How to encrypt an external HDD?

Encryptor5000 wrote:

...

A: Create an encrypted read/write disk image

...

Pros:

...

256-bit encryption is available, which is twice as strong as FileVault (full disk encryption).

B: Reformat your HDD and encrypt the entire drive

...

Cons:

...

256-bit encryption isn't available unless you choose to use an encrypted disk image in conjunction with this.

Hope this helps!

How is 256-bit encryption not available?

"FileVault full-disk encryption (FileVault 2) uses XTS-AES-128 encryption with a 256-bit key."

Source: Use FileVault to encrypt the startup disk on your Mac

Unfortunately not (for full disk encryption). As a matter of fact, Windows and other operating systems can’t even read unencrypted partitions formatted as Mac OS Extended (Journaled) or APFS without the assistance of a third-party program or application. Although programs which allow you to mount unencrypted Mac-formatted drives certainly exist, I couldn't find a program that can unlock, read and write to encrypted Mac-formatted drives.

If you want to store your data in an encrypted disk image, you'll still need a third-party program on the Windows PC you're using in order to access the disk image. However, you'll be able to read and write to that encrypted disk image (as far as I know).

Similarly, macOS can’t natively unlock a volume that is encrypted by BitLocker (Windows’ version of full disk encryption). So even if you were to encrypt your data for Windows, a Mac (and probably Linux machines too) couldn’t read it without the assistance of a third-party app. That being said, an application exists for Mac which permits you to unlock BitLocker-encrypted drives, but the trial mode only mounts as read-only and the cost for the full version is expensive. Nonetheless, here's the link to that application: Bitlocker for Mac, read/write Bitlocker encrypted drive in Mac: M3 Mac Bitlocker Loader Official

1. Yes. Alternatively, you can reformat an already existing partition, or just add a new partition to your drive and format the new partition correctly.

2. Yes, if you want. You can create, erase (reformat) and destroy as many partitions as you wish. Erasing the entire HDD destroys all partitions and creates a new partition.

3. Correct. Be sure to back up your data on the partitions before proceeding.

4. SSDs, or Solid State Drives, are drives with all-flash-storage. They run considerably faster than traditional hard drives and don't have any moving parts to them. Apple's newer MacBooks automatically come equipped with an SSD inside instead of a traditional hard drive. Although traditional HDDs are cheaper and fairly reliable, SSDs are faster and more reliable.

Although you can format really any drive with Apple File System (APFS), I still recommend Mac OS Extended (Journaled). Three reasons for this:

1. Compatibility. Despite the benefits of APFS, you can only mount an APFS drive on Macs running macOS High Sierra or later. A drive formatted as Mac OS Extended (Journaled), however, will be recognized by almost all versions of macOS or OS X.

2. Running macOS. If you plan on installing macOS onto a drive and format that drive as APFS, macOS will not run well on that drive unless it is an SSD. Traditional hard drives simply can't meet the demands of APFS efficiently while running macOS.

3. Convertibility. You can easily convert a drive formatted as Mac OS Extended (Journaled) to APFS without destroying any data. However, APFS drives cannot be reverted back to Mac OS Extended (Journaled), unless you reformat the entire APFS container (partition).

In other words: If you simply plan on storing data on your HDD, don't plan on installing macOS onto it, and won't use it with Macs that can't run High Sierra, format as APFS. Otherwise, format as Mac OS Extended (Journaled).

Hope this helps!

Hello,

Turning on FileVault for your Mac encrypts the internal system drive, not the external one. Regardless, this is an excellent security measure against easy password resets and unathourized access to data, and should remain enabled.

In regards to your external drive, full disk encryption is only supported if your HDD is formatted as one of the following formats:

Mac OS Extended

Mac OS Extended (Journaled)

APFS

The case-sensitive variants of these formats also support full disk encryption. If your external HDD is not formatted as one of these formats, it must be reformatted (erased) before it can be encrypted.

At this point, there's two methods you could use for encrypting your data on the external HDD:

A: Create an encrypted read/write disk image

The following Apple Support article details how to create an encrypted disk image. Be sure to follow the instructions for the "Create a secure disk image" section: Create a disk image using Disk Utility on Mac - Apple Support

Pros:

• You choose the size of the encrypted zone (disk image) on your HDD
• You can add or remove files from the disk image at any time
• The disk image can be converted into other formats (compressed, read-only, etc)
• The disk image can be moved anywhere, and isn't stuck on your HDD.
• The HDD shows up on your desktop even if you haven't unlocked and mounted the encrypted disk image.
• 256-bit encryption is available, which is twice as strong as FileVault (full disk encryption).

Cons:

• Only the disk image is encrypted. Anything else you put on the HDD remains unencrypted.
• You have to mount the disk image before you can modify it, and you must eject the disk image before you can eject the external HDD.

B: Reformat your HDD and encrypt the entire drive

1. Back up all of your data on your external HDD, or move it to a safe location.

2. Open Disk Utility, which is located at /Applications/Utilities. For added safety, eject all other drives.

3. Select your external HDD, then click erase. Format your external HDD as follows:

Name: Whatever you want

Format: Mac OS Extended (Journaled, Encrypted) or APFS (Encrypted)

Scheme: GUID Partition Table

Note: While APFS is a newer file system and has benefits that are detailed here, Mac OS Extended (Journaled) is compatible with almost all releases of OS X and macOS. APFS is only supported on macOS High Sierra and later, and works best on SSDs.

4. Click Erase. When the process is finished, move all of your data back onto your HDD.

Pros:

• The entire HDD is encrypted. Anything you put on it is instantly encrypted on the fly.
• No need to mount an extra disk image and deal with the process of creating one, unless you choose to do so.
• Permits multiple layers of security: If you choose to put an encrypted disk image on the encrypted HDD, you could store super-sensitive files in the disk image, since unlocking the HDD doesn't unlock the disk image inside it.
• This is equivalent to turning on FileVault for your external HDD. As a matter of fact, if you install macOS on this drive afterwards (while it's encrypted), FileVault will behave as if it was already turned on and will prompt you for the disk password you set originally.
• Easily reversible; simply right-click (or Control-click) the HDD in Finder and select Decrypt.

Cons:

• If you choose not to enter your password for the HDD when prompted, it won't appear on the desktop. You'll have to go into Disk Utility, select the drive and then click Mount. Then, after you enter your password, it will reappear on your desktop.
• 256-bit encryption isn't available unless you choose to use an encrypted disk image in conjunction with this.

Hope this helps!

Yes, it should work fine. Be careful, though, to only erase the volume on the drive that you want to encrypt, and not the entire drive (unless you want to destroy all partitions and their data). Alternatively, you can create a new partition and format it as Mac OS Extended (Journaled, Encrypted) or APFS (Encrypted).

An easy way to tell if you're only erasing a volume or if you're erasing the entire drive is to look for a Scheme option. If you see an option to select a Scheme, you're erasing the entire drive. If you don't see an option for Scheme, you're only erasing a volume on the drive, and the other partitions will remain unaffected.

I don't know if Filevault is only for a boot volume and if you will have to do it this way:

Disk Utility for macOS Sierra: Create a disk image using Disk Utility - https://support.apple.com/kb/PH22247