If you want to encrypt the contents of an external hard drive to protect its data in case of loss or theft, you’ve got a lot of options. You can create an encrypted disk image using Apple’s Disk Utility. You can use any of several third-party encryption programs, such as TaoEffect’s $25 Espionage, Northern Software’s $10 FileWard, or Smith Micro’s $80 StuffIt Deluxe, to encrypt individual files or folders. Alternatively, if you’re using the drive exclusively for backups, you may be able to make use of encryption capabilities in your backup software.
All these methods are fine, but in some situations conventional software encryption isn’t adequate. For example, if you want to use Time Machine but also keep your backups encrypted, you’ll have to jump through extra, complicated hoops because Time Machine lacks an encryption feature. Similarly, if you want to use a program like Bombich Software’s Carbon Copy Cloner (payment requested; ) or Shirt Pocket Software’s $28 SuperDuper ) to create a duplicate of your startup disk that’s both bootable and encrypted, regular software encryption won’t do the trick. Ditto if you want to be able to use an encrypted external drive on any computer (Mac or PC) without needing special software.
PGP’s $149 PGP Whole Disk Encryption for the Mac is one of several programs that let you encrypt the entire contents of a hard disk in such a way that it can still be bootable, and can be used on either a Mac or a PC. It’s often an excellent approach, but note that drives encrypted with PGP Whole Disk Encryption may not work on another computer unless it also has a copy of the software installed, and this sort of encryption may hinder disk repairs and a few other common activities.
If you want a truly universal solution that places no restrictions on the way the drive can be used, buy a hard drive with encryption capabilities built in. The drive itself encrypts and decrypts your data, so you don’t need to install any software. You can also use the drive as a boot volume or a Time Machine destination without any technical acrobatics. One word of caution, though: if the drive’s controller board or other electronics should fail, you may be unable to access your data (even if the drive mechanism itself is fine) unless you have the device repaired, or swap the drive into another identical enclosure.
Hardware-encrypted drives fall into several categories, based on the mechanism they use for decrypting data:
Several manufacturers make encrypted drive enclosures that you can unlock using a physical device that encodes the encryption key. As long as the device is present (plugged in, or in proximity to the drive), the drive can be mounted; without it, it’s effectively inert. Drives in this category include RadTech’s Encrypted Impact Enclosures (prices start at $95; available with or without drive mechanisms); RocStor’s Rocbit FXKT drives, and a variety of devices from SecureDISK ($50 and up). All of the SecureDISK enclosures include two or three keys that plug into a special port in the device. SecureDISK also sells a $50 RFID Security External Enclosure that uses RFID tags as the keys, so they need only be brought near the drive to unlock them.
If you’re concerned about losing a physical key, you can choose a drive with a built-in fingerprint scanner. Some examples include MXI Security’s Outbacker MXI Bio drives ($419-$599) and LaCie’s SAFE hard drives ($400 for the 2 TB model). (Note that some older, discontinued LaCie SAFE models, which came in pocket-sized enclosures, didn’t encrypt your data but only employ a less-secure firmware lock.) All these drives are convenient to use and can be configured to store fingerprints for up to five users. That’s a good idea in case any one user should, for example, suffer a hand injury. Be aware that several techniques exist for defeating fingerprint scanners (even without the physical presence of a fingertip). Still, these drives are likely secure enough for all but the most demanding applications.
The Data Locker Pro AES and Data Locker Enterprise ($230-$480) are encrypted hard drive enclosures that eschew a physical key or biometric reader in favor of a keypad on which you can enter a passcode of up to 18 digits. The use of a keypad means you can share the device with someone who doesn’t have a physical key, and whose fingerprints haven’t been enrolled. The drives can be set to “self-destruct,” erasing their data after a given number of incorrect passcode attempts.
At least one product, Rocstor’s upcoming Rocsafe MX, combines a physical key (in the form of a smart card) and a built-in keypad for entering a passcode in a compact hard drive enclosure, so users must have both the key and the code to decrypt the data.
Joe Kissell is the senior editor of TidBits and author of the e-book Take Control of Mac OS X Backups.