Disk Utility vs. FileVault for external drive encryption?

Disk Utility vs. FileVault - what’s the difference for external drive encryption?

More precisely…

I bought an external HDD drive (enclosure with 2x HDDs in it) from Ebay at a really great price, as a newer model has replaced it now (got this one: 40TB SanDisk Pro G-RAID 2). Using it for mass storage (and another older one for backups).

But I’m wondering how to encrypt it or not. Should I use Disk Utility or FileVault? What are the pros and cons of each, or are they the same?

Googling has left me unclear on it, hence me asking the great Apple tech folks on here! ;-)

EDIT: FWIW, using all Apple Silicon Mac’s now, and its connection is Thunderbolt 3.


Some links found, but still stuck as confusion reigns out there…

1 Like

FileVault is only for the boot disk. For an external drive you’ll always use Disk Utility. I’m fairly sure the underlying technology is the same for both, in that if you encrypted a boot disk externally (at least for Intel, probably much more complex for Apple Silicon) you’d then still be able to boot it, and vice-versa—but I’m happy to be educated on that and it honestly wouldn’t surprise me to learn that there were subtle differences even then.

3 Likes

Mmm. Are you sure externals are not done when FV is turned on, on your Mac?

The Apple Support links above are inconclusive on the whole issue. Hrrrumph!

Unless there’s been a recent change, I’m certain. FV doesn’t affect externals in any way. If you want encryption for an external disk then you format a filesystem with encryption. If you use Time Machine there is a control when you choose the disk for whether you want encryption for the backup volume.

@Sebby is correct.
I’ll add that you can encrypt/decrypt APFS even after the initial format. In Finder right-click on a disk.

2 Likes

I hope this actually works on the modern systems and/or with apfs, but I can’t test it. But for years it was a recipe for not actually protecting your data. You think it worked because it starts asking for a password at mount, but it sometimes to often never actually completes the encryption. I discovered this back in el capitan, and have seen it happen through catalina. I haven’t tried it with apfs volumes, only hfs+, but if you do it, be sure to check that it finishes. I’ve had a test disk that held all of about 20 GB not complete in over a month, and I’ve had so few completed vs got-stuck over the years that I don’t try anymore. I copy data to a disk utility encrypted empty disk then erase the unencrypted disk by erase/encrypting it in disk utility.

In terminal, type

diskutil cs list

a ton of stuff will appear. Find the drive you’re encrypting in the mess then the Encryption Status: section. Note especially the Passphrase Required, Fully Secure, and Conversion Status lines. Also look in the Disk: section for progress. Asking for the password gets completed immediately. Real protection, not so much.

While it’s still encrypting

Encryption Status: Unlocked
Encryption Type: AES-XTS
Conversion Status: Converting
Conversion Direction: forward
Has Encrypted Extents: Yes
Fully Secure: No
Passphrase Required: Yes

Disk: disk3
Status: Online
Size (Total): 569869340672 B (569.9 GB)
Size (Converted): 231454277632 B (231.5 GB)

After the disk is fully protected:

Encryption Status: Unlocked
Encryption Type: AES-XTS
Conversion Status: Complete
Conversion Direction: -none-
Has Encrypted Extents: Yes
Fully Secure: Yes
Passphrase Required: Yes

4 Likes

Yes, exactly, and on modern systems the on-line conversion process is using APFS encryption instead of migrating to CoreStorage. So essentially the same thing but the command you’ll use is “diskutil apfs list”. The MacWorld article actually explains this very well. I have never used this process, but I hope it’s now more reliable than before.

3 Likes

May be off topic, sorry, but what about partitions on an internal Intel SSD? Does using FileVault on the boot partition automatically encrypt all other partitions on the same drive, or do they need to be done separately? What about Disk Utility? Thanks.

No. Encryption is on a per-volume basis. Even when APFS is used (where all volumes sharing a container share the same pool of free space), encryption is applied per-volume.

So you can choose to encrypt some and leave others open.

WRT your specific questions:

  • Everything connected to a modern Mac’s internal SSD is encrypted. That’s what the T2 chip (for Intel Macs) or the SSD controller in Apple Silicon is meant for.
  • When FileVault is not running, the T2 (or Apple Silicon) SSD controller automatically unlocks every volume. So you don’t even realize there is encryption - the goal being to prevent a third-party from accessing the storage if it is removed and installed in another computer.
  • When FileVault is used, very little changes, but the SSD controller won’t unlock the system volume(s) without valid credentials (the FileVault password or a login to an account authorized to unlock the volume).
  • As others have said, FileVault will not touch other volumes. You have to manually turn encryption on/off with Disk Utility or its command-line equivalent.

I think (haven’t actually tried it) that turning encryption on for a volume on internal storage should be very fast. It will basically associate a password with the keys already stored in the SSD controller.

Turning encryption on for an external volume will cause your Mac to encrypt the device, which might take a while to complete.

4 Likes

Thank you, David. I suspected that partition volumes would have to be encrypted individually, but thanks for confirming. I have an older Intel Mac that does not have a T2 chip, so looks like Disk Utility per volume is the way to go.

On a Mac without a T2, then nothing is encrypted until you turn it on. And there will be a (hopefully small) performance hit, since the encryption will be done in software.

I think (need to confirm this) that if you turn on FileVault on such a system, the signed system volume will not be encrypted (assuming you’re running a version of macOS new enough to have an SSV). But that is actually a good thing. Since the SSV should contain only OS-distribution files from Apple, with nothing personal, encrypting it would only slow down the system without adding any security.

Thank you, David. This is helpful information. My system does not have an SSV. I keep most of my documents (including financial data) on a partition separate from the boot volume. It contains a few encrypted disk images I’ve made, but I don’t know how to encrypt the entire partition short of turning it into a disk image – and it’s over 300 GB!

What version of macOS are you using? Depending on the version, you may be able to just enable/disable encryption for non-boot with Disk Utility. Or if it’s an old version, you may have to make a backup, reformat the volume with encryption, and then restore your files.

But I think enabling/disabling encryption on the fly only works for APFS volumes. If you want to encrypt an HFS+ data volume, you may have to take the backup/erase/restore approach.

At this point, I’m doing web searches and there doesn’t seem to be a lot of talk about on-the-fly disk encryption outside of the context of FileVault.

Something is making my spidey-sense tingle here about trying to encrypt external volumes. I’m remembering something about Apple disabling the ability to encrypt HFS+ volumes. IIRC, I tried this on a HFS+ volume and found that the HFS+ volume got converted to APFS.

2 Likes

Yes. I think the Finder support for encrypting a disk will always use APFS now, regardless of the source volume type.

Of course, if someone gets up the gumption, they could empirically verify this … :smile:

If you use the “diskutil” CLI tool, you should get more control over the process. You could use “diskutil cs” subcommands to convert to CoreStorage, and “diskutil apfs” to work with APFS volume encryption. Both are viable paths up for a JHFS+ volume.

1 Like

Yes, this is the case from MacOS 10.15 Catalina :sob::

Unfortunately not. There is literally no way to create an encrypted HFS+ volume from 10.15 Catalina onwards, even using diskutil cs.

No, encrypting/decrypting on the fly works for HFS+ volumes as well (ctrl-/right-clicking on the volume in the Finder and choosing Encrypt or Decrypt as appropriate). The catch is that to encrypt and keep it in the HFS+ format, you need to use a version of MacOS that supports creating encrypted HFS+ volumes – 10.14 Mojave or earlier.

3 Likes

@jzw – Thank you! I’m using HFS+ on macOS 10.13 and “ctrl-/right-clicking on the volume in the Finder” does offer encryption without converting to APFS. I never thought of just right-clicking! Another good excuse to stick with 10.13 :laughing:

3 Likes