Would you please explain disk encryption to me?

MacBH928

Original poster
I know encryption turns your data unreadable except with the password. Here are my questions.

1) If I encrypt a drive, does it work slower? Does it cause errors? Does it cause errors in backup?
2) If I back up an encrypted drive, does the backup become encrypted too?
3) What do I encrypt? The Disk, the Volume, or the Partition? I think the new APFS has something new too, whose name I forgot.
4) Is encryption a public standard like .Zip, like I can encrypt it on Y app on macOS and decrypt it on X app on Linux? Or do I need the same software from the software vendor on the same OS?
 

HDFan

2) If I back up an encrypted drive, does the backup become encrypted too?
With a T2 chip Time Machine warns you that you are backing up an encrypted drive to an unencrypted one. Carbon Copy Cloner copies are unencrypted. Does your Mac have a T2 chip?
 

KALLT

Some of your questions are too generic.

File-system encryption (FileVault or encryption in Disk Utility) has a performance impact, but I argue that it is negligible. More so on SSDs and even more so on Macs with dedicated crypto chips, like T2 Macs. Data that you back up to another volume or drive is not encrypted unless that target itself is encrypted. Time Machine and other backup software copy the unencrypted data while the volume is unlocked (on-the-fly decryption). The encryption on an APFS-formatted drive happens at the volume level (it is a bit muddy, because APFS consists of several layers: containers, volume groups, volumes). For HFS+ (Mac OS Extended) the encryption happens in the surrounding volume layer (CoreStorage), not HFS+ proper. Apple uses AES for encryption, but the decryption still requires support for the file system itself. I am not aware whether other operating systems support HFS+ or APFS at that level.

If you must share encrypted data across different operating systems, then you have to find a cross-compatible solution, such as encrypted network-attached storage, a cloud service or manual encryption with third-party software, e.g. with VeraCrypt.
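
As an added example (not part of the thread or any poster's reply): because a backup is only encrypted when its destination volume is, this shell function reads `diskutil apfs list` output and lists the volumes whose FileVault field is not "Yes". The sample listing is constructed and abbreviated, and the field labels it relies on are an assumption that may not match every macOS release.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `diskutil apfs list` text on stdin
# and prints "<device><TAB><name>" for every volume whose FileVault field is
# not "Yes". The field labels are an assumption about that command's output.
unencrypted_apfs_volumes() {
    awk '
        # Each volume block starts at its "APFS Volume Disk (Role):" line.
        /APFS Volume Disk \(Role\):/ {
            sub(/.*\(Role\):[ \t]*/, "")
            dev = $1; name = ""
            next
        }
        # First Name: line after the volume header; drop the case suffix.
        dev != "" && name == "" && /Name:/ {
            sub(/.*Name:[ \t]*/, "")
            sub(/[ \t]*\(Case-[a-z]*sensitive\)[ \t]*$/, "")
            name = $0
            next
        }
        # The FileVault line closes the block; report anything but "Yes".
        dev != "" && /FileVault:/ {
            sub(/.*FileVault:[ \t]*/, "")
            if ($1 != "Yes") printf "%s\t%s\n", dev, name
            dev = ""
        }
    '
}

# Constructed, abbreviated sample in the layout of `diskutil apfs list`.
sample_apfs_list() {
    cat <<'EOF'
+-- Container disk1 (constructed sample)
    |   APFS Volume Disk (Role):   disk1s1 (Data)
    |   Name:                      Macintosh HD - Data (Case-insensitive)
    |   Mount Point:               /System/Volumes/Data
    |   FileVault:                 Yes (Unlocked)
+-- Container disk3 (constructed sample)
    |   APFS Volume Disk (Role):   disk3s1 (No specific role)
    |   Name:                      CCC Backup (Case-insensitive)
    |   Mount Point:               /Volumes/CCC Backup
    |   FileVault:                 No
EOF
}

# On a Mac: diskutil apfs list | unencrypted_apfs_volumes
sample_apfs_list | unencrypted_apfs_volumes
```

Run it before a backup job: any destination volume it prints will hold the copied data in the clear.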
 

MacBH928

Original poster
With a T2 chip Time Machine warns you that you are backing up an encrypted drive to an unencrypted one. Carbon Copy Cloner copies are unencrypted. Does your Mac have a T2 chip?
nope

Some of your questions are too generic.

File-system encryption (FileVault or encryption in Disk Utility) has a performance impact, but I argue that it is negligible. More so on SSDs and even more so on Macs with dedicated crypto chips, like T2 Macs. Data that you back up to another volume or drive is not encrypted unless that target itself is encrypted. Time Machine and other backup software copy the unencrypted data while the volume is unlocked (on-the-fly decryption). The encryption on an APFS-formatted drive happens at the volume level (it is a bit muddy, because APFS consists of several layers: containers, volume groups, volumes). For HFS+ (Mac OS Extended) the encryption happens in the surrounding volume layer (CoreStorage), not HFS+ proper. Apple uses AES for encryption, but the decryption still requires support for the file system itself. I am not aware whether other operating systems support HFS+ or APFS at that level.

If you must share encrypted data across different operating systems, then you have to find a cross-compatible solution, such as encrypted network-attached storage, a cloud service or manual encryption with third-party software, e.g. with VeraCrypt.
This is exactly what I was worried about, because I really don't want to encrypt a drive and then have it tell me that to decrypt it I need an x86 macOS computer that has USB-A running Mojave or earlier. This is a dangerous game to lock all your data.

Encryption should be a standard, kind of like how you can view JPEG anywhere and unzip .zip files anywhere.
 

Texas_Toast

Fishrrman's description of disk encryption:
More trouble than it's worth, unless you have a REALLY good and legitimate reason for using it.
@Fishrrman,

How is that?

I have been using FDE for 10 years and have never had a problem so far. (And since I use CarbonCopyCloner, if something did go wrong, I have a backup. For those that are paranoid, make a clone, decrypt it, lock it up in a safe, and then you have a clone unfettered by encryption.)



- - Post merged: - -

I know encryption turns your data unreadable except with the password. Here are my questions.

1) If I encrypt a drive, does it work slower? Does it cause errors? Does it cause errors in backup?
With an SSD, not noticeably slower.

Errors? It can.

A backup is a copy of your Mac's current state. Have a corrupt Mac. Your backup/clone will be corrupt too.


2) If I back up an encrypted drive, does the backup become encrypted too?
I use CarbonCopyCloner (CCC) to make "clones" of my Mac to serve as something better than a backup.

When I clone a virgin drive, it does not encrypt that drive. You have to boot up into it, and turn on FileVault2 and then encryption can take a couple of days depending.

After that, each time you create an updated clone on that drive, it is encrypted. (Think of encryption as another layer to the backup or clone.) (I cannot speak to how Time Machine works...)


3) What do I encrypt? The Disk, the Volume, or the Partition? I think the new APFS has something new too, whose name I forgot.
You can encrypt files or directories, but you should instead turn on FileVault2 and encrypt EVERYTHING!!

If you are paranoid, you can encrypt individual files too, but you should always use Full-Disk Encryption (FDE) as a baseline if you want encryption.

(Would you lock your file cabinet but leave your front door open? If not, then always use FDE!!)


4) Is encryption a public standard like .Zip, like I can encrypt it on Y app on macOS and decrypt it on X app on Linux? Or do I need the same software from the software vendor on the same OS?
If you used some app to encrypt that existed on multiple platforms then you could in theory do as you describe.

FileVault2 is macOS only, but you can encrypt a bootable disk on Mac #1 and then boot from that disk on Mac #2 and decrypt it. (That assumes you are using a bootable clone like CCC creates.)

HTH!
 

MacBH928

Original poster
I use CarbonCopyCloner (CCC) to make "clones" of my Mac to serve as something better than a backup.

When I clone a virgin drive, it does not encrypt that drive. You have to boot up into it, and turn on FileVault2 and then encryption can take a couple of days depending.

After that, each time you create an updated clone on that drive, it is encrypted. (Think of encryption as another layer to the backup or clone.) (I cannot speak to how Time Machine works...)
I use CCC too. Are you saying that the encryption layer is independent of the disk and its content? So a brand new HDD will take days to encrypt just like an HDD filled with 2TB of content? I thought the more data the longer it takes. Also this is not practical at all for external HDDs, can't have one hanging off my laptop for days. What happens if the encryption process is interrupted, like a power failure or a pulled USB?


You can encrypt files or directories, but you should instead turn on FileVault2 and encrypt EVERYTHING!!

If you are paranoid, you can encrypt individual files too, but you should always use Full-Disk Encryption (FDE) as a baseline if you want encryption.

(Would you lock your file cabinet but leave your front door open? If not, then always use FDE!!)
This is my question: when I do an FDE, which part should I do an FDE on? Look at this image, there are 3 parts to the disk. Also I tend to have multiple partitions on a disk, should I encrypt each partition separately?

If you used some app to encrypt that existed on multiple platforms then you could in theory do as you describe.

FileVault2 is macOS only, but you can encrypt a bootable disk on Mac #1 and then boot from that disk on Mac #2 and decrypt it. (That assumes you are using a bootable clone like CCC creates.)

HTH!
I understand that, but I really do not like the idea that I have a FileVault2-encrypted disk and in the future, when they release FV3, they would give me an error that FV3 cannot decrypt FV2 disks. I wish it was a standard where if I got the password any system can unlock it.
 