MacOS Sierra: encrypting a bootable external drive

Discussion in 'Audio Hardware' started by gd0, Mar 5, 2021.

Thread Status:
Not open for further replies.
  1. gd0

    gd0 Looney Tunes and Merrie Melodies Thread Starter

    Location:
    Golden Gate
    Off-Topic seems goofier than usual lately, so I’m posting here.

    I think what I want to do is simple. Encrypt a bootable external HDD for off-site backup (mailed out of state). I use SuperDuper for cloning; I’ll buy CCC if that helps, but there are too many options there I don’t understand, for the time being.

    Outboard HDDs are always initialized and/or erased and set for Mac OS Extended (Journaled).

    Cloning works fine, but the seemingly simple function of selecting / encrypting via the Finder stalls out after the password is entered, with a popup that reads “A Recovery System for the targeted disk is required.” Installing a ‘recovery system’ seems to entail creating partitions and somehow installing OS. Which further seems to entail an arduous change the Target Disk, boot from the external, install OS (isn’t it there already from having backed up?).

    Is there a simple straightforward way to do this?

    FWIW, I’m stuck on 10.12.6 Sierra, so I can use old Adobe software. 2013 iMac.

    I don’t need to schedule automated backups.

    Before you reply, these conditions are set in stone (many reasons, don’t ask):
    No Time Machine
    No FileVault
    No Cloud
    No WiFi
    No Java

    I presume this has something to do with the need for a bootable backup, and my inexperience in encryption. I’ve never even put my clones to the test, frankly. Oddly, I did successfully encrypt a couple disks a few months back (via Finder), but I can’t remember what was on them.

    Any ideas?
    .
     
    head_unit likes this.
  2. BruceS

    BruceS El Sirviente del Gato

    Location:
    Reading, MA US
     
  3. gd0

    gd0 Looney Tunes and Merrie Melodies Thread Starter

    Location:
    Golden Gate
    I'm not sure, but there might be enough differences between High Sierra and Sierra to get a false impression of what to do.

    Scouring the drive for material to encrypt would easily kill a day here. Mostly to protect my identity / info and (job) client confidentiality. Probably takes up most of the 300GB. These things would be mailed out of state.

    Before you go to that effort, could you tell me if what I'm trying to do is so far off-menu that I should consider other alternatives, ie your suggestion to isolate data?

    Thanks!
     
  4. geezin'

    geezin' Forum Resident

    Location:
    Flintstone MD
  5. BruceS

    BruceS El Sirviente del Gato

    Location:
    Reading, MA US
  6. elvisizer

    elvisizer Forum Resident

    Location:
    San Jose
    that uses filevault, though, and the OP said no filevault
    OP: you should use filevault for this, I would love to hear why that's off the table.
     
    BruceS likes this.
  7. elvisizer

    elvisizer Forum Resident

    Location:
    San Jose
    the recovery partition is a special checksummed OS from apple, you can install it onto a drive very easily using carbon copy cloner- it copies the recovery partition from your boot drive to the target drive.
    Cloning Apple's Recovery HD partition | Carbon Copy Cloner | Bombich Software
     
  8. BruceS

    BruceS El Sirviente del Gato

    Location:
    Reading, MA US
    I missed that, but "set in stone" is pretty emphatic. It occurred to me that a bootable drive drive could be created with SuperDuper and perhaps subsequently encrypted in Terminal, as noted here: Using a Unix terminal to encrypt a disk under OS X
    Whether that would work for a boot drive....don't know. Might be worth trying, though.
     
  9. elvisizer

    elvisizer Forum Resident

    Location:
    San Jose
    heyyy look at that you found a post from my buddy Rich Trouton (aka derflounder!) :love: he's a great guy, I met him back when he worked at the howard hughes medical institute and I worked at genentech. He's one of the most knowledgeable mac admins I've ever had the pleasure of sharing a podcast with.
    anyway diskutil cs convert is still filevault, really- you're just calling the encryption engine using the diskutil binary rather than fdesetup, but it's the same encryption process as filevault once invoked. so if filevault is out technically anything using fdesetup or diskutil cs convert would be out too.
     
    jesterthejedi, head_unit and Rolltide like this.
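    Added example (not from the thread, and not Rich Trouton's code): a POSIX shell script illustrating the Terminal route BruceS linked and elvisizer described. It reads pasted `diskutil list` output, refuses to proceed unless the target disk carries an `Apple_Boot Recovery HD` slice (the thing the Finder was complaining about), picks the `Apple_HFS` data slice, and prints the `diskutil cs convert` and `diskutil cs list` commands to run rather than running them. The disk identifiers `disk2`/`disk3`, the volume name `Clone` and the two listings are constructed sample data, not anything from gd0's iMac.

```shell
#!/bin/sh
# Added example: check a cloned external for a Recovery HD partition, then
# emit the Core Storage conversion commands for its data volume.
# Disk identifiers, volume name and listings below are constructed samples.

# Constructed sample of `diskutil list` for a clone that carries a Recovery HD.
SAMPLE_WITH_RECOVERY='/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *1.0 TB     disk2
   1:                        EFI EFI                     209.7 MB   disk2s1
   2:                  Apple_HFS Clone                   999.3 GB   disk2s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk2s3'

# Constructed sample of a clone made without the Recovery HD.
SAMPLE_NO_RECOVERY='/dev/disk3 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *1.0 TB     disk3
   1:                        EFI EFI                     209.7 MB   disk3s1
   2:                  Apple_HFS Clone                   999.8 GB   disk3s2'

# has_recovery_hd DISK LISTING
# Exit 0 if LISTING shows an Apple_Boot "Recovery HD" slice on DISK, else 1.
# Matching the identifier column keeps a Recovery HD on another disk from counting.
has_recovery_hd() {
    disk="$1"; listing="$2"
    printf '%s\n' "$listing" \
      | grep 'Apple_Boot *Recovery HD' \
      | grep -q "${disk}s[0-9][0-9]*\$"
}

# data_slice DISK LISTING
# Prints the identifier of the first Apple_HFS slice on DISK (the clone itself).
data_slice() {
    disk="$1"; listing="$2"
    printf '%s\n' "$listing" \
      | awk -v d="$disk" '$0 ~ /Apple_HFS/ && $NF ~ ("^" d "s[0-9]+$") { print $NF; exit }'
}

# encrypt_commands DISK LISTING
# Prints the commands to run on the Mac. Nothing here executes diskutil;
# read the output, then run it yourself.
encrypt_commands() {
    disk="$1"; listing="$2"
    if ! has_recovery_hd "$disk" "$listing"; then
        echo "no Recovery HD on $disk: clone the Recovery HD first, then retry" >&2
        return 1
    fi
    slice=$(data_slice "$disk" "$listing")
    [ -n "$slice" ] || { echo "no Apple_HFS volume on $disk" >&2; return 1; }
    cat <<EOF
# Wrap $slice in Core Storage and encrypt it. The passphrase is read from
# stdin so it never appears in shell history or in 'ps' output:
printf '%s' "\$PASSPHRASE" | diskutil cs convert $slice -stdinpassphrase
# Conversion continues in the background; repeat until Conversion Status
# reads Complete, then boot from the clone once to prove it unlocks:
diskutil cs list
EOF
}

# Run with RUN_EXAMPLE=1 to print the commands for the constructed sample.
if [ -n "${RUN_EXAMPLE:-}" ]; then
    encrypt_commands disk2 "$SAMPLE_WITH_RECOVERY"
fi
```

    `diskutil cs convert` drives the same Core Storage engine FileVault 2 uses on Sierra, which is elvisizer's point about it still being FileVault under the hood. The Recovery HD check comes first because the pre-boot unlock screen of a FileVault 2 boot volume is loaded from that partition; a clone without it may encrypt but will not boot to a password prompt.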
  10. gd0

    gd0 Looney Tunes and Merrie Melodies Thread Starter

    Location:
    Golden Gate
    Thanks guys.

    Yeah, I actually read that article before I started the thread. Three times in fact. It basically lays out the multiple steps I was trying to avoid. This kind of desktop management might be daily routine to many, but it's foreign to me. Already I'm hours into this reading and replying, just for terminology unfamiliarity alone.

    This started out as "it's easy to encrypt a disk from the Finder" :confused:

    Physical theft is not an issue here. It's an iMac; I don't have portable anything. It's also an older 2013 iMac, likely subject to slowed performance with FileVault. This mostly needs to be simple. Just looking to safely mail backups. I also don't want to double up on passwords and log-ins in daily use as a result.

    This off-site backup exercise is strictly for worst-case-scenario stuff like fire or earthquake, where I'd have to start all over with a new Mac.

    If I did something like drag-n-drop to a backup (thus making it not bootable?) can I encrypt that? And if I did need to access it on a new Mac, can that be done somehow?
     
  11. geezin'

    geezin' Forum Resident

    Location:
    Flintstone MD
    Well if you want to do it your way problems may occur. Try using disk utility to make a new image. Getting around file vault is going to be an issue. Using native software is always best practice. Good luck.

    BTW this is typed on a 2009 iMac 21.5" Core Duo 3.6 GHz running High Sierra 10.13.6. Without issues.
     
    timind likes this.
  12. BruceS

    BruceS El Sirviente del Gato

    Location:
    Reading, MA US
    I added a folder (data) via drag/drop to a bootable external of Mojave. Then I restarted my Big Sur 2015 MBA from the Mojave bootable. This worked. There was something about the drive the system didn't like—a popup msg of some sort—but the op was successful and I am able to run Mojave from the bootable—with—added-folder. Setting things back to how they were now.
     
    Last edited: Mar 6, 2021
  13. gd0

    gd0 Looney Tunes and Merrie Melodies Thread Starter

    Location:
    Golden Gate
    And do what with it? Here's where I embarrass myself in public. I've run across various instrux to make an "image" (disk image?) with no other info, but I don't remotely know what that is, how to use it, or why it matters. Can you point me to a tutorial? I need EXPLICIT step-by-step instructions when doing stuff like this. Also need to understand what I'm doing, and what the unspoken implications are.

    So, could that be encrypted?

    Thanks guys.
     
  14. BruceS

    BruceS El Sirviente del Gato

    Location:
    Reading, MA US
    I'll try to get back to it later, as other tasks are upon me now. Encrypted how, though...by what method were you thinking?
     
  15. elvisizer

    elvisizer Forum Resident

    Location:
    San Jose
    The easiest way to do this is to clone your boot to an external disk using carbon copy cloner or super duper, including the recovery partition. Then boot from the external drive and enable filevault. Job done.
     
    jesterthejedi and BruceS like this.
  16. elvisizer

    elvisizer Forum Resident

    Location:
    San Jose
    the only reason this is difficult is because of the refusal to use filevault. Apple made it easy, why not use it? If you encrypt via Disk Utility or Finder you're using the same encryption in a less convenient way.
     
    jesterthejedi likes this.
  17. gd0

    gd0 Looney Tunes and Merrie Melodies Thread Starter

    Location:
    Golden Gate
    I didn't expect I'd have to write so much on this.

    It appears I'll have to actually learn and use FileVault. This will take days; I have no understanding of admittedly crucial and essential security practices, and I can't find any plainspoken entry-level descriptions or instructions anywhere. For example...
    I literally don't know what the bolded item means, esp in terms of exactly how to do that, and confirm that I've done that. When I backup now, I just have SD clone my internal HDD to externals, and don't give it any more thought.

    My issues with FV are these:

    I'm concerned that my lack of knowledge could lead me to bricking my main system. And then spending days trying to undo that, mostly spending time to just learn basic terminology.

    Also concerned that FV will cause a performance slowdown on an older 2013 iMac, which is already showing signs of mild sluggishness on an increasingly crowded internet (though that's expected).

    Also concerned that enabling FV will create a new daily routine of multiple passwords and/or log-ins. Maybe the least of issues, I guess, but an annoyance for something I'm not sure I need.

    And even if I do implement FV, can I ever get to a point where creating encrypted (and bootable) backups is as simple as doing the unencrypted backups I do now?

    Is my old version of FV even reliable? I'm topped out at Sierra (old software).

    You guys obviously have IT chops, or at least understanding of basic security protocol. I got none of that. Can you point me to a plainly-written beginner's tutorial?

    Thanks again.
     
  18. geezin'

    geezin' Forum Resident

    Location:
    Flintstone MD
    gd0 likes this.
  19. BruceS

    BruceS El Sirviente del Gato

    Location:
    Reading, MA US
    This topic interested me enough to do some testing on an existing bootable that was created on Mojave. I used High Sierra, Mojave, and Big Sur for the test. In all 3 cases, macOS did not offer me an option to encrypt the bootable under any conditions. As a sanity test, I tried the same proc on a non-bootable external (only on Mojave). In that case, I got the expected option to Encrypt. It may not be possible to natively encrypt a bootable external on Mac. Like to note that other non-boot externals have been encrypted with no issues. Of course, I could be missing something. If I were doing this, I'd round up the data—yes, that could be painful—and encrypt that. You can use a strong system password. Good luck. Like to know how it goes.
     
    gd0 likes this.
  20. kaikki on aivan jees

    kaikki on aivan jees Forum Resident

    Location:
    Brooklyn
    gd0 and BruceS like this.
  21. BruceS

    BruceS El Sirviente del Gato

    Location:
    Reading, MA US
    That could do it. I don't have CCC and I did not enable File Vault Encryption on the bootable after startup. I do wonder why I couldn't encrypt the bootable when it was mounted as just a regular volume.
     
    gd0 likes this.
  22. gd0

    gd0 Looney Tunes and Merrie Melodies Thread Starter

    Location:
    Golden Gate
    This all started with a simple "Just right-click your drive in Finder and select Encrypt."

    Easy-peasy!

    I can't believe my original task was so far off the main menu.

    Those look like the exact things I should be able to decipher. Also appreciate the bolded Warnings.

    I'll also take a hard look at @geezin' 's Apple Pro Training suggestion; hopefully there's one for Sierra.

    It's not like my actual work hasn't come to a complete standstill. o_O

    I will report back as requested. But this is gonna take me a real. long. time. It's not just FileVault, it's all the peripheral crap that goes with it: recovery key, two-step verification etc. I've never done any of that. I'll probably have to re-learn such basic things as precisely setting up Admin access; done once, decades ago, and forgotten. I'll have to learn which CCC options to enable. I have to go slow, or I will surely brick this thing.

    It's the first day of kindergarten for me.

    Thanks for the help, guys.
    .
     
    jesterthejedi likes this.
  23. geezin'

    geezin' Forum Resident

    Location:
    Flintstone MD
    Take yer time and ..............back up yer ****!

    Oh and for Sierra.
     
    gd0 likes this.
  24. gd0

    gd0 Looney Tunes and Merrie Melodies Thread Starter

    Location:
    Golden Gate
    @elvisizer @BruceS @geezin'

    I’m back, as threatened. Had to drop this for a while, but started back up several days ago.

    Summary to this point: The original goal was to encrypt BOOTABLE external drives for offsite backup. Feedback in this thread convinced me to enable FileVault and use Carbon Copy Cloner instead of SuperDuper. Since I’ve never used FV, or ever done any kind of security configuring, and am entirely clueless about password management, I’ve started from scratch as if I’d never used a Mac before.

    I did buy a copy of macOS Support Essentials 10.12, as suggested by @geezin' . While I get that it’s geared for actual hands-on administrators managing networks and multiple users, it was still difficult reading stuff over and over only to realize it didn’t pertain to me. I’ve never even worked in an office. Strictly at-home single-user. But it did explain stuff as you said.

    Anyway, the short-term goal now is to safely enable FileVault without locking myself out. Encrypted backups can wait.

    Several things remain unclear, despite reading 2, 3, 4 times. Got a few questions regarding how things appear on the display, how my daily usage is affected, and how many different passwords and log-ins do I have to juggle. It might be in that book, but it doesn’t jump out to this single-user.

    To repeat my setup:

    2013 iMac, macOS 10.12.6 Sierra, 1TB SSD
    No fewer than 4 external backup HDDs

    No Java
    No Time Machine
    No Cloud
    No WiFi; hard-wired Ethernet to antique DSL
    No smart phone, or portable devices at all
    No network to other computers at all

    I am THE single sole user here, “admin”
    My Apple ID is established, two-factor authentication is ON
    My account log-in ID / password is separate from Apple ID
    “Legacy FileVault” is not on this iMac, only the current version
    I did locate the Recovery HD partition

    Physical theft is a non-issue here

    What remains unclear:

    1. Keychains
    If there are no other users, is there any reason to have or save keychain files or passwords for them? I barely understand the usage, other than a not-very-secure “convenience” I don’t need. Passwords are stashed away on a hard copy, and a buried text file. (Although it seems like a keychain might be a preferred way to do FileVault Recovery if needed.) Should I lock existing keychain access (it’s now unlocked, not sure if I’ve ever looked at it before)?

    2. Passwords
    How many passwords, authentications and log-ins do I have to juggle to live with FileVault? Can I ultimately resume my normal daily account log-in and forget I ever enabled FV? I understand that Apple ID / PW, and account password are separate; is there a separate FileVault password to deal with? I can’t tell from reading, but do I need to pay attention to Master Password and/or Firmware Password for any reason?

    3. Configure FV Recovery
    There is a choice to make, “use iCloud account to unlock disk” or “create a recovery key” with a mild preference stated for keychain but no explanation. If I’m looking to ignore keychains in general, and am confident in finding my Apple ID on the premises, can I just go with the Apple ID?

    4. What does FV look like?
    I understand that enabling FileVault and restarting to begin encryption will show me different things on the monitor, and that it will take some hours to accomplish. But once done, can I resume my normal, simple log-in routine and otherwise ignore that FV is enabled? And when I eventually make backups, do they require repeated extra setup effort so they too are encrypted?

    5. What does FV NOT do?
    Not really clear, but reading suggests that FileVault is there primarily to thwart physical theft of laptops and other portables. Can it do anything to lessen the chance of online hacks?

    Thanks guys. If you’ve read all this, your stamina is commendable.
    .
     
  25. elvisizer

    elvisizer Forum Resident

    Location:
    San Jose
    keychains are part of a user account on macOS- if you have a single user account on your mac then by default your mac will have 2 keychains- your user keychain or 'login' keychain, and the system keychain. Don't delete either of those, and in general don't try to manage keychains yourself- let the OS handle that unless there's an actual problem that needs to be fixed. Also note that the login keychain by design should unlock automatically when you login and stay unlocked until you log out. Anything you tell your user account to save in the keychain will go in there. the system keychain is for the system's use for anything that isn't user-account-specific, and will stay locked. The system will unlock that one when needed silently. Keychains have gotten harder to manage manually in recent OS releases- they used to be a plain encrypted container file that lived on your disk, nowadays the files actually just point to a sqlite database that contains all the items. It's much harder to move or replace kc's now.
    no extra passwords- filevault uses your user account password for authentication, so it's the same password you're currently using. the only auth item FV adds is the recovery key, which is only used if you forget your password.
    as I mentioned earlier keychains are an intrinsic part of a user account and the system on macOS so you CAN NOT AVOID THEM. Also they really don't relate to this particular choice. if you choose to use icloud for recovery your icloud account will have hidden recovery keys that will allow you to unlock your mac if you forget your login password on the mac. If you choose the recovery key option, filevault will show a password on screen that can unlock your disk if your password is forgotten. This recovery key will not be stored ANYwhere- it's up to you to record it and keep it safe. you could of course create a secure note in your login keychain to store the recovery key, but if you can't unlock the disk on that mac, you can't get at that keychain with the recovery key! so that'd be a REALLY bad idea. a normal password manager like 1password would make much more sense, or just writing it down in a secure location.
    basically there's no changes outside of the boot process. on a non-FV mac, the OS boots up before you get to the login screen. With filevault, the OS has to authenticate before the disk is unlocked, so the auth screen comes up first, and THEN the OS boots. so the progress bar for boot occurs after auth with FV on, before auth with FV off. Once you're logged in, there's ZERO difference unless you look at how the disks are arranged under the hood via diskutil.
    filevault is volume based encryption, so no- it doesn't do anything about malware at all... MacOS has other things built in for malware protection like gatekeeper and xprotect. The point of filevault is that if someone steals your mac they won't be able to read any of the data on the hard drive.
     
    Last edited: May 19, 2021
    gd0 likes this.
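    Added example (not from the thread): a small POSIX shell script for the recovery-key point elvisizer makes above, namely that the key is shown once, stored nowhere, and is the only way back in if the login password is lost. It normalises a key transcribed from paper, checks that it has the 24-character, six-groups-of-four form FileVault shows, and, when run on the Mac itself, hands it to `fdesetup validaterecovery` (present on 10.9 and later, reads the key on stdin, needs admin rights) so you learn whether your written copy actually unlocks the disk before you ever need it. The sample key in the usage line is made up.

```shell
#!/bin/sh
# Added example: sanity-check a transcribed FileVault personal recovery key.
# The format (six groups of four upper-case letters/digits) is what FileVault
# displays; the live check only runs where fdesetup exists (macOS).

# normalise_key KEY
# Strips spaces and hyphens, upper-cases, and regroups as XXXX-XXXX-...-XXXX,
# so a key copied from paper with spaces or in lower case still compares.
normalise_key() {
    raw=$(printf '%s' "$1" | tr -d ' -' | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$raw" | sed 's/\(....\)/\1-/g; s/-$//'
}

# key_is_well_formed KEY
# Exit 0 if KEY normalises to exactly 6 groups of 4 characters in [A-Z0-9].
key_is_well_formed() {
    normalise_key "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# check_recovery_key KEY
# Format check everywhere; on a Mac, ask fdesetup whether the key unlocks
# this disk (exit 0 = valid). Run with sudo for the live check.
check_recovery_key() {
    key=$(normalise_key "$1")
    if ! key_is_well_formed "$key"; then
        echo "recovery key is not 24 letters/digits in 6 groups of 4: $key" >&2
        return 1
    fi
    if command -v fdesetup >/dev/null 2>&1; then
        printf '%s\n' "$key" | fdesetup validaterecovery
    else
        echo "format OK: $key (run this on the FileVault Mac to validate it)"
    fi
}

# Usage with a made-up key: RUN_EXAMPLE=1 sh thisscript.sh
if [ -n "${RUN_EXAMPLE:-}" ]; then
    check_recovery_key 'abcd efgh ijkl mnop qrst uvwx'
fi
```

    Keep the written key with the mailed drive's paperwork, not on the drive or in the login keychain; as the post says, a keychain you can only open after unlocking the disk cannot help you unlock the disk.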