I recently moved my server from a Mac Pro Server (2012) running High Sierra to a M2 Pro Mac Mini running Ventura. I manage the servers using screen sharing.
I managed the Mac Pro locally using Share Screen and remotely using Chrome Remote Desktop (CRD). There is one difference in the behaviour of the Mac Mini which I cannot figure out. If I restart the machine (using screen sharing) I cannot use Share Screen or CRD to connect to the M2 Pro Mac Mini and I physically have to connect a keyboard. I used to be able to screen share at restart using the Mac Pro. Is there something I need to enable on the Mac Mini or is this just a feature of Ventura?
One way of dealing with this is to create two volumes: a boot volume and a volume to store your files. You can then leave FileVault off on the boot volume, but turn encryption on on the volume that has your files. This way your data is encrypted but you don’t risk getting locked out of remote access (e.g. if there’s a power cut or crash or some other reason the Mini reboots).
I guess this is a common issue/challenge for Mac Mini users who use the machine as a headless server, which I had not previously encountered (not having used FileVault). I will have a look at setting up a bootable volume and how that works. Presumably I will be able to access both volumes when I log in, but one will simply not have FileVault. I assume that when you have two volumes FileVault gives you the option of enabling on each volume?
I assume that when you have two volumes FileVault gives you the option of enabling on each volume?
Adjust the following if needed; I don’t have anything more recent than Catalina and I mostly use HFS format.
For an external disk you’ll need to use Disk Utility. Start with an erased drive. You can in principle use the Finder, right-click on the drive and select Encrypt “Volume name”, but at least through Catalina, I’ve seen that fail more often than succeed. It will start asking for a password, but encryption never finishes, with no notice to the user. There’s also some question about whether it also encrypts unused blocks, which could potentially leak data if the drive wasn’t erased first. To check on progress (don’t use the drive until it says “Conversion Status: Complete”):
diskutil cs list | grep -e "Conversion" -e "Volume Name"
The actual volume name seems to be irrelevant though it needs to be there - I get a list of all encrypted disks regardless.
Once the external is encrypted, you can save its password in the keychain, and it will mount automatically after that (usually…). Keep an eye on any apps or services that use the external files, because it can take the drive a while to mount compared to the time it takes to launch apps, and things that try to access the disk immediately will fail or just start using the internal instead. I expect that you could use something like Keyboard Maestro to check to see when the drive mounts, then launch what you need. Built-in services could be a nuisance, though.
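The "wait until the encrypted volume has actually mounted, then launch" step described above, as an added shell example that is not part of the thread (it assumes the volume auto-mounts from the keychain under /Volumes/<name>; the volume name and app in the usage comment are placeholders):

```shell
#!/bin/sh
# Added example: poll until an encrypted data volume is really mounted before
# starting anything that reads files on it. Not code from the thread.

# Print the mount point of the filesystem containing $1 (df -P column 6 onward,
# so volume names containing spaces survive); print nothing if $1 is absent.
mount_point_of() {
  [ -d "$1" ] || return 1
  df -P -- "$1" 2>/dev/null | sed -n '2s/^\([^ ][^ ]* *\)\{5\}//p'
}

# True only when $1 is itself a mount point, not merely a directory inside
# another filesystem (e.g. a stale, empty /Volumes/Data left on the boot volume,
# which is exactly what an app launched too early would silently write into).
is_mounted() {
  v=${1%/}; [ -n "$v" ] || v=/
  mp=$(mount_point_of "$v") || return 1
  [ "$mp" = "$v" ]
}

# wait_for_volume PATH [TIMEOUT_SECONDS] [POLL_INTERVAL_SECONDS]
# Returns 0 as soon as PATH is mounted, 1 if TIMEOUT elapses first.
wait_for_volume() {
  vol=$1; timeout=${2:-120}; interval=${3:-2}; elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    is_mounted "$vol" && return 0
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
  return 1
}

# Usage on the Mini from a login item or launchd agent (hypothetical names):
#   wait_for_volume "/Volumes/Data" 300 5 && open -a "YourServerApp"
#   wait_for_volume "/Volumes/Data" 300 5 || echo "Data volume never mounted" >&2
```

Launching only after the check passes avoids the failure mode gastropod mentions, where a service started before the mount ends up using the unencrypted internal volume instead.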
FileVault is essentially the name for having an encrypted boot volume – there needs to be extra logic/UI to allow the volume to be decrypted before the Mac can boot. So FileVault only ever applies to the boot volume. Other volumes, be they on the internal drive or an external disk or USB stick, can also be encrypted but this is not called FileVault and doesn’t fall under that feature. They are simply called encrypted volumes and can’t be created from System Preferences.
Unlike @gastropod, I’ve had no problems encrypting volumes by right/control-clicking on it in the Finder and choosing Encrypt [Volume Name]. That would be my recommendation if encrypting a volume that has data on it, as it’s less disruptive because you don’t have to erase the disk and copy the files back on. However, if you’re setting up a new volume it makes sense to format it as encrypted in Disk Utility to start with.
As above, neither will have “FileVault”, but the non-boot volume will be encrypted. However, as @gastropod says the first time you mount the encrypted volume you can save the password in your keychain, so in the future it will just appear after login with no further interaction on your part. I wouldn’t expect there to be a delay since it’s on the internal drive, but worth checking as @gastropod says.
With this setup, on boot the Mac Mini will see the unencrypted internal boot volume and start up either to the login screen or to the desktop (depending on whether you have automatic login enabled). But even if just to the login screen, the screen sharing server will be running by that point, so you can remote screen share and log in, etc. When you log in or on auto login, the Finder will mount the encrypted data volume using the password stored in your keychain. I think there is a way to get the encrypted data volume to mount at the login window stage, but that would be a more involved setup, so assuming you don’t need to I would keep it simple. If however you want to store home directories on the encrypted volume, that will require a bit more investigation into mounting encrypted volumes before login.