Turn off Mac after use?

This might sound silly, but let’s see which school is yours. Do you turn off your Mac after use/work?

I use MacBooks (Pro for work and 12” Retina for travel). I always turn them off when transporting them (they both travel to and from work with me each day): Filevault depends on the machines being powered down to be completely effective.

Please clarify what you mean by this statement.

I don’t know if it’s the case with Macs that have T2 chips, but for others the encryption keys are stored in RAM when a drive is unlocked. It is (at least in theory) not impossible to recover those keys from a running, but sleeping computer.

The chance that this would happen is small, but it makes the difference between my being able to say that a stolen computer has a fully encrypted drive and the data on it cannot* be accessed and it’s probably okay but we can’t be sure.

(*As always, flaws in cryptographic systems, or their implementations, or weak passphrasses/secrets can weaken the “cannot” assertion, but that’s always the case for any cryptographically protected data)

Please clarify what you mean by this statement.

Was I not clear enough? If a machine is not powered down, it’s possible (at least in theory) to read the contents of the drive, even if Filevault has been enabled.

Don’t feel inclined to Google for the details, but if you statement would be true, that would be a major design flaw and security issue. So I seriously doubt it. FileVault encrypts the data on your disk. That encryption is active whether you Mac is powered on or off.

To get back to the topic. I only switch my machine off if I’m not using it for a longer period of time, let’s say 24 hours. Besides, I don’t have an on/off switch in my current setup (MBP in clamshell mode) so it’s a bit of a hassle to power it on: pulling plugs, opening the lid, etc. But even my previous Mini was basically on all the time.

It’s not really a design flaw; it’s a property of software based full-disk encryption systems: the keys have to be available in RAM when the system is on. There are methods to retrieve them if the system isn’t turned off completely. They are (at the very least) highly non-trivial, and require physical access to the computer.

And on-topic, my MBP is docked, locked, and left running even as write this on my iPad :slight_smile:

1 Like

I hope you will not find this remark rude, but if I felt you were clear enough I wouldn’t have asked for clarification.

If I understand your argument, you are referring to the feature that requires a password to “unlock" (if that is the correct term) the disc when the machine is powered up.

I submit that there are highly non-trivial methods, requiring physical access to the machine, that can be employed to read the disc with or without this feature.

In short, I believe that if a sufficiently motivated individual has physical access to your machine for an extended period of time, you should consider your data to be completely compromised and take steps accordingly.

On topic, I power my iMac down only when I am not going to be using it for an extended period and I am going to be physically absent.

We’ll leave the question of my opinion on civility for a different time :slight_smile:

The purpose of encryption is to make the cost of unauthorized access exceed the value of the data. Well designed and implemented cryptographic systems have that property.

Attacks on a locked, but running (or sleeping) computer bypass the protections offered by encryption. They are feasible, at least to well motivated adversaries. Attacks on FileVault due to flaws in its implementation are also feasible, but far less likely, and currently not publicly known. Attacks on AES based on its design are far, far, far less likely, but history tells us that will probably not be the case forever.

If you care enough about the data on your computer to turn on FileVault, you should probably turn off the computer when there is a reasonable risk of its falling into the wrong hands.

We don’t have to agree, but that is advice that I give to those who pay me to give it, and I am far from alone in holding that opinion among those who’s job is is to hold such opinions.


Source? Where did you pick that up?

I think he is referring to a so called Cold Boot Attack, see for details on TechCrunch.

Despite this highly theoretical attack I don’t shutdown my MacBook Air. I let it sleep by closing the lid. I don’t do this with my iMac, during weekdays I shut it down when I go to bed and the next day, when I come back from work I restart it again. When I’m not away from home in the weekends I also let my iMac sleep after use.

Yeah, cold boot attacks are one method (and they’re not only theoretical). There’s also a history of DMA based attacks, the most recent publicly known of which was published only 2 years ago (and fixed with a MacOS update).

Anyway, the question was whether or not we shut down our machines and my answer was that I do when I transport them. That’s my main reason for doing so.

My old Mini runs 24x7. It is primarily used to sync files, run backups, etc. Sensitive data is kept offline or in encrypted sparsebundles.

At work I had some that were used as email servers, etc. that ran for years with only the occasional reboot for updates.


My MBP is usually clamshelled, so I just leave it on and let it sleep. I turn it off maybe a couple of times a year, for reasons I can’t recall - maybe going on a trip. It also occasionally runs down, like when I’m teaching a lab.

1 Like

My iMac is always on (sleeping when not in use). I find it extremely useful as I can use Screens to remote back into my iMac from my iPad whenever I need to. Zero desire to ever shut down my iMac.


I shut all my machines down at night every day. Also shut the portable down if I am moving it from place to place

FileVault’s potential vulnerability has been well-known for years. Whether or not its a realistic concern is debatable, like pretty much everything security related.

The issue is that the drive is decrypted on boot, so when it’s put to sleep, it is not encrypted.

There is a way to have the Mac “throw away” the decryption key on sleep, which should mitigate the problem.

From 2013:

See also (from 2014):

If the T2 chip does change this, I haven’t heard of it (which isn’t conclusive proof of anything, of course).

1 Like

My iMac is only being shut down when I go on a trip for more than two days,

Same here. I’ll shut my iMac down if I’m going to be traveling. Otherwise it runs 24/7.

The Mac mini that functions as my work desktop gets shut down every weekend.