Encrypting external SSD with users on it ?

[PsykX]

Hi,

I recently bought an Apple Silicon iMac, but it's (sadly) a temporary computer (waiting for M1X / M2 / M2X generations), so I didn't want to use all my money to upgrade the drive.

So I bought a 2 TB SSD with a USB 3 (10 Gbits) external enclosure and put all my user accounts on it, except of course an "Admin" account that will always remain on the iMac's SSD just in case. It's working perfectly well, in case someone also wants to do that too 😀 Only downside is, of course, I don't have the native speed of my SSD (will need to upgrade to a Thunderbolt 3 or USB 4 enclosure in the future).

On my old 2013 iMac, I always had FileVault 2 enabled.
I know I can Open the Finder > Right click on my SSD > Encrypt, but before I do any of that, I had two questions :
- Is this option the same as FileVault 2 ?
- Is it going to even... work ?! If so, when in the process of booting my computer will I be able to mount the encrypted drive ?

Thanks a lot

 

[Weaselboy]

If you right click and encrypt like that, the drive will not be bootable. You need to go into System Prefs > Security > FileVault and turn it on there.

Edit: Just to clarify, you do not have the OS on the external SSD? If that is the case, I don't know of a way to encrypt that disk and have this work for you.

 

[NoBoMac]

Only way that I can think of this maybe working is to keep an account's Library directory and all the dot-files/folders on the Mac. All other folders can be put on the external and encrypted. Will allow one to sign-in and then provide the passcode for the drive (seen some cases where even when passcode for the drive is saved in Keychain still get a prompt for the passcode [guessing a timing issue on what's up and running at that moment]). And of course, turn on Filevault for the Mac.

Or: sign-in to the Admin account, mount the drive. Logout of Admin, login to the "normal" account.

 

[PsykX]

Just to clarify, you do not have the OS on the external SSD?

Sorry I should have been more clear about this.
macOS is installed on the internal drive, and I kept an Admin user on it.

My external drive contains my "real" user accounts.

Or: sign-in to the Admin account, mount the drive. Logout of Admin, login to the "normal" account.

This is one of the possibilities I imagined.

I just found out it's possible to try with a small USB Drive (not possible with an HDD). I will test this on my older iMac...

 

[PsykX]

Or: sign-in to the Admin account, mount the drive. Logout of Admin, login to the "normal" account.

OK I promised I would try this.
Well, it works. BUT. I cannot log out of Admin, I have to stay logged in.
If I log out, it un-mounts the drive, and if I try to login, the login screen spins for a long time, and then tells me it's impossible to load the account.
Which also means if I want to shut down the computer, I have to close my session, go back to Admin, and then I can shut down (or just enter the Admin password when asked to force shut down).

I wish there was a more straightforward way to do it. FileVault 2 is so convenient as opposed to just encrypting a drive, but I guess it's the price to pay if I didn't want to pay the Apple tax to get 2 TB of SSD in my iMac.

 

[Havmac]

I just boot from an external on my 2018 Mac mini, works great encrypted. I have tried with both an NVMe/TB3 enclosure and USB-C SSD in this configuration. Don't really see any reason to mess with the internal drive at all.

 

[PsykX]

I just boot from an external on my 2018 Mac mini, works great encrypted. I have tried with both an NVMe/TB3 enclosure and USB-C SSD in this configuration. Don't really see any reason to mess with the internal drive at all.

I was thinking about this...
Did you manage to enable FileVault 2 on your external NVME ? Anything different between external and internal ?

 

[Havmac]

I was thinking about this...
Did you manage to enable FileVault 2 on your external NVME ? Anything different between external and internal ?

Yes the external drive boots with FileVault (2 I assume since you make a point of the number 2, whatever is current in macOS). I also have the internal 128GB encrypted with FileVault. So it is easy to set up on the external: download the Big Sur installer to the internal (boot from internal), run it and install on external, the system will reboot to external and set that as the default boot drive, then select what Time Machine or existing disk to restore from if you want, then enable FileVault on the external (after booting to it after restoring from Time Machine if you like) and it will boot just fine.

Normally I don't use the internal drive for anything at all, I don't enter the password for it when I boot on the external (keeps it secure from malware just in case), just stays as an emergency boot disk and something convenient to have if I need it. I have made several copies of my boot disk in the process of putting it temporarily on another SSD (Samsung T7 which is just USB-C) while I had to replace the NVMe drive inside the Samsung X5 I normally boot from (drive went bad but the NVMe/TB3 controller and the enclosure still worked). The performance difference aside from in benchmarks between the T7 and X5 is very minimal if anything at all.

My situation went something like this in case it helps anyone understand how to move things around easily. I hope this doesn't complicate things in explaining it to you, you won't need to go through all this by any means:

1. After a couple years of use I noticed the system was very sluggish when booting off Samsung X5 (which I always use exclusively as the system disk) and Blackmagic indicated absolutely terrible performance, but the drive was luckily still working.
2. Booted to internal to test the X5 from there with Blackmagic and it was still very slow but the internal was working as it should.
3. From the internal I installed Big Sur to a Samsung T7 I had on hand so I could use it as a temporary boot disk (I need the T7 for something else). Selected the X5 as the disk to restore from after Big Sur was installed on the T7.
4. Booted to T7 and it did well on benchmarks and was working fine.
5. Decided I needed to figure out whether it was the X5 enclosure or the NVMe drive so I didn't have to deal with warranty service so I used an old NVMe drive to test with in the enclosure, installed Big Sur to it from the internal SSD and used the T7 as the source disk to restore from.
6. Tested X5 with old/new NVMe drive and it worked great, performance was fine.
7. Ordered a new NVMe drive in the size and with the performance I wanted and installed it in the X5 enclosure.
8. Installed Big Sur to X5 with new drive from internal SSD.
9. Booted from X5 and selected T7 again as source disk to restore from.
10. Encrypted with FileVault (which I had done at each step anyway).
11. Everything works great.

You can switch back and forth between boot disks with preferences from within macOS without using the Open Firmware. You can also do this with the firmware but it is easier just to use the existing macOS boot drive in my opinion.

And a note, if you don't already have a TB3/NVMe drive I would be very cautious about any products other than the X5 and make sure you read reviews. Samsung USB-C and TB3 enclosures are very stable but I know many other brands have issues.