Sekura vs. FileVault: Why Full Disk Encryption Isn’t Enough
If you use a Mac, you likely have FileVault enabled. That is a good thing. In fact, it is an essential first step for digital hygiene. But there is a dangerous misconception among many Mac users that because FileVault is “on,” their data is completely secure.
Here is the reality: FileVault is designed to protect your hardware, not your specific files.
Think of your digital life like a physical house. FileVault is the heavy-duty lock on the front door. It stops strangers from getting in if the house is moved (i.e., your laptop is stolen and powered off). But once you unlock that front door—by logging into your Mac—every room, drawer, and safe in the house is wide open.
This is what security experts call the “Soft Center” problem. According to NIST Special Publication 800-111, “Full-disk encryption… is not a silver bullet. Once the user logs in… data is transparently available.”
To truly secure sensitive data, you need a safe inside the house. That is where File-Level Encryption (FLE) tools like sekura.app come in. While FileVault secures the device, Sekura secures the information itself, protecting it from theft, malware, and accidental sharing even when your computer is unlocked.
At-a-Glance: The Core Differences
If you are wondering why you need third-party encryption when macOS comes with built-in security, it comes down to scope and portability. FileVault handles the drive; Sekura handles the data.
| Feature | FileVault (FDE) | Sekura (FLE) |
|---|---|---|
| Encryption Type | Full Disk Encryption (FDE) | File/Folder Level Encryption (FLE) |
| Protection Scope | Entire Hard Drive | Specific Files & Folders |
| When it Protects | Only when powered off/locked | At all times (even when logged in) |
| Cloud Protection | None (files uploaded as plaintext) | Full (files remain encrypted in cloud) |
| Sharing | Cannot share encrypted state | Securely shareable (Cross-platform) |
| Technology | Proprietary Apple | Open Standard (AES-256) / Tauri Architecture |
Deep Dive 1: The “Logged-In” Vulnerability (Data at Rest)
The biggest limitation of FileVault is that it is transparent to the user. When you type your login password at startup, your Mac unlocks the entire drive and decrypts data transparently as it is read. From that moment until you shut down, your files are technically “at rest,” but they are completely readable by any application, script, or person with access to your machine.
This creates a massive window of vulnerability. IBM Security reports that it takes organizations an average of 292 days to identify and contain a data breach. If a hacker gains remote access to your logged-in Mac during those 292 days, FileVault does nothing to stop them from copying your documents, because the drive is already unlocked.
Consider the physical risks as well.
The “Coffee Shop” Scenario
Marcus, a freelance financial consultant, works from a busy coffee shop. He uses FileVault on his MacBook Pro. He steps away to grab a napkin, leaving his laptop open and logged in. In those few seconds, a thief snatches the device.
Because FileVault only protects data when the computer is powered off, the thief has immediate, full access to Marcus’s unencrypted client tax returns and bank statements. If Marcus had used sekura.app to encrypt those specific folders, the thief would still need a separate decryption key to open the sensitive files, even on the unlocked machine.
This is why relying solely on disk encryption is risky for freelancers and professionals. Sekura ensures that even if the physical perimeter is breached, the data itself remains locked.
Deep Dive 2: Data in Motion (Cloud & Sharing)
FileVault’s encryption is married to your specific hardware. It does not travel with your files. The moment you drag a file from your desktop to an email, Google Drive, or a USB stick, macOS automatically decrypts it.
This means your files are stored on cloud servers in plaintext (readable by the cloud provider) or sent over the internet without protection. As the International Association of Privacy Professionals (IAPP) notes, “Encryption of data at rest does not protect data in transit.”
The Shared Dropbox Link
Dr. Elena Vance needs to send a patient’s diagnostic history to a specialist. She relies on FileVault for her office Mac, but when she uploads the PDF to a shared Dropbox folder, the encryption is stripped away. If her Dropbox account is compromised, the patient data is exposed.
By using sekura.app, Elena could encrypt the individual file before uploading. The specialist receives a secure container that remains encrypted in the cloud and during transit, only unlocking with the specific passkey.
Furthermore, FileVault creates compatibility silos. If you encrypt a USB drive with Apple’s tools, a Windows user cannot read it.
The Cross-Platform Contractor
Liam is a developer on a Mac working with Sarah, who uses Windows. Liam cannot send Sarah a FileVault-encrypted drive because her OS cannot read it. He is forced to decrypt the code to send it, leaving it vulnerable.
Because sekura.app is built on the modern Tauri/Rust architecture, it is lightweight and cross-platform. Liam can create a securely encrypted archive that Sarah can decrypt on her Windows machine instantly, maintaining security across different operating systems.
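The "encrypt the individual file before uploading" idea from the scenarios above, shown as an added example in Node.js. It is not Sekura's code or container format, neither of which this page describes. The scrypt parameters, the `FLE1` header layout and the function names `sealFile` and `openFile` are assumptions made for illustration.

```javascript
// Added illustration: generic passphrase-based file-level encryption.
// NOT Sekura's code or container format; the layout below is an assumption.
const crypto = require('crypto');

const MAGIC = Buffer.from('FLE1');            // constructed 4-byte format tag
const SALT_LEN = 16, NONCE_LEN = 12, TAG_LEN = 16;
// 128 * N * r = 32 MiB of scrypt memory, so raise Node's default maxmem.
const SCRYPT = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Stretch the passphrase into a 256-bit key; the salt travels in the container.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32, SCRYPT);
}

// Returns MAGIC | salt | nonce | tag | ciphertext as one Buffer.
function sealFile(plaintext, passphrase) {
  const salt = crypto.randomBytes(SALT_LEN);
  const nonce = crypto.randomBytes(NONCE_LEN);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), nonce);
  cipher.setAAD(MAGIC);                       // bind the header to the ciphertext
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([MAGIC, salt, nonce, cipher.getAuthTag(), body]);
}

// Throws on a wrong passphrase or on any modification of the container.
function openFile(container, passphrase) {
  if (container.length < MAGIC.length + SALT_LEN + NONCE_LEN + TAG_LEN ||
      !container.subarray(0, MAGIC.length).equals(MAGIC)) {
    throw new Error('not a recognised container');
  }
  let off = MAGIC.length;                     // walk the fixed-size header fields
  const salt = container.subarray(off, off += SALT_LEN);
  const nonce = container.subarray(off, off += NONCE_LEN);
  const tag = container.subarray(off, off += TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), nonce);
  decipher.setAAD(MAGIC);
  decipher.setAuthTag(tag);                   // GCM verifies integrity in final()
  return Buffer.concat([decipher.update(container.subarray(off)), decipher.final()]);
}
```

Because opening the container needs only its bytes and the passphrase, the same file can sit in a cloud folder or move to another operating system and remain ciphertext until someone who knows the passphrase opens it.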
Deep Dive 3: Compliance & Ransomware Defense
For professionals in healthcare, finance, or law, the stakes are financial and legal. “Good enough” security often fails compliance audits.
In the healthcare sector, the American Medical Association (AMA) warns that penalties for “Willful Neglect” of HIPAA standards can range from $50,000 to $1.5 million annually. Crucially, leaving patient files unencrypted on a logged-in device (relying only on FileVault) can be interpreted as a violation if that device is accessed by unauthorized personnel.
The costs of failure are staggering. According to IBM’s 2024 report, the average cost of a healthcare data breach has hit $9.77 million.
Beyond theft, there is the threat of extortion. Verizon’s 2025 Data Breach Investigations Report indicates that 44% of breaches now involve ransomware.
FileVault cannot distinguish between you opening a file and a ransomware script opening a file. If you are logged in, ransomware can read, steal, and lock your data. However, files encrypted with Sekura are opaque blobs of data to the operating system. Ransomware cannot access the content of a Sekura-encrypted file to threaten you with exposure, adding a vital layer of immunity against extortion.
For more on protecting sensitive medical data, read our guide on healthcare data security.
Usability Battle: Native Tools vs. Sekura
Advanced Mac users might point out that you can create encrypted folders using Apple’s native “Disk Utility.” While true, this process is fraught with friction.
To use Disk Utility, you must:
- Open the app and navigate through menus to “New Image from Folder.”
- Select specific encryption settings (AES-128 vs 256).
- Define a fixed file size (which you cannot easily change later).
- Mount and unmount the virtual drive every time you want to use it.
This complexity creates a barrier. When security is difficult, users skip it.
sekura.app was built to close this usability gap. It uses a drag-and-drop interface that feels native to macOS but handles the complex cryptography in the background. You don’t need to understand partition sizes or disk images. You simply drag your files in, set a password, and you are done. It offers the strength of AES-256 encryption without the technical headache of legacy tools.
Verdict: When to Use Which?
The debate between Sekura and FileVault isn’t about choosing one over the other. It is about implementing “Defense in Depth”—a core concept championed by CISA (Cybersecurity & Infrastructure Security Agency).
You should use FileVault to:
- Protect your physical device from theft or loss.
- Ensure basic operating system security.
- Prevent someone from wiping your password and logging in.
You should use Sekura to:
- Protect specific sensitive files (tax returns, IP, patient records).
- Share data securely via cloud or email.
- Defend against malware and ransomware while you are logged in.
- Collaborate with Windows users without decrypting data.
FileVault protects the machine. Sekura protects the data. To be truly secure, you need both.
Frequently Asked Questions
Does FileVault protect my files if I leave my Mac logged in?
No. Once you log in to your Mac, FileVault decrypts your drive so you can access your files. This means anyone who accesses your computer while it is awake—whether a thief or malware—can read your data.
Can I share a FileVault-encrypted folder with a Windows user?
No. FileVault is proprietary to macOS. If you send a FileVault-encrypted drive to a Windows user, they will not be able to read it. You need file-level encryption like Sekura to share encrypted data across different operating systems.
Does FileVault encrypt files uploaded to Google Drive?
No. When you upload a file to Google Drive, Dropbox, or iCloud, macOS decrypts the file as it leaves your computer. The file is stored on the cloud provider’s server in a way that they (or hackers who breach them) can access.
Is FileVault enough for HIPAA compliance?
It depends. FileVault satisfies requirements for “Device Encryption,” but it often fails requirements for “Data Transmission” and access control. If you email patient records or share them via the cloud, FileVault does not protect that data, potentially leading to a violation.
Protect your files with sekura.app
AES-256 encryption for your sensitive files. Simple drag-and-drop interface, works on Mac and Windows.