How does encryption work?

FileVault 2 keeps all data on the hard drive secure with XTS-AES-128 data encryption at the disk level. The algorithm has been optimized for 512-byte blocks. The conversion from plaintext to ciphertext and back is performed on the fly with little impact on the user experience, because it runs at a lower priority.

One traditional usability obstacle with full disk encryption was that the end user had to authenticate twice: once to unlock the encrypted boot volume (POA), and a second time to log on to the user desktop.

However, this is no longer necessary. Users enter their password at the pre-boot logon, and the system initiates password-forwarding once the operating system is up and requests logon credentials. Password-forwarding eliminates the need for users to log on twice after a cold boot.

Users can reset their passwords at any time without re-encrypting the volume, because a multi-level key system is employed. The keys shown to users (for example logon keys and recovery keys) are derived encryption keys, so they can be replaced without changing the key that actually encrypts the data. The true volume encryption key is never given to a user.
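The following Python example is added here to illustrate that multi-level key system; it is not Apple's or FileVault's code. A random volume encryption key (VEK) encrypts the 512-byte sectors, and the only things stored alongside the data are two wrapped copies of the VEK: one under a key derived from the user's passphrase, one under a random recovery key. Changing the passphrase re-wraps the VEK and leaves every sector untouched. The standard library has no AES, so the `seal`/`unseal` helpers use an HMAC-SHA256 keystream with an HMAC tag as a constructed stand-in for AES-XTS and AES key wrap; the function names and the PBKDF2 round count are likewise assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

SECTOR_SIZE = 512          # the 512-byte block size the text mentions
PBKDF2_ROUNDS = 100_000    # constructed value for this illustration


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for AES, which is not in the stdlib."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC. Output is nonce || ciphertext || tag; aad is bound into the tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag first (constant-time), then decrypt; wrong key raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the user's passphrase; never stored on disk."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, dklen=32)


def create_volume(passphrase: str):
    """Return (volume, recovery_key). The VEK is wrapped twice and never handed out."""
    vek = secrets.token_bytes(32)
    recovery_key = secrets.token_bytes(32)   # shown to the user once, then forgotten here
    salt = secrets.token_bytes(16)
    volume = {
        "salt": salt,
        "user_slot": seal(derive_kek(passphrase, salt), vek),
        "recovery_slot": seal(recovery_key, vek),
        "sectors": {},   # sector number -> sealed 512-byte sector
    }
    return volume, recovery_key


def unlock_with_passphrase(volume, passphrase: str) -> bytes:
    return unseal(derive_kek(passphrase, volume["salt"]), volume["user_slot"])


def unlock_with_recovery_key(volume, recovery_key: bytes) -> bytes:
    return unseal(recovery_key, volume["recovery_slot"])


def passphrase_unlocks(volume, passphrase: str) -> bool:
    try:
        unlock_with_passphrase(volume, passphrase)
        return True
    except ValueError:
        return False


def write_sector(volume, vek: bytes, number: int, data: bytes) -> None:
    if len(data) != SECTOR_SIZE:
        raise ValueError("sector must be exactly 512 bytes")
    # The sector number is bound into the tag, much as the XTS tweak binds a
    # sector to its position, so a sector copied elsewhere fails to decrypt.
    volume["sectors"][number] = seal(vek, data, number.to_bytes(8, "big"))


def read_sector(volume, vek: bytes, number: int) -> bytes:
    return unseal(vek, volume["sectors"][number], number.to_bytes(8, "big"))


def change_passphrase(volume, old: str, new: str) -> None:
    """Re-wrap the VEK under a KEK derived from the new passphrase; no sector is touched."""
    vek = unlock_with_passphrase(volume, old)
    volume["salt"] = secrets.token_bytes(16)
    volume["user_slot"] = seal(derive_kek(new, volume["salt"]), vek)
```

The point to take from the example is the separation of concerns: `change_passphrase` rewrites only `user_slot`, so the cost of a password reset is one key derivation and one small re-wrap regardless of volume size, and the recovery slot keeps working because it wraps the same VEK.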

For further information on FileVault 2 see Apple Technical White Paper - Best Practices for Deploying FileVault 2 (Aug. 2012), which can be downloaded from the Apple website.