
yellowhelicopter

A question regarding use of an encrypted object (file/folder/drive). Will I be able to use it as usual after encryption (like if it was encrypted with FileVault), or will the information in it become unusable until decryption? I want to encrypt a pretty full external drive (APFS) and continue to use it as usual, but just learned that I can't use FileVault for it.
 
“FileVault” is only for boot disks. You can format it as “APFS Encrypted” and it’ll have the equivalent security. It’ll work fine in the Finder.
 
“FileVault” is only for boot disks. You can format it as “APFS Encrypted” and it’ll have the equivalent security. It’ll work fine in the Finder.
I wasn't clear enough, sorry. By "Finder" I meant the way to do the encryption: i.e. right click on a drive and choose "Encrypt". Will this method allow me to work with it as usual after encryption? It has some symlinked folders on it from my Home on another drive (like Downloads f.e.). I cannot format it as APFS Encrypted coz it's pretty full and I have no other drive to temporarily move the stuff.
 
right click on a drive and choose "Encrypt". Will this method allow me to work with it as usual after encryption?

I believe the right-click/encrypt from finder will do what you want. I did this for an HFS+ formatted volume and it worked out very well.

IIRC, the first time the drive is ejected and then mounted again, macOS will ask for the encrypted drive's password, and there is an option (checkbox, I think) to save the password in your keychain. If you select that option, you won't have to enter the password anymore, and it will work for your account login just as if it were not encrypted.
 
Another question: what's the difference between FileVault and APFS encrypted, if any? They must be different in some way, otherwise FileVault would be available for any drive in the system like APFS encrypted.
 
Another question: what's the difference between FileVault and APFS encrypted, if any? They must be different in some way, otherwise FileVault would be available for any drive in the system like APFS encrypted.
The end result of both is the drive is in APFS encrypted format. The difference is when you turn on FileVault, it changes the way the computer boots up. It boots to a small startup volume and presents the login screen. Once you enter the password, the main boot drive is unlocked then booted to.
 
The end result of both is the drive is in APFS encrypted format. The difference is when you turn on FileVault, it changes the way the computer boots up. It boots to a small startup volume and presents the login screen. Once you enter the password, the main boot drive is unlocked then booted to.

So, I suppose the only way to use APFS encrypted for startup disk is the FileVault? Otherwise how can the computer boot up... I mean may I not enable FileVault but just encrypt the startup disk via Finder?

Also, do macOS updates work as usual for "FileVaulted" drive, or one needs to turn off the FileVault first?
 
So, I suppose the only way to use APFS encrypted for startup disk is the FileVault?
Correct.

I mean may I not enable FileVault but just encrypt the startup disk via Finder?

That won't work because it would have no way to boot.
Also, do macOS updates work as usual for "FileVaulted" drive, or one needs to turn off the FileVault first?

No need to turn off FV. Updates with it on work exactly the same. It is quite transparent once enabled.
 
Thanks. Yet another question: is there a way to extract files from APFS encrypted drive in Windows should something happen with my Mac? I heard about Paragon's APFS for Windows app, but have no idea if it can work with files on encrypted drives or decrypt them.
 
Looks like Paragon APFS can read only APFS encrypted disks. Does not look like it can decrypt.

It also mentions it cannot read disks encrypted on newer Macs with the T2 chip.
 
Looks like Paragon APFS can read only APFS encrypted disks. Does not look like it can decrypt.

It also mentions it cannot read disks encrypted on newer Macs with the T2 chip.

Yes, just found the answer:

I have just tested my encrypted disk on APFS for Windows after reading this thread. And the result is: “This volume cannot be mounted in Read/Write mode due to encryption.” Reading the files works fine though.

Only haven't quite understood what the "reading the files" means exactly. Does it mean I only will be able to extract useless encrypted files from the drive and no original files?


PS: It seems there is software capable of decryption in Windows: https://www.ufsexplorer.com/articles/how-to/recover-data-apfs-encryption/
 
Only haven't quite understood what the "reading the files" means exactly. Does it mean I only will be able to extract useless encrypted files from the drive and no original files?
No... it means you can see files on the disk and open them to see the contents, or even copy files from the drive. But not copy files to the drive (write access).
 
Ok, I used "Encrypt" command for my external HDD, but does anybody know how long it usually takes?

It's 1TB 2.5" HDD, about 80% full. The thing is that Disk Utility shows it as "Encrypted" but obviously the process isn't finished yet and I don't have "Decrypt" option in Finder either, just greyed out "Encrypt...". The disk works and all, but for several days now it's constantly busy and System Monitor's disk activity shows that kernel_task is constantly reading/writing something in large amounts. Another thing is that I have periodic outages here due to bombed out power stations and resulting shortages, like every 4 hours, so maybe the process can't be finished because of that and every time it kinda starts anew? Or it's really just that long for HDD?
 
I agree with @Weaselboy's comment. If I remember correctly, you can even shut down and restart the computer and it will pick up encrypting where it left off. A 2.5" HDD is probably even slower than typical 3.5" HDDs.

Using Terminal.app there is a way to see the % progress. If I remember correctly, use diskutil corestorage list and look to find the volume's "UUID" of the volume being encrypted. It will be some long string like "AB0A2B8F-A986-4477-B432-03905518CB4E".

Then use diskutil corestorage info <UUID> where you replace <UUID> with the long number you found previously.

The result of the "info" command should give you an encryption progress as a percentage.

There may be an easier way to see the progress in the GUI, but I'm not sure how. Try selecting the disk in Finder and hitting 'Cmd-I' (for Get Info) -- maybe that shows the progress.
 
Using Terminal.app there is a way to see the % progress. If I remember correctly, use diskutil corestorage list and look to find the volume's "UUID" of the volume being encrypted.

The command results in "No CoreStorage logical volume groups found".

There may be an easier way to see the progress in the GUI, but I'm not sure how. Try selecting the disk in Finder and hitting 'Cmd-I' (for Get Info) -- maybe that shows the progress.

Nope, nothing there like it.
 
The command results in "No CoreStorage logical volume groups found".
Hmmm... sorry. Due to the length of time it's taking, I thought the volume was formatted HFS+. If it's formatted APFS, try the command diskutil apfs list

There will be info for a bunch of volumes printed out, but I think the encryption progress will be shown in that command's output (That is, a second "info" command isn't needed.)

If it's too much to look through, you can search for encryption info in the output with diskutil apfs list | grep -i encrypt

Hope that works.
 
Hmmm... sorry. Due to the length of time it's taking, I thought the volume was formatted HFS+. If it's formatted APFS, try the command diskutil apfs list

There will be info for a bunch of volumes printed out, but I think the encryption progress will be shown in that command's output (That is, a second "info" command isn't needed.)

Thanks. Encryption Progress: 61.0% (Unlocked)
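
Added example (not part of the original posts): a small shell filter that pulls the "Encryption Progress" line quoted above out of `diskutil apfs list` output, per volume, so an unfinished conversion is easy to spot even though Disk Utility already labels the drive "Encrypted". The "+-> Volume diskNsM" block layout and the sample text are assumptions constructed for illustration; only the progress line format comes from this thread.

```shell
#!/bin/sh
# Reads `diskutil apfs list` text on stdin and prints
# "<volume> <percent> <state>" for each volume reporting progress.
# Assumption: a volume block starts with a "+-> Volume diskNsM" line.
apfs_encryption_progress() {
    awk '
        /Volume disk[0-9]+s[0-9]+/ {
            # Remember the most recent volume identifier seen.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^disk[0-9]+s[0-9]+$/) { vol = $i; break }
        }
        /Encryption Progress:/ {
            pct = ""; state = "unknown"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[0-9.]+%$/) pct = $i
                if ($i ~ /^\(.*\)$/) state = substr($i, 2, length($i) - 2)
            }
            if (pct != "") print (vol == "" ? "?" : vol), pct, state
        }
    '
}

# Exit status 0 when at least one volume on stdin reports progress
# below 100%, i.e. part of its data is still waiting to be encrypted.
apfs_conversion_pending() {
    apfs_encryption_progress | awk '
        { sub(/%/, "", $2); if ($2 + 0 < 100) pending = 1 }
        END { exit (pending ? 0 : 1) }
    '
}

# Constructed sample input, not captured from a real system.
sample_apfs_list() {
    cat <<'EOF'
+-- Container disk3 (constructed sample)
    |
    +-> Volume disk3s1 (constructed sample)
    |   Name:                      Backup
    |   Encryption Progress:       61.0% (Unlocked)
    |
    +-> Volume disk3s2 (constructed sample)
        Name:                      Scratch
EOF
}

# On a Mac: diskutil apfs list | apfs_encryption_progress
sample_apfs_list | apfs_encryption_progress
```
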
 
Ok, the encoding has been finished at last, but somehow my encoded drives cease to mount on start up, I have to run Disk Utility and enable them manually. Why is that and what should I do for them to mount automatically as they did before?
 
Go to Disk Util and eject the drive. Then still in Disk Util mount the drive. You should get a popup asking you to enter the password. Type in the password then in that same pane check the box to remember the password in Keychain. From then on it should mount on its own when you boot.
 
my encoded drives cease to mount on start up, I have to run Disk Utility and enable them manually.
That is odd. In my experience with encrypted drives (Mojave), the drive will start to mount at login (assuming it's connected and powered on, of course). The first time, you would be asked to provide the password, and you can optionally have the password saved to your login keychain. After that it would be mounted automatically during subsequent logins.

I believe that's the way it's supposed to work, even in the latest macOS releases. Something seems off...

You say that you have mounted the drive using Disk Utility. Have you selected the checkbox to save the drive password to your login keychain? If you haven't, perhaps saving it would make a difference and let it automatically mount at login.

Also curious what happens in this scenario:

Shut down the Mac
Disconnect the external drive
Start up the Mac and log in
Now connect/power on the drive

Does it mount automatically (or ask for the password) now?

Also, what version of macOS are you running?
(I've seen lots of postings about problems with Monterey mounting external drives.)
 
It has fixed itself. After finishing encryption of an external drive, the system just "ejected" all external drives somehow. I think what was needed was to mount them again and shut down or restart the computer properly for them to be properly mounted further. And mine is usually being abruptly cut off due to outages, at least I think that was the reason.
 