Tony Padgett uses FileVault in macOS to encrypt his startup volume. However, it occurred to him that because he routinely updates a bootable clone of that drive, his clone remains unprotected at rest.
After cloning my internal drive to an external, I can take that external clone, plug it into another Mac, and see and read the contents.
This “hole” is not very obvious to the average person. I somehow assumed because FileVaut has encrypted my iMac, an encrypted version of it was being cloned the external drive.
I agree! I understood this because of extensive testing of FileVault, but it’s certainly not immediately obvious if you don’t know how a seemingly identical clone is managed at a low level by macOS.
Tony consulted the folks behind SuperDuper and Carbon Copy Cloner, and they had similar advice, which I paraphrase here, as it works with any cloning solution:
Change your startup drive to the cloned backup or select it at startup by holding down the Option key after restarting.
Reinstall macOS in place (not an erase-and-install) on the cloned drive.
Boot from the clone.
Enable FileVault in the Security & Privacy system preference pane.
Select the original drive in the Startup Volume preference pane (you don’t have to wait for encryption to complete; it will continue in the background whenever the drive is mounted).
Restart and ensure you’re now booted from the original drive.
All subsequent operations on that drive will be encrypted.
Carbon Copy Cloner’s documentation offers a slight variant because that software can install the Recovery partition and files onto a clone. You can bypass the system reinstall as a result.
There’s an alternative to this that doesn’t result in a bootable clone but does result in a clone that you can restore to a Mac via macOS Recovery.
You can encrypt any drive in the Finder with a unique password that’s not connected to FileVault.
Select any drive.
Right-click and select Encrypt “Drive Name.”
Set a password by clicking the key icon and choosing one from the Password Assistant or creating one of your own. Warning: Save this password somewhere secure. Without it, you can be locked out of that drive’s contents forever.
Click Encrypt Disk.
You can then use any cloning program, including a feature within Disk Utility, to create a disk image on that encrypted mounted drive to which the startup drive is cloned.
While you can’t boot from a disk image in macOS, you can restore a startup volume from a disk image via Recovery, even if the drive on which the disk image is located has encryption turned on:
Restart your Mac or startup and hold down Command-R to boot into Recovery.
Launch Disk Utility.
Mount the volume in question.
Enter the encryption password when prompted.
Now you can right-click the startup volume and choose Restore, then click the Image button to choose the disk image on the mounted, encrypted volume.
I have so rarely needed to boot from a clone that I typically clone multiple computers to a large volume by using disk images. However, I have had to restore damaged systems a few times recently, and used the disk image method above without a hitch.
Ask Mac 911
We’ve compiled a list of the most commonly asked questions we get, and the answers to them: read our super FAQ to see if you’re covered. If not, we’re always looking for new problems to solve! Email yours to email@example.com including screen captures as appropriate. Mac 911 cannot reply to email with troubleshooting advice nor can we publish answers to every question.