Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

on the rocks

macrumors newbie
Original poster
Jan 21, 2022
24
6
Recently I have bought a Samsung T7 Shield 4TB SSD drive. I would like to protect the data on this particular drive. I wouldn’t mind if it’s with a password or encryption. As long it has some protection which is reliable. Reliable as in for instance it doen't depend on software updates for it to open up.

This particular drive will be used for two purposes.
  1. The temporary storage of movie/series. Which will be deleted when watched.
  2. Longterm storage of photos, movies and some vulnerable files (therefore the need of protection)
To be clear no usage for system backups such as Time-Machine.

What I have done is researched what would be the best fit. I’ve checked Macrumors, Google, Quora and Mac’s platform. Because of contradictory advises I find it difficult to make out what solution would work best for my specific usage. For instance an option is to stick with the easiest solution by using the standard format and Samsung's password protection. While another mentioned that it's risky to rely on this by not knowing for certain that Samsung will continue releasing required updates in the future.

It was recommended to switch entirely to APFS and encrypt the T7 with apples software (which I’m not used to yet). While others advised to use HFS+ instead as APFS tends to crash and is not repairable/recoverable.


So my question is what would you recommend me how to secure my files on the T7? For instance what format and what password protection or encryption or alternative would you recommend?
 

ChrisA

macrumors G5
Jan 5, 2006
12,898
2,109
Redondo Beach, California
Recently I have bought a Samsung T7 Shield 4TB SSD drive. I would like to protect the data on this particular drive. I wouldn’t mind if it’s with a password or encryption.
APFS is by far the most reliable file system. Then let MacOS encrypt it. This is also the simplest thing you can do and you can bet will be supported by Apple for the next couple of decades.

HFS+ has become a legacy format used for oldes versions of MacOS.
 

on the rocks

macrumors newbie
Original poster
Jan 21, 2022
24
6
Thanks for the info @ChrisA and @Basic75 !

On a practical side am I correct that after encrypting my external SSD I can also open it on another Mac than my own by using the password to unlock its encryption?
 
  • Like
Reactions: Basic75

solouki

macrumors 6502
Jan 5, 2017
339
213
Hi on the rocks,

I have two questions:

(A) What do you mean by "some vulnerable files (therefore the need for protection)"?

(B) What do you mean by "protection"?

For (A), do you mean that you only have a few files that require protection from prying eyes? For example, say (A) refers to a file containing personal financial or insurance or banking or tax information.

For (B), "protection" comes in many forms and strengths of security. For instance, encrypting the entire disk provides some protection via a relative weak encryption that could be broken by a powerful adversary, say the government. But once the disk is attached to your computer its entire contents are open to a hacker with access to your account, that is, it is essentially decrypted and all of your files are available. On the other hand, if you only require a few files to be "protected" and you want a very secure encryption, then you could just encrypt those files separately using a stronger encryption scheme such as RSA with 4096 bit keys and your own "longish" passphrase for decrypting those files. These encrypted files would be "protected" even when the drive is attached to your computer, and only when you decrypt them would they then become available to a hacker.

For instance, my own scenario is that I have a few files that require strong encryption, so I encrypt those files with 4096 bit keys using the RSA algorithm. Not even governments can break this encryption (unless quantum computers become much more powerful than they are today). I wrote a program that disconnects my computer from all networks, stops sleep mode, stops the swap file from being written, stops hibernation, and then decrypts the protected file into memory (not on the disk), allows for reading and/or editing the plaintext, and then re-encrypts the file and writes the encrypted file to disk, then restarts the swap/sleep capabilities and overwrites 36 GB of RAM/universal memory with random bits to eliminate certain hacking modes, and finally restarts the network connections. My passphrases are 20+ to 50 characters long. In addition, my program as well as the RSA program is protected from hacking because I have calculated hash codes for the unhacked original executables that are always checked before they are run -- if the hash codes don't match, then the programs are not executed. This I believe is the most secure way that I can perform to handle my vulnerable data/information and still be able to use a computer.

So, in a nutshell, using an APFS encrypted formating for the T7 external disk provides some protection, and probably protection against most prying eyes, but is not secure against a determined attacker. RSA encryption with 4096 bit keys of a few vulnerable files is much more secure and would resist most all attacks -- but you are never completely secure, say from a hacker of your login account, the only way to be completely secure is to never attach your "secure" computer to a network, ever, from the first boot to the present time. This means, of course, that updating the computer is problematic. Also, you can't RSA encrypt with 4096 bit keys your entire disk ... only the few vulnerable files can be encrypted with this strong encryption.

Good luck,
Solouki

EDIT: Also, I don't store my passphrases in Apple's Keychain, as the keychain is also vulnerable.
 
Last edited:

Alameda

macrumors 65816
Jun 22, 2012
1,215
826
Hi on the rocks,

I have two questions:

(A) What do you mean by "some vulnerable files (therefore the need for protection)"?

(B) What do you mean by "protection"?

For (A), do you mean that you only have a few files that require protection from prying eyes? For example, say (A) refers to a file containing personal financial or insurance or banking or tax information.

For (B), "protection" comes in many forms and strengths of security. For instance, encrypting the entire disk provides some protection via a relative weak encryption that could be broken by a powerful adversary, say the government. But once the disk is attached to your computer its entire contents are open to a hacker with access to your account, that is, it is essentially decrypted and all of your files are available. On the other hand, if you only require a few files to be "protected" and you want a very secure encryption, then you could just encrypt those files separately using a stronger encryption scheme such as RSA with 4096 bit keys and your own "longish" passphrase for decrypting those files. These encrypted files would be "protected" even when the drive is attached to your computer, and only when you decrypt them would they then become available to a hacker.

For instance, my own scenario is that I have a few files that require strong encryption, so I encrypt those files with 4096 bit keys using the RSA algorithm. Not even governments can break this encryption (unless quantum computers become much more powerful than they are today). I wrote a program that disconnects my computer from all networks, stops sleep mode, stops the swap file from being written, stops hibernation, and then decrypts the protected file into memory (not on the disk), allows for reading and/or editing the plaintext, and then re-encrypts the file and writes the encrypted file to disk, then restarts the swap/sleep capabilities and overwrites 36 GB of RAM/universal memory with random bits to eliminate certain hacking modes, and finally restarts the network connections. My passphrases are 20+ to 50 characters long. In addition, my program as well as the RSA program is protected from hacking because I have calculated hash codes for the unhacked original executables that are always checked before they are run -- if the hash codes don't match, then the programs are not executed. This I believe is the most secure way that I can perform to handle my vulnerable data/information and still be able to use a computer.

So, in a nutshell, using an APFS encrypted formating for the T7 external disk provides some protection, and probably protection against most prying eyes, but is not secure against a determined attacker. RSA encryption with 4096 bit keys of a few vulnerable files is much more secure and would resist most all attacks -- but you are never completely secure, say from a hacker of your login account, the only way to be completely secure is to never attach your "secure" computer to a network, ever, from the first boot to the present time. This means, of course, that updating the computer is problematic. Also, you can't RSA encrypt with 4096 bit keys your entire disk ... only the few vulnerable files can be encrypted with this strong encryption.

Good luck,
Solouki

EDIT: Also, I don't store my passphrases in Apple's Keychain, as the keychain is also vulnerable.
RSA is not more secure than AES. They are both secure if used properly, and typically serve different purposes. Typically, a secure system uses a combination of AES and either ECC or RSA. The real issue is the design of the security system itself, and not whether it uses ECC, RSA or AES, although we will see a migration away from both ECC and RSA in the next few years as quantum-safe technologies roll out.

Apple’s hard disk encryption is excellent. It works and it’s been studied very widely for vulnerabilities. You can always use Apple’s encrypted file system and then encrypt some files stored on that volume, if you’re concerned. You can add encryption to an existing volume very easily, and you should consider that in your situation.
 

solouki

macrumors 6502
Jan 5, 2017
339
213
RSA is not more secure than AES. They are both secure if used properly, and typically serve different purposes. Typically, a secure system uses a combination of AES and either ECC or RSA. The real issue is the design of the security system itself, and not whether it uses ECC, RSA or AES, although we will see a migration away from both ECC and RSA in the next few years as quantum-safe technologies roll out.

Apple’s hard disk encryption is excellent. It works and it’s been studied very widely for vulnerabilities. You can always use Apple’s encrypted file system and then encrypt some files stored on that volume, if you’re concerned. You can add encryption to an existing volume very easily, and you should consider that in your situation.
Hi Alameda,

Thanks for the comments. Allow me to ask a couple questions.

Are you saying that AES with 256 bit keys is as secure as RSA with 4096 bit keys?

AES with shorter keys has been cracked before, but RSA with 4096 bit keys has never been cracked. Although I agreee that AES with 256 bit keys is secure for the time being from most hackers, but maybe not from determined hackers, say governments. AES with 128 bit keys is not very secure, and thus the reason why most AES is moving from AES-128 to AES-192 to AES-256.

When do you expect Shor's algorithm running on a quantum computer to break RSA with 4096 bit keys?

Last time I checked, granted a couple years ago, the largest composite number factored on a quantum computer using Shor's algorithm was 21 (=3x7). This is a long way from 4096 bits. Perhaps photonic qubits or topological qubits will improve things, but so far I don't believe that they have demonstrated large number of qubits, not enough to break 4096 bit RSA keys. Yes, quantum-safe encryption will take over for any algorithm that can be attacked by Shor's algorithm, but I wonder if this is not more of a "marketing" ploy than a real and immediate threat to RSA.

And yes, I do use Apple's disk encryption, but my point was that once an Apple encrypted disk is attached to your laptop, the information on the disk is viewable by anyone through your account. So using another encryption scheme (personally, I use RSA with 4096 bit keys -- and I disconnect from the network whenever I decrypt sensitive files) to encrypt a few sensitive files is wise even if you are using Apple disk encryption.

Thanks again.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.