Protecting sensitive data is going to be an ongoing discussion, with ideas stemming from whether full disk encryption or perhaps avoiding your hard drive and storing files on external media is best.
Any additional encryption or protective measure you take for a file will have an impact on the system; however, in most cases this impact will be negligible.
If files you use are sensitive, then be sure to fully password-protect your system (use strong passwords), and ensure FileVault is enabled. In addition, ensure any external drive you use is fully encrypted, which can be done by formatting it to "Mac OS X Extended (Journaled) encrypted" in Disk Utility. When done, ensure the system has a sleep/screensaver password enabled, and you should be well on your way to having your data secured with minimal impact on the system.
Apple's full-disk encryption rides above the storage device hardware, and below the operating system, so the type of storage you use should not matter one bit, and the encryption should be transparent to the operating system and programs you use. In the event of theft, however, without the proper password all data on the drive will be garbled.
I suppose you are aware that Apple does not support secure erasure of Solid State Drives for many good reasons including the fact they cannot be truly erased. My suggestion would be when the time comes to pass your iMac along to another user you pop open the enclosure, yank out the SSD and place it in an external enclosure for use on the iMac's replacement. As for the old iMac, either replace the drive with a new blank drive or sell it as is without a drive.
- Use Disk Utility to encrypt your sensitive files or folders. This is very secure. How to create a password-protected (encrypted) disk image
- Before you sell your Mac, use Disk Utility to securely erase your HD. Securely wipe your hard drive | Macworld
@Joe Bailey and arthur
As mentioned in the thread's opening message, all this is about the iMac late 2013.
That means drive replacement by the user is not possible.
As mentioned there as well, it is about the SSD, the only drive in this iMac, the boot drive.
A nice thank-you for all your hints.
It helped me a little bit to make progress in deciding.
Yes, FV2 seems to be good enough for our requirements.
It shows a few impacts; however, these are rather minor.
The overall costs of any nature seem to be acceptable as well.
Strong passwords, encrypting on the whole chain, screenshots with pwds: all these
are right points. My intention, however, was to narrow the discussion here to
the topics and use cases described at the start.
If the new iMac is physically safe during your use, for example it is in a location where others do not have access to the physical computer, then you may not need FDE (Full Disk Encryption) with FileVault. In this case, before the iMac was sold I would simply remove the drive and replace it with a new one before selling. The cost of a new drive is relatively small and in 1 to 2 years will be even less expensive. Not selling the drive is the only way to ensure you will not have any data leakage due to sector sparing by the drive's internal firmware (the drive will disable access to certain locations if read errors are identified and you will not be able to erase them in the future). I concur with Joe: just pull the drive before selling.
Actually, all additional measures to protect sensitive data from unauthorized access within the whole chain of data storage are out of focus here. In focus are just the two use cases mentioned in the initial question.
This is due to switching from an HDD and a user-serviceable solution to an SSD-only Mac repairable only by professionals.
So that switch results in degradation of data security.
The goal here is just to get back the same grade of data security, despite how imperfect it is.
All additional measures will not be taken until the decision is made - this data needs more security within the whole chain. Currently, for the environment here, the highest data leakage risks are even the two described use cases, natural cataclysm.