Securing sensitive data

Many of us now have both moral and legal responsibilities to look after some of the information we use on our Macs. Thankfully, there’s now a wide range of different methods to secure data. This article presents a short summary of what you should consider using.

Laws and practices of data protection vary with different legislation around the world, but in general expect you to comply with two principles when it comes to storing sensitive data: it must be secured from access by anyone who isn’t entitled, and it must be safeguarded from loss or damage. A lot of emphasis has been placed on encryption as a means of preventing others from access, but far less on the need to safeguard.

There’s another important issue in how you might need to demonstrate compliance. In many situations, simply being able to justify to yourself that you have exercised due diligence isn’t sufficient, and your equipment, procedures and practices need to comply with accepted standards. Ask yourself: if something did go wrong and someone else were to scrutinise what you did, how could you justify it, perhaps in a court or at an enquiry?

Encrypted sparsebundle or image

These are convenient and essentially free of cost. I’ve explained their basics here, and there are two excellent tools for working with them: C-Command’s DropDMG for disk images, and my own free Spundle for sparsebundles, available from here.

Although I’ve no reason to suspect that their encryption has been broken, one snag with these is that someone can make off with your encrypted data and use brute force and other techniques to decrypt it. In the case of a state or government agency, that may well be a feasible proposition with their existing tools. You also need to make separate provision for safeguarding the data by means of a robust backup system, which again exposes it to the potential for theft.

For modest amounts of data of fairly low sensitivity, this is a cheap option, but you’ll find it hard to demonstrate compliance, and existing standards and codes may not accept that.

Encrypted volume

Unlike HFS+, APFS has native support for encryption, and you can easily enable this when creating any new APFS volume, by selecting its format as APFS (Encrypted) rather than plain APFS. This is different from FileVault whole-disk encryption* used, for example, in Intel Macs with a T2 chip and M1 Macs on their internal SSDs, as it’s not performed in the disk controller, so comes at a performance cost.

If you decide to store your sensitive data on an external SSD in APFS Encrypted format, it should be safe from all but the most serious attacker. Don’t rely on this to be safe from state/government agencies, for example, but this is going to defeat the casual or criminal.

As with encrypted sparsebundles and images, this doesn’t address safeguarding the data from loss or damage, and you’ll have to be very careful if you need to demonstrate compliance. For example, one common requirement is that passwords satisfy criteria on length and content, and may need to be changed periodically: there’s nothing in APFS encryption to ensure those are met, or to provide evidence that they met those criteria.
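As an added example (not from the original post, and not Apple’s own tooling), here is a shell script that creates an APFS (Encrypted) volume with diskutil rather than Disk Utility, and applies a passphrase length and content policy before the passphrase is used, since APFS itself enforces none. It assumes macOS with diskutil, a container id such as disk4 (a placeholder; find yours with `diskutil apfs list`), and a constructed policy of 12 characters with upper, lower and digit.

```shell
#!/bin/sh
# Added example, not from the original post: create an APFS (Encrypted) volume
# on an external SSD from the command line rather than Disk Utility, applying a
# passphrase policy first, since APFS itself enforces no length or content rule.
# Assumptions: macOS with diskutil; the container id and volume name are given
# as arguments, e.g. "disk4 Sensitive" (disk4 is a placeholder; find yours with
# "diskutil apfs list"). The policy values below are constructed for this example.
set -u

MIN_LEN=12   # constructed policy minimum, not an Apple default

# check_passphrase PASS: returns 0 if PASS meets the policy, 1 otherwise.
# Policy: at least MIN_LEN characters, with a lower-case letter, an upper-case
# letter and a digit. Named classes avoid locale surprises with [a-z] ranges.
check_passphrase() {
    p="$1"
    [ "${#p}" -ge "$MIN_LEN" ] || return 1
    case "$p" in *[[:lower:]]*) ;; *) return 1 ;; esac
    case "$p" in *[[:upper:]]*) ;; *) return 1 ;; esac
    case "$p" in *[[:digit:]]*) ;; *) return 1 ;; esac
    return 0
}

# create_encrypted_volume CONTAINER NAME: prompts for the passphrase without
# echo, checks it, and hands it to diskutil on stdin (-stdinpassphrase) so it
# never appears in argv, ps output or shell history.
create_encrypted_volume() {
    printf 'Passphrase for new volume %s: ' "$2" >&2
    stty -echo; IFS= read -r pass; stty echo; echo >&2
    if ! check_passphrase "$pass"; then
        echo "Passphrase rejected: need $MIN_LEN+ chars with upper, lower and digit." >&2
        return 1
    fi
    printf '%s\n' "$pass" | diskutil apfs addVolume "$1" APFS "$2" -stdinpassphrase
    # Verify: the new volume should show "FileVault: Yes" in the container listing.
    diskutil apfs list "$1" | grep -E 'Name:|FileVault:'
}

main() {
    if [ "$#" -ne 2 ]; then
        echo "usage: $0 <apfs-container, e.g. disk4> <volume-name>" >&2
        return 0
    fi
    create_encrypted_volume "$1" "$2"
}
main "$@"
```

Run it as `sh make_encrypted_volume.sh disk4 Sensitive`; the policy check gives you something you can point to when asked how passphrase criteria were enforced, which Disk Utility alone does not.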

Encrypted SSD – in-disk

Several models of SSD offer encryption which is built into the SSD itself, and seems a more transparent alternative to APFS encryption. Unfortunately it’s also a real gamble, and the odds aren’t in your favour. Several researchers have assessed this type of encryption, and found it’s often extremely easy to bypass. As a consequence, Microsoft’s BitLocker, the Windows equivalent of FileVault, stopped trusting in-disk encryption in 2019.

Apple’s T2 and M1 systems include a secure enclave, which is designed to store keys securely. These aren’t trivial, and add significant cost. I’m not aware of any SSD which has a built-in secure enclave which can compare, and some models have been found to store encryption passwords insecurely.

There’s also the problem of Mac compatibility to consider. The overwhelming majority of these encrypting SSDs are aimed at the Windows market, and don’t appear to have been tested against current versions of macOS. As with previous methods, in-disk encryption doesn’t address safeguarding of data or compliance. I don’t recommend this as a solution.

Encrypted SSD – specialist unit

I’ve been reviewing one of the few specialist SSDs which is designed to meet all the criteria above, including compliance with established standards. iStorage offers a range of external storage including its DiskAshur M2, which is a physically hardened external SSD with its own secure enclave processor. It’ll survive crushing, contaminated environments and water, and meets appropriate security standards. It’s fully compatible with Intel and Apple Silicon Macs, and performs well so that you can use it to store working documents.

My major concern with such specialist storage is that it would turn out to be prohibitively expensive, but iStorage products work out at around twice the price of regular SSDs, roughly the same as ‘pro’ quality. That’s around $229/£249 for a 1 TB SSD, and they’re available in sizes from 120 GB to 2 TB. They also support a great deal more than basic encryption. For full details of their performance and features with macOS, please read my forthcoming review in Mac|Life or MacFormat magazine.

If I had to work with sensitive documents, this would now be my first choice.

* Thanks to Thomas Tempelmann for pointing out that this isn’t in fact whole-disk, but macOS determines what is encrypted. It’s therefore different from the whole-disk encryption offered by the last two options, from FileVault on HFS+, and from APFS encrypted volumes on external disks.