Help in Encrypting My MBP and External Backup HD's

[qqurioustiger8945]

I've a MacBook Pro running High Sierra with an internal SSD and 2 external HDD's for backup. The first external is using Time Machine and the other is using Carbon Copy Cloner, in order to be bootable if needed.

None of those 3 HD's are encrypted.

For security/privacy I've been using encrypted disk images that contain my sensitive documents, but I want to start using a whole system encryption; by either enabling FileVault or formatting my HD as Journaled (Encrypted).

So far, if my MacBook was stolen or its internal SSD just failed, I could always plug my backup HDD's to any other Mac (even older ones still running Lion for example), and reach my sensitive documents by opening the equivalent disk image.

1. After setting up a system encryption on both my MacBook and my 2 external HD's, how can I reach those documents using any other Mac like I used to? What will be the difference? Will I be able to access them from an older pre-High Sierra Mac? Any limitations or inconvieniences I didn't take into consideration?

2. Given the way that I work, should I go with FileVault or formatting my internal SSD as Journaled/Encrypted? And what about the encryption of my 2 external HDD's?

Thank you in advance for any info.

 

[Weaselboy]

1. After setting up a system encryption on both my MacBook and my 2 external HD's, how can I reach those documents using any other Mac like I used to? What will be the difference? Will I be able to access them from an older pre-High Sierra Mac? Any limitations or inconvieniences I didn't take into consideration?

As long as you format the externals to HFS+ Encrypted, older macOS versions will be able to open and read the drives. Just don't format to the newer APFS encrypted since pre High Sierra OS versions will not be able to read it.

Otherwise, you just attach the encrypted drive and you will get a popup to enter the encryption password as the drive tries to mount. Once you enter the password the drive looks and works just like any other external drive.

2. Given the way that I work, should I go with FileVault or formatting my internal SSD as Journaled/Encrypted? And what about the encryption of my 2 external HDD's?

You will want to turn on FileVault in System Preferences to encrypt the internal drive. That will reboot the system and encrypt the drive, as well as setup the boot process to work with FileVault.

Then just use Disk Utility to format the externals to encrypted format.

 

[qqurioustiger8945]

As long as you format the externals to HFS+ Encrypted, older macOS versions will be able to open and read the drives. Just don't format to the newer APFS encrypted since pre High Sierra OS versions will not be able to read it.

Otherwise, you just attach the encrypted drive and you will get a popup to enter the encryption password as the drive tries to mount. Once you enter the password the drive looks and works just like any other external drive.




You will want to turn on FileVault in System Preferences to encrypt the internal drive. That will reboot the system and encrypt the drive, as well as setup the boot process to work with FileVault.

Then just use Disk Utility to format the externals to encrypted format.

Very helpful answer. Thank you. ☺

By the way, since you mentioned APFS, I basically have to give up compatibility with older Mac OS versions in order to use it, correct? In case, I decide so, is there an issue with my externals being HDD instead of SSD? Just asking cause from what I've read SSD is what APFS requires.

 

[Weaselboy]

By the way, since you mentioned APFS, I basically have to give up compatibility with older Mac OS versions in order to use it, correct? In case, I decide so, is there an issue with my externals being HDD instead of SSD? Just asking cause from what I've read SSD is what APFS requires.

That is correct, you would just lose backward compatibility with older macOS versions.

APFS will work with either a SSD or a HDD.

The only issue right now is you cannot use an external APFS formatted drive as your Time Machine destination.

 

[qqurioustiger8945]

That is correct, you would just lose backward compatibility with older macOS versions.

APFS will work with either a SSD or a HDD.

The only issue right now is you cannot use an external APFS formatted drive as your Time Machine destination.

I see.

Would the following be a workaround? :
Internal SSD -> encrypted APFS
External HDD's -> HFS+ (Encrypted)
Use CCC to backup the internal into the externals.
a. Plug the externals into older Macs and not boot, but still be able to browse the files inside them.
b. Plug the externals to other High Sierra Macs and both boot and browse files.

Thank you for your time. ☺

 

[Weaselboy]

Would the following be a workaround? :

Yep... that would work perfectly.

 

[Fishrrman]

I would NOT encrypt the CCC cloned backup.

If you have data that is "that sensitive" on it, keep it locked up or hidden somewhere.

The whole point of having a bootable cloned backup is that you have a drive that you can "reach for in an emergency" and boot from as quickly and as easily as is possible.

ANYTHING that "gets in the way" of doing that will defeat its purpose (at least in my opinion).

 

[qqurioustiger8945]

Yep... that would work perfectly.

I was just looking into APFS (as I haven't used it yet) and its features Copy-on-Write (CoW) and Cloning confused me.

Using HFS+, if I were to duplicate the exact same file (let's say "testfile1") over several folders (say "folder1", "folder2" and "folder3") throughout my HD, the file would actually copy/paste, and it would be the same whole and intact "testfile1" in every folder I pasted it in. No aliases or shortcuts.

So if I then backed up into an external HD, I should again expect to find the same whole and intact "testfile1" (again no aliases) in the equivalent "folder1", "folder2" and "folder3" that reside in my external HD as well.

With APFS, if I did the exact same duplication procedure as previously, and then backed up into (let's say) an ExFAT formatted external HD instead (for Windows compatibility), should I expect to find "testfile1" whole and intact in "folder1", "folder2" and "folder3" in my external HD, or would I find something like an alias/shortcut in place of "testfile1" that simply references it?

Again, thank you for your time.

 

[Weaselboy]

With APFS, if I did the exact same duplication procedure as previously, and then backed up into (let's say) an ExFAT formatted external HD instead (for Windows compatibility), should I expect to find "testfile1" whole and intact in "folder1", "folder2" and "folder3" in my external HD, or would I find something like an alias/shortcut in place of "testfile1" that simply references it?

You would find the actual file if you copied to an ExFAT drive.

 

[qqurioustiger8945]

You would find the actual file if you copied to an ExFAT drive.

And I'm guessing I would also find the actual file if I copied to an external HFS+ drive. Correct?

Basically, the duplicated files that take up space of the APFS formatted SSD as delta files, when copied to a non-APFS drive, they always have their whole intact form.

So if I duplicated testfile1 ten times on my APFS SSD, I'd expect it wouldn't actually duplicate it ten times, taking up valuable space. It would utilize this delta implementation. But, if I were to back up to any non-APFS drive it would recreate testfile1 ten different times.

Let me know if I got it right or wrong, thank you.

 

[Weaselboy]

So if I duplicated testfile1 ten times on my APFS SSD, I'd expect it wouldn't actually duplicate it ten times, taking up valuable space. It would utilize this delta implementation. But, if I were to back up to any non-APFS drive it would recreate testfile1 ten different times.

Yep... that is exactly how it works.

 

[qqurioustiger8945]

Yep... that is exactly how it works.

Thank you very much. ☺