
hajime

Original poster
Hi, the following article states that "If you have a Mac with Apple silicon or an Apple T2 Security Chip, your data is encrypted automatically. Turning on FileVault provides an extra layer of security by keeping someone from decrypting or getting access to your data without entering your login password."


Does that mean that if I have an Apple silicon Mac, the data is encrypted automatically even if macOS is booted from an external drive?

If I use FileVault to encrypt the external boot drive, is my Mac as secure as if the OS were booted directly from the internal drive?

What are the other disadvantages of booting macOS from an external drive?
 
Does that mean that if I have an Apple silicon Mac, the data is encrypted automatically even if macOS is booted from an external drive?
Not by default, from what I understand — I haven’t used an external boot drive since my 2012 Mac mini.


If I use FileVault to encrypt the external boot drive, is my Mac as secure as if the OS were booted directly from the internal drive?
No. With the Secure Enclave (i.e., T2 or AS), FileVault generates an encryption based on user password and a hidden (hardware) UID.


For external drives and pre-T2/AS Macs, the encryption is solely based on user password. It’s not bad, but not the multilayered, hardware-associated method of Apple Silicon.

For example, the key hierarchy protecting the file system includes the UID, so if the internal SSD storage is physically moved from one device to another, the files are inaccessible.
 
Reactions: hajime
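The difference described in the reply above, as an added example that is not part of any post in this thread: a simplified model of a password-only key versus a key entangled with a per-device secret. It is not Apple's actual derivation; the function names, the toy key wrapping and all sample values are constructed for illustration.

```python
import hashlib
import hmac

def password_key(password: str, salt: bytes) -> bytes:
    # External / pre-T2 model: the key depends only on the password and an on-disk salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def entangled_key(password: str, salt: bytes, device_uid: bytes) -> bytes:
    # Secure Enclave model (assumption): the password-derived key is mixed with a
    # hardware UID that never leaves the device.
    return hmac.new(device_uid, password_key(password, salt), hashlib.sha256).digest()

def wrap(kek: bytes, volume_key: bytes) -> bytes:
    # Toy key wrap (stand-in for a real AES key wrap): XOR pad plus an integrity tag.
    pad = hmac.new(kek, b"enc", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(volume_key, pad))
    tag = hmac.new(kek, b"mac" + ct, hashlib.sha256).digest()
    return tag + ct

def unwrap(kek: bytes, blob: bytes):
    # Returns the volume key, or None when the key-encryption key is wrong.
    tag, ct = blob[:32], blob[32:]
    expected = hmac.new(kek, b"mac" + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pad = hmac.new(kek, b"enc", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

def simulate() -> dict:
    # All values below are constructed sample data.
    salt, password = b"constructed-salt", "correct horse"
    uid_a, uid_b = b"A" * 32, b"B" * 32          # two different devices
    volume_key = hashlib.sha256(b"constructed volume key").digest()

    external = wrap(password_key(password, salt), volume_key)
    internal = wrap(entangled_key(password, salt, uid_a), volume_key)
    return {
        # Password alone unlocks the external volume on any machine.
        "external_on_other_machine":
            unwrap(password_key(password, salt), external) == volume_key,
        "internal_on_same_device":
            unwrap(entangled_key(password, salt, uid_a), internal) == volume_key,
        # Same password, different hardware UID: the wrapped key cannot be opened.
        "internal_moved_to_other_device":
            unwrap(entangled_key(password, salt, uid_b), internal) == volume_key,
    }

if __name__ == "__main__":
    print(simulate())
```

In this model the practical consequence is that a password guess against the external volume can be checked offline on any hardware, while a guess against the internal volume has to go through the original device.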
Thanks. So does that mean if I want to have the most secure computer system that Apple can offer (one of the main reasons to buy a Mac), it is better to boot from an internal drive?

I don't worry about bad guys plugging a USB device into my Mac to compromise its security as I keep the computer at home. However, I do worry about them hacking into my computer through the internet.
 
If your concern is the Internet, I would focus more on 1) your browser and its sandbox and 2) firewall.

On the firewall, the most critical ones are your network's firewall (typically embedded in your router) and your Mac's firewall. I recall the latter is not enabled by default. I would enable it and ensure only appropriate applications are accessible (potentially even disabling automatic bypass for Apple's apps, though TBD what that will break for you).

Some people like to run Little Snitch to monitor outgoing connections from their computer, too.

Then the browser and its sandbox. I prefer to run my browser sessions under a user account that does not have admin privileges. Within this account, be suspicious of anything requesting admin access to make system changes. Finally, validate your browser's privileges via Privacy.
 
Reactions: Alameda
FileVault is designed to defeat the risk if your storage (external disk or computer) is physically stolen by someone. It won't be possible to read the data on the drive without the password. When using the Internet, your data is already "unencrypted" when you're using it. It's irrelevant how the data is stored on the drive. FileVault isn't going to help against someone pulling your files from the Internet. The only thing that could remotely help are encrypted drive images as long as you keep them disconnected unless you are actually using them.
 
Reactions: hajime
The only thing that could remotely help are encrypted drive images as long as you keep them disconnected unless you are actually using them.

Do you mean using imaging software to image the drive and keeping the image file somewhere else?
 
No, using Disk Utility to create a new Disk Image. You'd have to select an encrypted option. Think of it as an encrypted folder where you can store files.
You create the disk image and provide a password. Then when you click on the disk image it asks for the password and mounts a new "external" drive on your desktop. You put your sensitive files in there. Then when you aren't actively using them you unmount the external encrypted drive. While the drive is open your files are potentially accessible to someone over the Internet. So you'd have to minimize the time you have the encrypted drive mounted. For example, I use it to store the files associated with my tax returns.
There are third-party apps that will do similar things for you. But Disk Utility is included with every Mac. Search on the Internet for tutorials on how to use the functionality.
 
Reactions: hajime
In practice, if I am not concerned with somebody physically hacking into my computer while in front of it, what are the potential risks of running the OS from an external drive?
 
No, using Disk Utility to create a new Disk Image. You'd have to select an encrypted option. Think of it as an encrypted folder where you can store files.
You create the disk image and provide a password. Then when you click on the disk image it asks for the password and mounts a new "external" drive on your desktop. You put your sensitive files in there. Then when you aren't actively using them you unmount the external encrypted drive. While the drive is open your files are potentially accessible to someone over the Internet. So you'd have to minimize the time you have the encrypted drive mounted. For example, I use it to store the files associated with my tax returns.
There are third-party apps that will do similar things for you. But Disk Utility is included with every Mac. Search on the Internet for tutorials on how to use the functionality.

So this will not work if the external drive is the boot drive since it needs to be connected to the Mac all the time?
 