MacOS automatic external drive encryption/decryption

Tags: encryption, macos, mojave, time-machine

Question

macOS offers automatic disk encryption for at least two "types" of hard drives in the system:

  • Internal APFS hard drive with FileVault
  • External Time Machine hard drive (if set up in Time Machine Preferences)

Result of diskutil list for the external Time Machine drive:

    /dev/disk3 (external, virtual):
    #:                       TYPE NAME                    SIZE       IDENTIFIER
    0:                  Apple_HFS DISK                +499.4 GB   disk3
                                    Logical Volume on disk2s2
                                    [redacted]
                                    Unlocked Encrypted

As we can see, the system manages to encrypt and decrypt the Time Machine disk (in this case) automatically.

Problems

  1. Is there any way in macOS for automatic external disk encryption and decryption? When the disk is plugged in, the system decrypts its content and allows normal operations, leaving the disk encrypted when it is disconnected from the system.
  2. Would external SSDs with hardware encryption benefit from it using macOS's built-in FileVault features, or does it only apply to the disk manufacturer's proprietary software?

Best Answer

Yes, it is possible for macOS to automatically handle encryption of external drives in the sense that when you plug the disk in, you're asked for an unlock passphrase - and when you unmount the drive, it is encrypted and safe for transport.

An easy way to do this is to open Disk Utility and then plug in an empty external drive. Choose to Partition the drive (make sure the external drive is selected in the left side bar) - and choose to format the drive as "APFS (Encrypted)". You will automatically be asked for a passphrase, and the system will automatically ask you to unlock the drive when plugging it in.

NOTE: Partitioning and formatting the drive will erase your existing files on the drive. Please take a backup before doing so!

Regarding your second question - no, FileVault does not as such benefit from the hardware encryption features on external SSDs. This is really a good thing, as recently it was unveiled that these hardware encryption features on many popular SSDs are really very insecure, for example by having built-in backdoor passwords that are extremely simple (such as a blank password).

On Windows the BitLocker feature in some cases relies on the external hardware's encryption features, and for those users that meant that their security had been compromised all along. Therefore, even though it sounds counter-intuitive, it was really an advantage that FileVault 2 does not rely on the encryption in the SSD controller of the external drive.
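To verify from the command line which plugged-in volumes actually ended up encrypted (rather than trusting the Disk Utility dialog or an SSD's own controller), here is an added audit script; it is not part of the answer above. It assumes the `Internal`, `Encrypted`, `Locked` and `DeviceIdentifier` keys as emitted by `diskutil info -plist`, and the embedded sample documents are constructed so the audit logic runs without a Mac attached.

```python
"""Audit external volumes for encryption using diskutil's plist output."""
import plistlib
import subprocess

# Constructed sample of what `diskutil info -plist <dev>` returns for two
# external volumes: one "APFS (Encrypted)" volume that is currently unlocked,
# and one plain APFS volume with no encryption at all (only needed keys shown).
SAMPLE_PLISTS = [
    plistlib.dumps({
        "DeviceIdentifier": "disk3s1", "VolumeName": "Backup",
        "FilesystemType": "apfs", "Internal": False,
        "Encrypted": True, "FileVault": True, "Locked": False,
    }),
    plistlib.dumps({
        "DeviceIdentifier": "disk4s1", "VolumeName": "Stick",
        "FilesystemType": "apfs", "Internal": False,
        "Encrypted": False, "FileVault": False, "Locked": False,
    }),
]


def classify(info):
    """Return a one-word status for one diskutil info dictionary."""
    if info.get("Internal", True):
        return "internal"          # boot disk is FileVault's job; out of scope here
    if not info.get("Encrypted", False):
        return "UNENCRYPTED"       # readable by anyone who picks up the drive
    return "locked" if info.get("Locked") else "unlocked"


def audit(plist_docs):
    """Parse each plist document and return {device identifier: status}."""
    report = {}
    for doc in plist_docs:
        info = plistlib.loads(doc)
        report[info["DeviceIdentifier"]] = classify(info)
    return report


def unencrypted_external(plist_docs):
    """Identifiers of external volumes whose data would be exposed if lost."""
    return sorted(k for k, v in audit(plist_docs).items() if v == "UNENCRYPTED")


def live_plists():
    """Collect `diskutil info -plist` for every disk and volume (macOS only)."""
    listing = plistlib.loads(subprocess.check_output(["diskutil", "list", "-plist"]))
    return [subprocess.check_output(["diskutil", "info", "-plist", dev])
            for dev in listing.get("AllDisks", [])]


if __name__ == "__main__":
    for dev, status in audit(SAMPLE_PLISTS).items():
        print(f"{dev}: {status}")
```

On a real Mac, replace `SAMPLE_PLISTS` with `live_plists()` in the `__main__` block; any volume reported as UNENCRYPTED is a candidate for the "APFS (Encrypted)" repartition described in the answer.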