View Single Post
Old 02-04-2018, 04:09 PM
wildthing wildthing is offline
Registered User
Join Date: Dec 2011
Posts: 30
Encrypted APFS clones

I have several questions regarding encrypted clones and APFS.
  1. This thread describes a method for creating bootable encrypted clones. Does it still work with APFS using the latest SuperDuper?
  2. In the same thread, Dave said "if you want an encrypted backup but don't care about bootability ... you can do that, too...". How would you do that, and does that still work with APFS?
  3. Is it possible to configure a clone such that a unique high-entropy random passphrase is required to decrypt it, and it cannot be decrypted using any of the macOS account passwords that reside in the OS that's been cloned?

The reason for question 3 is that macOS account passwords usually need to be memorized by a human, and therefore tend to have much lower entropy than truly random long passphrases. Furthermore my backup drives are transported to, and stored in, various offsite locations. For this reason I want this additional level of protection on my backups, compared to my actual computers which stay at home.

Before APFS came along, I was able to create clones which were both bootable and encrypted using SuperDuper, and which required a unique passphrase which was totally distinct from any of the macOS account passwords. I did this by using Disk Utility to first create an HFS+ volume encrypted with a unique high-entropy random passphrase, and then cloning to it using SuperDuper. When I booted from the clone, the following happened:
  • I was FIRST prompted to decrypt the drive - the prompt was usually (but not always) for a user called "[Update Needed]". A this point I HAD to type the unique high-entropy random passphrase for the drive - macOS account passwords were NOT accepted
  • I THEN got a normal macOS login screen where I could select a macOS account, and then log in as normal

When I tried to do the same thing with APFS using the latest SuperDuper 3.1.4, I found that SuperDuper replaced my encrypted APFS volume with a plain old non-encrypted APFS volume - which is not what I wanted.

Has the capability to generate bootable encrypted clones that require a distinct passphrase vanished with the move to APFS?

Last edited by wildthing; 02-04-2018 at 04:19 PM. Reason: Minor edits for clarity
Reply With Quote