
Set up extra encrypted volume on MacBook SSD.

I am trying to set up an encrypted space on the APFS formatted SSD in my MacBook Air 2020 (Intel Monterey 12.1) to store sensitive data — to hide data for when someone else is using my Mac.


Options:

  1. Create another volume on the SSD formatted APFS encrypted.
  2. Create a sparsebundle on the main volume formatted APFS encrypted.
  3. Create a sparsebundle on the main volume formatted HFS+ encrypted. The reason for this is that I don't know if APFS works when in a sparsebundle on an APFS volume. APFS under APFS?


I'm guessing that opt 1. might be best but not sure. Any thoughts?


Deeper question: As it's easy to create a new volume in an APFS container, is there ever a reason to create sparsebundles in an APFS volume anymore?

MacBook Air (2020 or later)

Posted on Jan 5, 2022 6:35 PM

Question marked as Best reply

Posted on Jan 7, 2022 6:13 PM

Hi Polgs,


Thanks for the detailed post!


If your intent is to hide the data, you might want to go with a sparsebundle instead of making a new APFS volume on the internal drive:


  • It's portable - you can transfer the sparsebundle to another drive or Mac


  • Whenever your Mac detects an encrypted volume, it prompts you to enter the password needed to unlock it. If you add an encrypted volume to the internal drive, it will always detect it at startup, and prompt you to enter the password. It might prompt again when someone else logs in. In contrast, disk images (including sparsebundles) are virtual disks that remain "detached" from the computer until you open them. In short, a sparsebundle is less likely to be detected than a regular encrypted volume.


EDIT: Yes, you can have an APFS sparsebundle stored on an APFS volume (APFS inside APFS). To the parent filesystem, the sparsebundle only appears as a series of folders. (A regular disk image would appear as a single file.) The child filesystem has no knowledge of the parent filesystem.



Also, if other people are using your Mac, you should do the following to ensure your data remains safe:


  • If other people have used your user account, change your login password in System Preferences -> Users and Groups.


  • Make sure that your Mac requires your password when it goes to sleep, or when the lid is closed. Check System Preferences -> Security and Privacy -> General.


  • Turn on FileVault (in System Preferences -> Security and Privacy), to prevent anyone from starting up in macOS Recovery and resetting your login password. (You can still reset it using your Apple ID and password, or by using the FileVault recovery key.)


  • Do one or both of the following, in System Preferences -> Users and Groups:


    • Create a dedicated user account for each person that uses your Mac. Make them all standard users. (Admins can reset the passwords of other users and make system-wide changes.) With this setup, each person can log in to their own account, and store their own files and data inside.


    • Enable the Guest User. This is a great option for people who just need to quickly borrow your Mac to browse the internet. Any files stored in the Guest account are deleted when it logs out. When FileVault is on, the Guest user can only access Safari.


Feb 8, 2022 8:21 PM in response to Encryptor5000

Thanks for your detailed response.


I have decided to go with my option 1.

I have found that APFS volumes are more stable than sparsebundles in my environment. As you stated, I did notice that macOS asked me for the password every time I booted or connected the external drive but I got around this by using vifs to add the volume's UUID to the list of volumes to not automount.
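
The no-automount entry mentioned in the reply above, sketched as an added example (not the poster's own commands). It assumes the usual `UUID=... none apfs rw,noauto` fstab entry format and writes to a staging file rather than `/etc/fstab`; the function names and the sample UUID are constructed for illustration.

```shell
#!/bin/sh
# Added example: build, and idempotently stage, a "noauto" fstab entry so
# macOS stops mounting (and prompting to unlock) one encrypted volume.
# Function names and the staging-file workflow are illustrative assumptions.

# Succeed only for a canonical 8-4-4-4-12 hex UUID, the form shown on the
# "Volume UUID" line of `diskutil info <volume>`.
is_uuid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Print the fstab line: spec, mount point "none", filesystem type, options.
noauto_line() {
    uuid=$1
    fstype=${2:-apfs}
    is_uuid "$uuid" || { echo "not a volume UUID: $uuid" >&2; return 2; }
    case $fstype in
        apfs|hfs) ;;
        *) echo "unsupported type: $fstype" >&2; return 2 ;;
    esac
    printf 'UUID=%s none %s rw,noauto\n' "$uuid" "$fstype"
}

# Append the entry to a staging copy of fstab unless an uncommented entry
# for this UUID already exists (UUID case is ignored).
# Returns 0 if added, 1 if already present, 2 on bad input.
add_noauto() {
    file=$1
    uuid=$2
    fstype=${3:-apfs}
    line=$(noauto_line "$uuid" "$fstype") || return 2
    if [ -f "$file" ] &&
        grep -Eiq "^[[:space:]]*UUID=$uuid[[:space:]]" "$file"; then
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
}

# Usage on the Mac (constructed UUID):
#   add_noauto /tmp/fstab.new 01234567-89AB-CDEF-0123-456789ABCDEF
# then review /tmp/fstab.new and enter the line with `sudo vifs`.
```

With the entry in place, the volume stays unmounted and locked until it is mounted explicitly, so its password prompt no longer appears at startup.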
