Using encryption on Mac
The Encryption module provides full disk encryption on your Mac through policies applied by your security administrator. The security agent operates FileVault to encrypt the Mac’s boot drive and the diskutil command-line utility to encrypt any non-boot drive. Removable drives are not encrypted.
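The following audit helper, added here and not part of Bitdefender's product or documentation, checks a Mac against the state this module is meant to produce: boot drive protected by FileVault, every fixed non-boot volume encrypted, removable drives out of scope. The `diskutil info` field names (`Removable Media`, `FileVault`, `Encrypted`) and the `fdesetup status` wording are assumptions about those tools' output, and the sample texts are constructed.

```python
"""Audit volume encryption state against the policy described on this page."""
import os
import re
import subprocess
import sys

# Constructed sample output, modelled on `diskutil info` and `fdesetup status`.
# Field names are assumptions; real wording varies by filesystem and macOS version.
SAMPLE_VOLUMES = {
    "Projects": "   Volume Name:      Projects\n   Removable Media:  Fixed\n   FileVault:        Yes\n",
    "Scratch":  "   Volume Name:      Scratch\n   Removable Media:  Fixed\n   FileVault:        No\n",
    "Backup":   "   Volume Name:      Backup\n   Removable Media:  Removable\n   Encrypted:        No\n",
}
SAMPLE_FDESETUP = "FileVault is On."


def parse_diskutil_info(text):
    """Turn the 'Key:   Value' lines of `diskutil info <volume>` into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s+(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def volume_status(fields):
    """'exempt' for removable media (the policy skips it), else 'encrypted' or 'UNENCRYPTED'."""
    if fields.get("Removable Media", "").lower() == "removable":
        return "exempt"
    # APFS volumes report 'FileVault: Yes/No'; CoreStorage/HFS+ volumes report 'Encrypted: Yes/No'.
    flag = fields.get("FileVault", fields.get("Encrypted", "No"))
    return "encrypted" if flag.startswith("Yes") else "UNENCRYPTED"


def audit(fdesetup_status, volumes):
    """Return {volume: status}; the boot drive is judged from `fdesetup status` alone."""
    report = {"<boot>": "encrypted" if fdesetup_status.startswith("FileVault is On") else "UNENCRYPTED"}
    for name, text in volumes.items():
        report[name] = volume_status(parse_diskutil_info(text))
    return report


def live_inputs():
    """On a real Mac, collect the same inputs from fdesetup and diskutil (hypothetical helper)."""
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    volumes = {n: run("diskutil", "info", "/Volumes/" + n) for n in os.listdir("/Volumes")}
    return run("fdesetup", "status"), volumes


if __name__ == "__main__":
    status, vols = live_inputs() if sys.platform == "darwin" else (SAMPLE_FDESETUP, SAMPLE_VOLUMES)
    for name, result in audit(status, vols).items():
        print(f"{name:12s} {result}")
```

Volumes reported as UNENCRYPTED are the ones for which a user has kept dismissing the prompts described below, or for which the policy never applied.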
Encrypting volumes
When an encryption policy is applied on your Mac:
For boot drives:
A dialog window prompts you to enter your system username and password.
Click the OK button. The encryption process starts immediately.
If you click the Not now option, the encryption process is postponed, but the dialog window will reappear after a while and will continue to appear as long as the encryption policy is active on the Mac.
After the Encrypt with FileVault window closes, an additional window asks for your approval to let Bitdefender Endpoint Security Tools (shown as "fdesetup") enable FileVault.
Click the OK button to start encryption.
If you click Don't Allow, Bitdefender Endpoint Security Tools will not start encryption and will ask for your approval again every couple of minutes.
Note
On dual-boot systems, the other boot volume will not be encrypted.
For non-boot drives:
A dialog window prompts you to configure a dedicated password to encrypt each drive. This password is needed only to unlock that specific non-boot drive.
Click the Save button. The encryption process starts immediately.
If you click the Dismiss option, the encryption process is postponed. The dialog window will reappear after a while and will continue to appear as long as the encryption policy is active on the Mac.
If the Mac has more than one drive, the encryption dialog windows for all drives appear at the same time.
Decrypting volumes
When a decryption policy is applied on your Mac:
For boot drives:
A dialog window prompts you to enter your system username and password.
Click the OK button. The decryption process starts immediately.
For non-boot drives:
A dialog window prompts you to enter the encryption password.
Click the Save button. The decryption process starts immediately.
If you click the Dismiss option, the decryption process is postponed. The dialog window will reappear after a while and will continue to appear as long as the encryption policy is active on the Mac.
If the Mac has more than one drive, the decryption dialog windows for all drives appear at the same time.
Changing the recovery key
After the encryption process starts, Bitdefender Endpoint Security Tools sends a recovery key to the security administrator's management console. The recovery key lets your security administrator unlock the drives if you forget your login credentials or the encryption passwords, or if the Mac has another user who cannot access one of the drives.
You can change the recovery key for the boot drive without needing to change your login credentials.
To change the encryption recovery key for the boot drive:
Click the encrypted boot drive in the main window of Bitdefender Endpoint Security Tools.
Click the Change recovery key option.
Enter your system username and password.
Click the Save button.
The option to change the recovery key is only available if an encryption policy is applied to your Mac.
If you change your system password, the encrypted boot drive is unaffected and no action is required from you.
Changing the encryption password
You can change the encryption password for non-boot drives from the BEST user interface. After changing the password, Bitdefender Endpoint Security Tools will send a new recovery key to the security administrator’s management console.
To change the encryption password for a non-boot drive:
Click the encrypted disk name in the main window of Bitdefender Endpoint Security Tools.
Click the Change password option.
In the Change encryption password window, configure the new password.
Click the Save button.
The option to change the encryption password is only available if an encryption policy is applied to your Mac.
Note
The Encryption module bypasses the silent mode on macOS. Therefore, even if you disable notifications in the policy active on endpoints, users will still be prompted to take action when required.