Skip to content

Data Encryption

Updated May 26, 2025

FileVault Encryption on macOS

Tip

The data encryption on iPhones and iPads is always on and not optional.

In our continued effort to protect sensitive data and ensure compliance with industry best practices, our organization uses FileVault, Apple’s built-in full-disk encryption technology on macOS devices. This article explains what FileVault is, why we enable it, its key advantages, and how it ensures that erased devices are truly secure.

What Is FileVault?

FileVault is a full-disk encryption feature designed by Apple for macOS. When enabled, it encrypts the entire contents of the startup disk using XTS-AES-128 encryption with a 256-bit key. This means that all files, applications, and system data are unreadable without the proper decryption key.

Why Do We Use FileVault?

Data security is a top priority. Devices can be lost or stolen, and sensitive data—emails, documents, customer records, and credentials—must not fall into the wrong hands. FileVault helps ensure that even if someone has physical access to a Mac, they cannot access its data without the correct credentials.

Advantages of Using FileVault

  • Confidentiality: Data is inaccessible without the proper credentials.
  • Peace of Mind: Lost or stolen devices do not pose a data leak risk.
  • Compliance: Supports data protection laws and frameworks.
  • Low Overhead: Minimal performance impact.
  • No User Action Required: Encryption is automatic once enabled.

Encryption on Startup

When a Mac with FileVault is powered on, it displays a login screen that looks normal. However, what’s happening behind the scenes is that the system is authenticating the user and unlocking the encryption key required to decrypt the disk on the fly.

Encryption Key

The actual encryption key is stored securely on the device but is itself encrypted using a key derived from the user’s login password or a secure token stored in the system. Without this password or key, access to the encrypted data is impossible.

Time Machine backups

If your computer is backed up by or you wish to start using a Time Machine device of any kind, encryption must be enabled at all times. Use your user account password or any other password of your choice that you can store in 1Password.

Compliance and Best Practices

FileVault helps us meet compliance standards such as GDPR, HIPAA, as well as policies from our major partners, Apple and Google. It’s a foundational tool in our endpoint security strategy.

More information

What happens when the Mac is reset?

One of the most powerful features of FileVault is how it handles data destruction. When a Mac is wiped using Erase All Content and Settings or via recovery mode, the encryption key is securely deleted. Without the key, the data on the disk remains scrambled and inaccessible—even if the disk contents remain physically intact.

Also, When IT wipes a Mac using Apple’s secure erase tools, the Secure Enclave invalidates the key that unlocks the disk. The disk remains encrypted, but there’s no longer a key to unlock it—making the data effectively destroyed.

Can the Data Be Recovered?

No. Without the encryption key, FileVault-encrypted data cannot be decrypted. Not by Apple, not by forensics teams, and not by attackers. This makes FileVault an extremely effective tool for secure device retirement.

What About External Drives?

FileVault only protects the internal startup disk. For external drives, macOS offers FileVault-like encryption using Disk Utility. Users can right-click on an external drive and choose “Encrypt” to apply similar protection.

Password Importance

Because login credentials are tied to the encryption key, strong password hygiene is essential. If a user’s password is compromised, so is the encryption key—though additional security layers like biometrics and two-factor authentication help mitigate this.

Final Thoughts

Encryption is no longer optional—it’s expected. FileVault gives us confidence that our data is safe, our devices are compliant, and our information is protected even in worst-case scenarios. As part of our commitment to security, we will continue using FileVault on all company-managed macOS devices.

1Password

1Password is a password manager designed with strong encryption at its core. For anyone unfamiliar with how it works, here’s a quick overview of how it keeps sensitive information safe from unauthorized access—even from 1Password itself.

End-to-End Encryption by Design

All information stored in 1Password—passwords, notes, documents, and other secrets—is protected with end-to-end encryption. This means data is encrypted on your device before it ever leaves your computer or phone, and it can only be decrypted by you. No one—not even 1Password’s servers—can read what’s stored in your vault.

AES-256 and the Secret Key

1Password uses AES-256, a military-grade encryption algorithm considered practically unbreakable with today’s computing power. But it doesn’t rely on your master password alone. It also uses a unique Secret Key—a randomly generated 128-bit key created when you first set up your account. Both your master password and Secret Key are required to unlock your vault, and neither is ever sent to 1Password’s servers.

What Gets Encrypted?

Everything. This includes not just passwords, but usernames, URLs, attachments, credit card numbers, and even metadata like item titles. All of this is encrypted using a key derived from your master password and Secret Key via a key derivation function called PBKDF2, which helps defend against brute-force attacks.

Zero-Knowledge Architecture

1Password is built with a zero-knowledge architecture. This means the company has no access to your vault’s contents, your master password, or your Secret Key. Even if someone breached 1Password’s servers, the encrypted data would be useless without your credentials.

Authentication and Device Trust

When logging in, your device uses both your master password and the locally stored Secret Key to authenticate. This two-part credential system ensures that even if someone steals your password, they still can’t access your data without also having your device or backup of the Secret Key.

Integrity and Tamper Resistance

To ensure the data hasn’t been tampered with, each encrypted item includes message authentication codes (MACs). These codes verify the integrity of your vault’s contents and prevent attackers from inserting or altering data without detection.

Google Workspace

Google Workspace is more than just Gmail and Docs—it’s a platform built with security at its foundation. For those new to enterprise cloud tools, this article breaks down how your data is protected while using Google Workspace.

Encryption at Rest and in Transit

Google encrypts your data at rest and in transit by default. When you send an email, upload a file to Drive, or edit a document, that data is encrypted as it travels between your device and Google’s servers (using TLS, or Transport Layer Security). Once it reaches Google’s infrastructure, it’s encrypted again while stored on disk using AES-256 or AES-128, depending on the data type.

Zero Trust and Access Control

Google follows a Zero Trust model, which means no user or device is inherently trusted. Every request to access data is evaluated based on identity, device status, location, and more. Access to Google Workspace tools and data is gated through robust identity management, including 2-Step Verification, OAuth tokens, and Context-Aware Access.

Hardware-Level Security

Google’s data centers use custom security chips (Titan chips) and custom-built servers with verified boot processes to prevent firmware and boot-level attacks. Every layer of the stack—from hardware to application—is tightly controlled and monitored.

Data Isolation and Tenant Separation

If you’re wondering whether your organization’s data is ever mixed with others’: it’s not. Google Workspace uses logical data separation to keep each organization’s information siloed and isolated, even though it’s stored on shared infrastructure.

GitHub

GitHub is the most widely used platform for hosting and collaborating on code, but it’s also a platform with robust security architecture built to protect your source code, secrets, and workflows. Whether you’re a developer or just interacting with repositories occasionally, here’s how GitHub keeps your data safe.

Encryption in Transit and at Rest

All data sent to and from GitHub is encrypted using HTTPS and TLS. This includes repository content, credentials, API traffic, and webhooks. Once data reaches GitHub’s servers, it is encrypted at rest using AES-256 encryption, ensuring that even if disks were physically compromised, the data would remain unreadable without the encryption keys.

Zero Trust Architecture

GitHub adheres to Zero Trust principles, especially at the enterprise level. Every request to access resources is authenticated and authorized in context. Logs and audit trails allow admins to trace access, deployments, and actions, enhancing accountability and incident response.