Encryption of a HDD using the Disk Utility or FileVault

Thank you Allan.

I have also decided to use Disk Utility instead of any WD or LaCie software. You and other people say WD software is not secure. I don't know anything about the reliability of LaCie Private-Public software, but it creates encrypted volume at the speed of 1GB per 1 minute. This means that if I have 5TB disk I would have to wait 5 000 minutes to make it encrypted volume, which is ridiculous. I have not tested it yet but that's what the manual of Private-Public software says. If I can get the same encryption from DiskUtility and faster, there is no reason to use Private-Public. Unless it would be some different kind of encryption.

Thank you a lot for both replies, Urquhart and Eric. I am sorry I reply with delay. After a couple of busy days I can finally resume my shopping for the disks.

The idea that the WD software is just the interface makes sense and it clarified the ambiguous description to me. Speaking of the apple software, I am also inclined to use it instead of WD hardware encryption. It looks like the more straightforward way not to rely on any third-party products.

Speaking of which, why do people actually buy external HDDs with hardware encryption? I understand that people buy internal HDDs with hardware encryption because of the Cold Boot Attack, but is there any reason to buy an external HDD with hardware encryption? Is the only reason the fact that the hardware encryption does not slow down my computer, because it is not using the computer's processing power, or are there any other reasons?

There is one more thing that is unclear to me. Once I format the HDD as “encrypted” using the Disk Utility, which software executes the encrypting when I later use the drive? In other words, when I connect the encrypted drive to my or somebody else's iMac and drag some data on the drive, the Disk Utility is not running any more (at least not visibly), but the encryption of the data takes place anyway. Does it mean that there are some (hidden) OS processes or drivers doing the encryption for me automatically every time I work with the encrypted disk?Thanks for your replies again.

I admit that my questions can be confusing. I am not a native speaker and sometimes I express myself in a too complicated way. But your answer helps me anyway.

You say “Once encrypted, the software on the external encrypts new data”. As far as I understand this explanation, the encrypted format encrypts and hides my data. So, when we speak about “software encryption”, it does not have to involve an application. The encrypted format itself is the software measure. Is that right?

This is what was so confusing for me. When I first read about “software encryption”, I thought the “software” has to be some application that carries out the encryption. I thought that I have to install an app either on my computer or directly on the disk to be able to achieve some kind of encryption.

But now I see that the word “software” does not have to refer to an app. It can refer to the fact, that the security step is software-based (for instance the encrypted format), and not hardware-based (for instance a hardware chip).

The app - namely Disk Utility - creates just the encrypted volume or encrypted disk image at the very beginning, but that’s it. After this initial formatting, the encryption takes place automatically, as I drag and drop the data. It takes place thanks to the encrypted format of the disk and its specific cipher key that was created and embedded in the disk when I formatted the disk.

Do I understand the process right? Correct me, if I am wrong.

Thank you for your reply, Bob. Your answer has explained exactly the thing that I did not understand. Thank you a lot for that.

I apologise to you and to other participants of this discussion that I reply with delay again, but the summer vacation kept me away from the online world for a while.

Speaking of the encryption keys, I would like to ask one more question. As far as I know, when I use an external disk with hardware encryption, the encryption key never leaves the disk. But I am wondering about how it works when I use Disk Utility, i.e. software encryption.

If macOS disk device drivers provide the encryption and decryption, where are the encryption keys stored during or after the process - on the disk or on my computer? Are the keys and the password deleted from the computer memory after I dismount the disk?

Also, if the computer retains the keys, I suppose it might be risky to connect the disk to someone else’s computer, because the owner of the computer could later recover the keys, am I right?

But I suppose hardware encryption is not 100% reliable either.

P.S. How do I mark someone's post as "helpful" on this forum? The button works for me only sometimes. I don't know why. Is there a limit on the number of times I can use it in each thread?

Hi Bob, thank you for your answer. Very logically put again. Thank you for that.

I tried to use FileVault a couple of months ago but it slowed down my computer a bit so I turned it off again. My MacBook is getting old and I had to give preference to speed over security.

Now I am thinking more about encrypting my external devices. So, my question was more about how the password and encryption keys work when it comes to external HDDs. I would like to know, where the encryption keys are stored when I encrypt an external disk. Are they deleted after I eject the disk?

I think there is a misunderstanding. I talk about encryption of external disks via Disk Utility, whereas you seem to be talking about the encryption of external disks via FileVault.

I know that in principle it is the same thing, but judging from my experience, there are some little differences. When I use Disk Utility, it does not work with my login password (i.e. my user account password) at all. I choose a separate password for the external disk when I format it, and this is the only password that decrypts the disk. It is not possible to set more than one password for the disk when formatted in Disk Utility. Or is it possible? (I have never noticed that option in Disk Utility.)

But I think your answer applies partly to Disk Utility as well. You explained to me where the encryption key is stored. I suppose, regardless whether I use Disk Utility of FileVault, the password that I choose encrypts the encryption key. The encryption key is stored on the external disk itself. After I use my password to unlock the drive, the encryption key is then given to the device drivers.

My second question from my post on 18th June was about using the disk with other computers. I know it is possible to use it, but is it safe to use it? After you explained it, I understand the encryption key cannot be deleted from the disk itself. But is it removed from the device drivers after I dismount the disk?

I am asking this question, because I would like to know how safe it is to use an encrypted disk on someone else’s computer. I have to connect my disk to other people’s computers from time to time, but I do not want my password or encryption key to get stuck somewhere in the memory of these computers.

Hi Bob. Your last answer has made everything clear to me. Yesterday and today I have finally got to the job and I have formatted and encrypted all the disks that I want to secure, and everything works fine. Please, excuse my late replies and thank you very much for your detailed and quick responses.