Is there any way to encrypt my drive with a private key, and no external tools (to be installed), and then unlock via command-line?
I'm referring to my second drive and not my boot drive. I’m not keen on turning on file-fault.
Encrypt drive with private key
encryptionhard drivemojave
Related Solutions
Aha! The answer comes when you try to deselect the "Encrypt backups" option:
So it appears they are one and the same.
It should work, but if you use SuperDuper! a workaround is necessary:
I backed up my main system volume (hereinafter referred to as "System") to the unencrypted! backup volume (hereinafter referred to as "SystemBackup"). After rebooting to SystemBackup i tried to encrypt the volume SystemBackup, which wasn't successful, because the Recovery HD on the backup disk is missing. SuperDuper! only creates a copy of the system volume.
- To get around this you first have to install a working system on the backup disk or use another way to create a Recovery HD volume on the backup disk and then erase the main backup volume again.
- Backup your main system volume to the backup volume.
- Boot to your (bootable) backup volume SystemBackup
- Enable File Vault 2 in the system preferences.
- Reboot to SystemBackup like advised and continue encrypting.
- After encryption has finished boot to your main volume again
- Now backup your main volume as usual using SuperDuper!
In my second/third attempt i used CarbonCopyCloner. In contrary to SuperDuper! CCC creates a backup, which usually includes the Recovery HD:
- Backup your main system volume to the unencrypted! backup volume. You might have to initiate the backup of the Recovery HD manually. In my first attempt it was backed up automatically and in a second attempt i had to initiate it manually.
- Boot to your (bootable) backup volume SystemBackup
- Enable File Vault 2 in the system preferences.
- Reboot to SystemBackup like advised and continue encrypting.
- After encryption has finished boot to your main volume again.
- Now backup your main volume as usual using CarbonCopyCloner.
Even after completely deleting my main disk (File Vault volume & Recovery HD) to simulate a disk failure, i have been able to boot to my system backup volume.
Don't encrypt the backup volume in the Finder (e.g. control-click on the the volume) before or after backing up your main volume!
An important note from the CCC knowledge base:
Mac firmware cannot "see" FileVault-protected volumes larger than 2.2 TB when the disk is attached via USB. If attaching the disk to your Mac via Firewire or Thunderbolt is not an option, create a 2TB partition at the beginning of the external disk to work around this limitation.
Related Question
- MacOS – How to encrypt an external drive with FileVault 2 in OSX Yosemite
- Formatting Boot Drive As Encrypted For Clean Install
- Mac – Encrypt External Hard Drive for Mac and Linux
- MacOS – Encrypt FAT USB drive under El Capitan (10.11)
- Which is faster: Encrypt empty external disk or leave data on disk while encrypting
- Encrypt USB Drive – How to on macOS High Sierra
- Encrypt external HDD without erasing data on High Sierra
Best Answer
You can use APFS encryption (essentially FileVault) on a secondary drives such as USB drives etc. When formatting the drive with Disk Utility choose “APFS (Encrypted)”, and you’ll be asked for a password for the drive.
When you plug in the secondary drive, macOS will automatically try to mount to mount it by opening a pop up asking you to enter the password to unlock.
If you literally want to use a private key, as in a key file (i.e. not a written password, but an encryption key) - then you’re out of luck. No such solution comes built in with macOS. However it can be done with external tools.