The default approach for storing files on drives other than your boot drive is to get an external storage device and then copy your files to it; however, by doing so you leave open the possibility of someone getting your drive and accessing your data. To secure the files you place on such drives, there are several approaches you can take, including encrypting files or the drive itself, and using special setups to require two or even more physical drives be attached before you can access the data on them.
If you are using a modern version of OS X, such as Yosemite or El Capitan, then you can use Apple’s built-in drive encryption options, which will convert your external drive to a managed virtual device, and then encrypt it. This requires the drive to be formatted with Apple’s native GUID partitioning scheme, which can be done quickly with Apple’s Disk Utility program.
When done, you can right-click the drive in the Finder where you will see an option to encrypt the drive. Select this and enter a password when prompted, and after a few moments the drive will be encrypted.
An alternative to full disk encryption is to create encrypted disk images that you can store on the drive. An image is a file that serves as a virtual disk, where when opened it will mount a file system just as if you had inserted a USB drive. However, being just a file means it has many unique options for handling data, including the option to encrypt its contents. To create an encrypted disk image, open Disk Utility and choose New Blank Image from the File > New menu. Then set your desired size (ie, just shy of the size of your external drive), followed by choosing either 128- or 256-bit encryption for the drive.
When you do this, you will supply a password for unlocking the drive, set any additional partitioning options if desired (though the defaults should be used in most cases), and then save the image file. To use this image, you can copy it to wherever you would like, and then to load the disk stored in it, just double-click it.
Disk images have superior encryption options than whole-disk encryption, and are more portable in that you can upload them and transfer them across a network. Their drawback is that you will be required to specifically open them, so if stored on a USB drive, you will have to insert the drive, then open the image file in order to access the content.
Encryption is an excellent way to secure your files, especially on portable media; however, you can also secure files by requiring two or more physical drives be present before you can read data on them. To do this, you use an option to span a logical volume across two physical drives. Apple supports two approaches for this: AppleRAID and CoreStorage.
AppleRAID is a software-based RAID technology that has been with the Mac OS for years, and can be used to combine two or more drives into single volumes. It does have some limitations like requiring the drives to be the same size, but can be used to generate a situation where you will not have access to drive data unless all volumes are present and attached.
With two drive’s formatted and ready to be used, create your RAID with the following procedure:
- Open the Terminal and run the following command:
- Note the drive names for the external volumes, which will be something like “disk1,” “disk2,” etc.
- Run the following command to create a basic RAID:
diskutil appleRAID create concat MyRAID jhfs+ disk1 disk2
In this last command, you can use “concat” as shown, or use “mirror” or “stripe” as alternative RAID options. These change how data is stored on the drives, either for more redundancy or for more storage space. Concatenation is a basic way to simply combine two storage drives in series, and is the simplest option. Beyond this, you can change the resulting volume name from MyRAID to something else, and be sure to use the appropriate drive devices for your external volumes in place of “disk1” and “disk2.” Note that since you will be accessing external drives, for data safety its best to first eject all drives from your Mac except your boot drives and the USB drives that you want to use for creating the RAID.
When the command is executed, you will see a new drive appear that has the combined storage of its member drives (ie, two 4GB drives will result in an 8GB volume to use). You can eject the storage volume, and then unplug both drives. Now in order for the drive to be mounted, you need to re-insert both drives. Just inserting one will show an unmountable storage device, but when you insert the second then OS X will recognize a RAID set and attempt to mount the volume. In this manner, you can create a combined drive for storing files, then give the separate drives to two people, so they both have to be present for the data to be accessed.
The second option for combining drives is to use CoreStorage, where similar to the Fusion Drive that ships with OS X (a combination of SSD and HDD storage), you can combine the storage provided by separate drives and partitions into a single logical volume. I have outlined the details of how to do this here, but briefly the procedure is as follows:
- Unmount and eject all drives from your Mac except the two you wish to combine.
- Open the Terminal and run the following command:
- Note the device identifier of the first drive to add, and the partition (or “slice”) identifier of the second partition you want to combine with this initial drive. They will be something like “disk3” for the device identifier, and “disk4s2” for the second available partition (see the article linked above for more details on this).
- Run the following command to combine the drives:
diskutil cs create GROUPNAME disk3 disk4s2
Note that in this command, the disk and partition identifiers are the ones you found above, and the “groupname” is the name of the collection of disks. This is an internal name that you will not show as the volume name, but is important for the final step, which is to run the following command to create the storage volume that you will be using:
diskutil cs createVolume GROUPNAME jhfs+ "VOLUME NAME" 100%
There are many components in this command that can be adjusted for customization, such as using 50% instead of 100% to use only half of the available storage space for your volume. However, for basic clarity the command includes the groupname you created above when combining the drives, followed by “jhfs+” to indicate a journaled HFS+ volume format is desired, and then the volume name or label (put in quotes if it contains spaces), and finally the amount of the available space in the volume group to use. As noted above, 100% uses all of the available space.
When done, attaching both of these drives to a Mac in any order will have OS X recognize an available CoreStorage drive and then mount the volume you created on it. When you eject it you will be able to remove both drives from your Mac, and separate them for security purposes, if needed. Being a CoreStorage volume, you can also right-click it when mounted in OS X and choose the option to encrypt its data, for an additional security layer.