Encrypt External Drives with Mac OS X Lion’s FileVault 2

Somebody asked me whether I encrypt any of my external drives. The answer is yes – with FileVault 2, Mac OS X 10.7 Lion added the ability to encrypt an entire hard drive with XTS-AES 128 encryption (which is about as good as you can get while still making it easy). It’s handy when traveling, especially with the smaller USB/FireWire drives, which can sprout legs and disappear. I’m talking about the smaller drives that use 2.5-inch laptop hard drives. I’ve put together a couple of small FireWire 800 drives using the Macally FireWire 800/USB 2.0 Enclosure (PHR-S250UAB) (Amazon is cheaper than dedicated Mac shops for this particular enclosure) and I also have a Western Digital My Passport Studio 1 TB FireWire 800 External Hard Drive (Amazon) that I picked up on sale.

Why FireWire 800?
Although this article is about encrypting external drives, I know somebody might be wondering about my choice of drives. Buying FireWire 800 drives or FireWire 800 enclosures is a little pricier than the USB route, but my MacBook Pro supports it, as does my iMac; it’s faster than USB; and you can daisy-chain devices, which frees up USB ports. There are also times when I handle a large number of large files, such as when I’m scanning photos or dealing with home video or interviews, and it’s worth the speed increase. I do not have Thunderbolt interfaces on either of my Macs. Hopefully by the time I feel the need to upgrade, Thunderbolt-based external drives will be cheap and easy to obtain.

So why encrypt your external drives?
Imagine losing an external hard drive or flash drive. If you’re like me, you may be using it as a backup to your Mac(s), at least temporarily, or as supplemental storage. I do make use of Time Machine; however, I leave my Time Machine backups in a secure location and don’t carry them with the computer. I use external drives when I’m traveling for manually backing up on the go and storing extra data and information. Those who are on MacBook Airs with the smaller Solid State Drives (SSDs) are probably using external drives a lot, and although they are using USB or Thunderbolt devices instead of FireWire 800 like me, the information below still applies.

I have financial information, scanned receipts, emails and email attachments, and the other assorted digital things that we all come into contact with in our daily lives. It’s the nature of the “digital world”. In addition to being a Mac user, I’m obviously a genealogist. I end up with a lot of information such as copies of birth certificates, family photos, and other documents that I would not be comfortable having other people access without my permission. Imagine losing a hard drive with some personal information about a family member, and having to tell them that you didn’t take any precautions with that information even though it’s easy to do so? Awkward, very awkward.

The bottom line is that if somebody steals one of your external drives or flash drives, they aren’t going to be able to get the information off the drive if you have FileVault 2 enabled on the drive.

VERY IMPORTANT NOTE: Once you’ve encrypted an external hard drive with FileVault 2, if you lose or forget the password, that data is gone!

Before we Start – More on FileVault 2
* Apple Knowledgebase Article – OS X Lion: About FileVault 2
* When you select a partition to erase and encrypt, ALL DATA on that partition will be erased. Do not select a drive/partition that has information you care about.
* You cannot mount these drives on earlier versions of Mac OS X, such as OS X 10.5 Leopard and OS X 10.6 Snow Leopard. You will need a system that has FileVault 2 built in, and that means OS X 10.7 Lion or OS X 10.8 Mountain Lion. If you have a mixture of Mac OS X systems, think carefully about this. Once that drive is encrypted, it’s only going to be accessible on a system running Lion or Mountain Lion.

Note: This works on other types of external drives, including “thumb” drives and possibly even Secure Digital (SD) cards and other types of external storage. The steps below should also apply to those storage types.

Step #1 – Select the drive/partition
[Image: Mac OS X Lion FileVault 2 Encrypting External Drive]

Step #2 – Select the partition, select erase, and select the file system.

Select Mac OS Extended (Journaled, Encrypted). I do not advise the “Case-sensitive” variant, because it lets you have file names that are the same except that some letters are uppercase and some lowercase. It could get confusing.

[Image: Mac OS X Lion FileVault 2 Encrypting External Drive - Select Encryption]

Step #3 – Confirm that you want to erase/reformat the partition, and enter a password. FileVault 2 will inform you of the strength of your password. Hint: Mix upper and lowercase letters, numbers, and characters such as # and % and &, but DO NOT FORGET this password.
[Image: Mac OS X Lion FileVault 2 Encrypting External Drive - Select Password]

At this point, FileVault 2 will erase and partition your drive.

Step #4 – This is what you see when you mount the drive in the future. Unless you enter the proper password, it will not mount.
[Image: Mac OS X Lion FileVault 2 Encrypting External Drive - Finished]
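
Once the drive is formatted, it is worth confirming from Terminal that it really is encrypted rather than trusting the password prompt alone. The script below is an added example, not part of the original post: it reads the text printed by `diskutil cs list` and flags any volume that is not fully encrypted. The function names and the sample listing are constructed for illustration, and the field names are assumed to match what `diskutil cs list` prints on Lion and Mountain Lion.

```shell
# Added example (not from the original post); field names are an assumption.

# Reads `diskutil cs list` text on stdin. Prints one verdict per volume and
# returns non-zero if any volume is not protected.
check_cs_encryption() {
    awk '
    function val(s) { sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s }
    /Encryption Type:/     { etype  = val($0) }
    /Conversion Status:/   { conv   = val($0) }
    /Fully Secure:/        { secure = val($0) }
    /Passphrase Required:/ { pass   = val($0) }
    /Volume Name:/ {
        name = val($0); why = ""
        if      (etype  != "AES-XTS")  why = "encryption type " etype
        else if (conv   != "Complete") why = "conversion " conv
        else if (secure != "Yes")      why = "not fully secure"
        else if (pass   != "Yes")      why = "no passphrase required"
        if (why == "") print name ": OK"
        else { print name ": NOT PROTECTED (" why ")"; bad = 1 }
        etype = conv = secure = pass = ""
    }
    END { exit bad + 0 }'
}

# Constructed sample in the layout of `diskutil cs list` (abridged); UUIDs are placeholders.
sample_cs_list() {
    cat <<'EOF'
+-- Logical Volume Group 00000000-0000-0000-0000-000000000001
    +-> Logical Volume Family 00000000-0000-0000-0000-000000000002
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Fully Secure:            Yes
        Passphrase Required:     Yes
        +-> Logical Volume 00000000-0000-0000-0000-000000000003
            Volume Name:           TravelBackup
+-- Logical Volume Group 00000000-0000-0000-0000-000000000004
    +-> Logical Volume Family 00000000-0000-0000-0000-000000000005
        Encryption Status:       Unlocked
        Encryption Type:         None
        Conversion Status:       NoConversion
        Fully Secure:            No
        Passphrase Required:     No
        +-> Logical Volume 00000000-0000-0000-0000-000000000006
            Volume Name:           Scans
EOF
}

# On a Mac with the drive mounted: diskutil cs list | check_cs_encryption
sample_cs_list | check_cs_encryption || echo "At least one volume is not encrypted."
```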

And finally – passwords and you
Here’s a topic nobody wants to discuss: What if something happens to you? I don’t know about you, but I always encrypt my home directories (and now full drives) on my Macs in case of theft. If something happens to you and nobody has your password, your relatives are not going to be able to recover that data. We’ve probably all heard or experienced horror stories where something happens to a relative and we are unable to obtain information from their computer or email accounts without going through a very difficult, and possibly expensive, process.

I’m not trying to scare you into not using encryption – it’s there for a reason. Most of us know somebody that has lost a computer due to theft or carelessness and this carries over into external drives or USB flash drives. As I said in my reasons for using FileVault 2, I have a lot of information that could be easy to abuse by somebody who would steal or find (and not return) my computers or devices, especially financial information, or information that I would not be comfortable with them having.

With that said, make sure to have at least one other person who knows your password – even if it’s written down in a safe deposit box or with somebody in another city or state. With so much genealogy and personal information being created digitally, it would not be good if something happened to you and your relatives weren’t able to recover valuable information. This isn’t like in times past when we wrote everything out on paper and it was tucked away in a filing cabinet that could be opened even without the keys. A lot of us do think about finding people within our family to pass this information on to when the time comes, and we don’t need to make it more difficult or impossible than it already is.