rusl.net
Macintosh full disk encryption revisited
2016-04-10

I bought a new (used) Macintosh laptop and wanted to set it up with full disk encryption such that it had a disk password different to the login password for my user account. I wrote a tutorial about this in 2014 called Macintosh full disk encryption, but things have changed since I wrote that.

Starting with an unencrypted hard disk called MacintoshHD we first need to boot into the recovery partition of the computer. Do this by restarting the computer and holding down the command and R keys until the Apple logo appears. Release the keys and wait a moment. When the computer finally boots up from the recovery partition you are presented with several options in a dialog box in the middle of the screen titled OS X Utilities. Ignore this and instead select Utilities menu > Terminal.

Now you need to type in a command that takes your regular Journaled HFS+ volume (the hard disk of your computer called MacintoshHD) and converts it to an encrypted CoreStorage logical volume.
diskutil corestorage convert MacintoshHD -passphrase

Enter the desired disk password when prompted then wait a moment. Once the terminal says that encryption is in progress you’re good to restart the computer (Apple menu > Restart…). You’ll be prompted for the disk password followed by your username and password.

The disk is not fully encrypted at this point since the encryption is a background process. You can check the progress in the Apple menu > System Preferences > Security & Privacy > FileVault tab. No further action is necessary but you might want to leave the computer powered up until it finishes.
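
A terminal-side version of the progress check above, as an added example that is not part of the original post: it classifies the output of `diskutil cs list`. The function names are hypothetical, the sample output is constructed, and the field labels and values (`Conversion Status`, `Fully Secure`, `Complete`) are assumed to match what diskutil printed on OS X of this period.

```shell
#!/bin/sh
# Added example. On the Mac itself: diskutil cs list | encryption_state
# Assumption: the field labels and values below match diskutil's output.

# Constructed sample, trimmed to the Logical Volume Family section.
sample_cs_list() {
cat <<'EOF'
+-> Logical Volume Family 00000000-0000-0000-0000-000000000000
    ----------------------------------------------------------
    Encryption Status:       Unlocked
    Encryption Type:         AES-XTS
    Conversion Status:       Converting
    Conversion Direction:    forward
    Has Encrypted Extents:   Yes
    Fully Secure:            No
    Passphrase Required:     Yes
EOF
}

# Print the value of the first line carrying the given label.
cs_field() {
    sed -n "s/^[ |]*$1:[[:space:]]*//p" | head -n 1
}

# Read `diskutil cs list` text on stdin and print one of:
#   encrypted | in-progress (...) | not-corestorage
# Exit status: 0 encrypted, 1 still converting, 2 no CoreStorage volume found.
encryption_state() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | cs_field 'Conversion Status')
    secure=$(printf '%s\n' "$out" | cs_field 'Fully Secure')
    if [ -z "$status" ]; then
        echo "not-corestorage"
        return 2
    fi
    if [ "$status" = "Complete" ] && [ "$secure" = "Yes" ]; then
        echo "encrypted"
        return 0
    fi
    echo "in-progress ($status, fully secure: $secure)"
    return 1
}
```

Until the function reports `encrypted`, part of the volume is still stored in the clear, which is the reason for leaving the computer powered up until the conversion finishes.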