Options for securing external storage in OS X

USBDriveIconXThe default approach for storing files on drives other than your boot drive is to get an external storage device and then copy your files to it; however, by doing so you leave open the possibility of someone getting your drive and accessing your data. To secure the files you place on such drives, there are several approaches you can take, including encrypting files or the drive itself, and using special setups to require two or even more physical drives be attached before you can access the data on them.

Encryption options

If you are using a modern version of OS X, such as Yosemite or El Capitan, then you can use Apple’s built-in drive encryption options, which will convert your external drive to a managed virtual device, and then encrypt it. This requires the drive to be formatted with Apple’s native GUID partitioning scheme, which can be done quickly with Apple’s Disk Utility program.

When done, you can right-click the drive in the Finder where you will see an option to encrypt the drive. Select this and enter a password when prompted, and after a few moments the drive will be encrypted.

This approach is perhaps the easiest to use, especially since you can store the drive’s password in your keychain, so on systems that you regularly use you can just insert the drive to have it automatically unlock.

An alternative to full disk encryption is to create encrypted disk images that you can store on the drive. An image is a file that serves as a virtual disk, where when opened it will mount a file system just as if you had inserted a USB drive. However, being just a file means it has many unique options for handling data, including the option to encrypt its contents. To create an encrypted disk image, open Disk Utility and choose New Blank Image from the File > New menu. Then set your desired size (ie, just shy of the size of your external drive), followed by choosing either 128- or 256-bit encryption for the drive.

When you do this, you will supply a password for unlocking the drive, set any additional partitioning options if desired (though the defaults should be used in most cases), and then save the image file. To use this image, you can copy it to wherever you would like, and then to load the disk stored in it, just double-click it.

Disk images have superior encryption options than whole-disk encryption, and are more portable in that you can upload them and transfer them across a network. Their drawback is that you will be required to specifically open them, so if stored on a USB drive, you will have to insert the drive, then open the image file in order to access the content.

Multi-disk approaches

Encryption is an excellent way to secure your files, especially on portable media; however, you can also secure files by requiring two or more physical drives be present before you can read data on them. To do this, you use an option to span a logical volume across two physical drives. Apple supports two approaches for this: AppleRAID and CoreStorage.

AppleRAID is a software-based RAID technology that has been with the Mac OS for years, and can be used to combine two or more drives into single volumes. It does have some limitations like requiring the drives to be the same size, but can be used to generate a situation where you will not have access to drive data unless all volumes are present and attached.

With two drive’s formatted and ready to be used, create your RAID with the following procedure:

  1. Open the Terminal and run the following command:
    diskutil list
  2. Note the drive names for the external volumes, which will be something like “disk1,” “disk2,” etc.
  3. Run the following command to create a basic RAID:
    diskutil appleRAID create concat MyRAID jhfs+ disk1 disk2

In this last command, you can use “concat” as shown, or use “mirror” or “stripe” as alternative RAID options. These change how data is stored on the drives, either for more redundancy or for more storage space. Concatenation is a basic way to simply combine two storage drives in series, and is the simplest option. Beyond this, you can change the resulting volume name from MyRAID to something else, and be sure to use the appropriate drive devices for your external volumes in place of “disk1” and “disk2.” Note that since you will be accessing external drives, for data safety its best to first eject all drives from your Mac except your boot drives and the USB drives that you want to use for creating the RAID.

When the command is executed, you will see a new drive appear that has the combined storage of its member drives (ie, two 4GB drives will result in an 8GB volume to use). You can eject the storage volume, and then unplug both drives. Now in order for the drive to be mounted, you need to re-insert both drives. Just inserting one will show an unmountable storage device, but when you insert the second then OS X will recognize a RAID set and attempt to mount the volume. In this manner, you can create a combined drive for storing files, then give the separate drives to two people, so they both have to be present for the data to be accessed.

The second option for combining drives is to use CoreStorage, where similar to the Fusion Drive that ships with OS X (a combination of SSD and HDD storage), you can combine the storage provided by separate drives and partitions into a single logical volume. I have outlined the details of how to do this here, but briefly the procedure is as follows:

  1. Unmount and eject all drives from your Mac except the two you wish to combine.
  2. Open the Terminal and run the following command:
    diskutil list
  3. Note the device identifier of the first drive to add, and the partition (or “slice”) identifier of the second partition you want to combine with this initial drive. They will be something like “disk3” for the device identifier, and “disk4s2” for the second available partition (see the article linked above for more details on this).
  4. Run the following command to combine the drives:
    diskutil cs create GROUPNAME disk3 disk4s2

Note that in this command, the disk and partition identifiers are the ones you found above, and the “groupname” is the name of the collection of disks. This is an internal name that you will not show as the volume name, but is important for the final step, which is to run the following command to create the storage volume that you will be using:

diskutil cs createVolume GROUPNAME jhfs+ "VOLUME NAME" 100%

There are many components in this command that can be adjusted for customization, such as using 50% instead of 100% to use only half of the available storage space for your volume. However, for basic clarity the command includes the groupname you created above when combining the drives, followed by “jhfs+” to indicate a journaled HFS+ volume format is desired, and then the volume name or label (put in quotes if it contains spaces), and finally the amount of the available space in the volume group to use. As noted above, 100% uses all of the available space.

When done, attaching both of these drives to a Mac in any order will have OS X recognize an available CoreStorage drive and then mount the volume you created on it. When you eject it you will be able to remove both drives from your Mac, and separate them for security purposes, if needed. Being a CoreStorage volume, you can also right-click it when mounted in OS X and choose the option to encrypt its data, for an additional security layer.

7 thoughts on “Options for securing external storage in OS X

  1. Jim Chaffin

    “I have outlined the details of how to do this here (), but briefly the procedure is as follows:” I think a link to a fuller description to this method must have leaked out of some Internet tube! Electrons are really, really small, ya know! :-O

  2. Scott Bayes

    Not sure that the idea of using RAID orCoreStorage is good for securing data. Even though the drives may not be normally mountable if one of the set is unavailable (which leads to concerns over data safety), since you are apparently suggesting no encryption need be used, sector-scans of the unmounted drive could reveal lots of interesting info. Especially concat or “spanning” mode.

    Mounting is for wusses. Real men use raw drive access.

    1. B. Jefferson Le Blanc

      Topher is describing choices, not recommending one over the other. Pick the one that suits your needs. I would be inclined to use whole drive encryption because it is the easiest to implement for a common user like me. The others are for gear-heads. In any case, no encryption scheme is bullet-proof. If you want to hide something from the NSA, bury it on the moon.

    2. Gary Dauphin

      I have to agree with you. All it would take is for one drive to fail or get lost and your whole dataset could be useless.

  3. Walter Johnson

    “If you want to hide something from the NSA, bury it on the moon.”

    Nope, the NSA has a back-door on the moon. You haven’t been paying attention.

Comments are closed.