
badlydrawnboy

macrumors 68000
Original poster
Oct 20, 2003
1,529
417
I just encrypted my boot drive on my desktop iMac with FileVault.

I have three external disks that I would like to encrypt, especially since they're a lot easier to steal than my iMac, which is bolted to an LCD arm on the wall.

I have the following disks:
  • LaCie Little Big Disk Thunderbolt 2
  • Newertech 4TB
  • Newertech 6 TB
When I tried encrypting the LaCie, it said "You can’t convert an AppleRAID volume to Core Storage." The LaCie is a set of 2 PCIe SSDs preconfigured in RAID 0.

When I tried to encrypt the Newertech hard drives, I got this error message: "A Recovery System for the targeted disk is required."

How can I encrypt these external disks? There's not much point in having my iMac encrypted when I have backup drives sitting right next to it that are not encrypted and far easier to run off with if someone broke into the house.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,136
15,598
California
I don't believe you can encrypt the RAID0 setup with FileVault.

On the others, as long as they are already formatted to Mac OS Extended format, you should be able to just right click the disk on the desktop/Finder and select encrypt.

That FileVault interface in Security - System Prefs is only used to set up encryption on the boot drive. For others you just right click and select encrypt.
 

badlydrawnboy

macrumors 68000
Original poster
Oct 20, 2003
1,529
417
I don't believe you can encrypt the RAID0 setup with FileVault.

On the others, as long as they are already formatted to Mac OS Extended format, you should be able to just right click the disk on the desktop/Finder and select encrypt.

That FileVault interface in Security - System Prefs is only used to set up encryption on the boot drive. For others you just right click and select encrypt.

Thanks for your reply. Okay, I do see that encrypting one of the external Newertech disks is possible. It's going now.

The other Newertech disk has three partitions. When I attempt to encrypt one of the partitions, I get the "A Recovery System for the targeted disk is required" error.

Is there a third-party app that can encrypt drives set up with RAID0? Actually, now that I think about it, it's really only one folder on that drive that needs to be encrypted (has a bunch of financial and personal data on it). What's the best way of doing that?
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,136
15,598
California
Thanks for your reply. Okay, I do see that encrypting one of the external Newertech disks is possible. It's going now.

Good deal!

The other Newertech disk has three partitions. When I attempt to encrypt one of the partitions, I get the "A Recovery System for the targeted disk is required" error.

What is the partition layout? From messing about with this myself, it seemed like the encrypted one wanted to be first and you could not have a non-encrypted volume followed by an encrypted one.

Is there a third-party app that can encrypt drives set up with RAID0? Actually, now that I think about it, it's really only one folder on that drive that needs to be encrypted (has a bunch of financial and personal data on it). What's the best way of doing that?

If it is just one folder, what I would do is make an encrypted sparse bundle image with Disk Utility and put that on the external, then put the contents of that folder inside the encrypted image. Then to access it, you just double click and enter the password. You can even save the password in your Keychain if you like.

https://support.apple.com/en-us/HT201599
 

Mr. Retrofire

macrumors 603
Mar 2, 2010
5,064
519
www.emiliana.cl/en
...Is there a third-party app that can encrypt drives set up with RAID0? Actually, now that I think about it, it's really only one folder on that drive that needs to be encrypted (has a bunch of financial and personal data on it). What's the best way of doing that?
Create an encrypted (AES-256) sparse disk image with Disk Utility or hdiutil. Then store the important data on the encrypted disk image.

Use srm (Terminal) or a similar tool to erase the unencrypted files. For example:
Code:
sudo srm -rszv <path-to-folder>
...then to access it, you just double click and enter the password. You can even save the password in your Keychain if you like.

https://support.apple.com/en-us/HT201599
He should not do that!

See also:

https://www.macrumors.com/2015/06/17/ios-osx-cross-app-keychain-security-flaw/ said:
...The different cross-app and communication mechanism vulnerabilities discovered on iOS and OS X, identified as XARA weaknesses, include Keychain password stealing, IPC interception, scheme hijacking and container cracking. The affected apps and services include iCloud, Gmail, Google Drive, Facebook, Twitter, Chrome, 1Password, Evernote, Pushbullet, Dropbox, Instagram, WhatsApp, Pinterest, Dashlane, AnyDo, Pocket and several others...

and

http://www.eset.com/us/resources/detail/eset-investigates-keydnap-a-new-backdoor-stealing-credentials-on-os-x/ said:
...
The latest OS X malware exfiltrates passwords and keys stored in OS X’s keychain and creates a permanent backdoor.
...

There are probably other backdoors, regarding the OS X / iOS keychain.
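
The sparse-image route suggested in the posts above, written out as an added example that is not from any poster in this thread: create the AES-256 sparse bundle with hdiutil, copy the folder in, and compare the copy against the original before the unencrypted files are touched. The function names, the DRY_RUN switch and every path passed in are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. make_vault, fill_vault and DRY_RUN are
# hypothetical names; the hdiutil verbs and flags are the standard macOS ones.

# With DRY_RUN=1, print each command instead of running it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# make_vault IMAGE SIZE VOLNAME
# Creates an AES-256 encrypted sparse bundle. hdiutil prompts for the
# passphrase itself, so it never lands in argv or in shell history.
make_vault() {
    run hdiutil create -type SPARSEBUNDLE -fs HFS+J \
        -encryption AES-256 -size "$2" -volname "$3" "$1"
}

# fill_vault IMAGE SRC_FOLDER MOUNTPOINT
# Mounts the image, copies SRC_FOLDER into it and compares the copy with the
# original. Returns non-zero if any step fails, so the unencrypted original
# is only a candidate for erasure after a zero exit status.
fill_vault() {
    image=$1 src=${2%/} mnt=$3 status=0
    run mkdir -p "$mnt" || return 1
    run hdiutil attach -mountpoint "$mnt" "$image" || return 1
    run cp -Rp "$src" "$mnt/" &&
        run diff -r "$src" "$mnt/$(basename "$src")" || status=1
    # Always detach so the volume is locked again, even after a failed copy.
    run hdiutil detach "$mnt" || status=1
    [ "$status" -eq 0 ] || echo "copy not verified; keep the original" >&2
    return "$status"
}
```

Because the image is an ordinary bundle on the existing file system, it can sit on the AppleRAID volume without converting that volume to Core Storage.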
 

badlydrawnboy

macrumors 68000
Original poster
Oct 20, 2003
1,529
417
Thanks everyone. I used FileVault for my boot disk. I was able to use it for one of my external drives.

For the external drive with partitions, what about re-partitioning and using "OS X Extended (Journaled, Encrypted)"?

I use 1Password for password storage rather than iCloud Keychain.
 

grahamperrin

macrumors 601
Jun 8, 2007
4,942
648
  • … LaCie Little Big Disk Thunderbolt 2 …
When I tried encrypting the LaCie, it said "You can’t convert an AppleRAID volume to Core Storage." The LaCie is a set of 2 PCIe SSDs preconfigured in RAID 0.

Preconfigured with (soft) Apple RAID?

If the single enclosure can present its content, to the operating system, as two devices: do you want encryption to be coupled with an emphasis on performance?
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,136
15,598
California
He should not do that!

I disagree. For either of these hypothetical hacks to work, OP would have to install the malware with his admin password then have that malware grab the sparse bundle password and send it off to some server presumably monitored somewhere. Then the person who now has that password (again hypothetically) would need to know where OP lives and drive to his house and steal the drive then enter the password.

Unless OP is Jason Bourne, I doubt that is going to happen.
For the external drive with partitions, what about re-partitioning and using "OS X Extended (Journaled, Encrypted)"?

That gives you the exact same end result as the right click and encrypt method. The only difference is the repartition option erases the drive where the right click method does not.

But if you reformatted the drive into multiple partitions with the encrypted one up top like I mentioned, you would be able to have an encrypted and then a non-encrypted partition on the drive like I mentioned earlier.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,136
15,598
California
Preconfigured with (soft) Apple RAID?

If the single enclosure can present its content, to the operating system, as two devices: do you want encryption to be coupled with an emphasis on performance?
Yeah... those are set up with software RAID. LaCie sells them as a 4TB drive, but it is really two 2TB in RAID0. I've helped a couple people on the forums who have accidentally broken the RAID setup and you can reconfigure it with Disk Util (pre-El Capitan and now in Terminal). They come from LaCie set up like this.
 

badlydrawnboy

macrumors 68000
Original poster
Oct 20, 2003
1,529
417
I disagree. For either of these hypothetical hacks to work, OP would have to install the malware with his admin password then have that malware grab the sparse bundle password and send it off to some server presumably monitored somewhere. Then the person who now has that password (again hypothetically) would need to know where OP lives and drive to his house and steal the drive then enter the password.

Unless OP is Jason Bourne, I doubt that is going to happen.

That gives you the exact same end result as the right click and encrypt method. The only difference is the repartition option erases the drive where the right click method does not.

But if you reformatted the drive into multiple partitions with the encrypted one up top like I mentioned, you would be able to have an encrypted and then a non-encrypted partition on the drive like I mentioned earlier.

For the record, the OP is not Jason Bourne—but is looking forward to the release of the Bourne remake film!

For whatever reason, as I mentioned, right-clicking on the partitions wouldn't allow me to encrypt them. So I opened Disk Utility and re-partitioned only the two partitions I wanted to be secure. As you said, that erased them but I'm copying the data back over now.

The LaCie Little Big Disk is actually a 1 TB drive with 2x 500 GB PCI SSDs preconfigured in RAID 0. I am thinking that the best option here would just be to convert the files I need to protect into encrypted disk images.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,136
15,598
California
For the record, the OP is not Jason Bourne—but is looking forward to the release of the Bourne remake film!

For whatever reason, as I mentioned, right-clicking on the partitions wouldn't allow me to encrypt them. So I opened Disk Utility and re-partitioned only the two partitions I wanted to be secure. As you said, that erased them but I'm copying the data back over now.

The LaCie Little Big Disk is actually a 1 TB drive with 2x 500 GB PCI SSDs preconfigured in RAID 0. I am thinking that the best option here would just be to convert the files I need to protect into encrypted disk images.

Those are good movies and the new one looks to be the same. :)

I think it is related to the layout of the partitions on that drive. Glad you got it sorted out.

Unless you want to "break" the RAID setup and manage those as two, separate drives, I think the encrypted bundle is your best option.
 

grahamperrin

macrumors 601
Jun 8, 2007
4,942
648
… I've helped a couple people on the forums who have accidentally broken the RAID setup and you can reconfigure it with Disk Util (pre-El Capitan and now in Terminal). They come from LaCie set up like this.

OK, thanks. (Years ago I broke the preconfigured RAID on a dual-disk LaCie but the fix involved LaCie firmware (not Apple software).)
 

badlydrawnboy

macrumors 68000
Original poster
Oct 20, 2003
1,529
417
Those are good movies and the new one looks to be the same. :)

I think it is related to the layout of the partitions on that drive. Glad you got it sorted out.

Unless you want to "break" the RAID setup and manage those as two, separate drives, I think the encrypted bundle is your best option.

This external drive is always mounted and stores my active photos and videos for editing (that's why it's such a fast drive), so encrypting it as a bundle/disk image (if that's what you're suggesting?) wouldn't work, right?

Now that I'm thinking about it, the best option might be to simply move the folder with the sensitive financial info on that external drive onto my boot drive, since there is enough space. Duh. Should have thought about that before.

Then the only thing I'd have on the LaCie would be active photo/video projects, which I don't feel the need to encrypt.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,136
15,598
California
This external drive is always mounted and stores my active photos and videos for editing (that's why it's such a fast drive), so encrypting it as a bundle/disk image (if that's what you're suggesting?) wouldn't work, right?

Now that I'm thinking about it, the best option might be to simply move the folder with the sensitive financial info on that external drive onto my boot drive, since there is enough space. Duh. Should have thought about that before.

Then the only thing I'd have on the LaCie would be active photo/video projects, which I don't feel the need to encrypt.

When you use an encrypted sparse bundle image, you are not encrypting the drive at all. You just create the encrypted image in Disk Utility then put that file anywhere you want. Then double click it and enter your password to open it and drop in whatever files you want.... then "close" the image by ejecting it and it is locked up again. You can put that encrypted image anywhere you want. You can put it on an external drive like the LaCie without changing the format or setup of that drive at all. You can even store the image on MS-DOS (FAT) formatted drives if you like.

Think of it sort of like a ZIP file where you can open and close the ZIP and add and remove files, only it is password protected.
 

badlydrawnboy

macrumors 68000
Original poster
Oct 20, 2003
1,529
417
When you use an encrypted sparse bundle image, you are not encrypting the drive at all. You just create the encrypted image in Disk Utility then put that file anywhere you want. Then double click it and enter your password to open it and drop in whatever files you want.... then "close" the image by ejecting it and it is locked up again. You can put that encrypted image anywhere you want. You can put it on an external drive like the LaCie without changing the format or setup of that drive at all. You can even store the image on MS-DOS (FAT) formatted drives if you like.

Think of it sort of like a ZIP file where you can open and close the ZIP and add and remove files, only it is password protected.

Right, which is why I don't think it can work for photo and video editing. When Lightroom is open it needs to be able to continually access the images on that drive.

Are you saying it's possible that I could enter the password for the encrypted image before each photo session?

In any event, I don't really need to secure the photo/video files so I will just encrypt the sensitive info on that drive or better yet move that to the boot drive. Thanks for all of your help.
 

grahamperrin

macrumors 601
Jun 8, 2007
4,942
648
Also you can allow the passphrase to be saved in a keychain, and have the image opened automatically when you log in to the OS.
 

NoBoMac

Moderator
Staff member
Jul 1, 2014
5,771
4,358
TLDR: it's Sunday, enjoying day on the deck.

I do something similar to what seems to have been suggested. On my external drives, if a partition (or whole drive if smallish and used for Time Machine) contains sensitive information, I use Keychain to generate a long random passcode (25 characters, upper/lower, digits, special) and use it for encrypting. Click on the option to have Keychain remember it during first unlock of the drive. Other partitions, that back up my photos, music, other, are unencrypted.

The Mac has FileVault set, long rememberable yet randomish passcode. The Mac is the weak link, in that if that is stolen, and an evildoer can crack that passcode, they have keys to the kingdom.

That all said, agree with Weaselboy in that lots of ifs to get hit with an exploit. I don't keep my machine on/online, download only respectable software from trusted sites. Firewalls turned on everywhere that has it.

Alternative: generate a random passcode for the account/FileVault password, and store it in a phone password vault and transcribe it when signing in. Have that for a dummy account solely for unlocking the disk, then sign into the primary account after that. Gut tells me that most folks are like me in that the phone is pocketed/on the night stand (close by) and odds are phone and computer and drives are not going to be lost at same time.
 