OS X Lion: FileVault-Encrypt external HDD with "Home" on it

UPDATE: The solution described below still works with the just released Mac OS X 10.7.1. (Aug 16, 2011)

So, I have this urge for security when it comes to my personal data. I really love how FileVault2 in OS X 10.7 Lion doesn't just encrypt a user's home directory but the whole disk.
What I learned today: this doesn't work for power users, and if power users do get it to work, there's a creepy and scary and dangerous monster lurking in the dark. A bug.

This is the story of how I managed to encrypt my external (or rather: second) HDD with the home directory on it, how I rebooted my machine and couldn’t mount that device during boot/login anymore, how I logged in as a second user and couldn’t mount that device anymore (even with superuser privileges), how I almost started crying, how I thanked Steve for TimeMachine and how I found a bug that luckily others found before me and developed workarounds for it.

But let’s do this step by step…

The Problem

Like many power users I upgraded my MacBook Pro with an SSD. I have my System and my Apps on that SSD; the rest (= the home directory) is on a second HDD that sits where the optical drive used to sit.

FileVault2 brings some great improvements over the old version. The fact that it encrypts whole drives is especially great. I have used this feature since the second or third developer preview of Lion and never ran into any problems.
It was only this morning that I found out that activating FileVault2 will indeed encrypt the whole disk, but only that disk. Meaning: my system and my apps were encrypted, while the data I really value was just lying around on the second HDD without any protection.

I already knew that one can encrypt external devices using FileVault2 by starting Disk Utility and ERASING AND REFORMATTING the whole device. There had to be another way, since FileVault2 encrypted my whole SSD with the System and Apps on it without erasing everything first.

The Solution

The one logical step when you want to find out anything about Lion's new features is to go to Siracusa's review of it. Sure enough, he has an in-depth section on FileVault2.

That is where I learned how I could easily check which drives/partitions are encrypted and which aren't.
The command "diskutil list" in the Terminal app shows a list of all disks and partitions. Here's the output from my Mac:

/dev/disk0
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:      GUID_partition_scheme                        *64.0 GB    disk0
1:                        EFI                         209.7 MB   disk0s1
2:          Apple_CoreStorage                         63.0 GB    disk0s2
3:                 Apple_Boot Recovery HD             792.2 MB   disk0s3
/dev/disk1
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:      GUID_partition_scheme                        *320.1 GB   disk1
1:                        EFI                         209.7 MB   disk1s1
2:                  Apple_HFS Macintosh HD            319.7 GB   disk1s2
/dev/disk2
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:                  Apple_HFS MacBookPro             *62.7 GB    disk2
/dev/disk3
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:     Apple_partition_scheme                        *20.4 GB    disk3
1:        Apple_partition_map                         32.3 KB    disk3s1
2:                 Apple_HFSX sebastianschack         20.4 GB    disk3s2

On disk0 Lion stored the EFI, CoreStorage and the Recovery HD. Disk1 is the secondary HDD, containing nothing but ALL OF MY PERSONAL DATA. Disk2, then, is the boot device (my SSD) with the System and the Apps on it. Disk3 is my MobileMe iDisk.

If you want to see which disks are encrypted, you need to execute the command "diskutil coreStorage list" (or "diskutil cs list"). On my Mac this results in the following output:

CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 23EAAE58-1AB0-49D2-AE80-8BD556B04979
    =========================================================
    Name:         MacBookPro
    Sequence:     1
    Free Space:   0 B (0 B)
    |
    +-< Physical Volume 03D45EC1-91DB-4043-B2CD-0B03A2687865
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk0s2
    |   Status:   Online
    |   Size:     63021330432 B (63.0 GB)
    |
    +-> Logical Volume Family 81D41AEF-E811-4934-B8B2-72FED3FDCDF0
        ----------------------------------------------------------
        Sequence:               9
        Encryption Status:      Unlocked
        Encryption Type:        AES-XTS
        Encryption Context:     Present
        Conversion Status:      Complete
        Has Encrypted Extents:  Yes
        Conversion Direction:   -none-
        |
        +-> Logical Volume EBD69020-2732-49B1-8F09-FC2C249154CD
            ---------------------------------------------------
            Disk:               disk2
            Status:             Online
            Sequence:           4
            Size (Total):       62702559232 B (62.7 GB)
            Size (Converted):   -none-
            Revertible:         Yes (unlock and decryption required)
            LV Name:            MacBookPro
            Volume Name:        MacBookPro
            Content Hint:       Apple_HFS

This means nothing more than: disk2 is encrypted, nothing else is.

Success!

Without giving it much more thought, I decided to go for it and executed the following command, which converts a disk into an encrypted one WITHOUT erasing its contents first:

Sebastians-MacBook-Pro:~ iSchack$ diskutil cs convert disk1s2 -passphrase TOPSECRET
Started CoreStorage operation on disk1s2 Macintosh HD
Resizing disk to fit Core Storage headers
Creating Core Storage Logical Volume Group
Attempting to unmount disk1s2
Switching disk1s2 to Core Storage
Couldn't unmount disk1s2; converted volume won't appear until it's unmounted
Core Storage LVG UUID: BE41A2CF-2AD8-4D21-9804-603BA0602729
Core Storage PV UUID: 2213C36B-5CA2-42FD-AE22-93C6F2529F66
Core Storage LV UUID: BD1A069A-9301-476E-8F12-A45BF3E4BF64
Finished CoreStorage operation on disk1s2 Macintosh HD
Encryption in progress; use `diskutil coreStorage list` for status

This means: everything went well, except that the disk couldn't be unmounted (probably because it is in use), and that it won't show up until it's unmounted (and re-mounted) again. Furthermore the encryption itself is in progress, and that progress will be shown when you enter the command "diskutil coreStorage list".

This, too, showed me that everything seemed to have worked well. The second disk showed up as being encrypted (the disk in question is now called disk3 but that’s OK, since Lion had to add a Logical Volume Group and renumber a few things):

CoreStorage logical volume groups (2 found)
|
+-- Logical Volume Group 23EAAE58-1AB0-49D2-AE80-8BD556B04979
|   =========================================================
|   Name:         MacBookPro
|   Sequence:     1
|   Free Space:   0 B (0 B)
|   |
|   +-< Physical Volume 03D45EC1-91DB-4043-B2CD-0B03A2687865
|   |   ----------------------------------------------------
|   |   Index:    0
|   |   Disk:     disk0s2
|   |   Status:   Online
|   |   Size:     63021330432 B (63.0 GB)
|   |
|   +-> Logical Volume Family 81D41AEF-E811-4934-B8B2-72FED3FDCDF0
|       ----------------------------------------------------------
|       Sequence:               10
|       Encryption Status:      Unlocked
|       Encryption Type:        AES-XTS
|       Encryption Context:     Present
|       Conversion Status:      Complete
|       Has Encrypted Extents:  Yes
|       Conversion Direction:   -none-
|       |
|       +-> Logical Volume EBD69020-2732-49B1-8F09-FC2C249154CD
|           ---------------------------------------------------
|           Disk:               disk1
|           Status:             Online
|           Sequence:           4
|           Size (Total):       62702559232 B (62.7 GB)
|           Size (Converted):   -none-
|           Revertible:         Yes (unlock and decryption required)
|           LV Name:            MacBookPro
|           Volume Name:        MacBookPro
|           Content Hint:       Apple_HFS
|
+-- Logical Volume Group BE41A2CF-2AD8-4D21-9804-603BA0602729
    =========================================================
    Name:         Macintosh HD
    Sequence:     1
    Free Space:   0 B (0 B)
    |
    +-< Physical Volume 2213C36B-5CA2-42FD-AE22-93C6F2529F66
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk2s2
    |   Status:   Online
    |   Size:     319728959488 B (319.7 GB)
    |
    +-> Logical Volume Family 8BC96A5B-626C-4396-8033-6DEFCFCBF0B7
        ----------------------------------------------------------
        Sequence:               7
        Encryption Status:      Unlocked
        Encryption Type:        AES-XTS
        Encryption Context:     Present
        Conversion Status:      Converting
        Has Encrypted Extents:  Yes
        Conversion Direction:   forward
        |
        +-> Logical Volume BD1A069A-9301-476E-8F12-A45BF3E4BF64
            ---------------------------------------------------
            Disk:               disk3
            Status:             Online
            Sequence:           4
            Size (Total):       319410188288 B (319.4 GB)
            Size (Converted):   40720924672 B (40.7 GB)
            Revertible:         Yes (unlock and decryption required)
            LV Name:            Macintosh HD
            Volume Name:        Macintosh HD
            Content Hint:       Apple_HFS
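
The check done by hand above (which logical volume groups are encrypted, and how far a running conversion has got) can be scripted. The following is an added shell example, not part of the original post or of diskutil itself: it reads a "diskutil cs list" listing on stdin and prints one summary line per Logical Volume Group; the sample listing it runs against is constructed from the output above.

```shell
#!/bin/sh
# Summarise `diskutil cs list` (read on stdin): one line per Logical Volume Group with
# the logical volume's disk id, encryption/conversion status and conversion progress.
cs_summary() {
  awk '
    # Human-readable size from "NNN B (N.N GB)", or "-none-" when absent
    function paren(s) {
      if (match(s, /\([0-9.]+ [A-Z]+\)/)) return substr(s, RSTART + 1, RLENGTH - 2)
      return "-none-"
    }
    function emit() {
      if (name != "") printf "%s (%s): encryption=%s conversion=%s converted=%s total=%s\n", name, disk, enc, conv, done, total
    }
    /Logical Volume Group/ { emit(); name = ""; disk = enc = conv = done = total = "?"; in_lv = 0 }
    /^[| ]*Name:/ && name == "" { sub(/^[| ]*Name:[ ]*/, ""); name = $0 }
    /Encryption Status:/ { enc = $NF }
    /Conversion Status:/ { conv = $NF }
    # Only the Disk: under "Logical Volume <UUID>" is the mountable LV, not the PV partition
    /Logical Volume [0-9A-F-]+$/ { in_lv = 1 }
    in_lv && /Disk:/ { disk = $NF; in_lv = 0 }
    /Size \(Total\):/ { total = paren($0) }
    /Size \(Converted\):/ { done = paren($0) }
    END { emit() }
  '
}
# Constructed sample, trimmed from the listing on this page (not live output).
sample_listing() {
  cat <<'EOF'
CoreStorage logical volume groups (2 found)
+-- Logical Volume Group 23EAAE58-1AB0-49D2-AE80-8BD556B04979
|   Name:         MacBookPro
|   +-< Physical Volume 03D45EC1-91DB-4043-B2CD-0B03A2687865
|   |   Disk:     disk0s2
|   +-> Logical Volume Family 81D41AEF-E811-4934-B8B2-72FED3FDCDF0
|       Encryption Status:      Unlocked
|       Conversion Status:      Complete
|       +-> Logical Volume EBD69020-2732-49B1-8F09-FC2C249154CD
|           Disk:               disk1
|           Size (Total):       62702559232 B (62.7 GB)
|           Size (Converted):   -none-
+-- Logical Volume Group BE41A2CF-2AD8-4D21-9804-603BA0602729
    Name:         Macintosh HD
    +-< Physical Volume 2213C36B-5CA2-42FD-AE22-93C6F2529F66
    |   Disk:     disk2s2
    +-> Logical Volume Family 8BC96A5B-626C-4396-8033-6DEFCFCBF0B7
        Encryption Status:      Unlocked
        Conversion Status:      Converting
        +-> Logical Volume BD1A069A-9301-476E-8F12-A45BF3E4BF64
            Disk:               disk3
            Size (Total):       319410188288 B (319.4 GB)
            Size (Converted):   40720924672 B (40.7 GB)
EOF
}
# On a real Mac: diskutil cs list | cs_summary
sample_listing | cs_summary
```

A group that reports conversion=Converting is still being encrypted in the background; rebooting before it reaches Complete is what the post goes on to try.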


I didn't really know how to unmount the disk on which my home directory is stored while being logged in, so I did the next best thing: reboot.

New problem and a first work-around…

The machine booted up normally and asked me for my password (as I was used to since I started using FileVault2), then Lion tried to auto-login my default user and failed to do so because disk1s2 couldn't be mounted.
Wait. What? I would expect it to try to mount the disk, learn that it is encrypted and ask me for the password. No, it didn't.

One single word came to my mind. I feared for my data for about five seconds, then started breathing again when I remembered that all my data is backed up with TimeMachine AND Backblaze.

Then I started thinking again. I remembered that I once created a second account on that machine, so that a friend could use it for a day without having direct access to my files.
I logged in as that user and sure enough couldn't mount the disk in question either. Bummer. This did work, however, after I rebooted the machine again and directly logged in as that guest user.

OK, so all of my data was still there. The funny thing is: after logging out (not restarting the machine) and trying to log in as my default user, everything worked well again. This is a work-around and works every time: reboot the machine, log in as a different user, log out again, log in as the main user, start working.
I don't reboot my machine that often, and I am certain I will have forgotten about this the next time I do and will die of a panic/heart attack.
So, I started to investigate some more (= I googled).

The real problem


What FileVault2 does at boot time is: unlocking and mounting the startup volume. What it doesn't do: unlocking ANY other volume before the user is logged in. A user cannot log in when their home directory cannot be found. This seems to be a bug in either FileVault2 or CoreStorage.

Enter my saviour: jridgewell

jridgewell wrote a script that repairs this behaviour and was kind enough to put it up in a Github repository.
This script "allows" the system to unlock and mount CoreStorage encrypted disks at boot time, thus solving my (and his) problem.

All you need to do to get this working for you is enter the following command in the Terminal app:

bash <(curl -s https://raw.github.com/jridgewell/Unlock/master/install.sh)

This downloads and executes the script. You will be asked for your password and for the passphrases needed to unlock both of your encrypted disks. When the script has done its magic, you can reboot your Mac safely and log in as /the/ user.

Published in Allgemein

14 Comments

  1. Mario

    I am in the same situation right now.

    The script sounds nice. I am wondering if the whole thing gets broken with an OS update like 10.7.1 …?

    Mario

    • That will depend on what Apple does/changes in 10.7.1. Maybe they'll even fix this problem themselves?
      You'll want to make sure to keep a second account on the Mac, so that you can do that little trick I described above, in case a 10.7.1 update should break the work-around without fixing the problem itself.

      • Mario

        At the moment, I don't have any encryption enabled. I have an SSD with the system on it and a HDD with my home directory.
        I only want to enable encryption on the HDD.
        Will this work with the script? At the moment I don’t really understand the system with the keychains and the passwords…

        • Well, the script does not encrypt the HDD. It "only" enables the system to mount a second encrypted drive _before_ the user has logged in.
          I don't understand why you'd want to only encrypt the HDD and not the SSD… however, this _should_ work, yes. But it's completely untested (at least by me).

          • Mario

            Mh.. on the SSD there are only programs, no data at all. I just want to keep it performant. Why should I want to encrypt it?
            On the HDD there is all my data; that is what I want to protect.
            I did some testing with a USB stick. It seems to work without encryption of the system disk. The script adds a key to the "system" keychain. Am I right to think that this key is only accessible with my user account although the keychain is called "system"?
            So another user would not have access to this drive?

          • Blast

            hi Mario. what a miss this thing of filevault in lion. ufffff. I have a trouble like yours and had already tried this way of encrypting just the data partition instead of the whole disk, leaving the system partition without encryption so as to have some gain in performance. the bug there is that a malicious user can access the unencrypted system partition to get the password for the encrypted partition since it is stored in the admin keychain 🙁 and the above script does it this way. I downloaded it hoping it encrypts the password but it does the same as other solutions around the net. What other people suggest is to encrypt both partitions or HDDs, so the encrypted data partition keeps its password safe in the encrypted system partition, and with these tricks of scripts and so on, they can boot OK. sorry my english 🙂 hope this helps

  3. jpdoffay

    hi .. i need help and i don't know what to do… similar to what you have done, i updated my MBP 2011 with an SSD and replaced my optical drive with the optibay and installed my 500GB in it. now without realising it i had filevaulted my 500gb and now all is in place and i have moved the required files across and want to format the 500 for clean storage and i simply can't… in all ways possible it tells me that the drive is locked.. mounted… and so many wordings and in simple terms i can't format the drive… please help anyone…

    regards

    jp

  4. Nomrom

    I’m trying to figure out how I can get my files from a TM backup that was encrypted with filevault 1. I have taken the iMac and drive in to the genius bar with no results in getting my files. Any suggestions?
