Full Disk Encryption Please

Before I begin, please note that this blog article is focussed on macOS on modern systems, not a PowerBook from 10 years ago or a Windows 10 machine. Sorry.

Let’s do this in two parts. One: encrypt everything, which includes internal and external drives. Two: have a backup, duh.

Let’s start with the backup, since it seems the most logical. I am sure I either have an existing blog article about this, or will write one in the near future. But it will come down to this: make backups! At the least, get an external USB drive that’s fast and big, so you can have an automated archive going back multiple months. Time Machine from Apple’s macOS can do it all for you. Any modern Mac system has a recovery partition and supports online OS installation. And for $50 to $100 you’re ready to go. Make manual backups as well. Don’t just trust Time Machine; select what you never want to lose and store it on the external drive (or yet another one). Be paranoid: make a backup that you can store offsite, just in case of a fire or theft.

Okay, assuming you care about your data and have a backup, encrypt your drives. In two parts: internal drives and external drives. At the very least, encrypt your external drives. They are easier for others to pick up, easier to forget, etc.

On macOS High Sierra for example (and older versions as well) you can just right-click the mounted drive, select ‘Encrypt..’ and set a unique and strong enough password. Do not check the box ‘save in keychain’; either store the password in a password manager like 1Password, or simply remember it. If you store it in the keychain, someone with your login can unlock the keychain and get the password that way.

Ok, the internal drive isn’t a right-click away. You have to go to System Preferences and open Security & Privacy. From there you can go to FileVault and turn on Full Disk Encryption.

The password for this is your login’s password. If your system will have multiple users (it should!) it will require you to enter those passwords as well. When it asks if you wish to unlock with iCloud or a recovery key: please use a recovery key. Again, just store it in a password manager like 1Password as a secure note, so your other devices, like another system, an iPhone or an iPad, can show you the key (and it’s stored in a safe place), or just write it down and keep it in your physical vault or somewhere secure.

I think it’s fair to point out that encryption is important, and strong. You can’t just ask ‘can you fix it for me, I do not remember my password’. You HAVE to remember the password, and if you can’t then you MUST have that recovery key. So please do take this seriously. Don’t be scared by it, but please be aware that you’re not just making a .zip file that you can unzip at any time. You’re garbling up everything for the right reasons, and the only way for it to make sense again is with a unique key that only you know.

What do we want to end up with?

A computer system that has full disk encryption turned ON for all the internal and external drives.
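
To check that end state for the internal drive from Terminal, here is an added example (not part of the original article) built on macOS's fdesetup tool. The function names and sample strings are made up for illustration, the in-progress wording is assumed from fdesetup's usual output, and external drives are not covered.

```shell
#!/bin/sh
# Added example: audit FileVault on the internal drive.
# fv_state and fv_verdict are illustrative names, not Apple tooling.

# Classify the text printed by `fdesetup status`.
# Progress lines are tested first because a disk that is still being
# encrypted also reports "FileVault is On." (assumed wording).
fv_state() {
    case "$1" in
        *"Decryption in progress"*) echo decrypting ;;
        *"Encryption in progress"*) echo encrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# $1 = state from fv_state
# $2 = output of `fdesetup haspersonalrecoverykey` (true/false)
# Returns 0 when encrypted with a recovery key, 1 when not fully
# encrypted, 2 when the recovery key is missing or could not be read.
fv_verdict() {
    if [ "$1" != on ]; then
        echo "FAIL: FileVault state is '$1'"
        return 1
    fi
    if [ "$2" != true ]; then
        echo "WARN: recovery key status is '$2'"
        return 2
    fi
    echo "OK: FileVault is on and a personal recovery key exists"
    return 0
}

# Only runs on a Mac; the recovery key query needs root.
if command -v fdesetup >/dev/null 2>&1; then
    state=$(fv_state "$(fdesetup status)")
    key=$(fdesetup haspersonalrecoverykey 2>/dev/null || echo unknown)
    fv_verdict "$state" "$key"
fi
```

Run it with sudo so the recovery key query can answer; without root it reports the key status as unknown.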

But it is scary!

Okay, what are you more scared of? Someone potentially having access to all your personal and private data, or turning on full disk encryption?

Have any questions, or want to get more information? Feel free to contact me and I’d love to help you improve your privacy and security. Encrypting your drives is one step towards fewer worries in the long run.

Something worth mentioning is wireless / Bluetooth. If you have a USB keyboard and mouse connected to the built-in USB ports, things should be fine. But sometimes non-stock USB keyboards and mice might not get recognized. So please do have the Apple keyboard/mouse or a wired solution handy, just in case.