Tony Padgett uses FileVault in macOS to encrypt his startup volume. However, it occurred to him that because he routinely updates a bootable clone of that drive, his clone remains unprotected at rest.
After cloning my internal drive to an external, I can take that external clone, plug it into another Mac, and see and read the contents.
This “hole” is not very obvious to the average person. I somehow assumed because FileVault has encrypted my iMac, an encrypted version of it was being cloned to the external drive.
I agree! I understood this because of extensive testing of FileVault, but it’s certainly not immediately obvious if you don’t know how a seemingly identical clone is managed at a low level by macOS.
Tony consulted the folks behind SuperDuper and Carbon Copy Cloner, and they had similar advice, which I paraphrase here, as it works with any cloning solution:
- Change your startup drive to the cloned backup or select it at startup by holding down the Option key after restarting.
- Reinstall macOS in place (not an erase-and-install) on the cloned drive.
- Boot from the clone.