Does Monterey's external drive encryption encrypt "unused" blocks too?

Yep, that’s the question.

Monterey has this great feature where you can just right-click any external APFS volume and it will offer to encrypt it for you right there on the fly, no formatting required and all data on it preserved. This is quite awesome because it means folks can encrypt drives after potentially extended use with just one click, even if those disks were not initially formatted as encrypted.

The question to me now is how thorough that encryption process is. Obviously, you’d expect any blocks containing in-use data to be encrypted. But what about blocks that are basically free space but contain data that was once written to them before their space was freed up? Are they encrypted as well, even though they contain no “in-use” data?

Depending on how that question is answered, people who want to securely erase their old disks by simply throwing away the encryption key might have to reconsider.

That’s been there at least since Mountain Lion. I don’t know if it encrypts unused blocks; I’d hope that it does whatever turning on FileVault for the system volume does, which I think does encrypt unused blocks but not blocks that have been deallocated. You might be able to tell by experimenting with how long it takes on drives with lots of or little data.

But I’ve found it to be not just buggy, but potentially dangerously buggy if you really need the stuff to be encrypted. Finder will tell me that a volume has been encrypted and I have to enter a password to mount it, but if I check via the command line, the encryption is rarely complete. It’s not just me (across multiple system versions, different hardware); I’ve found a fair number of other people over the years with the same problem. So when it works, it works, but at least as of Mojave it’s hit and miss and you have to monitor it. Having Disk Utility do the encryption always succeeds, but it does mean erasing the drive.

diskutil cs list

or for an apfs volume

diskutil apfs list

You want to look for a section like this for each encrypted volume:

  Encryption Type:         AES-XTS
  Encryption Status:       Unlocked
  Conversion Status:       Complete
  High Level Queries:      Fully Secure
  >                        Passphrase Required
  >                        Accepts New Users
  >                        Has Visible Users
  >                        Has Volume Key

If it doesn’t say Conversion Status: Complete, it’s not fully encrypted.
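As an added example (not from the original post, and not Apple tooling): a small POSIX shell script that parses captured diskutil output and flags every volume whose Conversion Status line does not read Complete, so the check above can be scripted instead of eyeballed. The input below is a constructed sample; the "Logical Volume <id>" header line used to split the output into per-volume sections is an assumption modelled on diskutil cs list, and the volume IDs and the non-Complete status value are made up. On a real Mac you would pipe the live diskutil cs list (or diskutil apfs list, adjusting the header pattern to match its layout) into check_conversion instead of the sample.

```shell
#!/bin/sh
# Added example: flag volumes that diskutil does not report as fully converted.

# Constructed sample of diskutil-style output (not real disks, IDs made up).
# The second volume is deliberately not "Complete" to show the failure path.
SAMPLE='+-> Logical Volume 11111111-2222-3333-4444-555555555555
        Encryption Type:         AES-XTS
        Encryption Status:       Unlocked
        Conversion Status:       Complete
        High Level Queries:      Fully Secure
+-> Logical Volume AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
        Encryption Type:         AES-XTS
        Encryption Status:       Unlocked
        Conversion Status:       Converting (forward)'

# Read diskutil output on stdin. Print "<volume-id> <conversion status>" for
# each volume and return 1 if any volume lacks "Conversion Status: Complete".
# A volume section with no Conversion Status line at all is also treated as
# not fully encrypted, since that is exactly the case you must not miss.
check_conversion() {
  awk '
    function flush() {
      if (vol != "") {
        if (status == "") status = "(no Conversion Status line)"
        printf "%s %s\n", vol, status
        if (status != "Complete") bad = 1
      }
      vol = ""; status = ""
    }
    BEGIN { bad = 0 }
    # Assumed section header, modelled on diskutil cs list output.
    /Logical Volume [0-9A-Fa-f-]+$/ { flush(); vol = $NF }
    # Keep everything after the colon so multi-word states survive intact.
    /Conversion Status:/ { sub(/^[^:]*:[ \t]*/, ""); status = $0 }
    END { flush(); exit bad }
  '
}

# Convenience wrapper: how many volumes on stdin are not fully converted.
count_incomplete() {
  check_conversion | grep -vc ' Complete$' || true
}

# Stand-alone demo against the constructed sample.
printf '%s\n' "$SAMPLE" | check_conversion \
  || echo "WARNING: at least one volume is not fully encrypted"
```

The function deliberately fails closed: a volume section with no Conversion Status line is reported, not silently skipped, because an absent line is as worrying as a non-Complete one when you are about to rely on key destruction as your erase.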

Yeah, was thinking about that. But before I sink a lot of time into that I was hoping somebody here might already know the details.

I’m pretty sure that the entire drive is encrypted…at least with FileVault 2…not sure about a non-boot drive though. Apple’s normally pretty smart about that sort of thing, so I would guess it’s the whole drive, since without entering the password the drive won’t mount…at least on a Mac.

That is of course true. The situation I’d be concerned about is rather somebody reading low-level block by block and bit by bit (think disk recovery or forensic recovery). The parts of the drive that are encrypted are just gibberish without the key so no problem there. But the parts that aren’t encrypted (if there are any, hence my question) could contain actual information that could be read out and pieced together without that key.

Now in the old days of HDDs this is what we used multiple passes of random writes and zeros for (DOE- or DOD-compliant erase). But these days with SSDs and their wear leveling that has become much more difficult to implement properly, especially if you’re not on Windows, where there are some tools from some manufacturers that will allow you to employ controller-level purge commands that should actually remove all traces, even blocks that have been mapped out by the controller. In light of all that, the simplest and best recommendation these days is really to encrypt from the start. That way the clean erase becomes as simple as throwing away the key.

The reason I ask this question is that some people did not encrypt their drives from the start. We can advise them to encrypt them now, but depending on the answer to my initial question, for those people a secure erase at some point in the future will involve more than just throwing away the key. And since not everybody has an industrial-grade shredder at home… :wink:

(Now I’m aware, a 45 or a drill will get the job done too. :laughing: Still curious.)


A lot of this will come down to “how much security do you require?”

Writing zeros to every logical block of an SSD will make your data inaccessible to anything accessing it via the normal SATA/NVMe interface.

What it won’t protect against is if someone installs custom firmware into the SSD controller chip or removes the flash chips from the SSD to rip their contents directly.

These are pretty expensive and difficult procedures. It is unlikely that a random person buying old parts will bother to go through all the effort just in case there is something valuable to extract. Especially since the extraction process would pretty much ruin the SSD (so it will have no value other than the extracted data) and the deleted data will be erased and garbage-collected over time anyway (so the thief would pretty much have to get it soon after you encrypted it).

And if the SSD’s controller performs its own internal encryption (like what Apple’s T2 does), then even that isn’t going to produce anything useful.

In other words, unless you’re storing highly sensitive data that a large organization (like a government) might specifically target you over, I don’t think you have to be too worried.

You’re missing the point.

This question essentially determines if “writing zeros to every logical block of an SSD” is necessary at all. That’s a lengthy process on a multi-TB disk. You only do it if you really need to.

Back in the day…I worked for one of those in-the-closet defense programs, and even in downtown DC it took two of us with loaded .45 1911 pistols to take the dead drive platters out to a local foundry to be melted down and poured out so we could verify that they were gone.

The DC cops pulled us over one time and were quite amazed that we had firearms…this was before their no-guns law got tossed out…and had to call in and verify that our federal permits were valid.