FileVault

Use the FileVault 2 (FileVault full-disk encryption) settings to encrypt the contents of a volume with XTS-AES-128.

The following table describes the FileVault 2 settings (policy setting: description):

Username: The user name of the Open Directory user that is added to FileVault.
Password: The password of the Open Directory user that is added to FileVault. Enable the User Enter Missing Information setting to prompt for this information.
Use Personal Recovery Key: A personal recovery key is created.
  • Show Personal recovery key: The personal recovery key is displayed to the user after FileVault is enabled.
Use Institutional Recovery Key: An institutional recovery key is created.
  • Certificate used for encryption: The certificate that is used to encrypt the recovery key.
  • Keychain used for recovery: The keychain created at /Library/Keychains/FileVaultMaster.keychain is used when the institutional recovery key is added.
  Note: An institutional recovery key is used for command-line activities such as unlocking a volume or disabling FileVault, and its use by organizations is restricted, particularly on recent Mac hardware and macOS versions. An institutional recovery key cannot be used to access recoveryOS, nor can the volume be unlocked by connecting it to another Mac. As a result, Apple does not encourage continued use of institutional recovery keys; use a personal recovery key instead.
Require user to unlock FileVault after hibernate: The user must unlock FileVault when the computer wakes from hibernation.
Path for recovery information storage: The location where the recovery key and computer information lists are stored. The recovery keychain file is written to the same path on the Mac as the path provided in the policy.
User Enter Missing Information: If the user name or password is missing, a prompt for it is displayed during manual profile installation.
Max Bypass Attempts: The maximum number of times a user can bypass enabling FileVault before FileVault must be enabled for the user to log in. If this value is 0, FileVault prompts for enablement at every login until it is enabled, although the user can still bypass the prompt. If this value is -1, this setting is disabled.
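The settings above are delivered to the Mac as a FileVault configuration profile payload. The script below is an added example (not the vendor's tooling and not code from this page) that translates the policy settings into such a payload, checks the Max Bypass Attempts semantics described above, and flags the configurations the note above warns against. The payload keys are those of Apple's com.apple.MCX.FileVault2 profile payload; the mapping from this page's setting names to those keys, and all identifiers and UUIDs, are assumptions or placeholders.

```python
"""Build and lint a FileVault 2 configuration-profile payload (added example)."""
import plistlib
import uuid

# Apple's FileVault profile payload type; the setting-to-key mapping below is assumed.
PAYLOAD_TYPE = "com.apple.MCX.FileVault2"


def describe_bypass_policy(max_bypass_attempts):
    """Return the enforcement behaviour a Max Bypass Attempts value selects."""
    if max_bypass_attempts == -1:
        return "disabled"
    if max_bypass_attempts == 0:
        return "prompt at every login until enabled"
    if max_bypass_attempts > 0:
        return f"prompt at login, enforce after {max_bypass_attempts} bypasses"
    raise ValueError("Max Bypass Attempts must be -1, 0, or a positive integer")


def build_filevault_payload(use_personal_key=True, show_personal_key=False,
                            institutional_cert_uuid=None, output_path=None,
                            user_enters_missing_info=True, max_bypass_attempts=0,
                            username=None, password=None):
    """Translate the policy settings from the table above into a payload dict."""
    describe_bypass_policy(max_bypass_attempts)  # rejects values below -1
    if not use_personal_key and institutional_cert_uuid is None:
        raise ValueError("configure a personal or an institutional recovery key")
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.filevault",   # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "FileVault 2",
        "Enable": "On",
        "Defer": True,                         # enable at the user's next login
        "UseRecoveryKey": use_personal_key,    # Use Personal Recovery Key
        "ShowRecoveryKey": show_personal_key,  # Show Personal recovery key
        "UserEntersMissingInfo": user_enters_missing_info,
        "DeferForceAtUserLoginMaxBypassAttempts": max_bypass_attempts,
    }
    if institutional_cert_uuid is not None:
        # Use Institutional Recovery Key: reference the certificate payload whose
        # public key wraps the recovery key (Certificate used for encryption).
        payload["PayloadCertificateUUID"] = institutional_cert_uuid
    if output_path is not None:
        payload["OutputPath"] = output_path  # Path for recovery information storage
    if username is not None:
        payload["Username"] = username
    if password is not None:
        payload["Password"] = password
    return payload


def lint_payload(payload):
    """Flag configurations the page's note warns about; returns a list of findings."""
    findings = []
    institutional = "PayloadCertificateUUID" in payload
    personal = payload.get("UseRecoveryKey", False)
    if institutional and not personal:
        findings.append("institutional recovery key only: Apple discourages this, "
                        "add a personal recovery key")
    if personal and not payload.get("ShowRecoveryKey", False) \
            and "OutputPath" not in payload:
        findings.append("personal recovery key is neither shown nor written to a "
                        "recovery information path; it may never be recorded "
                        "unless a separate escrow payload captures it")
    if "Password" in payload:
        findings.append("Password embedded in the profile; prefer User Enter "
                        "Missing Information so it is prompted for on the device")
    if payload.get("DeferForceAtUserLoginMaxBypassAttempts", -1) == -1:
        findings.append("Max Bypass Attempts is -1: enablement is never enforced")
    return findings


def to_mobileconfig(payloads):
    """Wrap payloads in a top-level profile and serialise it as XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.filevault.profile",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "FileVault policy",
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def parse_mobileconfig(data):
    """Read a serialised profile back into a dict (for round-trip checks)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    fv = build_filevault_payload(show_personal_key=True, max_bypass_attempts=3)
    for finding in lint_payload(fv):
        print("warning:", finding)
    print(to_mobileconfig([fv]).decode())
```

After the profile is installed and the user has enabled FileVault, `sudo fdesetup status` reports whether encryption is on, and `sudo fdesetup validaterecovery -personal` confirms that the personal recovery key on record actually unlocks the volume; both are standard macOS commands, not part of this page.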