Easiest way to encrypt just part of an external SSD?
February 13, 2022 11:03 AM

I have an external SSD that I use for backup - this includes non-confidential family pics, videos, etc. and also confidential docs like tax returns. I use this external drive with multiple machines (Windows, Mac, and Linux). Ideally I don't want to encrypt the whole SSD, but I want to just have one portion or folder on it that is encrypted and password-protected. Easy, cross-platform way to do this?

The reason I don't want to encrypt the whole SSD is I want to make it simple to just back up the non-sensitive stuff like family pics - and also I want to make it easy to recover these files in the event part of the SSD gets corrupted or something. On the other hand, I *do* want to be able to encrypt copies of paperwork with SSNs and so forth. So if I could just have one encrypted folder on the SSD then I could use that to throw in anything confidential.

Since I use it with several different OSs, multi-platform compatibility is a must. It's also a folder I will be constantly writing to (and reading from), so creating encrypted zip files isn't the most convenient solution.

Any ideas on the easiest way to do this?
posted by splitpeasoup to Technology (8 answers total) 7 users marked this as a favorite
 
The easiest cross-platform way to do this is probably VeraCrypt, a maintained descendant of now-abandoned TrueCrypt. You don't want to do it with clever partitioning or platform-specific tools if you're moving between OSes, obvs.
posted by mhoye at 11:33 AM on February 13, 2022 [9 favorites]


You can partition the SSD into multiple drives, and have it show up as if it were two different devices. That would give you a (for example) E:\ drive you could encrypt and an F:\ drive you could leave unencrypted. See Create and Format a Hard Disk Partition (note this will involve wiping the drive).

The non-encrypted side will work across platforms, but AFAIK there's no standard encryption that all three platforms support out of the box. Currently I think the best option there is VeraCrypt, but I suggest you do further research on that, as my knowledge there is some years out of date.
posted by tiamat at 11:33 AM on February 13, 2022 [3 favorites]


Cryptomator is another cross-platform option.
posted by jaden at 2:15 PM on February 13, 2022 [2 favorites]


Seconding TrueCrypt. Works seamlessly across OSs as long as the machine can read the host disk. The initial setup of the encrypted drive takes time; after that it's a simple matter of putting in your password to mount the drive, and reading/writing are not noticeably faster than standard unencrypted file operations. Free and open source.
posted by lhauser at 2:57 PM on February 13, 2022


I want to make it easy to recover these files in the event part of the SSD gets corrupted or something

This point makes my data integrity spidey senses tingle very hard. If your plan in the event of a backup getting corrupted involves doing data recovery from the corrupted drive, I don't believe you have enough backups.

Are you actually using that external SSD as a backup, in which case the correct plan in the case of corruption would be simply to make a new backup of everything that was on it, copying from the original sources onto a fresh drive; or is it in fact a data archive and therefore in need of backing up in its own right?

In either case, the standard best practice of maintaining two identical backups on two separate sets of media, preferably storing one set physically remote from the other most of the time, should make spontaneous data corruption something no longer really worth worrying about.
posted by flabdablet at 11:18 PM on February 13, 2022 [1 favorite]


Also, SSDs are typically a lot less forgiving than spinny disks when it comes to corruption. They're less likely overall to suffer any corruption than a spinny, but unlike spinnies that usually fail a few sectors at a time, the most common SSD failure mode is sudden total refusal to work at all.

This is another factor that makes maintaining additional backups, rather than planning for data recovery, an even sounder option for SSDs than it is for spinnies.
posted by flabdablet at 1:30 AM on February 14, 2022


There are a bunch of ways you could accomplish this, including by partitioning the portable drive so that it appears to the host as multiple devices, and using VeraCrypt in its "full disk" mode on one of them. This would probably get you the best performance.

However, my recommendation is that you keep the entire device as a single volume, formatted as either ExFAT (read/write on all platforms) or NTFS (r/w on Windows and most Linux, r/o on Mac without extra software), and then create a "virtual disk" file of whatever size you need for your confidential docs with VeraCrypt.

The advantage to the latter route (and the reason why I think it's worth the performance hit) is in making backups. It's substantially easier to back up a virtual disk file (even a relatively large, multiple-GB one) than to back up a raw disk partition.
posted by Kadin2048 at 3:38 PM on February 14, 2022
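
Added example, not part of the thread or any poster's words: a small cross-platform Python routine for backing up a container file of the kind described above. It compares content hashes instead of timestamps, because a file container keeps a fixed size and VeraCrypt's default setting preserves the container file's modification timestamp, so timestamp-based sync tools can skip a changed container. The names `sha256_file`, `backup_container` and `vault.hc` are chosen for this example, and the container is assumed to be dismounted before copying.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read 1 MiB at a time; never load a multi-GB file whole


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def backup_container(container, backup_dir):
    """Copy a dismounted container file into backup_dir, verified by hash.

    Returns "unchanged" if the existing copy already matches, else "copied".
    Raises OSError if the new copy does not match the source.
    """
    container, backup_dir = Path(container), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    target = backup_dir / container.name
    source_hash = sha256_file(container)
    # Compare content, not mtime/size: a fixed-size container whose
    # timestamp is preserved looks untouched to timestamp-based tools.
    if target.exists() and sha256_file(target) == source_hash:
        return "unchanged"
    # Write under a temporary name first so an interrupted copy never
    # replaces the last good backup.
    partial = target.with_name(target.name + ".partial")
    shutil.copyfile(container, partial)
    if sha256_file(partial) != source_hash:
        partial.unlink()
        raise OSError("backup copy does not match source: " + str(container))
    os.replace(partial, target)
    return "copied"


if __name__ == "__main__":
    # Constructed demo: random bytes stand in for an encrypted container.
    with tempfile.TemporaryDirectory() as tmp:
        vault = Path(tmp) / "vault.hc"
        vault.write_bytes(os.urandom(4096))
        print(backup_container(vault, Path(tmp) / "copy_a"))
```

Running it once per backup medium gives two independently verified copies of the container.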


What you'd effectively be doing by following Kadin2048's excellent recommendation is implementing a low performance but cross-platform and quite flexible logical volume management system. It's missing a lot of the tools that a full LVMS gives the system administrator, but it's missing most of the complexity as well and for home use that's probably a perfectly sound tradeoff.

But like any LVMS it will make recovery harder if things go wrong enough to make recovery the best option. Personally I would (and have) chosen to organize my own storage systems in such a way that recovery will never be the best option, and I recommend the same mindset to you. Backups, backups, backups.
posted by flabdablet at 10:16 AM on February 15, 2022

