How to Encrypt Files on Mac (Built-in vs Third-Party)
July 4, 2026
Picking the wrong tool for your specific threat model can leave you with a false sense of security, so it's worth understanding the actual differences before deciding.
"How do I encrypt files on Mac" has more than one correct answer, because macOS offers several genuinely different encryption tools, each built for a different scope and use case. Choosing the wrong one for your actual need is a common mistake — here's a clear breakdown of what each option actually protects, and which one fits which situation.
Option 1: FileVault — full-disk encryption
FileVault (System Settings → Privacy & Security → FileVault) encrypts your Mac's entire startup disk using XTS-AES-128 encryption. It protects everything on your Mac, but only while the Mac is powered off, restarted, or locked with the screen requiring a password — once you're logged in, all your files are fully accessible, exactly as if FileVault weren't enabled at all. This is the right tool specifically for protecting against physical theft or loss of the device itself: if someone steals your Mac while it's shut down, FileVault prevents them from removing the drive and reading its contents on another machine. It does nothing to protect specific files from someone who's already logged into your account, whether that's another household member sharing the same login or an attacker who's compromised your active session.
Option 2: Encrypted disk images — for a specific folder or set of files
Disk Utility can create an encrypted .dmg disk image (File → New Image → Image from Folder, with 128-bit or 256-bit AES encryption selected), which behaves like a password-protected, mountable virtual drive. This is the right tool when you want a specific folder — not your entire disk — protected independently, accessible only when you enter its password to "mount" it, and locked again the moment you "eject" it. Unlike FileVault, this protects that specific content even from someone else logged into the same Mac account, since mounting requires the disk image's own separate password regardless of whether the Mac itself is unlocked.
Option 3: Password-protected archives — for sharing and portability
Compressing files into a password-protected ZIP or 7Z archive is the right tool specifically when you need to send protected content to someone else, or want a portable, cross-platform-compatible protected file rather than something tied to macOS specifically. Unlike an encrypted disk image (a Mac-specific format), a password-protected 7Z or ZIP opens on Windows, Linux, or any other platform with compatible extraction software, making it the correct choice whenever the protected content needs to leave your own Mac.
Option 4: App-level encryption for specific document types
Some apps offer their own built-in password protection for their specific file formats — Preview can add a password to a PDF, Pages and Numbers can password-protect their native documents. This is convenient when you're already working within that specific app and don't need a separate encryption step, but it's narrower in scope than the other options, applying only to that one file rather than a folder or arbitrary collection of files.
Choosing the right tool for your actual situation
- Protecting your whole Mac from theft: FileVault
- Protecting one specific folder from others with access to your logged-in Mac: encrypted disk image
- Sending protected files to someone else, or needing cross-platform compatibility: password-protected archive (ZIP or 7Z)
- Protecting a single document you're already working on in a specific app: that app's built-in password feature, if available
Can you combine these approaches?
Yes, and for genuinely sensitive data, layering protection is a reasonable practice rather than overkill. FileVault protecting your whole disk, combined with a password-protected 7Z archive for your most sensitive specific files, means an attacker would need to defeat both layers — physical access plus disk decryption, and then the archive's own independent password — rather than just one. This isn't necessary for everyday files, but for genuinely high-stakes data (legal case files, medical records, financial account details), defense in depth is a legitimate, low-cost additional precaution.
A realistic scenario: a small business owner handling client data
Picture a small business owner who stores client contracts and financial records on a laptop that travels between home, office, and client sites. FileVault protects against the laptop being lost or stolen while off. An encrypted disk image or password-protected archive for the specific client folder adds a second layer, protecting against someone else who might gain temporary access to an unlocked laptop — a shared coworking space, a moment left unattended in a client's office. And when specific documents need to go to a client or accountant, a password-protected 7Z archive handles that transfer securely, independent of whichever protection is already applied locally. Each layer addresses a genuinely different threat scenario, which is why using just one in isolation leaves real gaps.
Recovery: what happens if you lose access to each method
Each of these encryption methods handles lost credentials differently, worth knowing before you commit to one for something important. FileVault offers a recovery key generated during setup — store this somewhere safe, since without either your login password or this recovery key, FileVault-encrypted data is genuinely, permanently unrecoverable by design. Encrypted disk images have no built-in recovery mechanism at all; forgetting the password means the contents are lost with no official recourse, the same way a forgotten archive password is unrecoverable against properly implemented AES encryption. Password-protected archives behave identically — no backdoor, no recovery option beyond whatever you've separately saved in a password manager. This consistent "no recovery without the credential" pattern across all methods is a direct consequence of the encryption actually being strong; a recoverable backdoor would represent exactly the same weakness an attacker could exploit.
What none of these options protect against
It's worth being honest about the limits. None of these encryption methods protect against malware already running on your unlocked, logged-in Mac with access to your files in their decrypted state — encryption protects data at rest (while a device or archive is locked/off), not data actively being processed by software you're running. They also don't protect against phishing or social engineering that tricks you into voluntarily providing a password. Encryption is one layer of a broader security posture, not a complete solution on its own.
Understanding "at rest" versus "in use" encryption
This distinction, mentioned briefly above, is worth expanding on since it explains why encryption alone never fully solves security. "At rest" refers to data sitting on disk, unaccessed — this is exactly the state FileVault, encrypted disk images, and password-protected archives all protect, since the encryption is only meaningful while the data is locked and not being actively read or written. The moment you unlock FileVault by logging in, mount a disk image with its password, or extract a password-protected archive, that data transitions to "in use" — decrypted, readable, and no longer protected by that specific encryption layer for as long as it remains open or extracted. Understanding this transition matters practically: extracting a password-protected 7Z archive into a regular, unprotected folder means the extracted copy has none of the original archive's protection, even though the original archive file itself remains encrypted. If you need the extracted content to stay protected too, it needs its own separate encryption (an encrypted disk image, for instance) rather than assuming protection automatically carries over.
A note on cloud storage and encryption
A common point of confusion: many cloud storage services (iCloud Drive, Dropbox, Google Drive) encrypt data during transfer and while stored on their servers, but this is encryption the service itself controls and can technically access — it protects against external attackers intercepting the connection or breaching the storage provider's infrastructure, but doesn't protect against the provider itself, or anyone who compromises your account credentials, from accessing the actual content. For files where you specifically don't want even the cloud provider able to access the content, applying your own independent encryption (a password-protected archive, or an encrypted disk image) before uploading is the only way to ensure that layer of protection, since it doesn't depend on trusting the storage provider's own security practices or internal access policies.
Frequently asked questions
Is FileVault encryption slow or does it impact performance? Modern Macs with dedicated encryption hardware (all Apple Silicon Macs) show negligible performance impact from FileVault — this was a more meaningful concern on much older hardware without hardware-accelerated encryption.
If I forget my FileVault password, is my data permanently lost? Apple provides a recovery key option during setup specifically for this scenario — store it somewhere safe (a password manager, or Apple's iCloud-based recovery option) since without either the password or recovery key, the data is genuinely unrecoverable.
Do I need all four of these encryption methods, or is that excessive? For most personal use, FileVault alone plus occasional password-protected archives for sharing covers the realistic threat model. The full combination is worth it specifically for professionally sensitive data with genuine legal or financial stakes.
The bottom line
macOS's encryption options aren't redundant — each protects a genuinely different scope and threat scenario, from whole-disk theft protection to portable, shareable file security. Unzipr handles the portable, cross-platform layer with password-protected ZIP and 7Z archives, including AES-256 header encryption for 7Z when filenames themselves need to stay hidden, plus a Password Vault so you're never stuck choosing between strong passwords and passwords you can actually remember.