External disk encryption: why not save time and format as (Journaled, Encrypted)

Question

External disk encryption: why not save time and format as (Journaled, Encrypted)

My basic question applies to encryption on Mountain Lion 10.8.2 both via Time Machine and through Finder. I am using a couple of 640GB Western Digital My Passport Studio Drives.

First, setting up Time Machine - if I follow the instructions listed at http://support.apple.com/kb/HT1427, when I tell Time Machine to encrypt the newly formatted drive - in Disk Utility, as Mac OS Extended (Journaled) - it performs the backup for an hour and then spends over 12 hours (cannot quite recall how long, it does not matter) performing the encryption. However, if I first of all format using Disk Utility as Mac OS X (Journaled, Ecrypted), which takes 20 seconds, Time Machine performs the backup and then appears to be complete. I tried to restore some files and all seems fine. My question, then: is there likely to be an encryption of restore problem with this latter approach, which saves half a day of processing?

Second, a related question with encryption via Finder. If I format in Disk Utility as Mac OS Extended (Jornaled, Encrypted) it takes the 20 seconds. If I format as Mac OS Extended (Journaled) and then use 'Encrypt...' via Finder, again, it seems to be taking many hours (dskutil cs list in Terminal is showing 4% done after half an hour or so). Again, why not simply format the drive as ac OS Extended (Jornaled, Encrypted) and save this rigmarole? I am concerned that doing it the 'format as encrypted' way there may be some problem with the outcome, otherwise I am unsure why Apple would recommend this approach. I should appreciate any thoughts people have.

Thank you.

------

Incidentally, this encryption process is ongoing, but when I right-click the disk on my Desktop the pop-up menu shows (greyed out) 'Decrypting 'DiskName"...', when it is in fact encrypting. I wonder why?

Finally, the reason I know all this is that I have gone through the process more than once, not entirely by choice. The firmware in the WDC drives was 10.09. Their updater (available at the link below) could not find the drive (that it had previously identified) whilst it was encrypted with FileVault. I reformatted to Mac OS Extended (Journaled) - this was quicker than doing a 12-hour decryption that may not have worked anyway - updated to firmware 10.12 and am now re-encrypting. Apparently, Mountain Lion does not play too well with earlier firmware versions, so feel free to learn from my lesson.

http://www.wdc.com/wdproducts/wdsmartwareupdate/firmware.asp?id=wdfMP_Studio&os= MAC

MacBook Air, OS X Mountain Lion (10.8.2)

Posted on Jan 20, 2013 12:25 PM

Reply

Answer 1

Linc Davis

Level 10

209,535 points

Jan 20, 2013 1:55 PM in response to BordeauxQuill

When you encrypt a volume in Disk Utility, the actual encryption is deferred until the next time you log in and enter the password. It takes just as long.

Reply

Answer 2

Jan 20, 2013 2:18 PM in response to Linc Davis

Thank you, Linc. This makes sense, but bizarrely, I have seen no evidence of this happening on the drives - even after reboot, no ongoing disc access; no indication in Finder that the disc was being encrypted, etc. The 'Decrypt...' option was available immediately on volume Chronos (see below). Then again, the last time I saw this was before I upgraded the firmware, so perhaps that caused a glitch. Still, here is the dskutil info on the two WDC drives:

Apollo - now firmware 10.12 - is being encrypted after I formatted with (Journaled)

Chronos - still firmware 10.09 - shows that it is fully encrypted - it was formatted with (Journaled, Encrypted) earlier today - not enough for the long encryption to have completed

+-- Logical Volume Group A36...

| =========================================================

| Name: Apollo

| Size: 639088156672 B (639.1 GB)

| Free Space: 16777216 B (16.8 MB)

| |

| +-< Physical Volume D9...

| | ----------------------------------------------------

| | Index: 0

| | Disk: disk2s2

| | Status: Online

| | Size: 639088156672 B (639.1 GB)

| |

| +-> Logical Volume Family D4...

| ----------------------------------------------------------

| Encryption Status: Unlocked

| Encryption Type: AES-XTS

| Conversion Status: Converting

| Conversion Direction: forward

| Has Encrypted Extents: Yes

| Fully Secure: No

| Passphrase Required: Yes

| |

| +-> Logical Volume 4C...

| ---------------------------------------------------

| Disk: disk3

| Status: Online

| Size (Total): 638752608256 B (638.8 GB)

| Size (Converted): 112166174720 B (112.2 GB)

| Revertible: Yes (unlock and decryption required)

| LV Name: Apollo

| Volume Name: Apollo

| Content Hint: Apple_HFS

|

+-- Logical Volume Group 25...

=========================================================

Name: Chronos

Size: 639088156672 B (639.1 GB)

Free Space: 0 B (0 B)

|

+-< Physical Volume 4B...

| ----------------------------------------------------

| Index: 0

| Disk: disk4s2

| Status: Online

| Size: 639088156672 B (639.1 GB)

|

+-> Logical Volume Family 2D...

----------------------------------------------------------

Encryption Status: Unlocked

Encryption Type: AES-XTS

Conversion Status: Complete

Conversion Direction: -none-

Has Encrypted Extents: Yes

Fully Secure: Yes

Passphrase Required: Yes

|

+-> Logical Volume CF...

---------------------------------------------------

Disk: disk5

Status: Online

Size (Total): 638769381376 B (638.8 GB)

Size (Converted): -none-

Revertible: No

LV Name: Chronos

Volume Name: Chronos

Content Hint: Apple_HFS

Reply

Answer 3

Linc Davis

Level 10

209,535 points

Jan 20, 2013 2:18 PM in response to BordeauxQuill

Back up all data.

Triple-click anywhere in the line below to select it:

diskutil cs list

Copy the selected text to the Clipboard (command-C).

Launch the Terminal application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.

Paste (command-V) into the Terminal window.

Post any lines of output that appear below what you entered — the text, please, not a screenshot.

Reply

Answer 4

Jan 20, 2013 2:52 PM in response to Linc Davis

Linc, I was editing my previous post to include the diskutil information when you posted this request and instructions. Please see above. Thank you.

Reply

Answer 5

Linc Davis

Level 10

209,535 points

Jan 20, 2013 3:14 PM in response to BordeauxQuill

That shows one volume ("Apollo") with encryption in progress, and one ("Chronos") that hasn't yet started to be encrypted.

Reply

Answer 6

Jan 20, 2013 7:20 PM in response to Linc Davis

Mine is a logical rather than an expertly informed interpretation, but surely the data below suggest that the disc is encrypted? When I plug it in it does not attempt encryption and Tine Machine stopped as soon as the backup finished, rather than attempting to continue with encryption. Apologies if I am being slow.

Encryption Status: Unlocked

Encryption Type: AES-XTS

Conversion Status: Complete

Conversion Direction: -none-

Has Encrypted Extents: Yes

Fully Secure: Yes

Passphrase Required: Yes

Reply

Answer 7

Linc Davis

Level 10

209,535 points

Jan 20, 2013 7:41 PM in response to BordeauxQuill

You're looking at the logical volume family, not the logical volume, which has not been encrypted.

I don't think there's anything else I can contribute here. Obviously, a multi-gigabyte hard drive can't be encrypted in a few seconds. That is not physically possible. You've chosen to disregard the procedure recommended by Apple for encrypting a Time Machine backup volume. That's your privilege, but in that case you should also figure out why your procedure doesn't work. Good luck.

Reply

Answer 8

Jan 21, 2013 2:48 AM in response to Linc Davis

Thanks for your support, Linc - that was a useful distinction.

I have not chosen to disregard the recommended procedure (for the non-TM drive I could find no Apple guidelines that meaningfully differentiated between Finder and Disk Utility). Rather, having had the chance to experiment with two methods for different purposes, and now left with a handful of unexplained anomalies in both cases (noted above), I was curious to learn a little more about what was going on. Other comments on the web (eg http://macmost.com/forum-encrypting-an-external-hard-disk-with-finder-vs-disk-ut ility.html) are inconclusive. Anyway, I appreciate your investment of time in answering my initial query.

Reply

Answer 9

Sep 20, 2014 1:33 PM in response to Linc Davis

This is an old post, but the ignorance in Linc Davis's answer bemuses me.I respect your experience, and sometimes choosing the path of least resistance is the only way in life, but just following the herd without asking questions is what robots do. So if you don't have a good answer, just don't put any answer and don't waste bits with reprimanding people about what to do. I haven't been able to find answer to this question, so there may be no question after all because nobody has tested yet.

Same here - no answer

http://apple.stackexchange.com/questions/82122/what-kind-of-encryption-does-mac- os-x-extended-journaled-encrptyed-use/146186#146186

1. TM does on-the-fly encryption similar to the Finder option (is it correct?) and there is guarantee it finishes the job and you will know when it's done. It's definitively reliable.

2. Encrypting whole disk and then using that for TM should provide the same result, however, as BordeauxQuill and many others have noticed, the initial encryption is instantaneous (likely because there is no data?) and there is some background process (which is likely not transparent to the end-user) that does the job... However, Linc Davissimply implying the amount of time is same, is just assumption and not a fact until proven otherwise.

TrueCrypt encrypts whole disk volume and it does it instantaneously without any 4-hours overhead. So as BordeauxQuill and many others have observed, the encryption is completed rather quickly.

There is so far no proof the encryption used via Disk Utility would take 4 hours to complete in the background (removing such a disk without it transparently telling you it can't be removed would probably result to corrupted encrypted volume and or inability to remove the encrypted drive because a background encryption process is running for a few hours).

What is true is the Apple on-the-fly encryption is designed to ensure the TM backup works whenever you need it. However TM is also designed for situations where you use an external drive which may be used for other stuff (is this correct?). So the overhead caused by this encryption method may be as result for creating this convenience. With the Disk Util method, I am encrypting the whole drive, so I am basically giving up the possibility I will use the drive (or the partition on it) in any other way than encrypted volume.

Anyways, this is such an old post, but it's unfortunate there is such confusion and lack of clarify about these 2 methods. There are other differences between them, but I am only interested to know this particular feature - which is time-efficiency of backup and the amount of time and effort for the disk it takes to complete copying of the TM backup. If one method is faster than the other, it doesn't mean it's better overall or more secure. However, spending 5 hours to do backup vs 1 hour makes it worth to explore why TM encryption is still preferred method.

Reply