Encrypting Another Partition Using FileVault 2 on OSX Lion
Sat Aug 06 12:10:00 -0700 2011
After installing a second drive with my home folder on it in my MacBook Pro, I noticed that FileVault 2 had only encrypted my main volume.
This was a problem, because most of the sensitive data is on the second volume, with my home folder. So it had to be fixed.
The solution is quite simple:
- Log into (or create and log into) a secondary administrator account; I call mine “restore”.
- Make sure the second account has its home folder on the main internal OS drive (not out on the secondary drive where your home folder is).
- Once logged in as the restore user, find the device name of the secondary drive using df; in my case it is /dev/disk0s2:
$ df
Filesystem 512-blocks Used Available Capacity Mounted on
/dev/disk2 466560312 169368416 296679896 37% /
devfs 392 392 0 100% /dev
/dev/disk0s2 976101344 558685488 417415856 58% /Volumes/data
map -hosts 0 0 0 100% /net
map auto_home 0 0 0 100% /home
- Once logged in, run the following command from the shell:
sudo diskutil coreStorage convert /dev/disk0s2 -passphrase 'password'
Make sure you change 'password' to something you will never forget :)
- The system will start encrypting your drive. Hopefully you have no open files on the secondary drive, so that the system can unmount and remount your drive and start encrypting.
- Complete the steps below.
This works; however, there is a problem. With your home folder now on the second drive, that drive has to be unlocked BEFORE you can log in. As you need to log in to get access to your keychain, this presents a chicken-and-egg problem.
The solution is a great script created by Mr Ridgewell called Unlock.
- Before you log out of the restore user (assuming you didn’t need to reboot to start the encryption process due to open files), run the following from the terminal:
$ bash <(curl -s https://raw.github.com/jridgewell/Unlock/master/install.sh)
This will prompt you with “Do you want to automatically unlock this drive at boot?” for each encrypted volume it detects other than the boot partition. If you say yes, you’ll need to enter the password for that drive.
- Once this process is complete, restart your Mac, boot up and log into your normal user account; you should be all good. Further, if you go into Disk Utility, you will see that the File System type has changed to “Mac OS Extended (Journaled, Encrypted)” for both your main internal and secondary volumes.
Obviously, this is only safe if your main boot partition is also protected via FileVault; otherwise the unlock key for the secondary drive would be stored in plain text on the boot partition. However, I am assuming you have FileVault 2 turned on for the main boot partition.
blogLater
Mikel
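The procedure above, wrapped in a small POSIX shell script as an added example (this is not code from the original post or from the Unlock project). It locates the device behind a mount point from df output the same way the post does by eye, refuses to convert the volume mounted at /, checks the Conversion Status line of `diskutil coreStorage list` so you can wait for it to leave “Converting” before rebooting (the failure the comment thread below describes), and passes the passphrase to diskutil on stdin instead of on the command line. The `-stdinpassphrase` flag is an assumption not on the page; confirm it in `diskutil coreStorage` usage on your OS X version before running without DRY_RUN. The df and diskutil output embedded in the script is constructed sample data.

```sh
#!/bin/sh
# Added example; not code from the original post or the Unlock project.
# Assumption (not on the page): diskutil's -stdinpassphrase flag.

# Constructed sample df output, laid out like the post's listing.
SAMPLE_DF='Filesystem 512-blocks Used Available Capacity Mounted on
/dev/disk2 466560312 169368416 296679896 37% /
devfs 392 392 0 100% /dev
/dev/disk0s2 976101344 558685488 417415856 58% /Volumes/data
map -hosts 0 0 0 100% /net
map auto_home 0 0 0 100% /home'

# Constructed sample of the one relevant line from `diskutil coreStorage list`.
SAMPLE_CS_LIST='    Conversion Status:     Converting'

# device_for_mount MOUNTPOINT [DF_OUTPUT]
# Prints the /dev/ node whose mount point (last df column) equals MOUNTPOINT.
device_for_mount() {
    printf '%s\n' "${2:-$(df)}" |
        awk -v m="$1" '$NF == m && $1 ~ /^\/dev\// { print $1; exit }'
}

# is_boot_device DEVICE [DF_OUTPUT]: succeeds when DEVICE is mounted at /.
is_boot_device() {
    printf '%s\n' "${2:-$(df)}" |
        awk -v d="$1" '$1 == d && $NF == "/" { f = 1 } END { exit !f }'
}

# conversion_status [CS_LIST_OUTPUT]
# Prints the value after "Conversion Status:", e.g. "Converting". Do not reboot
# while it still says Converting; a commenter below lost access that way.
conversion_status() {
    printf '%s\n' "${1:-$(diskutil coreStorage list)}" |
        awk -F: '/Conversion Status/ { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# convert_command DEVICE: the diskutil invocation. -stdinpassphrase (assumed)
# keeps the passphrase out of `ps` output and shell history, unlike the
# -passphrase 'password' form on argv used in the post.
convert_command() {
    printf 'diskutil coreStorage convert %s -stdinpassphrase\n' "$1"
}

# encrypt_secondary MOUNTPOINT [DF_OUTPUT]
# DRY_RUN=1 (the default) only reports what would run. Returns 1 when nothing
# is mounted there and 2 when MOUNTPOINT is the boot volume.
encrypt_secondary() {
    df_out=${2:-$(df)}
    dev=$(device_for_mount "$1" "$df_out")
    if [ -z "$dev" ]; then
        echo "no /dev device mounted at $1" >&2
        return 1
    fi
    if is_boot_device "$dev" "$df_out"; then
        echo "refusing: $dev is the boot volume; FileVault 2 in System Preferences covers it" >&2
        return 2
    fi
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "would run: $(convert_command "$dev")"
        return 0
    fi
    # Read the passphrase without echo and hand it to diskutil on stdin.
    printf 'Passphrase for %s: ' "$dev" >&2
    stty -echo; read -r pass; stty echo; echo >&2
    printf '%s' "$pass" | sudo $(convert_command "$dev")
}
```

Usage: `DRY_RUN=1 encrypt_secondary /Volumes/data` prints the command it would run; `DRY_RUN=0` runs it. After starting the conversion, poll `conversion_status` until it no longer reports Converting before you log out or reboot. The reason for reading the passphrase from stdin is that anything placed on a command line is visible to every local user through `ps` and lands in the shell history file, which defeats the point of choosing a strong passphrase.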




Sat Nov 05 10:11:54 -0700 2011
I just found the place where the password is stored. It is in the keychain. But as I said, the password stored is exactly as I set it, and if I re-try it, it fails again…
So it is not because I set a wrong password.
The failure is because of another reason.
Could it be that it failed because the encryption process didn’t finish and I rebooted the machine?
It is true that I rebooted the machine, but the process looked finished because I got this message in terminal:
“Finished CoreStorage operation on disk1s2 DESK-MAC-DAT”
Now that I know that the problem is not because of a wrong password, what else could I do?
Try to re-encrypt it? Or will this make it worse?
I don’t know what to do. If you, Mikel, could give me any advice, I would really appreciate it.
Sat Nov 05 10:17:23 -0700 2011
I checked again the output of the command “diskutil coreStorage list”.
The entry of the disk I was encrypting says:
“Conversion Status: Converting”
Could this mean that even though I rebooted the machine, the encryption process is still running? And maybe when this encryption finishes, I will be able to unlock it?
This would be great. Could anyone confirm this?
Sat Nov 05 10:20:17 -0700 2011
I don’t think so because I don’t see any diskutil process running in the activity monitor.
The question is: shall I execute the “diskutil coreStorage convert” command again to see if the encryption continues where it was left?
Or could this make things even worse?
I’m gonna wait for an answer from somebody before proceeding again with the encryption.
Sat Nov 05 10:36:11 -0700 2011
Well… if I retry the encryption, it says:
“Error converting disk to CoreStorage: The target disk is already in use by Core Storage (-69753)”
But I’m afraid that this doesn’t mean that the encryption process is still running. I don’t see the process and in fact the volume is unmounted because it can’t be unlocked.
So probably this means that this hard drive is currently in nowhere’s land so probably it would be better to give up and reformat it and at least get back an empty disk to fill it up again.
As I said, my Dropbox stuff is backed up. My biggest problem is that I had my home there, and the most important information I had there was my iTunes and iPhoto files. So it looks like I lost forever all the music and pictures of my whole life and the backed-up profiles of my iPhone and iPad, so probably my iDevices will get reset next time I try to connect to a new iTunes that of course won’t recognize them.
Tue Nov 08 02:39:09 -0800 2011
I got back all my stuff.
Just to let everybody know in case that this happens to other people.
I think that the reason that this encryption failed was because I interrupted the encryption process in the middle.
I thought that this was going to be like the FileVault 2 encryption in Settings, where if you reboot the machine, as soon as you are logged in again, it simply continues.
For some reason, the encryption failed; it didn’t continue and was stuck in the middle of the encryption process. This was the reason for my problem of not being able to decrypt my hard drive after login, and also what made it possible for me to get all my stuff back.
For the operating system this was an encrypted hard drive. The password didn’t work because the encryption process didn’t finish, so for some reason putting in the right decryption password didn’t work.
Then I used Data Rescue 3; as the hard drive was not completely encrypted, for this application it was still possible to reach all the not-yet-encrypted data. After scanning the hard drive for several hours, Data Rescue 3 found all the stuff there with the right folder hierarchy, and from there I was able to get back all my stuff.
Just in case this could help anybody in a similar situation.
Tue Nov 08 19:27:46 -0800 2011
Thank you for a great post. Encryption on my secondary hd in progress!
Sun Jan 01 23:54:33 -0800 2012
I have tried encryption on my secondary hd already! It works.
Tue Jan 10 01:50:34 -0800 2012
I will try to use your advice for the new encryption. Seems to be really strong and safe. I will be back with reviews.
Wed Jan 11 06:51:51 -0800 2012
Maybe the above code will work. I want a simple solution for this situation!
Tue Jan 17 01:36:51 -0800 2012
Thanks for a brilliant effort in posting your article. No one can be more informative than this. Many things I came to know only after reading your wonderful article.
Tue Jan 24 05:45:40 -0800 2012
Isn’t there a simpler solution? I mean, not everybody is so techie and might not succeed, and it could end up worse if you mess up the partition.
Mon Feb 13 01:45:18 -0800 2012
I will try to use your code for my future projects. Seems to be a simple way to protect my data.
Sun Feb 19 03:13:33 -0800 2012
Indeed… seems to work just fine. I will use it in the future.