Encryption Options for Home Directory NOT on Startup Disk

My ancient iMac (Retina 5K, 27-inch, Late 2015) running macOS Monterey 12.6.2 has a small internal APFS SSD and a much larger internal Mac OS Extended (Journaled) HDD. I use the SSD as my Startup Disk and have my Home directory on the HDD. (No, they are NOT tied together as a Fusion drive.) FileVault is turned on for the SSD.

What are my alternatives for encrypting my internal HDD? Apparently FileVault is available for the Startup drive only.

I’m thinking that my only option for encrypting my HDD (or at least the portion devoted to my Home directory and its subdirectories) is to erase the drive by reformatting it as an encrypted drive and then restoring its contents from a backup. That’s a lot of work.

But if the HDD containing my Home directory is encrypted, won’t the drive have to be manually mounted before logging into my User account? It won’t mount automatically like a drive encrypted with FileVault, right?

So after restarting the computer, in order to log into my own User account, I’d have to:

  1. Log into another User account,
  2. Mount the HDD containing my Home directory,
  3. Optionally log out of the User account, and only then
  4. Log into my User account.

Wow. What a hassle.

Are there any other alternatives for encrypting an HDD that is NOT used as the Startup Disk?

Thank you.

Are there any other alternatives for encrypting an HDD that is NOT used as the Startup Disk?

You can use a script to mount the drive at startup…but it’s been going on 11 years since I retired from my IT job and I don’t remember enough Unix to recall the specifics on mount points. Also…the script would need the password to complete the mount…not sure how or if that’s needed in the script or what.

I suppose that there’s little risk in hardcoding the password to another drive within a script on a drive encrypted by FileVault. Or, am I being naive?

UPDATE January 16, 2023 6:02 PM

Apparently the secure way of scripting the encryption password is to put it on the system keychain and have the script access it from there.

Does anyone know how to find out whether this bug was fixed?

But before you restart, bear in mind that there appears to be a bug in the login process that will prevent a user whose home directory is on an encrypted (“locked”) secondary volume from being able to log in. It seems that whatever logic Apple applies to unlock volumes at login time is not applied early enough to allow the actual login to occur. This means that if you converted your secondary volume like I did, and it contains your home directory, you won’t be able to log in.
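A boot-time unlock script following the keychain approach mentioned in the update above (an added example, not code from anyone in this thread; the keychain item names, the launchd label and the volume UUID placeholder are assumptions). It keeps the passphrase in the System keychain on the FileVault-protected SSD and unlocks the HDD from a root LaunchDaemon before the login window appears:

```shell
#!/bin/bash
# Unlock an encrypted APFS volume at boot from a root LaunchDaemon, reading the
# passphrase from the System keychain rather than hard-coding it. The keychain sits
# on the FileVault-protected SSD, so the secret is readable only after that disk is unlocked.
set -eu
SERVICE="home-volume-unlock"                       # keychain item service (assumed name)
ACCOUNT="HomeHDD"                                  # keychain item account (assumed name)
SYSKEYCHAIN="/Library/Keychains/System.keychain"
VOLUME="${VOLUME:-00000000-0000-0000-0000-000000000000}"  # placeholder: take it from `diskutil apfs list`
LABEL="local.homehdd.unlock"                       # launchd label (assumed name)

# True when $1 is shaped like the volume UUID that `diskutil apfs list` prints.
is_uuid() {
  printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# One-time setup by an admin: store the passphrase in the System keychain and let
# only /usr/bin/security read it. Typed at a prompt, so it never lands in shell history.
store_passphrase() {
  printf 'Passphrase for volume %s: ' "$VOLUME" >&2
  stty -echo; read -r pass; stty echo; echo >&2
  sudo security add-generic-password -s "$SERVICE" -a "$ACCOUNT" -w "$pass" \
       -T /usr/bin/security "$SYSKEYCHAIN"
}

# Boot-time unlock: the passphrase goes over stdin (trailing newline stripped),
# so it never appears on a command line that `ps` could show.
unlock_volume() {
  security find-generic-password -s "$SERVICE" -a "$ACCOUNT" -w "$SYSKEYCHAIN" \
    | tr -d '\n' | diskutil apfs unlockVolume "$1" -stdinpassphrase
}

# LaunchDaemon plist (install as /Library/LaunchDaemons/$LABEL.plist, owned by
# root:wheel, mode 644) that runs this script as root before the login window.
launchd_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>$LABEL</string>
  <key>ProgramArguments</key><array><string>/bin/bash</string><string>$1</string><string>unlock</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
}

case "${1:-}" in
  store)  store_passphrase ;;
  plist)  launchd_plist "$(cd "$(dirname "$0")" && pwd)/$(basename "$0")" ;;
  unlock) is_uuid "$VOLUME" || { echo "VOLUME must be the APFS volume UUID" >&2; exit 2; }
          unlock_volume "$VOLUME" ;;
esac
```

Run `store` once as an admin, write the output of `plist` to /Library/LaunchDaemons/, then `sudo launchctl load` it; whether this sidesteps the login bug quoted above is something to verify on your own machine.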

I don’t know about the mount at startup issue, but you definitely wouldn’t need to do this ☝️! You can easily encrypt any drive by ctrl/right-clicking on the drive in the Finder and choosing Encrypt from the context menu.

Note that this will also convert the drive to APFS. But so would reformatting it as an encrypted drive. To create an encrypted HFS+ drive you need to use an older OS. Mojave will definitely work, but not sure about Big Sur or Catalina. Same procedure to encrypt, no need to reformat the drive. It’s just that Mojave supports creating encrypted HFS+ and Monterey doesn’t (but Monterey can read and write to existing ones no problem).

I wouldn’t think there would be a problem with hard coding it…or perhaps if it runs as root (if you’ve turned that on) or as system it’s not necessary…but I was never unix smart enough to know how to do that back in the day and don’t know if you can do it on macOS either although I presume you can if standard unix allows it. Maybe just add the password to the system keychain so the system knows where to grab it from…but again that requires more than I know about doing it.

I’ve done this many times on APFS and it’s indeed a real treat.

But are you sure it can also do encryption on the fly (i.e. without reformatting) if that entails switching from HFS+ to APFS? I wasn’t aware changing the FS could be done on the fly for the live boot partition without reformatting (assumed you’d have to at least boot from Recovery). Have you done this successfully yourself?

I’m NOT trying to encrypt the boot drive. My Home directory is NOT on the boot drive.

I’m trying to encrypt my Home directory that is on a drive other than my boot drive.


Got it. Sorry about that. I had read that part originally but somehow missed it when reading @jzw’s reply.
