Each user under OS X can have his own user password, which is used by the FileVault feature to encrypt the contents of their home folder ("directory" in classic UNIX). This is where a user's documents and the like are stored. The administrator also has a master password that can be used if needed. FileVault uses AES with a 128-bit keylength for encryption. The actual encryption is performed 10 times on the data, with the output of each pass used as the input for the next pass. The same technique can be used on data to be sent to others via the Disk Utility program, which can save the encrypted output to disk or other media, as shown in the following figure.
Sensitive data can be stored in keychains. This data structure can be accessed from programs (after it has been unlocked with a single sign-in by the user) so that authentication to various services (such as websites or FTP servers) can be performed automatically.
Password data is protected using the Triple Digital Encryption Standard (3DES), and the password is automatically locked when the user logs out. Even if the keychain is stored on a network server, security is maintained because all decryption is done locally as applications request the data. The data is not sent "in the clear" over the network, which might allow eavesdroppers to detect and use it.
Deleted files are usually handled by removing their entry in the master disk directory. OS X also allows for a secure delete that overwrites data in a seven-step process that alternates between zeros, ones, and a random character. This protocol is the same as required by the Department of Defense for sanitation of magnetic media.