MacOS – How to encrypt an external drive with FileVault 2 in OSX Yosemite

encryptionfilevaulthard drivemacosSecurity

Ok, so according to https://www.apple.com/osx/what-is/security/ I should be able to encrypt ANY external drive…"with ease" using FileVault 2.

I have a brand new (empty) 2TB Fantom Drive model: GFP2000EU3 (Hitachi Drive)

Disk Utility:

I tried to erase and format the drive to Mac OS Extended (Journaled, Encrypted) Returned Error: "A GUID Partition Table (GPT) partitioning scheme is required."
Selected Logical Volume in left list, then went to Partition tab, clicked on dropdown, showing "Current," changed it to 1 partition, clicked Options button, then selected GUID Partition Table radio button > clicked OK, then Apply on main window. No errors came during this step.
Tried step 1 again, different error message: "Unable to create a new Core Storage logical volume group."

Finder:

Attempted ctrl+click>Encrypt *Drive Name* drive icon on my desktop, same error: "Unable to create a new Core Storage logical volume group."

I also tried a disk repair before trying again. Then tried all these steps again in Recovery Mode (command+R during startup), then tried under Safe Mode (holding shift at startup), and then under another user account. All come back with same error: "Unable to create a new Core Storage logical volume group."

Update 1:: I was able to successfully encrypt a 8gb Sandisk thumb drive. Still need to take care of the 2TB.

$diskutil list

/dev/disk3
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:      GUID_partition_scheme                        *2.0 TB     disk3
1:                        EFI EFI                     209.7 MB   disk3s1
2:                  Apple_HFS MyDrive                 2.0 TB     disk3s2

After chats with Apple tier 1 & Senior Support, they've ran CaptureData and a Systems Engineer is looking into this, may take a day or two. They said they have little to no documentation yet on my problem. Seems unlikely that I'm the only one…

Update 2: I received repair authorization from Fantom and overnighted the drive (at my expense). After inspection I received this message: "We've completed diagnostics on your drive and regret to inform you that the hard disk inside the case has failed. As such, the damage is now beyond our ability to repair- we will replace the disk drive mechanism and return the repaired unit."

I find this interesting, because I may not have found out about this problem until after I loaded critical data on the drive. I was able to format the drive and copy to and from the drive without issue…encrypting the drive exposed the problem. I still need to confirm that the "repaired unit" will encrypt as expected, hopefully I will receive that back soon.

Final update: after receiving the new drive, everything encrypted as expected. My advice is to try to encrypt every drive when you first get it, as a failure may detect some glitches that you'd want to see sooner rather than later…

Best Answer

I understand that you're running into issues, so this is going to be more for others looking for info on this topic. Encrypting non-boot volumes should be a relatively easy process in OS X 10.8.x and later.

To encrypt a non-boot volume:

Right-click on the volume you want to encrypt
Select the Encrypt… command

enter image description here

When prompted, enter a password and (optionally) a password hint.

enter image description here

The drive will momentarily disappear from the desktop (to initialize the encryption) then re-appear.

enter image description here

Related Solutions

MacOS – Is FileVault distinct from Finder’s “Encrypt …” command

Filevault's use the XTS-AES 128 encryption. As Finder's contextual menu encryptation option and the Erase with the Encrypted format use Filevault's system, the encryption is the same.

Disk Utility's, in the other hand, when creating an new image, lets you choose between a 128 or 256 bits AES Encryption.

These two methods are, therefore, different. The latter just creates a folder which requires a password to be opened, while Filevault is a lot more complex.

And for the Logical Partition, here is explained in detail.

How Does FileVault 2 Work? Compared to the bare file system, or even FileVault 1, FileVault 2 seems like magic. How does it work? The first thing to know is that Apple has included a Logical Volume Manager (LVM) with OS X Lion. This is what FileVault 2 gets to ride on top of.

Physical media still exists—we really can’t get away from that, as the data need to be stored somewhere. CoreStorage doesn’t really care what the media is, though: traditional spinning-plater drives, SSD, USB storage or even a disk image. Represented above in green, we have three volumes that reside on some physical disks. These three volumes are converted into CoreStorage volumes and imported into a Logical Volume Group (LVG). This sets up a “pool” of storage. Volumes can be added to and removed from the pool after creation. A LVG is represented with a UUID. This LVG is then brought into a Logical Volume Family (LVF). An LVF maintains properties about the volumes in a LVG and presents these Logical Volumes (LV) to the system. CoreStorage creates new device nodes for each LV. As shown in the visualization above, the LVs, in blue, have a device node (disk1, disk2, disk3). The ‘key’ icon associated with the LVF shows that encryption is one of the properties maintained about the LVG. This is the layer at which the encryption key resides.

When you “Turn On FileVault…”, one of the steps converts your disk to a CoreStorage volume. Of course, when you “Turn On FileVault…”, only your boot disk is encrypted. Naturally, this fits Apple’s 99% case and is the right fit for the bulk of Mac users on the planet. That said, FileVault cannot and will not encrypt any other drives you may have attached to your system. That’s up to you.

MacOS – Can’t encrypt external hard drive

OK, I'm running El Capitan OS X 10.11. The Apple app "Disk Utility" is useless to create encryption, as it typically returns

Operation Failed with status 28

So the fix is to use a little terminal magic. After adding your USB drive to the Mac, run terminal At the command-line prompt, enter:

diskutil list

You will see your main (internal) disk listed, as well as your USB:

/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.3 GB   disk0
   1:                        EFI EFI                     209.7 MB   disk0s1
   2:          Apple_CoreStorage Macintosh HD            499.4 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.1 MB   disk0s3
/dev/disk1 (internal, virtual):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           +499.1 GB   disk1
                                 Logical Volume on disk0s2
                                 B0B7A5AA-7D8D-41E3-8565-82E4E1D685D5
                                 Unlocked Encrypted
/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *31.5 GB    disk2
   1:             Windows_FAT_32 KINGSTON                31.5 GB    disk2s1

You can spot your external drive by its size -- mine is 32 GB, which, after overhead is around 31.5. In other words, its name is KINGSTON at drive identifier disk2s1. Now, using your USB drive's device identifier in place of disk2s1, pick a suitable name for your new drive. I like thing2:

diskutil eraseDisk JHFS+ thing2 /dev/disk2

About 30 seconds of progress later, you should get:

Finished erase on disk2

Now, open a Finder window, and right click your newly named disk. Pick the option encrypt . In my case, the USB 3.0 encryption took about 12 minutes of effort for 32 GB (45MB/s write). You will know you are done, when the drive activity light goes out.

Best Answer

Related Solutions

MacOS – Is FileVault distinct from Finder’s “Encrypt …” command

MacOS – Can’t encrypt external hard drive

Related Question