Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Encryption on new Mac

OldMarketMeg

OldMarketMeg

macrumors member
Original poster
Dec 19, 2016
83
3
Omaha
I have some questions about turning on full disk encryption on a new Mac...

1.) Can I turn on FDE early in the setup process and let it run while I am doing lots of other set up and rebooting, or does FDE need to be turned on and then left alone until it is done?


2.) If I use Carbon Copy Cloner to clone my Mac to an external drive before FDE is done encrypting my internal drive, how will that impact my clone to the external drive?


3.) If my internal drive is fully encrypted, and then I use CCC to clone my internal drive to an external drive, will my external drive have FDE on it by virtue of being a clone of an already fully encrypted internal drive?


4.) Any other advice on this topic?
 
CoastalOR

CoastalOR

macrumors 68040
Jan 19, 2015
3,022
1,147
Oregon, USA
1). https://support.apple.com/en-us/HT204837
2). http://bombich.com//kb/ccc4/working-filevault-encryption
3). see 2
4). Automatic login is disabled

Password required after sleep or screen saver can not be disabled for Mavericks or earlier. Note: With FileVault enabled, if your Mac is configured to sleep automatically after a given interval—and a password is required to wake it up, then software that runs on a schedule will not be able to run unattended.

Can't reset user password with an Apple ID if FileVault is enabled.

Boot Camp partition will not be encrypted.

It used to be only passwords could be used for authentication (no biometrics), but I'm not sure about the new Touch ID for the new MBPs and I do not have one to test.

FileVault volumes accessible only on Macs, that means no connecting drive to PC or Linux.

Third party theft recovery software can not run until your drive is unlocked. Only Apples Find My Mac will be available.

Can not remotely reboot the Mac since you will not be able to enter the FileVault password to finish booting.

No S.M.A.R.T. monitoring. the Apple’s Disk Utility ability to report the S.M.A.R.T. status for internal drives is disabled for FileVault-encrypted drives.

Recovery HD volume not shown in Startup Manager (boot with option key held down).You'll have to boot in to Recovery holding down command+r at startup.
 
  • Like
Reactions: 997440, OldMarketMeg and Weaselboy
OldMarketMeg

OldMarketMeg

macrumors member
Original poster
Dec 19, 2016
83
3
Omaha
@CoastalOR,

Thanks for the info. I looked at everything, but am not sure that answers my questionss.

On my older Mac, with an older version of CCC, this is what I recall...

My laptop already had FileVault2 enabled, and so my entire hard-drive was encrypted. If I plugged in an external hard-drive that was formatted, and created a clone of my laptop onto this external drive, then I did not have to run FileVault2 on the external drive, because the encryption carried over.

That is what I remember to be true, but the link you provided makes it sound like I would have to run FileVault2 on both my laptop and on any externally cloned hard-drives, right?

Are my memories wrong on this, or have things changed?
 
Intell

Intell

macrumors P6
Jan 24, 2010
18,955
509
Inside
CoastalOR said:
No S.M.A.R.T. monitoring. the Apple’s Disk Utility ability to report the S.M.A.R.T. status for internal drives is disabled for FileVault-encrypted drives.
Click to expand...

Disk Utility and other programs that access SMART can still access a FileVault encrypted drive's SMART status.
 
CoastalOR

CoastalOR

macrumors 68040
Jan 19, 2015
3,022
1,147
Oregon, USA
OldMarketMeg said:
I looked at everything, but am not sure that answers my questionss.
On my older Mac, with an older version of CCC, this is what I recall...
My laptop already had FileVault2 enabled, and so my entire hard-drive was encrypted. If I plugged in an external hard-drive that was formatted, and created a clone of my laptop onto this external drive, then I did not have to run FileVault2 on the external drive, because the encryption carried over.
Click to expand...
Incorrect. I can't speak about past versions, but I believe it never worked that way. I'm only referring to current CCC.

Once you have unlocked the internal FileVault encrypted drive and then do a clone with CCC then the external drive is NOT encrypted. CCC clones the data from your unlocked internal drive to the unencrypted external. CCC does not encrypt. You have to follow the steps I posted in the Bombich link if you want an encrypted external drive.
OldMarketMeg said:
That is what I remember to be true, but the link you provided makes it sound like I would have to run FileVault2 on both my laptop and on any externally cloned hard-drives, right?
Click to expand...
Correct.
 
  • Like
Reactions: Weaselboy and OldMarketMeg
OldMarketMeg

OldMarketMeg

macrumors member
Original poster
Dec 19, 2016
83
3
Omaha
CoastalOR said:
Incorrect. I can't speak about past versions, but I believe it never worked that way. I'm only referring to current CCC.

Once you have unlocked the internal FileVault encrypted drive and then do a clone with CCC then the external drive is NOT encrypted. CCC clones the data from your unlocked internal drive to the unencrypted external. CCC does not encrypt. You have to follow the steps I posted in the Bombich link if you want an encrypted external drive.

Correct.
Click to expand...

Maybe where I am confused is that after my external drive was encrypted, I never had to set up FileVault again. In other words, whenever I did a backup, I could just run CCC and when it was done, know that my external drive was safe.

According to you, I must have used my Mac's utilities to encrypt the external drive the first time, huh?

Hmmm, I was certain that CCC did that for me.
 
CoastalOR

CoastalOR

macrumors 68040
Jan 19, 2015
3,022
1,147
Oregon, USA
OldMarketMeg said:
Maybe where I am confused is that after my external drive was encrypted, I never had to set up FileVault again. In other words, whenever I did a backup, I could just run CCC and when it was done, know that my external drive was safe.

According to you, I must have used my Mac's utilities to encrypt the external drive the first time, huh?
Hmmm, I was certain that CCC did that for me.
Click to expand...
How do you know/confirm that the CCC external drive was encrypted?

When you enable FileVault in System preferences the Mac OS only encrypts the drive that is running the Mac OS.

EDIT: BTW, it is not according to me. It is according to Bombich, the makers of CCC. They should know how their product works. You could contact them if you need more information.
 
Last edited:
OldMarketMeg

OldMarketMeg

macrumors member
Original poster
Dec 19, 2016
83
3
Omaha
CoastalOR said:
How do you know/confirm that the CCC external drive was encrypted?

When you enable FileVault in System preferences the Mac OS only encrypts the drive that is running the Mac OS.
Click to expand...

It's tough getting old... :oops:

Part of the reason for my questions is that I haven't had to worry about any of this in maybe 4-5 years.

When I got my last Mac and learned about cloning to an external, I thought that I just ran CCC to my external hard-drive and when it was done, things were encrypted.

How did/do I know my external drive is encrypted? Because when I plug it into my usb port, I get a FileVault prompt asking for a password. If I don't enter it at that time, then the drive won't even appear in Finder.

I just don't recall having to run Mac's encryption program a 2nd time on my external drive, but it could be that my memory is failing!

I have not used the latest version of CCC, and guess I will have to buy it shortly.

BTW, all of this probably isn't that big of a deal, but I am asking because I am still writing my install guide, and I want to know the right time to tell people when to use CCC and when to encrypt.

Based on your earlier post, it sounds like you could turn on FileVault right awway, and then let it run in the background as you set up your Mac.

And it sounds like I was wrong, and after you use CCC to create a clone on an external drive, then you have to encrypt it the first time using Mac's FileVault (because apparently CCC is not transferring that part over).

Thanks for my senile questions! :)
 
CoastalOR

CoastalOR

macrumors 68040
Jan 19, 2015
3,022
1,147
Oregon, USA
There are a couple of other methods (Disk Utility during format and Finder) to encrypt a external drive without booting into Mac OS on the external and enabling FileVault.
These other methods are useful if you want an encrypted external drive for storage of sensitive information, but the external is not bootable.

Disk Utility format:
http://www.informationweek.com/desktop/how-to-encrypt-external-drives-in-os-x-lion/d/d-id/1098736

Finder:
http://www.theinstructional.com/guides/encrypt-an-external-disk-or-usb-stick-with-a-password
 
  • Like
Reactions: OldMarketMeg
OldMarketMeg

OldMarketMeg

macrumors member
Original poster
Dec 19, 2016
83
3
Omaha
CoastalOR said:
There are a couple of other methods (Disk Utility during format and Finder) to encrypt a external drive without booting into Mac OS on the external and enabling FileVault.
These other methods are useful if you want an encrypted external drive for storage of sensitive information, but the external is not bootable.

Disk Utility format:
http://www.informationweek.com/desktop/how-to-encrypt-external-drives-in-os-x-lion/d/d-id/1098736

Finder:
http://www.theinstructional.com/guides/encrypt-an-external-disk-or-usb-stick-with-a-password
Click to expand...

I guess the best was to learn is to buy a new version of CCC and start playing around with things again.

If you had to guess, how long should it take to clone a new 1TB SSD?

How long should it take to encrypt my internal 1TB SSD?

And how long to encrypt an external 1TB SSD using a USB3 connection?

Thanks.
 
CoastalOR

CoastalOR

macrumors 68040
Jan 19, 2015
3,022
1,147
Oregon, USA
OldMarketMeg said:
I guess the best was to learn is to buy a new version of CCC and start playing around with things again.

If you had to guess, how long should it take to clone a new 1TB SSD?

How long should it take to encrypt my internal 1TB SSD?

And how long to encrypt an external 1TB SSD using a USB3 connection?
Click to expand...
Unfortunately I do not have a exact answer for you, just some more general information.

Clone a new 1TB SSD: I would guess about 30 seconds per 1 GB. CCC only clones the amount of data on the drive, so 90 GB on the drive would take about 45 minutes.

Encrypt my internal 1TB SSD: Encryption does have to do the entire drive of 1 TB. The good news is that your internal drive is fast. I would guess a 2-4 hours depending on if the machine is idle or you're doing some tasks during the encryption.

Encrypt an external 1TB SSD: Longer than the internal drive because the external SSD is slower than the internal flash drive.
 
  • Like
Reactions: OldMarketMeg
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom