Hi Polgs,
Thanks for the detailed post!
If your intent is to hide the data, you might want to go with a sparsebundle instead of making a new APFS volume on the internal drive:
- It's portable - you can transfer the sparsebundle to another drive or Mac
- Whenever your Mac detects an encrypted volume, it prompts you to enter the password needed to unlock it. If you add an encrypted volume to the internal drive, it will always detect it at startup, and prompt you to enter the password. It might prompt again when someone else logs in. In contrast, disk images (including sparsebundles) are virtual disks that remain "detached" from the computer until you open them. In short, a sparsebundle is less likely to be detected than a regular encrypted volume.
EDIT: Yes, you can have an APFS sparsebundle stored on an APFS volume (APFS inside APFS). To the parent filesystem, the sparsebundle only appears as a series of folders. (A regular disk image would appear as a single file.) The child filesystem has no knowledge of the parent filesystem.
Also, if other people are using your Mac, you should do the following to ensure your data remains safe:
- If other people have used your user account, change your login password in System Preferences -> Users and Groups.
- Make sure that your Mac requires your password when it goes to sleep, or when the lid is closed. Check System Preferences -> Security and Privacy -> General.
- Turn on FileVault (in System Preferences -> Security and Privacy), to prevent anyone from starting up in macOS Recovery and resetting your login password. (You can still reset it using your Apple ID and password, or by using the FileVault recovery key.)
- Do one or both of the following, in System Preferences -> Users and Groups:
  - Create a dedicated user account for each person that uses your Mac. Make them all standard users. (Admins can reset the passwords of other users and make system-wide changes.) With this setup, each person can log in to their own account, and store their own files and data inside.
  - Enable the Guest User. This is a great option for people who just need to quickly borrow your Mac to browse the internet. Any files stored in the Guest account are deleted when it logs out. When FileVault is on, the Guest user can only access Safari.
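
The sparsebundle setup suggested in this reply, sketched with macOS `hdiutil` as an added example that is not part of the original post. The image path, the 2g size and the volume name `Private` are assumed values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: encrypted APFS sparsebundle lifecycle with macOS hdiutil.
# VAULT, the 2g size and the volume name "Private" are assumed values.
VAULT="${VAULT:-$HOME/Private.sparsebundle}"

# Create the image. hdiutil prompts for the passphrase itself, so the
# passphrase never appears in argv or in shell history.
create_vault() {
    hdiutil create -size 2g -type SPARSEBUNDLE -fs APFS \
        -encryption AES-256 -volname Private "$1"
}

# Mount on demand; -nobrowse keeps the volume out of the Finder sidebar.
open_vault() {
    hdiutil attach -nobrowse "$1"
}

# Detach when finished so the volume needs the passphrase again.
close_vault() {
    hdiutil detach "/Volumes/Private"
}

# What the parent filesystem sees: a directory holding Info.plist and bands/.
looks_like_sparsebundle() {
    [ -d "$1" ] && [ -f "$1/Info.plist" ] && [ -d "$1/bands" ]
}

# Succeeds only if the path is a sparsebundle and hdiutil reports it encrypted.
check_vault() {
    looks_like_sparsebundle "$1" || { echo "not a sparsebundle: $1"; return 1; }
    hdiutil isencrypted "$1" 2>&1 | grep -q 'encrypted: YES'
}
```

On a Mac, run `create_vault "$VAULT"` once, then `open_vault "$VAULT"` and `close_vault` around each use; `check_vault "$VAULT"` confirms the image was created with encryption.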