I want to encrypt my external drive, but I am required to use a filesystem like exFAT for using the drive on different operating systems like Windows. I wanted to use VeraCrypt for this purpose, but I noticed that it requires a system kernel extension on macOS, and from what I understood, it isn’t very secure.
Are there other options available? I thought of using Cryptomator, but I don’t know if its suitable for encrypting a drive.
Yes you should not use kernel extension. macOS 10.15 introduced system extensions to move away from kernel extension. You can find more information about them here.
Unfortunately there is no true cross-platform encryption as there is no encryption standard that is recognisable across platforms. Third-party encryption solutions ends up, sooner or later, causing problems.
The solutions I can think of
Using a VM with USB pass-through (e.g: parallels on macOS)
creating two partitions of the device using two different file formats.
Encrypt files/folder with something like openpgp
I am not sure about cryptomator as I have never used it.
I am not sure if this is possible; You may be able to set up a Network drive where decryption and encryption handle on the network side
First of all, there is no “system kernel extension,” there are system extensions (run between kernel and user space) and kernel extensions (run in kernel space.) I think @sbeve 's answer is causing confusion. The macFUSE addon required for VeraCrypt or Cryptomator already uses system extensions and have deprecated kernel extensions, so it is using the latest security and abides to latest Mac development standards. Unfortunately it is impossible to not install any system or kernel extension and just let the encryption app run in user space, or the app won’t be able to integrate with Finder & the file system. Because of this, you should choose a open-source and reputable app to encrypt your external drive, VeraCrypt and Cryptomator being good choices that are 3rd-party audited for security and shouldn’t contain backdoors.
I am using VeraCrypt right now, and as you can see when I run kextstat -l | grep -v com.apple there is no output, because the app doesn’t install kernel extensions, while systemextensionsctl list outputs the system extension installed by macFUSE (required to run VeraCrypt). The insecure kexts are already deprecated and now there is not much added security risk from running these encryption apps.
VeraCrypt is made for encrypting local storage while Cryptomator is made for encrypting cloud storage.