Mac – Encrypting from the Disk Utility vs Finder

encryptionhard drivetime-machine

I am testing two methods of encrypting a new hard drive. Using Disk Utility, I erased it and created two equal partitions (10GB each, the rest free space), both "Mac OS Extended (Journaled)".

1) From Disk Utility, I selected the first partition (Seagate1 below). Then, from the "Erase" tab, I selected "Mac OS Extended (Journaled, Encrypted)". Next, I clicked on the "Erase" button. It encrypted it right away, as explained below.

2) In the Finder, I selected the second partition (Seagate2), then selected "Encrypt" from the Finder gear-like drop down menu. It stated encrypting it, at a rate of maybe 100MB/sec (also explained below).

Below is the output of "distill cs list". I know 1) was instantaneous and 2) took 100 sec roughly because I looked at the partial results.
So it looks like the approach 2) is encrypting the entire empty partition.

i) Is this the only difference between 1) and 2)?

ii) In particular, what does "Revertible: No" mean for Seagate1 (see below)?

iii) Which approach is safe for Time Machine backups? I do not want to use the "encrypt backups" option in the time machine because I want to know what is going on.

I found this post somewhat helpful, but it does not answer question iii). The poster is talking about my method 1) vs the TM "encrypt backups" option. The conclusion is that they are the same. I would guess that TM "encrypt backups" is the same as my method 2).

Difference between enabling Time Machine's "Encrypt Backups" option, and encrypting from Disk Utility?

$ diskutil cs list

CoreStorage logical volume groups (3 found)
|
+-- Logical Volume Group E374A008-44C9-4A5F-877E-1A14186EE3C1
|   =========================================================
|   Name:         Macintosh HD
...
...
+-- Logical Volume Group D3D788DF-C76A-43B9-8325-A8E875E3720A
|   =========================================================
|   Name:         Seagate1
|   Status:       Online
|   Size:         10000007168 B (10.0 GB)
|   Free Space:   782336 B (782.3 KB)
|   |
|   +- Logical Volume Family AAFDF6DC-ECEE-4919-9FD9-A3A6E3F1CCEF
|       ----------------------------------------------------------
|       Encryption Status:       Unlocked
|       Encryption Type:         AES-XTS
|       Conversion Status:       Complete
|       Conversion Direction:    -none-
|       Has Encrypted Extents:   Yes
|       Fully Secure:            Yes
|       Passphrase Required:     Yes
|       |
|       +-> Logical Volume B5EA0F9F-55D6-48BF-BBD0-FBA00B595D6F
|           ---------------------------------------------------
|           Disk:                  disk3
|           Status:                Online
|           Size (Total):          9646899200 B (9.6 GB)
|           Conversion Progress:   -none-
|           Revertible:            No
|           LV Name:               Seagate1
|           Volume Name:           Seagate1
|           Content Hint:          Apple_HFS
|
+-- Logical Volume Group 31EFE91B-0384-4D1F-B706-493509FBC66F
    =========================================================
    Name:         Seagate2
    Status:       Online
    Size:         10000007168 B (10.0 GB)
    Free Space:   19005440 B (19.0 MB)
    |
    +- Logical Volume Family E5AFD11D-75E5-4ACB-8687-D740C1ED99AC
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Conversion Direction:    -none-
        Has Encrypted Extents:   Yes
        Fully Secure:            Yes
        Passphrase Required:     Yes
        |
        +-> Logical Volume 31DE3F9A-F7FD-4898-B3D7-C9222D38B943
            ---------------------------------------------------
            Disk:                  disk4
            Status:                Online
            Size (Total):          9628680192 B (9.6 GB)
            Conversion Progress:   Complete
            Revertible:            Yes (unlock and decryption required)
            LV Name:               Seagate2
            Volume Name:           Seagate2
            Content Hint:          Apple_HFS

Best Answer

The difference with method 1 is that, with method 1, you're not actually converting anything. You're erasing the existing data and replacing it with an encrypted partition. With method 2, a conversion process begins, which doesn't erase data, but does take more time.

The thing to keep in mind: any drive which is converted from a normal drive (HFS+) to a Core Storage drive can be reverted back to a simple HFS+ volume (non-encrypted). If you use the Disk Utility method you showed above, the resulting disk will NOT be revertible, because the disk will have never been an HFS+ volume in the first place. That is what you're seeing with "Revertible: No". If you use the Finder method (or the equivalent command-line option), the drive will be revertible.

Another thing to keep in mind is that modern versions of OS X will normally use Core Storage on the boot drive by default, even on unencrypted disks. The result is that, in some cases, "Revertible" may always be "No". You'll always be able to decrypt a Core Storage volume however, so perhaps this is insignificant for most people.

If you want to talk about what's the best option for Time Machine, it doesn't really matter. The end result is, in either case, an encrypted disk, protected by a password. To do anything to the disk you would need the password. There isn't any significant difference to either method. It's marginally possible that the disk utility method could be the slightest bit more secure, for the simple reason that this reduces the number of attack vectors. If there is any benefit, it would only be slight.

Related Solutions

MacOS – Is FileVault distinct from Finder’s “Encrypt …” command

Filevault's use the XTS-AES 128 encryption. As Finder's contextual menu encryptation option and the Erase with the Encrypted format use Filevault's system, the encryption is the same.

Disk Utility's, in the other hand, when creating an new image, lets you choose between a 128 or 256 bits AES Encryption.

These two methods are, therefore, different. The latter just creates a folder which requires a password to be opened, while Filevault is a lot more complex.

And for the Logical Partition, here is explained in detail.

How Does FileVault 2 Work? Compared to the bare file system, or even FileVault 1, FileVault 2 seems like magic. How does it work? The first thing to know is that Apple has included a Logical Volume Manager (LVM) with OS X Lion. This is what FileVault 2 gets to ride on top of.

Physical media still exists—we really can’t get away from that, as the data need to be stored somewhere. CoreStorage doesn’t really care what the media is, though: traditional spinning-plater drives, SSD, USB storage or even a disk image. Represented above in green, we have three volumes that reside on some physical disks. These three volumes are converted into CoreStorage volumes and imported into a Logical Volume Group (LVG). This sets up a “pool” of storage. Volumes can be added to and removed from the pool after creation. A LVG is represented with a UUID. This LVG is then brought into a Logical Volume Family (LVF). An LVF maintains properties about the volumes in a LVG and presents these Logical Volumes (LV) to the system. CoreStorage creates new device nodes for each LV. As shown in the visualization above, the LVs, in blue, have a device node (disk1, disk2, disk3). The ‘key’ icon associated with the LVF shows that encryption is one of the properties maintained about the LVG. This is the layer at which the encryption key resides.

When you “Turn On FileVault…”, one of the steps converts your disk to a CoreStorage volume. Of course, when you “Turn On FileVault…”, only your boot disk is encrypted. Naturally, this fits Apple’s 99% case and is the right fit for the bulk of Mac users on the planet. That said, FileVault cannot and will not encrypt any other drives you may have attached to your system. That’s up to you.

MacOS – How to enable Time Machine encryption on the command line

No, sorry chickpee, I believe you're incorrect.

Is an encrypted Time Machine disk really just the same as a normal disk, full-disk-encrypted using FileVault?

Yes. It is. This would be "FileVault 2" we are talking about, aka CoreStorage, Apple's newish logical volume manager. This is different that the previous TM and FileVault technologies, which are based on AES-encrypted sparse-bundle disk images (which are still used for network backups, etc.). The process that starts in System Preferences (these days) when you enable disk encryption (whether on an external disk, for Time Machine, or on the boot drive for FileVault), provided the disk is suitable, it does an online conversion from a traditional GPT Partition Table to a single monolithic data store, with a very small partition for the CS firmware. Logical volumes (in logical volume groups) are then carved out of this, and these (software) volumes are then HFS formatted and encrypted.

I believe the most straightforward method for doing this would be to:

Attach the disk you're going to use, wipe it. Free space or a single HFS+ partition.
diskutil cs create/convert (wasn't/was formatted; unimportant) to initialize and add a new LVG
diskutil cs createVolume, create a single LV. You could enable encryption at this point, with diskutil cs encryptVolume, if you know the passphrase you're going to use; if not, leave it unencrypted for now.
diskutil partitionDisk diskX -- see below -- CS volumes appear as if they are completely autonomous, separate disks, so you partitionDisk.

Then: mount and unlock the volume on your new user's machine. Once the disk is unlocked, there shouldn't be any trouble 'adopting' it for use there. If you want to put it into a config script, I believe it's just something like tmutil -a /Volumes/Foo, tmutil startbackup -ad disk.... This is the part I'm least sure about, but I'm also sure its easily doable. I haven't done this for Time Machine per se my self, but I pre-encrypt disks for FileVault like this all the time, and the OS sort of just knows what to do with if after that.

A properly suitable CS-enabled-disk is going to appear like this in diskutil (although you might not have the third partition on disk0 if it's knows it's not going to be a boot drive:

/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *251.0 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:          Apple_CoreStorage                         250.1 GB   disk0s2
   3:                 Apple_Boot Boot OS X               250.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh LV           *249.8 GB   disk1

disk0 will not appear as encrypted, ever, since this is what the volume manager basically has to 'boot' off of. disk1 will be encrypted and will require the passcode to mount.

Best Answer

Related Solutions

MacOS – Is FileVault distinct from Finder’s “Encrypt …” command

MacOS – How to enable Time Machine encryption on the command line

Related Question