
FileVault vs Disk Utility questions and erasing data

I have a MacBook Pro and an iMac (for business) and I just used FileVault on both. I now need to encrypt my Time Machine and external hard drives. I have some questions:


1) Time Machine - is it just as secure to (A) go into Disk Utility and erase the data on Time Machine and then go to System Preferences and set Time Machine to encrypt, or is it better to (B) go into Data Recovery Mode and erase the hard drive three times and then set up Time Machine? Or is the latter overkill? (C) Is Time Machine being encrypted by FileVault in System Preferences or Disk Utility?


2) External Hard Drives that I need encrypted: (A) It would be great to keep the data on these drives and encrypt using FileVault - are there reasons I should erase the data first (recovery mode? or no?). (B) Is there a reason to use Disk Utility to encrypt vs FileVault?


3) When these computers have reached end-of-life, since they are encrypted, do I need to go to recovery mode and erase three times? Leave them as they are? Or something else?


iMac: vs. 10.13.5

Processor: 2.9GHz Intel Core i5

Memory 16 GB 1600 MHz DDR3

Storage 1.03 TB available of 1.11 TB



MacBook Pro (Retina, 13 in) vs. 10.13.5

Processor 2.7 GHz Intel Core i5

Memory 16 GB 1867 MHz DDR3

Storage 162.58 GB available out of 250.79 GB





Time Machine and external hard drives are G-Drives.

iMac, macOS High Sierra (10.13.4)

Posted on Jun 23, 2018 11:00 AM

Question marked as Top-ranking reply

Posted on Jun 25, 2018 7:35 AM

1) Erasing the drive 3 times will not do anything, especially to the data that can no longer be overwritten. While it is likely almost nothing, there still could be readable data on bad blocks.

You can't encrypt anything but the Startup drive using the FileVault settings in Security & Privacy.

FileVault provides a method to decrypt the drive and login at the same time. Otherwise, the full disk encryption is the same as using Disk Utility (DU) or the Finder.


2) As stated above, you can't use FileVault to encrypt the external drive.

If you attempt to encrypt the drive with the Finder, it will convert the drive to APFS. At this point, that is not recommended and may render the TM backup useless. As far as I know, the only way to encrypt the disk in DU is to erase the disk. To encrypt the drive using HFS+ and not destroy the data, you would need to use the command line (Terminal). I don't know the exact commands needed.

It will be nearly infinitely faster to encrypt the drive when you erase it in DU than encrypting a full disk.


3) Just Erase the drive, once. The remaining data will be encrypted and the encryption key will be destroyed.


Jun 25, 2018 11:55 AM in response to ckralc

Barney-15E and all ...


Follow-up questions:


1. Basically then if a person is encrypting an external hard drive as a Time Machine (TM) - the least secure method of erasing the TM is fine as long as you are encrypting? Erasing the data multiple times is then overkill in this situation?


2. And the above is also true when you are encrypting an external hard drive that is NOT a Time Machine as well? Erasing the data multiple times is then overkill in this situation also and there is no need for it? to set

Jun 27, 2018 1:45 PM in response to ckralc

Barney-15E and all,


1) If there is little benefit to securely erasing external drives prior to using it as a Time Machine or for other backups, is it better to always use brand new external drives?


2) If the data on the external drives was encrypted to begin with and then not erased prior to encrypting for Time Machine /or other storage purposes AND there is perhaps a bad block - is that data still unreadable?


3) Are there best practices for this type of thing?

Jun 28, 2018 12:35 PM in response to ckralc

1) Sounds like you are reading too much into my answer. If you erase the drive, then encrypt the full disk, I don't see any benefit to erasing it more. Regardless of what you do, any data that is still readable but cannot be overwritten is vulnerable. That is why it would be better to use a brand new drive. Depends on how sensitive your data was.


2) Yes. If the device was encrypted prior to writing to the eventual bad blocks, the data is encrypted.


3) Encrypt the drive prior to using. Depending on the sensitivity of your data and what vulnerability you have should that data be revealed, given the low risk of there being anything left in the bad blocks, you may or may not need to start with a new drive.

Given the scenario where you already have sensitive data on an unencrypted drive, what are you going to do with the drive? It may be better to erase and encrypt than to try to dispose of the drive. If you have access to a degausser (magnetic drives only), you may be able to render the data unrecoverable, especially with follow-on mechanical destruction. If you have an SSD, you've got to be able to burn it--I'm not sure of the temp, duration required.


There are a lot of, "it depends," answers to your question.
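The reasoning in the replies above (a multi-pass erase cannot reach blocks the drive has retired, data written after encryption stays ciphertext, and a single erase discards the key) can be checked with a small model. This is an added Python example, not part of the original thread; the drive model, the SHA-256 keystream standing in for the real disk cipher, and every name in it are assumptions made for illustration.

```python
import hashlib
import os

SECTOR = 16  # bytes per sector in this toy model

def keystream_xor(key, sector_no, data):
    # Toy stand-in for the real disk cipher: XOR with a SHA-256-derived pad.
    pad = hashlib.sha256(key + sector_no.to_bytes(8, "big")).digest()[:len(data)]
    return bytes(a ^ b for a, b in zip(data, pad))

class Drive:
    """Physical media. A retired (bad) sector can no longer be overwritten."""
    def __init__(self, n):
        self.sectors = [bytes(SECTOR)] * n
        self.retired = set()

    def write(self, i, data):
        # Writes aimed at a retired sector are redirected to a spare,
        # so the old contents stay where they were.
        if i not in self.retired:
            self.sectors[i] = data

    def erase(self, passes=1):
        for _ in range(passes):
            for i in range(len(self.sectors)):
                self.write(i, bytes(SECTOR))

class EncryptedVolume:
    """Full-disk encryption layer: everything reaching the drive is ciphertext."""
    def __init__(self, drive):
        self.drive, self.key = drive, os.urandom(32)

    def write(self, i, data):
        self.drive.write(i, keystream_xor(self.key, i, data))

    def erase(self):
        self.key = None        # the key is destroyed ...
        self.drive.erase(1)    # ... and one overwrite pass is made

SECRET = b"tax-records-2017"   # constructed sample data, exactly one sector

def erase_then_encrypt():
    d = Drive(4)
    d.write(2, SECRET)         # plaintext written to an unencrypted drive
    d.retired.add(2)           # sector later goes bad and is retired
    d.erase(passes=3)          # three passes never touch the retired sector
    EncryptedVolume(d)         # encryption enabled only afterwards
    return d.sectors[2]        # what forensic access to the raw media sees

def encrypt_before_use():
    d = Drive(4)
    vol = EncryptedVolume(d)
    vol.write(2, SECRET)       # data arrives on the media already encrypted
    d.retired.add(2)
    vol.erase()                # single erase, key gone
    return d.sectors[2]
```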
