hoakley Macs, Technology

What to do with your encrypted HFS+ disks

Among the deprecations brought in macOS Golden Gate is HFS+ encryption using CoreStorage. Apple’s exact words are:
“Encrypted HFS+ (CoreStorage) is deprecated and will not be supported in a future version of macOS. If you use Encrypted HFS+ backups on external drives, begin backing up to encrypted APFS-formatted external drives instead.”

Of course encrypted HFS+ is used far more widely than just in backups. When macOS 28 or later no longer supports it in the future, access to all encrypted HFS+ volumes will be lost when using that version of macOS. If you have a fire-safe full of old encrypted HFS+ external hard disks that would be a problem. This article aims to help you plan what to do.

Archives that are seldom if ever accessed

In many cases, those old encrypted HFS+ volumes are seldom if ever accessed, and you’re only keeping them in case.

In the event you did need to gain access to their contents in the distant future, you could plan on retaining or acquiring an old Mac that could run Golden Gate or earlier macOS that can still read those encrypted volumes. In that case, you should be more concerned about how well your archives will be preserved, and consider transferring them to archival media if needed.

Backups

You really shouldn’t be backing up to HFS+ any more, whether or not it’s encrypted. HFS+ doesn’t support many of the most valuable features of APFS such as sparse files, and is more prone to file system problems. Now is the time to plan your transition to backing up to APFS.

There’s no way to convert or migrate old Time Machine backups to HFS+ into APFS, because the older format is based on directory hard links which aren’t available in APFS. So you will need to close and archive your current backups, and start new backup series to fresh modern storage using APFS. The sooner you do that, the better.

Accessible archives

If you want to retain access to old backups or archives, now is the time to plan how to maintain that into the future.

Hard disks and SSDs aren’t suitable for archival storage. Hard disks suffer magnetic and physical degradation over time, and will progressively lose your data. SSDs are known to be prone to loss of charge, and at the very least should be powered up and checked thoroughly every year or so.

Two types of media have been designed and tested for long-term archival storage: Blu-ray optical discs, particularly M-DISC products, and archival tapes. The latter are expensive and only practical for specialists, but Blu-ray drives and M-DISC media remain widely available at more modest prices. I have described how you can use them in Monterey, and I gather support remains in Golden Gate.

All archival media require careful storage, in cool, dry and dark conditions.

Integrity

If you are to have any confidence that your archived files remain intact and usable, it’s essential to check their integrity when they’re first written to storage and to monitor it periodically thereafter. Although like other optical media, Blu-ray discs use error-correcting code, integrity checking remains important.

For this I have a suite of tools, Dintch, Fintch and the command tool cintch, described in detail in this article. They compute a SHA-256 hash for each file and attach it as an extended attribute with a flag to indicate it should be preserved in most file operations. Checking a file’s integrity is then a matter of calculating its hash and comparing that with that stored in the xattr. As the SHA-256 method is in the public domain, this should work decades into the future when my software and Macs have long since faded into the past.

For the last six years I have been running a long-term integrity test in my iCloud Drive, consisting of 97 image files. When I checked their integrity using Dintch yesterday, all 97 continued to match their SHA-256 hashes, as expected. Periodic sampling tests are important for checking whether archived media are starting to deteriorate.

Summary

For encrypted HFS+ volumes:

  • If they’re just kept in case, and unlikely to be accessed, you can plan to use a Mac that still has access to them, but need to consider transfer to archival storage media.
  • If they’re backups, plan to switch to backing up to APFS. Archive your current backups and start new series on modern storage media.
  • If you do need to access them, plan to transfer them to archival media, such as Blu-ray M-DISC, with careful storage and integrity checking.
  • Don’t put this off any longer: now is the time to start.