Drive Encryption

Been doing this a long time both on the Mac and in my former sysadmin life…and I’ve never encrypted any of my drives except for FileVault on the laptop and the internal SSD on my iMac…but got to wondering the other day whether it might be a good idea. Yeah…all of the really important stuff is in 1Password anyway but things like account numbers and such are on the iMac’s external drives and if they were stolen then there might be some data that the thief could get to…so I’m wondering if there are any drawbacks to encrypting external drives.

I would obviously need to remember the passwords and they can all be stored in the keychain so that when the machine is booted which requires a password they get automatically mounted…and keeping them in 1Password is pretty easy…but other than that are there any drawbacks to encrypting external drives that I should think about?

Do folks on the list generally encrypt external drives?

Thanks.

I encrypt all my external drives (my backups).
Pros:

  • I don’t have to worry about losing them or having them stolen
  • I don’t have to worry about them failing and someone retrieving data from a recycled/trashed drive
  • Data that is not “really important” is still vulnerable, e.g., birthdays in Contacts can facilitate identity theft

Cons:

  • I have to use the password (saved in 1Password)
  • Encrypting the first time is tedious and takes a loooong time (a couple days for multiple terabytes on a slow HDD)
  • Catalina cannot boot from an encrypted USB drive if that is what you want to do

I think you can do this, but you must encrypt it by booting from the unencrypted USB drive and enabling FileVault (instead of simply choosing to encrypt it when it shows up as an external disk when booted from your internal drive).

I encrypt laptop internal drives, because the computer may get lost or stolen. I generally don’t encrypt devices on non-mobile computers (my desktop systems) or the external drives permanently attached to it.

If I travel with an external drive (not common these days), I won’t encrypt it, but I will make a point of creating an encrypted disk image on it for holding anything potentially sensitive, keeping only don’t-care-if-someone-gets-a-copy files outside of the image.

Not the best security, but I’m not worried about someone breaking into my home and stealing the computers. If I lived in a location where it was a serious concern, I would be a bit more secure with everything.

One advantage to encrypting drives (internal and external) is that disposal becomes a whole lot easier. Rather than being forced to run through x passes of random writes (which requires the drive be in working order), you just throw the drive out and enjoy peace of mind knowing your data can basically never be read out, not even with forensic tools. The latter will perhaps be able to grab data off the drive, but without the FV key it’s useless random 1s and 0s. :-)


Definitely cheaper than paying someone to shred your old drives.

I’ve got a small stack of old drives in a closet. I was able to wipe most of them, but some don’t work enough to do that. I plan to eventually destroy them myself. It can be fun to remove the platters and either destroy the surface (steel wool works well for that) or use them to make works of art.

Sadly, there’s not a whole lot you can do with a dead SSD. You could probably drill a hole through an m.2 stick and use it for a key fob, but that’s about all I can think of.


Sorry, I was not specific enough. My 2012-era Mac mini (new in 2014) will not boot from an encrypted external USB drive. See the Bombich Known Issues page:

“2012-vintage Macs can’t boot macOS Catalina from an encrypted USB device

“We have received several reports that the 2012 Mac mini and the 2012 MacBook Pro can initially boot from a non-encrypted external USB device, but then will fail to boot from that device when FileVault is enabled on the external device. This issue is not specific to CCC, we have confirmation that this occurs when installing Catalina directly onto an external device as well. This problem does not appear to be specific to any particular enclosure, rather it appears to be specific to the 2012 models of Mac mini and MacBook Pro.”

I found out the hard way. :-|


I do. My external drives contain client information, and if they were to be lost or stolen, the Information Commissioner would get very upset with me. She can levy fines of up to £5,000 per data breach, so losing a drive with information relating to 1,000 current and former clients, with each file potentially representing a separate data breach, could turn out, er, quite pricey.

This is what I do. Is there any reason to look for some tool other than Disk Utility for creating an encrypted disk image?

I never considered a need for one. I create the image as 256-bit AES encrypted and make a point of not storing the password in the keychain, so someone getting access to my computer won’t get access to the contents of the image.
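The Disk Utility workflow described above (AES-256 image, passphrase deliberately kept out of the keychain) can also be scripted with hdiutil, the command-line face of Disk Utility. This is an added example, not code from anyone in the thread; it assumes macOS with hdiutil, and the image path, size and volume name are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): create, mount and eject an AES-256
# encrypted sparse bundle with hdiutil. The passphrase is read from stdin,
# so it never appears on a command line or in the process list, and
# nothing is offered to the login keychain, matching the "don't save it"
# choice above. Assumes macOS; all names/sizes below are constructed.
set -u

# Create an AES-256 encrypted sparse bundle and confirm it is encrypted.
# Returns 3 when hdiutil is missing (not macOS), 1 on failure, 0 on success.
#   $1 = image path without extension, $2 = size (e.g. 20g), $3 = volume name
create_encrypted_image() {
  command -v hdiutil >/dev/null 2>&1 || { echo "hdiutil not found; macOS only" >&2; return 3; }
  # -stdinpass takes the passphrase from stdin (up to the first newline);
  # -encryption AES-256 is the same cipher Disk Utility offers in its menu.
  hdiutil create -size "$2" -fs APFS -type SPARSEBUNDLE \
    -encryption AES-256 -stdinpass -volname "$3" "$1" >/dev/null || return 1
  # Never trust the bundle with data until hdiutil agrees it is encrypted.
  hdiutil isencrypted "$1.sparsebundle" 2>&1 | grep -q 'encrypted: YES' || return 1
}

# Mount the image, again with the passphrase on stdin: no GUI prompt, so no
# "remember in keychain" checkbox to tick by accident.
mount_encrypted_image() {
  hdiutil attach -stdinpass "$1.sparsebundle" >/dev/null
}

# Eject when done; the contents are unreadable until the passphrase is supplied again.
unmount_encrypted_image() {
  hdiutil detach "/Volumes/$1" >/dev/null
}

# Sample usage (constructed): pipe the passphrase from a secrets manager or a
# `read -s` prompt rather than typing it as an argument.
# printf '%s\n' "$PASSPHRASE" | create_encrypted_image ~/Sensitive 20g Sensitive
# printf '%s\n' "$PASSPHRASE" | mount_encrypted_image ~/Sensitive
# unmount_encrypted_image Sensitive
```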

Ouch, I wasn’t aware of that issue. Thanks for explaining.

Thanks. Disk Utility has always satisfied me, but I wondered if I was missing something.

Hey, that’s what I do! It sounds like I got something right!

I worked for one of those high security Navy programs once upon a time…and we had to take the platters out of the drives and take them out to a foundry while both of us carried loaded .45 pistols and melt them. We had a shredder that would shred an entire computer…think tree grinder writ larger…but for certain levels of classification that was considered inadequate even though the shreds were less than 1/8 inch and mangled beyond recognition…would be impossible to tell the platter shreds from the chassis shreds.

And here I thought you were going to shoot the platters full of holes for target practice… ;-)

As I understand it, 2.5" (laptop) hard drives typically have glass platters. So any hard impact (like a hammer or a bullet) to the bare platter should cause catastrophic damage. I don’t think even major government agencies could recover data after that.

Or microwave it until the glass melts:

Nah…they were already beaten up with a sledge hammer to get the platters out and were all bent up…but that wasn’t good enough. Turns out that if you’re willing to spend enough money…even a multi-pass overwrite isn’t sufficient to keep certain 3 letter agencies from looking at the platters with an electron microscope and figuring out what they used to have on them. I have no idea beyond that how they did it but the rules said to melt them for that particular level of classification.

The guys at the foundry were quite surprised that we showed up with loaded weapons…and this was in DC where until the Heller decision handguns were basically illegal. We had our classified material courier cards with us but I wonder what would have happened if the DC cops had pulled us over.

Thanks all…I think I’m going to go ahead…probably…and encrypt the various drives attached to my server…except for the OWC RAID which uses SoftRAID and it doesn’t support encryption. All of the really secret stuff like passwords and the like is in 1Password anyway but I wouldn’t want anybody to get the rest of the data.

Agencies like this are (maybe necessarily) paranoid. I have been reading up on stuff like this for some time. Although a magnetic force microscope can detect magnetic afterimages, there hasn’t been a single paper published claiming that this has been used to retrieve actual data.

If anyone is seriously claiming that these agencies actually have the ability to recover data from multi-pass-erased drives (or even more so, drives where the data was encrypted and where the platters have been shredded afterward), I will want to see evidence before I believe them. And “sorry, it’s classified” isn’t evidence of anything.

I think what they’re really saying (without directly saying so) is that the data is so sensitive that they can’t accept the million-to-one chance that some government somewhere might have developed a technique that nobody else has heard of, not that they believe the capability actually exists.


Terry Pratchett, speaking of million-to-one chances, would probably refer to xkcd: Security.
