Which is faster: Encrypt empty external disk or leave data on disk while encrypting

encryptionhard drive

I'm trying to encrypt one of my 2 TB external drives using Finder > Right-click on drive name > "Encrypt"

I moved all the files (~1 TB) to another drive because I was thinking that an empty drive will be encrypted faster than encrypting the drive with the files in place.

However, I'm about four hours into the encryption process of the empty drive and it's only about 5% done.

Is there any advantage to encrypting the drive while it's empty, or does having files on the drive not make a difference in encryption speed?

This is on 10.12.3.

Best Answer

Leave the data on the disk being encrypted to achieve the fastest speed.

Full-disk encryption encrypts the entire disk, no matter what data is or isn’t there. Otherwise an adversary could easily determine which sections were blank, and attack only the ones that weren’t all 0s.

That’s one weakness of per-file encryption: allowing an attacker to determine what they want to target.

The way you chose to perform this operation, your empty disk will be fully encrypted once. Then once you move the 1 TB back onto it, encryption will be performed a second time on half of your drive.

This means it will have taken 50% longer to encrypt the drive vs. if you had left the files on the drive to begin with. Then add to that the amount of time required to shuffle the data back and forth, and you end up with a significant time loss.

Now since the process has already started, it’s more advantageous to let it complete before moving the files back over. Spinning hard drives really struggle with writing multiple areas of a drive at a time (which would occur if you encrypt one area while copying files to another).

If the external is an SSD, copying while the initial encryption takes place might not impact the process as much.

Related Solutions

MacOS – Is FileVault distinct from Finder’s “Encrypt …” command

Filevault's use the XTS-AES 128 encryption. As Finder's contextual menu encryptation option and the Erase with the Encrypted format use Filevault's system, the encryption is the same.

Disk Utility's, in the other hand, when creating an new image, lets you choose between a 128 or 256 bits AES Encryption.

These two methods are, therefore, different. The latter just creates a folder which requires a password to be opened, while Filevault is a lot more complex.

And for the Logical Partition, here is explained in detail.

How Does FileVault 2 Work? Compared to the bare file system, or even FileVault 1, FileVault 2 seems like magic. How does it work? The first thing to know is that Apple has included a Logical Volume Manager (LVM) with OS X Lion. This is what FileVault 2 gets to ride on top of.

Physical media still exists—we really can’t get away from that, as the data need to be stored somewhere. CoreStorage doesn’t really care what the media is, though: traditional spinning-plater drives, SSD, USB storage or even a disk image. Represented above in green, we have three volumes that reside on some physical disks. These three volumes are converted into CoreStorage volumes and imported into a Logical Volume Group (LVG). This sets up a “pool” of storage. Volumes can be added to and removed from the pool after creation. A LVG is represented with a UUID. This LVG is then brought into a Logical Volume Family (LVF). An LVF maintains properties about the volumes in a LVG and presents these Logical Volumes (LV) to the system. CoreStorage creates new device nodes for each LV. As shown in the visualization above, the LVs, in blue, have a device node (disk1, disk2, disk3). The ‘key’ icon associated with the LVF shows that encryption is one of the properties maintained about the LVG. This is the layer at which the encryption key resides.

When you “Turn On FileVault…”, one of the steps converts your disk to a CoreStorage volume. Of course, when you “Turn On FileVault…”, only your boot disk is encrypted. Naturally, this fits Apple’s 99% case and is the right fit for the bulk of Mac users on the planet. That said, FileVault cannot and will not encrypt any other drives you may have attached to your system. That’s up to you.

MacOS – Time Machine drive encryption going for 22 hours. Is it stalled

22 hours is very long indeed. I have encrypted a 1TB drive in less time before.

The encryption is handled by a "live background process". "This process continues seamlessly across reboots. The logical volume remains usable at all times."

^{from man page > diskutil > encryptVolume}

Maybe this daemon hangs or simply halted because the drive is not mounted (which is fine). So you should just re-mount it again.

Alternatively, I would try I restart the daemon by simply restarting the computer. Once the Time Machine backup is mounted again, the daemon will continue encrypting the drive.

Checking the encryption progress using diskutil

You can check the status of the encryption by using the command:

diskutil cs list

In the nested tree you will see a Logical Volume Family which is currently being encrypted. If you drive is being encrypted, you should see the entry Conversion Status: Converting .

Encryption Status:           Unlocked
    Encryption Type:         AES-XTS
    Conversion Status:       Converting      //what does it say here?
    Conversion Direction:    forward
    Has Encrypted Extents:   Yes
    Fully Secure:            No
    Passphrase Required:     Yes

Best Answer

Related Solutions

MacOS – Is FileVault distinct from Finder’s “Encrypt …” command

MacOS – Time Machine drive encryption going for 22 hours. Is it stalled

Checking the encryption progress using diskutil

Related Question