Back to the Blog
Apple Ecosystem

Apple IT Security Features: FileVault 2 and XTS-AES Encryption

Mark Lukehart

Smiling Businesswoman in Meeting

Apple IT Security Features – Part 3: FileVault 2 and XTS-AES Encryption

In this 3-part series, we are exploring some of the built-in security features that come standard with today’s Apple computer and mobile device models. These features have a positive impact on an organization’s data security requirements and act as additional layers of protection against threats.

FileVault 2 and XTS-AES Encryption

FileVault 2 is Apple’s newest built-in disk encryption software designed to prevent unauthorized data access stored on a Mac. FileVault 2 protects the entire drive by using XTS-AES 128 encryption.

What is XTS-AES Encryption?

Stay with me; this is interesting.

Let’s start with the AES part. AES stands for Advanced Encryption Standard. The National Institute of Standards and Technology (NIST) established AES in 2001, which has been adopted by the U.S. Government. AES is a method of encrypting text using an algorithm and cryptographic key (called symmetric block cipher, which means encrypting a block of text at one time, rather than encrypting one bit at a time) implemented into software and hardware to encrypt data.

XTS is simply the newest mode of AES, providing more robust data protection over previous modes (Electronic Code Book [ECB] and Cipher Block Chaining [CBC]). XTS eliminates potential vulnerabilities associated with more sophisticated attacks by using two AES keys instead of just one. The 128 refers to 128-bit – the length of the key. Over time, Apple will most likely increase the bit length, which will increase the security strength.

That wasn’t too painful, right?

FileVault 2 is one of the steps in the setup assistant when setting up the Mac for the first time. If the computer has already been set up, it can be activated in System Preferences. Once enabled, FileVault encrypts all existing and new data stored on the Mac.

Main Benefit of Using FileVault

  • Best-in-class encryption that no hacker or government has yet to penetrate, so you can rest assured your data is secure

Main Disadvantage of Using FileVault

  • If you forget your password, it is impossible to retrieve your data.

You may be wondering if FileVault is the right choice for businesses with employees using Macs, or better for individuals using Macs as their personal computer. As a Managed IT Security Provider, as well as a Managed IT Service Provider, we believe Filevault is essential, for both individual and business-owned Macs. At Parachute, we recommend company-owned Apple devices be FileVault encrypted as part of the overall Mobile Device Management (MDM) policy. FileVault, along with the T2 chip discussed in the previous blog article [Apple IT Security Features Part 2: The T2 Chip and the Secure Enclave], prevents leaked company data if the device is ever stolen. As long as an MDM solution is in place (such as Jamf, Addigy, Mosley, etc.), the keys to unencrypt can be available to the business and the end-user. This provides flexibility and access to unlock the device if the employee has left the company.

If you would like to learn more about how Apple’s IT security features can have a positive impact on your business, give Parachute a call today. We are Apple IT Service specialists with a focus on Apple Ecosystem Administration for companies throughout the San Francisco Bay Area and the Sacramento Valley. Our team is happy to answer your questions and discuss your unique Apple support needs.