macOS: FileVault Disk Encryption (some clarification)
Friday, January 30, 2026
Recently news broke that Microsoft handed BitLocker recovery keys to the FBI. Microsoft was able to do so because Windows 11 by default backs the BitLocker recovery key up to the user's Microsoft account. On Windows 11 Home, which gets Device Encryption rather than the full BitLocker tooling, turning encryption on requires signing in with a Microsoft account, and that account is the only place the key is escrowed.
On macOS, Setup Assistant prompts you to turn on FileVault and asks whether you want your iCloud account to be able to unlock the disk (Apple escrows the recovery key) or whether you want to keep the recovery key yourself. If you keep it yourself, store it somewhere safe that you are certain you can reach without the Mac, because a forgotten login password combined with a lost recovery key means the data is gone. Whether Apple can read an escrowed key depends on your iCloud protection level. Under standard data protection Apple holds the keys to most iCloud data and can produce it under legal process, much like Microsoft. Only with Advanced Data Protection enabled is your iCloud data, the escrowed recovery key included, end-to-end encrypted so that Apple itself cannot access it. If that matters to you, either keep the key yourself or turn on Advanced Data Protection.
There is also a key difference between disk encryption on Windows and macOS devices. Every Mac with Apple silicon or the T2 chip ships with its SSD encrypted out of the box, whether or not FileVault is on. You cannot remove that SSD, put it in another Mac and expect to read it, because the volume encryption keys are wrapped by a hardware key that never leaves the Secure Enclave of the Mac it came from. So a thief who pulls the SSD out gets nothing. A thief who walks off with the whole Mac is another matter, and that is where FileVault comes in.
Why then does Apple prompt you to enable FileVault? Because with FileVault enabled, the disk can only be unlocked by an authorized user, so booting the Mac requires that user's password (or the recovery key) before macOS even loads. An authorized user is a local account that holds a Secure Token and, on Apple silicon, is a Volume Owner of the data volume. Any account without these traits cannot unlock the disk. (Example: with several accounts on the Mac but only one enabled for FileVault, only that user is offered at the pre-boot login after a cold start; the others can sign in only once that user has unlocked the disk.)
Without FileVault enabled, anyone with physical access can reboot the Mac into recoveryOS and run the recovery utilities against a data volume that unlocks on its own, including resetpassword, which resets the password of any user on the Mac. With FileVault enabled, recoveryOS cannot mount the data volume until it has been unlocked with the password of a FileVault-enabled user or the recovery key, so none of those utilities can touch your data.
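The two paragraphs above raise a practical question: which local accounts on a given Mac can actually unlock the disk? As an added example (not from the original post, and not Apple's tooling), here is a small POSIX shell audit that answers it using the real macOS commands `fdesetup status`, `fdesetup list` (root required), `sysadminctl -secureTokenStatus` and `diskutil apfs listUsers /`. The parsing functions are fed constructed sample output so they can be checked on any Unix; the live audit only runs where `fdesetup` exists. The user names alice, bob and carol and the UUIDs are made up for the example.

```shell
#!/bin/sh
# Added example: audit which local accounts are authorized to unlock a
# FileVault-protected startup disk. An account counts as "authorized" here
# when fdesetup lists it as FileVault-enabled AND it holds a secure token.
# Volume ownership (Apple silicon) is printed from diskutil for manual review.
# Run the live audit as root: sudo sh fv_audit.sh

# fv_enabled_users: stdin is `fdesetup list` output ("user,UUID" per line).
# Prints one username per line; error text such as "FileVault is Off." is ignored.
fv_enabled_users() {
    grep -E '^[^,[:space:]]+,[0-9A-Fa-f-]+$' | cut -d, -f1
}

# has_secure_token USER SYSADMINCTL_OUTPUT
# `sysadminctl -secureTokenStatus USER` prints (on stderr) e.g.
#   "Secure token is ENABLED for user alice"
# Returns 0 when the token is ENABLED for exactly that user, 1 otherwise.
has_secure_token() {
    printf '%s\n' "$2" | grep -q "Secure token is ENABLED for user $1\$"
}

# classify USER FDESETUP_LIST_OUTPUT SYSADMINCTL_OUTPUT
# Prints "authorized" only when both conditions hold, else "not-authorized".
classify() {
    if printf '%s\n' "$2" | fv_enabled_users | grep -Fqx "$1" \
       && has_secure_token "$1" "$3"; then
        echo authorized
    else
        echo not-authorized
    fi
}

# Constructed sample output (hypothetical users/UUIDs, not from a real Mac):
SAMPLE_LIST='alice,1C2D3E4F-0000-4000-8000-000000000001
bob,1C2D3E4F-0000-4000-8000-000000000002'
SAMPLE_TOKEN_ALICE='Secure token is ENABLED for user alice'
SAMPLE_TOKEN_CAROL='Secure token is DISABLED for user carol'

# audit_live: walk every local account (UID >= 500) and classify it.
# Skips cleanly on non-macOS systems, where fdesetup does not exist.
audit_live() {
    command -v fdesetup >/dev/null 2>&1 || { echo "fdesetup not found; skipping live audit"; return 0; }
    fdesetup status
    list=$(fdesetup list 2>/dev/null)   # empty when FileVault is off or not root
    for u in $(dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
        st=$(sysadminctl -secureTokenStatus "$u" 2>&1)
        printf '%-20s %s\n' "$u" "$(classify "$u" "$list" "$st")"
    done
    # On Apple silicon each cryptographic user is reported with "Volume Owner: Yes/No".
    diskutil apfs listUsers / 2>/dev/null || true
}

audit_live
```

The point of separating `classify` from `audit_live` is that the decision logic can be exercised without root and without a Mac: feed it the captured output of the two commands and it tells you whether that account will be offered at the pre-boot login. An account that fdesetup lists but that has lost its secure token (for example after certain directory migrations) shows up as not-authorized, which is exactly the case that surprises people at the next cold boot.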
So enabling FileVault is an additional measure on top of the always-on hardware encryption: it ties unlocking the disk to the credentials of trusted users rather than to the hardware alone.
And remember, an Apple a day keeps Windows away.