Securing your data against unauthorized access is fundamental to the design of Pro Data. Learn how setting up passwords enables strong protection of your data.
All data stored in your Pro Data device is encrypted, with encryption keys protected by a hardware Secure Enclave inside the device. Passwords that you provide are securely authenticated by the Enclave in order to unlock the encryption keys, and enable access to your data from a connected computer. Strong passwords ensure your files cannot be accessed if Pro Data is out of your sight. Whether lost, stolen, or simply left unattended, if an unauthorized user tries to access Pro Data, the Secure Enclave will repel a brute-force attack aimed at guessing your password. Without access to encryption keys, none of your data can be accessed – even if an attacker were to remove the SSD modules.
Pro Data has two levels of password protection: a single mandatory device password which grants access to all containers, and optional per-container custom passwords which can be used to control access to individual containers when collaborating within a workgroup. If you want to encrypt data but not require a password to unlock it, you can also assign no password to a container.
To make security easy and convenient, iodyne Utility integrates seamlessly with macOS Keychain so that once passwords are secured within your macOS account, you won't be prompted to enter them when rebooting your desktop or connecting your laptop.
With the combination of strong encryption, the hardware Secure Enclave, and a simple but powerful scheme for managing passwords, you can feel confident your data is safe on Pro Data. In the rest of this article, you'll see examples of how to configure the different types of passwords.
Device Passwords
Assigning Pro Data a device password is required at initial setup during the Identify & Secure step.
Setting a device password is mandatory. Containers cannot be provisioned until a device password is specified. Be sure to back up your device password in a third-party password management utility, or by backing up your startup drive when the device password is stored in macOS Keychain.
Sharing the device password with multiple containers
A new container can inherit the device password for ease of use. To have a container adopt the device password, select the Inherit password type in the Provision dialog. iodyne Utility will then either validate the device password against the macOS Keychain or, if there is no record to compare against, display a Device Password field for manual entry. If the computer hasn't validated access to Pro Data before, iodyne Utility will request the device password.
Using the device password to access any container
Device passwords can always be used as a fail-safe to gain access to a container when its custom password is lost or unknown. When loaning Pro Data out to a third party, you may need this feature to access or delete their containers upon its return.
Changing the device password
A device password can be changed at any time by selecting Change Password… under the Devices menu in iodyne Utility.
To change a device password, you must provide the current device password, then enter and confirm a new password.
After changing the device password from one computer, you will need to provide the new device password on other computers that share Pro Data when they re-connect: this will refresh the Keychain on your other computers with a saved copy of the new device password.
Custom Container Passwords
A custom container password can be set when provisioning a new container. A custom container password is useful when sharing Pro Data with other computers in a team, where other team members should only have access to a particular container on Pro Data. In iodyne Utility, select Custom as the password type, then provide and confirm the new custom password. Once the container is created, you can share the custom password with team members so they can use Storage Handoff.
Team members can also provision new containers with custom passwords without needing to know the device password, so that the owner of Pro Data does not need to share the device password.
Changing container passwords
Custom container passwords can be changed at any time by using the container Action menu item Change Password…
Either the current container password or the device password must be provided to change a custom container password. To authenticate with the device password, check Use device password in the Change Password dialog.
Password-less Containers
Containers may also have no password assigned when they are provisioned by selecting None from the Type menu in the provisioning dialog. This option may be convenient for testing or sharing containers with computers to offload automated tasks, or when the container is used for public data that has no reason to be protected.
Passwords and Storage Handoff
Pro Data provides Storage Handoff to share containers between connected computers in a workgroup. Suppose Alice and Bob are each working from a Mac laptop connected to Pro Data, and Alice uses iodyne Utility to hand off a container to Bob. Alice's computer safely ejects the container and its filesystem, then Bob's computer attaches the container and mounts its filesystem, and Alice's files are now visible to Bob. When handing off a password-protected container, iodyne Utility will check the macOS Keychain for its password, and prompt Bob if a password is not found.
Pro Data also remembers what computer is attached to each container: if Bob trips over his Thunderbolt cable and yanks it out, Pro Data still knows Bob is using that container. The container will remember this attachment, so that when Bob plugs his cable back in, the attached container and its filesystem will immediately re-mount on Bob's computer for Bob to resume his work.
Storage Handoff allows collaborating users to share data by changing container attachments in real-time. But another situation that may arise is when Pro Data is disconnected from one computer, and connected to a new computer at a later time. For example, if Alice is shooting a video, and has stored her raw footage on Pro Data for Bob, she could ship Pro Data to Bob through the mail as a "shuttle". When Bob connects his computer to Pro Data, he can see the containers in his iodyne Utility, but none of them will mount on his computer, because his computer is not yet attached to any container.
In this situation, knowing that Alice is no longer connected or using her containers, Bob can use iodyne Utility to Attach the containers he wants to use. iodyne Utility will warn that a prior attachment exists, and to override Alice's prior attachment, Bob can Force Attach the container and become the new owner. If the container has a password, Bob will be prompted to enter the password at this time.
Password Security
Device and container passwords are always verified by Pro Data's Secure Enclave. The Secure Enclave also protects the passwords from unauthorized disclosure, and from common attacks like dictionary attacks. When an incorrect device or container password is provided multiple times, the Secure Enclave enters a temporary lockout state, preventing further attempts for a short period of time. The Enclave will automatically exit the lockout state after a certain amount of time, without any intervention required by the user.
Password Backup and Restore
The iodyne Utility stores all passwords in your macOS Keychain. Doing so allows the iodyne Utility to securely retrieve the password when it is needed by the Secure Enclave on Pro Data, without having to prompt you to re-enter it.
If you forget the device password or a container password, or if you need to share a password with another member of your team, you can always view the passwords that iodyne Utility has stored in your macOS Keychain. To learn how, see Recovering your Pro Data device password from macOS Keychain.