The initial encryption pass can take many hours on a spinning hard disk; on an SSD it is much faster, and you can keep using the Mac while it runs.
Don’t store your FileVault recovery key in iCloud, as that makes it potentially more vulnerable to outside extraction.
Make sure to select and set up every user account that needs to be able to log in after the Mac boots from a powered-off state. FileVault boots from the Recovery HD partition, which holds the pre-boot login screen; the accounts you enable there are stored on that partition, and each enabled account's password unwraps the key that encrypts the main startup volume. An account you skip cannot unlock the Mac at startup; an enabled user has to unlock it first.
Jonathan Zdziarski, a security researcher and maker of the file-access monitoring tool Little Flocker, notes that FileVault encryption isn't tied to hardware, even with the new MacBook Pro with Touch Bar models. The key is protected by the account password alone, which is why the strength of that password is what ultimately protects the disk.
Enable encryption on individual drives.
FileVault doesn't encrypt other drives you use, and if you're using any local backup option, including Time Machine, you need to encrypt those drives too. You can right-click any mounted drive or partition in the Finder and select Encrypt "Drive Name." You then need to create a password for it and save that password separately, or be at risk of getting locked out of the drive.
You’ll also need to enter the password whenever the system restarts or you unmount and remount the drive. You could use Keychain to store the password so long as you’re not syncing Keychain via iCloud and you have a strong macOS password. (iCloud Keychain sync is quite secure, but it results in your secrets being accessible from more devices.) Better, use a third-party password tool, like 1Password, which I’ll write more about in the future.
Whenever your Mac is running with drives mounted, their data is exposed, even if you've locked the screen, because the keys that unlock them stay in memory. You need to power down when away from your computer, which means scheduling backups while you're working.
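The checks the last few paragraphs call for (is FileVault on, which accounts can unlock it, and is every mounted volume, backup disks included, encrypted) can be scripted. The following is an added example, not code from the original article or from Apple; the `diskutil info` and `fdesetup` output it reads are real macOS commands, but the sample text embedded below is constructed to resemble their output and is used only so the parser can be exercised offline. The function and variable names are the example's own.

```shell
# Added example: audit FileVault and per-volume encryption state.
# Runs on macOS; the parser can also be tested on any POSIX sh with awk.

# is_encrypted: read `diskutil info <volume>` style output on stdin and
# print "yes", "no" or "unknown". Core Storage (HFS+) volumes report an
# "Encrypted:" line; APFS volumes report "FileVault: Yes (Unlocked)".
is_encrypted() {
  awk '
    /^ *Encrypted:/ { v = $2 }
    /^ *FileVault:/ { v = $2 }
    END {
      if (v ~ /^[Yy]es/)      print "yes";
      else if (v ~ /^[Nn]o/)  print "no";
      else                    print "unknown";
    }'
}

# Constructed sample output (not captured from a real machine) for a plain
# Journaled HFS+ backup disk that was never encrypted.
SAMPLE_UNENCRYPTED='   Device Identifier:        disk2s2
   Volume Name:              Backup
   Mounted:                  Yes
   Mount Point:              /Volumes/Backup
   File System Personality:  Journaled HFS+
   Encrypted:                No'

# Constructed sample output for the same kind of disk after
# "Encrypt" was chosen in the Finder (Core Storage encrypted volume).
SAMPLE_ENCRYPTED='   Device Identifier:        disk3s2
   Volume Name:              TM-Encrypted
   Mount Point:              /Volumes/TM-Encrypted
   File System Personality:  Journaled HFS+
   Encrypted:                Yes
   Core Storage Encrypted:   Yes'

# audit_mounted_volumes: on a Mac, report every mounted volume under
# /Volumes and return non-zero if any of them is not encrypted.
audit_mounted_volumes() {
  command -v diskutil >/dev/null 2>&1 || { echo "diskutil not found (not macOS)"; return 2; }
  rc=0
  for vol in /Volumes/*; do
    [ -d "$vol" ] || continue
    status=$(diskutil info "$vol" 2>/dev/null | is_encrypted)
    printf '%-40s %s\n' "$vol" "$status"
    [ "$status" = "yes" ] || rc=1
  done
  return $rc
}

# filevault_status: confirm FileVault is on for the startup disk and list the
# accounts enabled to unlock it at boot (`fdesetup list` needs root).
filevault_status() {
  command -v fdesetup >/dev/null 2>&1 || { echo "fdesetup not found (not macOS)"; return 2; }
  fdesetup status
  sudo fdesetup list
}

# To encrypt a backup disk from the shell instead of the Finder (macOS command;
# it prompts for the new passphrase when none is given on the command line):
#   diskutil coreStorage convert /Volumes/Backup -passphrase
```

Run `audit_mounted_volumes` after a Time Machine disk is plugged in; any line that does not end in `yes` is a drive FileVault is not protecting. Write the passphrase you choose for `diskutil coreStorage convert` into your password manager before pressing return, for the lock-out reason given above.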
A strong password and giving up Touch ID
Apple encourages the use of Touch ID as a personal security measure. But Touch ID is susceptible to physical coercion (someone grabbing your hand and pressing a finger to the sensor), so it lacks the protection of a secret held only in your head. You don't even have to be conscious.
If you believe the state no longer acts as an effective check on such coercion, then Touch ID is a bad idea to enable for most people. Zdziarski says that to manage Touch ID, you have to be able to shut down an iOS device: "if you suspect you're about to have a law enforcement or customs encounter, power cycle and leave mobile devices locked (without passcode) at night so the fingerprint reader is inactive," and so on. He also suggests using a non-obvious finger (not your thumbs or index fingers). "While your fingerprint can be compelled, it's arguable whether or not they can compel you to tell them which finger you used," at least under current U.S. law.