How can I enable FileVault in Mojave on an APFS formatted partition of an external USB HDD?

[Diamond Dave]

According to this page:

https://support.apple.com/en-gb/guide/mac-help/mh40593/10.14/mac/10.14

it’s perfectly possible - in Mojave - to encrypt an external HDD - any removable media in fact - with a couple of mouse clicks.

Yet that option doesn’t appear in the context-sensitive menu when I right-click on the volume that I want to encrypt.

Some info on the setup:

• Mac mini (Late 2018)
• 2TB internal SSD, named “Macintosh SSD”
• macOS Mojave 10.14.6 (18G9323)
• External “Mercury Elite Pro” USB enclosure, connected directly to one of the Mac’s USB-A ports
• Western Digital 8TB HDD inside the enclosure
• 8TB HDD partitioned into an APFS formatted 2TB clone of the internal SSD, called “Macintosh SSD Clone”, and a 6TB partition, currently unused

Having studied a great deal about FileVault, including reading all of this page (& all the comments):

https://eclecticlight.co/2022/04/23/explainer-filevault

FileVault (internal SSD) / software encryption (external HDD) appears to be a no-brainer, with no performance hit (with the SSD at least) on account of the T2 chip etc.

I’m not bothered about any performance hit on the external partition as it’s only ever used by Carbon Copy Cloner to clone the SSD. It’s a 5400rpm HDD anyway - so hardly Speedy Gonzales.

Screenshots of the internal SSD:

As you can see, right-clicking doesn’t give any encryption options, but I’m assuming that’s as expected, as you’re supposed to enable FileVault using System Preferences. So far so good.

But with the external partition, there’s no “Encrypt [item name]” in the shortcut menu, despite the Apple Support Document saying there should be:

If anyone’s wondering why I have some options in the menu that they don’t (e.g. “Copy Path”) it’s because I always run “XtraFinder”:

https://www.trankynam.com/xtrafinder

But that’s not relevant or the cause of the issue. Restarting the Finder without XtraFinder running doesn’t make the “Encrypt [item name]” option re-appear in the shortcut menu:

It just removes the additional options that would normally be there if XtraFinder was running.

According the Electric Light Co article, and a few others I’ve read, turning on encryption isn’t a feature offered by Disk Utility (strangely) so as you’d expect, that option doesn’t appear for me when I right-click on the physical disk, the container, or the volume in Disk Utility:

So, does anyone have any ideas as to why I can’t encrypt the external partition?

Could it possibly be the case - and this doesn’t sound likely to me - that I’d need to turn on FileVault first on the internal SSD, before the Mac will let me software encrypt the external partition?

A final thought. If it would help, I’ve no problem in reformatting the external partition in HFS+ format. Many comments I’ve read over the years say that it’s a better fit for external HDDs anyway.

Here’s one for example:

https://forums.macrumors.com/threads/apfs-or-mac-os-extended-for-external-hdd.2386349/post-32089416

Many thanks for any insight anyone can provide.

 

[Diamond Dave]

Could it possibly be the case - and this doesn’t sound likely to me - that I’d need to turn on FileVault first on the internal SSD, before the Mac will let me software encrypt the external partition?

I've just successfully enabled FileVault on the internal SSD, and nothing has changed. There's still no option to encrypt the APFS partition on the external HDD using the Finder. So my dubious theory was, naturally enough, nonsense.

 

[IngoX]

So, does anyone have any ideas as to why I can’t encrypt the external partition?

Have you made the "Macontosh SSD Clone"-volume bootable in CCC? If I remember correct you cannot boot from an APFS-encrypted external disk in Mojave, but you can enable FileVault when booted from the external volume. In that case it´s a good thing Finder doesn´t give you the option!

turning on encryption isn’t a feature offered by Disk Utility (strangely) so as you’d expect, that option doesn’t appear for me when I right-click on the physical disk, the container, or the volume in Disk Utility:

You can opt to make a APFS-encrypted volume in Disk Utility when you choose to format with Erase. For testing purposes:

1) Test what options you get if you try to Erase and format "Macintosh SSD Clone"-volume in Disk Utility. You don´t have to go through with it, just to see that you get the option of APFS-encrypted.

2) Make a new APFS-volume (non encrypted) on the unused space of the external disk. Do you then get the Finder-option to encrypt it?

 

[Diamond Dave]

Have you made the "Macintosh SSD Clone"-volume bootable in CCC?

As far as I know, yes, although I can't remember if I've ever tried booting from the external volume (foolish I know!). I think I may have done once, but it took so long that I decided not to make a habit of it!

Here's a couple of screenshots from CCC, which I reckon mean that the clone should be bootable:

You can opt to make a APFS-encrypted volume in Disk Utility when you choose to format with Erase. For testing purposes:

1) Test what options you get if you try to Erase and format "Macintosh SSD Clone"-volume in Disk Utility. You don't have to go through with it, just to see that you get the option of APFS-encrypted.

That worked! When I click on Erase, options for "APFS (Encrypted)" are always there, no matter whether I choose the Disk, the Container, or the Volume:

So I guess all I need to do is to erase the clone volume, but choose "APFS (Encrypted)" rather than "APFS" under "Format", then re-run the CCC task to re-build the clone.

2) Make a new APFS-volume (non encrypted) on the unused space of the external disk. Do you then get the Finder-option to encrypt it?

Yes I do! I formatted the 6TB empty partition as "APFS", then when it mounted, the Encrypt "Unused"... option was there:

Clicking on it made this dialogue box come up:

which I then cancelled.

So - we now know a couple of things:

• If you're prepared to erase a disk in Disk Utility, you'll get up to 4 Encrypted options, one each for the various types of disk format.
• There's no difference that I can see between the "Macintosh SSD Clone" volume and the "Unused" volume (once I'd formatted the "Unused" volume as APFS), other than one volume being empty, so it appears that the Encrypt option in the Finder only appears when a volume is empty / freshly formatted.

It's strange though that the need for the volume to be empty isn't mentioned anywhere on the Apple support page that I linked to at the very beginning of this thread.

Anyway, thanks very much for the advice. I'll erase the "Macintosh SSD Clone" volume in APFS (Encrypted) format, and take it from there.

 

[IngoX]

so it appears that the Encrypt option in the Finder only appears when a volume is empty

No, you are making the wrong deduction! Try yourself to put some files on your "Unused" volume. I bet you still can encrypt it via Finder!


I still guess the special case here is that your "Macintosh SSD Clone"-volume is a bootable backup of macOS 10.14 Mojave made with CCC. Bombich explicicly states you should not use APFS Encrypted on legacy macOS bootable backups.

Bombich.com | Preparing a disk for a backup or restore

Choose APFS or APFS Encrypted. If you intend to create a legacy bootable backup, do not choose APFS Encrypted; rather you will encrypt your backup by enabling FileVault while booted from the backup volume.

On macOS newer than 10.15 Catalina CCC don´t suport bootable backups at all, even if Bombich makes an attempt to make it possible. But as you mentioned, do you even want to use the bootable clone feature? It serves no purpose on newer macOS with signed system volume. And on Apple Silicon-macs no sense at all. Just backup your data!

Bombich.com | Creating legacy bootable copies of macOS (Big Sur and later)

Copying Apple's system is now an Apple-proprietary endeavor; we can only offer "best effort" support for making an external bootable device on macOS Big Sur (and later OSes).
.....
Apple Silicon Macs will not start up (at all) if the internal storage is damaged or otherwise incapacitated, so there is very little value, if any, to maintaining a bootable rescue device for those Macs.

 

[Diamond Dave]

No, you are making the wrong deduction! Try yourself to put some files on your "Unused" volume. I bet you still can encrypt it via Finder!

It was the "Macintosh SSD Clone" volume that didn't have the Encrypt option:

not the "Unused" volume, which, once formatted as "APFS", had the Encrypt option available:

I still guess the special case here is that your "Macintosh SSD Clone"-volume is a bootable backup of macOS 10.14 Mojave made with CCC. Bombich explicitly states you should not use APFS Encrypted on legacy macOS bootable backups.

Between my last reply and you replying, I found that out for myself!

I (stupidly with hindsight) erased the "Macintosh SSD Clone" volume, formatting it as "APFS (Encrypted)".

Then when I updated the task in CCC to use the new volume, and tried to run a clone, I got this:

(Sorry - I forgot to say before that I'm running the final version of CCC 5. CCC 6 isn't Mojave compatible.)

So I clicked the Help button, which opened a copy of this page (but in the Help Viewer):

https://bombich.com/kb/ccc5/working-filevault-encryption

which, in a nutshell, explains that in my particular situation (running Mojave) you should:

• Format the external volume as "APFS" - and NOT "APFS (Encrypted)”
• Clone the startup disk to it as normal
• Boot from the clone
• Enable FileVault on the clone when booted from it

So in other words, you don’t use the “Encrypt…” option in the Finder.

So… I’ve formatted the ”Macintosh SSD Clone" volume as “APFS” as before, and re-made the clone using CCC.

Once I have the time to boot from the clone, I can enable FileVault on it.

On macOS newer than 10.15 Catalina CCC don't support bootable backups at all, even if Bombich makes an attempt to make it possible. But as you mentioned, do you even want to use the bootable clone feature? It serves no purpose on newer macOS with signed system volume. And on Apple Silicon-macs no sense at all. Just backup your data!

Yes I’m aware of all that. I’ve been reading about it for years. It’s very relevant to other people I’m sure, but not to me.

I’m prepared to go to the ends of the earth to maintain an up-to-date, exact & hopefully bit-for-bit perfect bootable clone of my internal SSD - system files and all - on the external drive. Call me old fashioned if you must, but I’ve wasted countless days at work, trying to resurrect old iMacs, and also attempting to get an almost identical Mac to my Mac mini working again, using Recovery Partitions, internet boot, etc, all because I didn’t have a proper bootable clone that I could just restore from.

The “modern” way of doing things - using the internet to re-download Gigabytes of data, booting from a “hidden” partition, etc, is a convoluted load of Nanny State bollocks if you ask me. Sure, it suits most users, but not the technically savvy amongst us, who trust the "cloud" as far as we could throw it (other things being equal).

I want everything cloned. EVERYTHING. Nothing missed. And I want to be able to boot from that clone whenever I need to, which is hopefully never.

I don’t ever foresee me upgrading the Mac mini beyond Mojave anyway (I need to run some 32-bit software) so the inability to make a bootable clone of everything won’t be relevant to me, as long as I stay on Mojave.

If booting from the external volume takes so long as to be impractical, Mike Bombich recommends reformatting in MacOS Extended (Journaled) format, which may be a likely scenario in my case, seeing as my external is a 5400 rpm HDD.

There’s also a great deal of useful background info here if it’s of help to anyone else:

https://bombich.com/kb/ccc5/frequently-asked-questions-about-encrypting-backup-volume

Thanks for your help. I reckon once I boot from the external volume, and enable FileVault on it, I'll have accomplished what I set out to do.