanks for sending this useful link. I do use the iCloud account and password regularly. Does this mean I don't need to worry about both gaining access to my computer as well as recovering data? i.e., can I avoid using the recovery key? When I turned on FileVault, there was no suggestion to download a recovery key.

I also notice from this web page that for laptops with Mac powered chips encryption is on by default, and FileVault adds another layer of protection. That means unlike for older computers, there was not much need for me to switch on FileVault for the MacBook Air M2!

Is there some way to safely switch off FileVault?

Thanks!
 
Is there some way to safely switch off FileVault?
At the bottom of the page for the prior link I posted is a link "Turn off FileVault on Mac".

There should have been 2 options when turning on FileVault: recover using Apple Account, or recover using a recovery key. I think you can only choose one, because the dialog uses radio buttons to present the choice. If you aren't sure which one you chose, or how to actually recover, you should probably disable FileVault and then re-enable it. That's the only way I saw for changing the option or getting the recovery key.

I also recommend that you read through the instructions, and maybe even make a practice run, for whatever recovery option you chose. If you don't know how to recover, it will be even more harrowing to learn it when your data is actually on the line.
 
Is there some way to safely switch off FileVault?
You are right. Your SSD is encrypted, FileVault or not. With FileVault off, the data is encrypted using a Volume Encryption Key, stored in the Secure Enclave. With FileVault on, it's the same, but the Volume Encryption Key is further protected by your user password. There is no benefit to turning FileVault off.

 
At the bottom of the page for the prior link I posted is a link "Turn off FileVault on Mac".

There should have been 2 options when turning on FileVault: recover using Apple Account, or recover using a recovery key. I think you can only choose one, because the dialog uses radio buttons to present the choice. If you aren't sure which one you chose, or how to actually recover, you should probably disable FileVault and then re-enable it. That's the only way I saw for changing the option or getting the recovery key.

I also recommend that you read through the instructions, and maybe even make a practice run, for whatever recovery option you chose. If you don't know how to recover, it will be even more harrowing to learn it when your data is actually on the line.
Thanks for the useful suggestions. I checked and it does give me two options. Obviously I would want to choose the iCloud option, rather than bother about having to safely store a recovery key.

I do feel reassured that recovery should not be an issue, if needed.

So, let me ask why FileVault is needed at all, now that the SSD is encrypted by default. With Intel chips, someone could just plug into your computer and see the data. That's no longer possible, so why the twin layers of protection? Isn't that carrying things too far?

Very important point about doing a practice recovery run. But let me see if sticking to the iCloud recovery may not be a better idea.
 
You are right. Your SSD is encrypted, FileVault or not. With FileVault off, the data is encrypted using a Volume Encryption Key, stored in the Secure Enclave. With FileVault on, it's the same, but the Volume Encryption Key is further protected by your user password. There is no benefit to turning FileVault off.

So, we need a key to protect the key that opens the computer?

Where does this stop? Or, am I missing something here 🤔
 
So, we need a key to protect the key that opens the computer?

Where does this stop? Or, am I missing something here 🤔
You have a choice:
A) The machine’s login password is the only possible way to decrypt a FileVault-encrypted drive, or
B) You can choose to set up FileVault with a Recovery Key. If you forget the machine’s password, Apple can decrypt the FileVault-encrypted drive, but only if you provide them with your Recovery Key.

If you forget the login password and you don’t enable the recovery key feature, the data on the drive cannot be accessed.
If you forget the login password and you lose the recovery key, the data on the drive cannot be accessed.
 
So, we need a key to protect the key that opens the computer?

Where does this stop? Or, am I missing something here 🤔
I think of it like 2 factor authentication. To access the data, two things are required, 1) something your computer has, and 2) something you know.
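
The key layering discussed in the replies above (a volume key, wrapped by a key derived from "something you know" plus "something your computer has", with an optional recovery-key slot), as an added example that is not part of any post in this thread and is not Apple's implementation. All names (`Volume`, `derive_kek`, `wrap`, the slot names) are hypothetical, the device value is a constructed stand-in for a hardware-bound secret, and the HMAC-based wrap is a toy substitute for a real AES key wrap.

```python
import hashlib, hmac, os

def derive_kek(secret: str, salt: bytes, device_uid: bytes) -> bytes:
    """Key-encryption key from a secret the user knows plus a device-bound value."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt + device_uid, 50_000)

def wrap(kek: bytes, vek: bytes):
    """Toy authenticated wrap (HMAC pad + tag); stands in for a real AES key wrap."""
    nonce = os.urandom(16)
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(vek, pad))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag

def unwrap(kek: bytes, blob):
    """Return the volume key, or None when the KEK (secret or device) is wrong."""
    nonce, ct, tag = blob
    good = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

class Volume:
    """Only wrapped copies of the volume key are stored, one slot per unlock method."""
    def __init__(self, device_uid, password, recovery_key=None):
        self.salt, vek = os.urandom(16), os.urandom(32)
        self.slots = {"password": wrap(derive_kek(password, self.salt, device_uid), vek)}
        if recovery_key is not None:  # recovery must be set up in advance
            self.slots["recovery"] = wrap(derive_kek(recovery_key, self.salt, device_uid), vek)

    def unlock(self, slot, secret, device_uid):
        if slot not in self.slots:
            return None  # that recovery method was never set up
        return unwrap(derive_kek(secret, self.salt, device_uid), self.slots[slot])

    def reset_password(self, recovery_key, new_password, device_uid):
        """Forgotten password: re-wrap the same volume key; the data is not re-encrypted."""
        vek = self.unlock("recovery", recovery_key, device_uid)
        if vek is None:
            return False
        self.slots["password"] = wrap(derive_kek(new_password, self.salt, device_uid), vek)
        return True
```

In this model the chain stops at the secrets the user holds: with no recovery slot, or with the recovery key lost, nothing stored on the drive can reproduce the volume key.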
 
You have a choice:
A) The machine’s login password is the only possible way to decrypt a FileVault-encrypted drive, or
B) You can choose to set up FileVault with a Recovery Key. If you forget the machine’s password, Apple can decrypt the FileVault-encrypted drive, but only if you provide them with your Recovery Key.

If you forget the login password and you don’t enable the recovery key feature, the data on the drive cannot be accessed.
If you forget the login password and you lose the recovery key, the data on the drive cannot be accessed.
Thanks. But where does the iCloud based recovery process fit in here? I would like to avoid having to store anything in physical form if I can.
 
Thanks. But where does the iCloud based recovery process fit in here? I would like to avoid having to store anything in physical form if I can.
FileVault recovery key and iCloud recovery key are similar, but they are completely separate. In both cases, you protect your data with a password known only to you. If you forget the password, the recovery key allows you to recover the data, ***IF*** you set up a recovery key AND if you have the recovery key.

It's important to understand these things in case your computer or phone are lost or stolen. You can read more about it at MacWorld.
 
FileVault recovery key and iCloud recovery key are similar, but they are completely separate. In both cases, you protect your data with a password known only to you. If you forget the password, the recovery key allows you to recover the data, ***IF*** you set up a recovery key AND if you have the recovery key.

It's important to understand these things in case your computer or phone are lost or stolen. You can read more about it at MacWorld.
Sure. But if I only rely on iCloud, and if I forget that password, then I can recover the iCloud password first, and then use that to reset my computer's password. Correct?
That way I won't have to think about keeping any paper etc. lying around with details of the recovery key.
 