Glossary

FileVault

The macOS feature that gates the volume encryption key behind a user password. The disk is always encrypted; FileVault decides whether unwrapping that key requires a user secret.

FileVault on a modern Mac is not a feature that encrypts your disk — your disk is always encrypted. FileVault is what gates the key behind a user password.

On macOS 10.13+:

  • Without FileVault: the Volume Encryption Key (VEK) is wrapped by a key derived from the hardware alone (no user secret). The kernel can unwrap it at boot without user input.
  • With FileVault enabled: the VEK is wrapped by a key derived from your password + hardware secrets in the Secure Enclave. The kernel needs your password to unwrap and access your files.

Either way, the AES encryption on disk is identical. Only the unwrap path differs.

This is why "turning on FileVault" is fast on a modern Mac — it doesn't re-encrypt anything, it just changes the VEK's wrapping.

The SEP is critical: your password never enters main-CPU memory. SecureKeyboardEntry routes keystrokes directly to the SEP, which derives the wrapping key, unwraps the VEK, and hands the VEK to the kernel. The password itself stays inside the SEP.

See also: Secure Enclave, APFS, and the APFS encryption article.