Tony Padgett uses FileVault in macOS to encrypt his startup volume. However, it occurred to him that because he routinely updates a bootable clone of that drive, his clone remains unprotected at rest.
After cloning my internal drive to an external, I can take that external clone, plug it into another Mac, and see and read the contents.
This “hole” is not very obvious to the average person. I somehow assumed because FileVaut has encrypted my iMac, an encrypted version of it was being cloned the external drive.
I agree! I understood this because of extensive testing of FileVault, but it’s certainly not immediately obvious if you don’t know how a seemingly identical clone is managed at a low level by macOS.
Tony consulted the folks behind SuperDuper and Carbon Copy Cloner, and they had similar advice, which I paraphrase here, as it works with any cloning solution:
- Change your startup drive to the cloned backup or select it at startup by holding down the Option key after restarting.
- Reinstall macOS in place (not an erase-and-install) on the cloned drive.
- Boot from the clone.
- Enable FileVault in the Security & Privacy system preference pane.
- Select the original drive in the Startup Volume preference pane (you don’t have to wait for encryption to complete; it will continue in the background whenever the drive is mounted).
- Restart and ensure you’re now booted from the original drive.
All subsequent operations on that drive will be encrypted.
Carbon Copy Cloner’s documentation offers a slight variant because that software can install the Recovery partition and files onto a clone. You can bypass the system reinstall as a result.
There’s an alternative to this that doesn’t result in a bootable clone but does result in a clone that you can restore to a Mac via macOS Recovery.
You can encrypt any drive in the Finder with a unique password that’s not connected to FileVault.
- Select any drive.
- Right-click and select Encrypt “Drive Name.”
- Set a password by clicking the key icon and choosing one from the Password Assistant or creating one of your own. Warning: Save this password somewhere secure. Without it, you can be locked out of that drive’s contents forever.
- Click Encrypt Disk.
You can then use any cloning program, including a feature within Disk Utility, to create a disk image on that encrypted mounted drive to which the startup drive is cloned.
While you can’t boot from a disk image in macOS, you can restore a startup volume from a disk image via Recovery, even if the drive on which the disk image is located has encryption turned on:
- Restart your Mac or startup and hold down Command-R to boot into Recovery.
- Launch Disk Utility.
- Mount the volume in question.
- Enter the encryption password when prompted.
- Now you can right-click the startup volume and choose Restore, then click the Image button to choose the disk image on the mounted, encrypted volume.
I have so rarely needed to boot from a clone that I typically clone multiple computers to a large volume by using disk images. However, I have had to restore damaged systems a few times recently, and used the disk image method above without a hitch.
Ask Mac 911
We’ve compiled a list of the most commonly asked questions we get, and the answers to them: read our super FAQ to see if you’re covered. If not, we’re always looking for new problems to solve! Email yours to firstname.lastname@example.org including screen captures as appropriate. Mac 911 cannot reply to email with troubleshooting advice nor can we publish answers to every question.