macos · level 2

Encrypted Volumes

FileVault, APFS volumes, encrypted DMGs, and encrypted externals — which protects what.

macOS gives you four encryption tools, and they solve four different problems. Picking the wrong one leaves you with either less protection than you think or so much friction that you stop using it.

Analogy

Think about physical valuables. FileVault is locking the front door of your entire house — everything inside is protected the moment you leave, but once you're home and unlocked, every room is open. An APFS encrypted volume is a bolted strongbox inside a bedroom closet: even while you're home and walking around, the strongbox stays locked until you work the combination separately. An encrypted DMG is a sealed, tamper-evident courier envelope — perfect for mailing one specific stack of documents to a recipient, but you wouldn't use it as your daily planner since you have to unseal and re-seal it every time. An encrypted external drive is a locked briefcase you carry on the train: it protects its contents regardless of which house the briefcase is currently in.

FileVault — the whole disk

FileVault encrypts the entire startup volume. When the Mac is off, the contents are unreadable; when you log in, macOS uses your password to unwrap the volume key and mounts the disk transparently. Every file is encrypted at rest: yours, other users', /tmp, swap. The flip side matters just as much: once any FileVault-enabled user has logged in, the volume stays unlocked until shutdown, and every process on the machine reads it in the clear. FileVault defends against someone who has the hardware, not against malware running inside your session.

sudo fdesetup enable          # turn it on; prints a recovery key, save it before you close the window
fdesetup status               # is it on?
fdesetup list                 # which users can unlock the disk at boot

Turn this on. If your Mac is ever lost, stolen, or sent for recycling with a failed drive, FileVault is what keeps your data out of the wrong hands.

APFS encrypted volume — a single partition

An APFS container holds multiple volumes, and each volume can be encrypted with its own passphrase, independent of FileVault. Use one when you want a volume for work, side projects, or financial records that stays locked until you unlock it separately, even though FileVault already unlocked the startup volume when you logged in. Locking it again (eject it in Finder, or run `diskutil apfs lockVolume`) drops the key and the volume goes dark without a reboot.

# Add a new encrypted volume to the internal container
# (disk1 here; on Apple silicon it is often disk3, check with: diskutil list)
diskutil apfs addVolume disk1 APFS "Work" -passprompt

# Encrypt an existing volume in place (runs in the background; prompts for the passphrase)
diskutil apfs encryptVolume disk1s4 -user disk

# Confirm a disk user now holds a wrapping of the volume key, then lock it
diskutil apfs listCryptoUsers disk1s4
diskutil apfs lockVolume disk1s4

This also gives you separate-passphrase access on a shared family Mac without creating another user account. Two caveats: an unlocked volume is mounted system-wide, so set ownership and permissions on it as you would on any folder, and when Finder offers to remember the passphrase in your keychain, decline, or the volume will unlock itself for anyone who gets into your login.

Encrypted DMG — a portable file

A .dmg is a disk image: a single file that mounts like a volume. In Disk Utility choose File → New Image → Image from Folder, pick an encryption level (AES-256) and the "read/write" image format, and you get a file you can email, drop in Slack, or share via Dropbox. The recipient double-clicks it, enters the password, and it appears in Finder like any other drive. Send the password over a different channel than the file; a DMG and its password in the same Slack thread protect nothing.

# hdiutil prompts for the passphrase; -size is optional with -srcfolder but gives
# a read/write image room to grow beyond the source folder's current size
hdiutil create -encryption AES-256 -srcfolder ~/Confidential \
  -format UDRW -size 100m -volname Confidential ~/Desktop/confidential.dmg

# Opening and closing it from the CLI (Finder does the same on double-click / eject)
hdiutil attach ~/Desktop/confidential.dmg
hdiutil detach /Volumes/Confidential

Great for sharing. Terrible as a personal working directory: the image has to be ejected before the file is consistent enough to copy, sync, or send, so every change means mount, edit, eject. One more thing to know before you reuse an image: deleting files inside it does not scrub them from the image, so hand a recipient a freshly created DMG rather than one that once held something they should not see.

Encrypted external drive

Plug in a USB stick, select it in Finder, right-click and choose Encrypt. macOS converts it to an APFS Encrypted volume and asks for a password. The menu item only appears if the stick uses a GUID partition map; a stick shipped with an MBR layout has to be erased as GPT in Disk Utility first, so back it up before you start. Afterwards the drive stays locked between sessions and will not mount on any Mac without that password (and, being APFS, will not mount on Windows or Linux at all).

Or from the CLI:

# Erase the whole stick as a GPT-partitioned APFS volume named MyStick
# (this destroys everything on disk4; check the identifier first with: diskutil list)
diskutil eraseDisk APFS MyStick GPT disk4

# Encrypt the new volume; runs in the background and prompts for the passphrase
diskutil apfs encryptVolume /Volumes/MyStick -user disk

# Watch progress and confirm it finished
diskutil apfs list

This is orthogonal to FileVault. Encrypting an external doesn't touch the internal drive; enabling FileVault doesn't protect USB sticks.
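The three volume-level tools above (FileVault, a separately keyed APFS volume, an encrypted external) all show up in the same place: the per-volume encryption flags that diskutil reports. The script below is an added example, not code from the original page, that audits them at once. It parses the plist printed by `diskutil apfs list -plist` and reports, per volume, whether it is FileVault-managed, separately keyed, currently locked, or not encrypted at all. The key names it reads (Containers, Volumes, DeviceIdentifier, Name, Roles, Encryption, FileVault, Locked) are what I recall diskutil emitting on current macOS; confirm them against `diskutil apfs list -plist` on your own Mac before relying on the output. Off macOS it runs against the constructed sample embedded in the file.

```python
#!/usr/bin/env python3
"""Which of my APFS volumes are actually encrypted, and which are open right now?

Added example. The plist key names are assumed from memory of diskutil's
output; verify them with `diskutil apfs list -plist` before trusting a real run.
"""
import platform
import plistlib
import subprocess
import sys

# Constructed sample of `diskutil apfs list -plist`, trimmed to the keys the audit
# needs: an internal container with FileVault on plus a separately keyed "Work"
# volume, and an external stick that was never encrypted.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Containers</key><array>
<dict><key>ContainerReference</key><string>disk3</string><key>Volumes</key><array>
 <dict><key>DeviceIdentifier</key><string>disk3s1</string><key>Name</key><string>Macintosh HD</string>
  <key>Roles</key><array><string>System</string></array>
  <key>Encryption</key><true/><key>FileVault</key><true/><key>Locked</key><false/></dict>
 <dict><key>DeviceIdentifier</key><string>disk3s2</string><key>Name</key><string>Preboot</string>
  <key>Roles</key><array><string>Preboot</string></array>
  <key>Encryption</key><false/><key>FileVault</key><false/><key>Locked</key><false/></dict>
 <dict><key>DeviceIdentifier</key><string>disk3s5</string><key>Name</key><string>Data</string>
  <key>Roles</key><array><string>Data</string></array>
  <key>Encryption</key><true/><key>FileVault</key><true/><key>Locked</key><false/></dict>
 <dict><key>DeviceIdentifier</key><string>disk3s7</string><key>Name</key><string>Work</string>
  <key>Roles</key><array/>
  <key>Encryption</key><true/><key>FileVault</key><false/><key>Locked</key><true/></dict>
</array></dict>
<dict><key>ContainerReference</key><string>disk5</string><key>Volumes</key><array>
 <dict><key>DeviceIdentifier</key><string>disk5s1</string><key>Name</key><string>MyStick</string>
  <key>Roles</key><array/>
  <key>Encryption</key><false/><key>FileVault</key><false/><key>Locked</key><false/></dict>
</array></dict>
</array></dict></plist>
"""

# Boot helper volumes that macOS leaves unencrypted on purpose; not a finding.
EXPECTED_PLAIN_ROLES = {"Preboot", "Recovery"}


def audit(plist_bytes: bytes) -> dict:
    """Return {device: {name, roles, state, note}} for every APFS volume in the plist."""
    report = {}
    for container in plistlib.loads(plist_bytes).get("Containers", []):
        for vol in container.get("Volumes", []):
            dev = vol["DeviceIdentifier"]
            roles = list(vol.get("Roles", []))
            encrypted = bool(vol.get("Encryption", False))
            filevault = bool(vol.get("FileVault", False))
            locked = bool(vol.get("Locked", False))
            if not encrypted and EXPECTED_PLAIN_ROLES & set(roles):
                state, note = "expected-plain", "boot helper volume, unencrypted by design"
            elif not encrypted and {"System", "Data"} & set(roles):
                state, note = "unencrypted", "startup volume without FileVault: run sudo fdesetup enable"
            elif not encrypted:
                state, note = "unencrypted", "plain volume: anyone holding the disk can read it"
            elif filevault:
                state, note = "filevault", "unlocked at login; protected only while the Mac is shut down"
            elif locked:
                state, note = "locked", "separately keyed volume, currently locked"
            else:
                state, note = "unlocked", "separately keyed volume, mounted and readable by every local process"
            report[dev] = {"name": vol.get("Name", "?"), "roles": roles, "state": state, "note": note}
    return report


def run_diskutil() -> bytes:
    """Ask macOS for the live picture (only works on Darwin)."""
    return subprocess.run(["diskutil", "apfs", "list", "-plist"],
                          check=True, capture_output=True).stdout


def main() -> None:
    data = run_diskutil() if platform.system() == "Darwin" else SAMPLE_PLIST
    report = audit(data)
    for dev, info in report.items():
        flag = "!!" if info["state"] in ("unencrypted", "unlocked") else "  "
        print(f"{flag} {dev:8s} {info['name']:14s} {info['state']:15s} {info['note']}")
    # Non-zero exit when something is unencrypted, so this can gate a provisioning script.
    sys.exit(1 if any(i["state"] == "unencrypted" for i in report.values()) else 0)


if __name__ == "__main__":
    main()
```

The "unlocked" state is the one people forget: an APFS volume you keyed separately but left mounted is, right now, no better protected than the rest of the disk, which is exactly the strongbox-left-open case from the analogy.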

Picking the right one

Use case                                                            Tool
Protect everything on my Mac if it's stolen                         FileVault
Share confidential files with a specific recipient                  Encrypted DMG
Travel with sensitive files on a USB stick                          Encrypted external drive
Keep one folder on my internal drive locked even while logged in    APFS encrypted volume

Where the key actually lives

FileVault uses your login password to unwrap a volume encryption key whose wrapped copy lives on disk. If you change your login password, the volume key stays the same; only its wrapping changes, which is why the change is instant and nothing has to be re-encrypted. The recovery key is a second wrapping of that same key, so either credential unlocks the disk, and you can rotate it with `sudo fdesetup changerecovery -personal`. If you lose both password and recovery key, the data is gone. There is no backdoor.

Enterprise deployments use MDM to escrow the recovery key (or to set an institutional one) so IT can unlock a FileVault-protected Mac after an employee leaves or forgets the password. At home, treat the recovery key like any other irreplaceable credential: put it in 1Password or a safe, not in a note stored on the same Mac it unlocks.
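To make the wrapping structure concrete, here is an added example, not from the original page and not FileVault's on-disk format: the wrapping and data ciphers are HMAC-SHA256 keystreams from the Python standard library, standing in for the AES key wrap and AES-XTS that macOS actually uses, and PBKDF2 stands in for however the Secure Enclave derives the key-encryption key. The credentials and the "ledger" block are constructed sample data. What the model demonstrates is exactly the section's claim: one random volume key, several wrappings of it (user password, recovery key), a password change that rewraps without touching the data, and no way in once every wrapping is unreachable.

```python
"""Model of FileVault-style key wrapping (added example; not Apple's format)."""
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000   # lowered to keep the demo quick; use far more in real code


def derive_kek(secret: bytes, salt: bytes) -> bytes:
    """Key-encryption key from a password or recovery key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, KDF_ITERATIONS, dklen=32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic pad from HMAC(key, nonce || counter); stands in for AES here."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap(kek: bytes, vek: bytes) -> bytes:
    """Encrypt-then-MAC the volume key under a KEK. Layout: nonce || ct || tag."""
    nonce = os.urandom(16)
    ct = xor(vek, keystream(kek, nonce, len(vek)))
    tag = hmac.new(kek, b"wrap" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Recover the volume key; raises on a wrong KEK (wrong password) or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"wrap" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad passphrase or corrupted key wrapper")
    return xor(ct, keystream(kek, nonce, len(ct)))


def encrypt_block(vek: bytes, block_no: int, data: bytes) -> bytes:
    """Data at rest: each block keyed by the volume key plus its position (XTS-style tweak)."""
    return xor(data, keystream(vek, b"blk" + block_no.to_bytes(8, "big"), len(data)))


decrypt_block = encrypt_block   # stream construction, so the same operation both ways


class Volume:
    """Stores only wrapped copies of the volume key, one per credential slot."""

    def __init__(self, password: bytes, recovery_key: bytes):
        vek = os.urandom(32)            # the real key: generated once, never stored in clear
        self.slots = {}                 # slot name -> (salt, wrapped key)
        for name, secret in (("user", password), ("recovery", recovery_key)):
            salt = os.urandom(16)
            self.slots[name] = (salt, wrap(derive_kek(secret, salt), vek))

    def unlock(self, secret: bytes) -> bytes:
        """Try every slot; any one valid credential yields the same volume key."""
        for salt, blob in self.slots.values():
            try:
                return unwrap(derive_kek(secret, salt), blob)
            except ValueError:
                continue
        raise PermissionError("no slot accepts this secret")

    def change_password(self, old: bytes, new: bytes) -> None:
        """Rewrap the same volume key under the new password; the data is untouched."""
        salt, blob = self.slots["user"]
        vek = unwrap(derive_kek(old, salt), blob)
        new_salt = os.urandom(16)
        self.slots["user"] = (new_salt, wrap(derive_kek(new, new_salt), vek))


def demo() -> dict:
    """Walk through the section's claims with constructed credentials and return what held."""
    vol = Volume(b"hunter2", b"ABCD-EFGH-IJKL-MNOP")
    vek_before = vol.unlock(b"hunter2")
    ciphertext = encrypt_block(vek_before, 7, b"ledger.xlsx contents")
    vol.change_password(b"hunter2", b"correct horse battery staple")
    vek_after = vol.unlock(b"correct horse battery staple")
    try:
        vol.unlock(b"hunter2")
        old_password_works = True
    except PermissionError:
        old_password_works = False
    return {
        "vek_unchanged": vek_before == vek_after,
        "old_data_readable": decrypt_block(vek_after, 7, ciphertext) == b"ledger.xlsx contents",
        "recovery_key_works": vol.unlock(b"ABCD-EFGH-IJKL-MNOP") == vek_before,
        "old_password_works": old_password_works,
    }


if __name__ == "__main__":
    for claim, holds in demo().items():
        print(f"{claim:20s} {holds}")
```

Losing every credential means losing every slot, and with no slot there is nothing to unwrap: the ciphertext is still there, and still useless. MDM escrow in the model is just a third slot whose secret IT holds.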

Why this matters

Encryption is one of the few places where "good enough" and "wrong" look identical. A USB stick "encrypted" with a zip password (the legacy ZipCrypto scheme, or AES with a short password) falls to a GPU in minutes. FileVault's AES-XTS, run in the dedicated AES engine of a T2 or Apple silicon Mac, is not the part that breaks: the Secure Enclave ties the key to that hardware and throttles guessing, so the weak point that remains is the password you chose. Know what you're turning on and what it actually protects.