Whether you’re using an external hard drive for backup purposes or to provide additional storage for your Mac, it’s important to make sure that whatever information it contains is as secure as possible. By default, an external hard drive can be accessed on any other Mac without hinderance, so even if you have FileVault 2 enabled on your Mac but you’re backing up to an unencrypted hard drive, it’s rather redundant.
OS X can encrypt volumes located on external hard drives and USB sticks in just a few clicks, making it impossible to view the contents of a volume on any Mac unless the correct password is provided.
Supported Filesystems
OS X can only encrypt volumes that are Mac-formatted with the filesystem Mac OS Extended, otherwise known as HFS+. If you have a disk formatted in a more Windows-friendly format, such as ExFAT, then disk encryption won’t be possible.
Encrypting a volume using the Finder
The Finder includes a built-in option to enable (and disable) disk encryption on a volume without first needing to reformat it, provided it’s Mac-formatted to begin with (see above). This allows you to encrypt a volume already containing files and folders without worrying about copying them back and forth.
With a suitable Mac-formatted disk connected to your Mac, right-click the volume within the Finder’s Sidebar or on the Desktop and select Encrypt volume name….
OS X will then prompt you to enter a suitable password. You can either specify your own or use the small 🔑 icon to bring up OS X’s Password Assistant to randomly generate one for you. Finally, disk encryption requires a password hint be provided since forgetting it will mean you can no longer access any of the data the volume might contain, and there’s no amount of data recovery that can bypass this.
Disk encryption can take anywhere from a few seconds to an hour depending on the size, speed and amount of data on a disk. A near-empty 32GB USB 2.0 stick took only a few seconds but a 1TB USB 3.0 drive that’s almost full might take considerably longer.
Fortunately, OS X still provides access to the volume so you can keep reading and writing data to it though you’ll find you won’t be able to eject it until it’s completed. If you’re planning to do this on a portable Mac, make sure you’re in a position where it isn’t going to run out of power and can be left running until it’s finished, so starting it at the airport just before you’re about to board isn’t going to be the best place to do this.
Decrypting a volume using the Finder
If you decide that the volume you’re using no longer needs to be encrypted, it can be decrypted just as simply. Right-click it within the Finder’s Sidebar or on the Desktop and select Decrypt volume name….
You’ll be required to enter the password for the encrypted volume again, even if it’s mounted, before OS X will disable encryption. After that, the volume will decrypt. Again, this process can take some time on larger and slower disks so plan accordingly.
What about Disk Utility?
Rather surprisingly, Disk Utility is pretty bad at dealing with disk encryption. For example, the Finder includes a one-click option to enable or disable disk encryption. In Disk Utility, the option is never available and seems to be permanently disabled[1].
Disk Utility can be used to format a disk and enable encryption at the time, though it offers no benefit over just formatting a drive normally and then using OS X to encrypt it using the above steps. I don’t see any reason to use Disk Utility over the Finder when it comes to encrypting a disk.
-
I could be wrong and this may not be the case for others, but I’ve tested Disk Utility on a variety of Macs and versions of OS X and have never seen the option available. ↩