Encrypt your disk

Your vault data lives on disk. Full-disk encryption protects data at rest if someone walks away with the machine or copies the drive.

Why encrypt your disk

PrivateDocs AI keeps document processing on your hardware. If the storage is not encrypted, anyone who boots the drive from another OS or removes the SSD may be able to read files without your account password. OS-level encryption ties decryption to your login or recovery key so raw sectors stay opaque.

Encryption is not a substitute for locking your session

An unlocked, running computer can still be used by anyone at the keyboard. Combine disk encryption with locking the screen when you step away.

macOS (FileVault)

  1. Open System Settings (or System Preferences on older macOS).
  2. Go to Privacy & SecurityFileVault.
  3. Turn FileVault On and follow the prompts to choose a recovery method.
  4. Store your recovery key in a safe place separate from the Mac.

Apple documents FileVault in its support library; use the latest guide for your macOS version because menu names can shift slightly between releases.

Windows (BitLocker)

  1. Open SettingsPrivacy & securityDevice encryption or BitLocker (edition-dependent).
  2. Enable encryption for the system drive and any other fixed volumes that hold your vault.
  3. Back up the recovery key to your Microsoft account, USB, or printed backup as offered.

BitLocker requires Windows Pro, Enterprise, or Education on many setups; Home editions may offer device encryption when hardware requirements are met. Check Microsoft's documentation for your SKU.

Linux (LUKS)

Most desktop installers let you encrypt the entire disk with LUKS at install time. If you add a new volume later, you can create an encrypted partition or use encrypted home directories — the goal is the same: keys are required before file contents are readable outside a running, authenticated session.

  • Prefer full-disk or full-partition LUKS for simplicity.
  • Record passphrases and any recovery tokens offline.
  • After major distro changes, verify your vault path still lives on an encrypted volume.

Lost or stolen hardware

With encryption on and a strong login password, a powered-off or hibernating laptop is much harder to read. Report theft according to your organization's policy, rotate passwords for accounts that were signed in on that device, and revoke sessions where the product offers that control.