Filevault encryption on external disks questions




mpts
Oct 2, 2012, 02:05 PM
Hey there,

I started to like FileVault 2 for my Mac.

Speed
When I formatted my external disk I was prompted whether I wanted to encrypt that disk as well and I turned it on. However it seems that writing to this drive is now super slow, copying a 30GB folder now takes more than an hour (USB3, took a few minutes before). Does anyone experience this as well? I'll add some before/after write speed tests later.

Security
What does actually happen to an encrypted disk? Can I access my data on other Macs? What if it gets stolen, is it as secure as the disk within my Macbook or can someone still access the data using a Windows machine or something similar?

Thanks guys!



Mal
Oct 2, 2012, 02:29 PM
An encrypted disk is going to have somewhat slower read/write speeds because the data has to be encrypted/decrypted as it's accessed, but I'm not sure if the drop is normally as much as you're experiencing. Someone who has used it more should be able to provide some anecdotal evidence that may help there.

As for using the drive on another computer, if you connect it to a PC or a Mac running Snow Leopard or earlier, it simply won't recognize it. However, if you connect it to another computer running Lion or Mountain Lion, it will prompt for the disk password, and if you provide the password, it will mount it on the desktop and you can access the files.

jW

mpts
Oct 2, 2012, 02:43 PM
Perfect, thanks a lot!

I am copying files at the moment, once that's done I'll run a few tests for the speed!

mpts
Oct 2, 2012, 06:09 PM
Yup, before the encryption the disk was at roughly 75MB/s for both writing and reading. Now it's at 8 MB/s for writing while still being at 75MB/s for reading. Here's a screenshot of the test after the encryption: http://mpts.co/JsPX

mpts
Oct 2, 2012, 10:19 PM
Another question: I just plugged the encrypted external hdd into my other Mac and it could be accessed as any other hdd. No need to type in a password or anything? Did I miss something here?

Weaselboy
Oct 3, 2012, 11:55 AM
Another question: I just plugged the encrypted external hdd into my other Mac and it could be accessed as any other hdd. No need to type in a password or anything? Did I miss something here?

Those passwords can be saved in Keychain. Could it be that you used the disk on the other machine once and typed in the password and it is now in Keychain on that machine... and thus auto mounts?

mpts
Oct 4, 2012, 03:28 AM
Actually I plugged the drive into another Mac after I have freshly installed Mac OS onto it and I can't recall syncing anything to the Mac yet. I'll check again.

----------

Just tried on another Macbook, which wasn't mine and thus couldn't have had any of my passwords in the keychain and still I could access all data. Did I miss a setting?

Weaselboy
Oct 4, 2012, 08:32 AM
That sounds like the drive is not really encrypted. What does it look like in Disk Util? You should be able to see the volume is encrypted there.

mpts
Oct 4, 2012, 08:18 PM
Well, I can't find anything that indicates it'd be encrypted. What should I be able to see? And if it's the case it's not encrypted, what are my options? I definitely remember checking the mark when I first plugged the drive in to make it encrypted. And as I mentioned above, the write speed has decreased incredibly.

mfram
Oct 5, 2012, 02:35 AM
Unless your external drive is an externally powered RAID or an SSD, there's no way you will get 75MB/s average write speeds. Especially on a USB-powered hard disk that probably runs at 5400rpm at the most.

But that doesn't answer the question of how you can turn on encryption. It turns out you can turn on encryption on the fly. File Vault 2 does this for the system disk when you turn it on. And you can do it to external disks as well if you are comfortable using the Terminal. I didn't find a way to do it from the Disk Utility. The following are Terminal commands.

Your disk must already be formatted HFS+ using GUID Partition Table (GPT). If not, you probably can't change it on-the-fly.

You need to convert your external disk into a "Core Storage" volume. Then once it is using Core Storage, you can enable encryption on the fly.

1. Figure out the partition of your mounted volume. In my case, the test volume I tried this on is "teste".

> df

Filesystem Mounted on
...
/dev/disk2s2 /Volumes/teste

2. Convert the volume to CoreStorage using the partition name listed above.

> diskutil coreStorage convert /dev/disk2s2
Started CoreStorage operation on disk2s2 teste
Resizing disk to fit Core Storage headers
Creating Core Storage Logical Volume Group
Attempting to unmount disk2s2
Switching disk2s2 to Core Storage
Waiting for Logical Volume to appear
Mounting Logical Volume
Core Storage LVG UUID: 196837F2-DCCB-4946-AF6E-AF606ADC9CEC
Core Storage PV UUID: 5A58FBAD-2316-4012-85E2-EA0995BB5D4B
Core Storage LV UUID: EFD3E02A-D54E-4B53-AA29-641C2F9C8E32
Core Storage disk: disk6
Finished CoreStorage operation on disk2s2 teste

3. Enable encryption using the logical volume ID above.

> diskutil coreStorage encryptVolume EFD3E02A-D54E-4B53-AA29-641C2F9C8E32

New passphrase for existing volume:
Confirm new passphrase:
Started CoreStorage operation on disk6 teste
Scheduling encryption of Core Storage Logical Volume
Core Storage LV UUID: EFD3E02A-D54E-4B53-AA29-641C2F9C8E32
Finished CoreStorage operation on disk6 teste

Now Mac OS will convert your volume to encrypted format. It will take a little time. You can see progress ...

> diskutil coreStorage info /Volumes/teste

When the Status changes from "converting" to "online", your volume is now completely encrypted.

Weaselboy
Oct 5, 2012, 09:39 AM
Well, I can't find anything that indicates it'd be encrypted. What should I be able to see? And if it's the case it's not encrypted, what are my options? I definitely remember checking the mark when I first plugged the drive in to make it encrypted. And as I mentioned above, the write speed has decreased incredibly.

Plug the disk in and in Terminal enter "diskutil list" (without the quotes). That will list all volumes/partitions and how they are formatted.

A regular partition will show "Apple_HFS" while an encrypted one will show "Apple_CoreStorage".

I have not tried encrypting an external myself yet with Mountain Lion, but I read in this tip (http://hints.macworld.com/article.php?story=20120725094628716) you can do it by a right click on the volume in Finder and select encrypt. I don't think any Terminal voodoo is needed.

mfram
Oct 5, 2012, 09:51 AM
I have not tried encrypting an external myself yet with Mountain Lion, but I read in this tip (http://hints.macworld.com/article.php?story=20120725094628716) you can do it by a right click on the volume in Finder and select encrypt. I don't think any Terminal voodoo is needed.

Hmmm. I tried "right" clicking but not control-clicking. I figured there must be a UI way to do it since it's technically possible. If that works, awesome!

mpts
Oct 7, 2012, 06:36 PM
Brilliant, thanks for the hints guys.

There actually is the right click in finder to encrypt the disk. Trying it out now. It's just odd that the write speed became so slow even before encrypting the disk.

----------

Unless your external drive is an externally powered RAID or an SSD, there's no way you will get 75MB/s average write speeds. Especially on a USB-powered hard disk that probably runs at 5400rpm at the most.

Well, not sure why you believe this, but I definitely have 70-75MB/s for both my external disks, that is if I can trust the performance check using AJA System Test for a 1GB file. I'm using a MBPr + 1TB Western Digital USB3 hard drives.

mpts
Oct 7, 2012, 08:05 PM
Alright, I encrypted the external disk and ever since I have major problems, such as:


- write speed decreased even more to about 5MB/s (before the last format it was still at 75MB/s)
- read speed decreased from 75MB/s to 30MB/s
- Finder crashes a lot (!!) when the external drive is plugged in
- Finder becomes really slow, many times won't load data even on my internal hdd when the external drive is connected


I will probably try to get the data from my disk and then reformat it and play around with the encryption and see if I get it working. I have a feeling that the reason why Finder is struggling at the moment is because I turned on the encryption when I already had about 250GB on the disk.

I am still confused by these two separate steps of turning on encryption:
1) the pop up dialog after formatting the drive with an optional checkmark to encrypt the disk (which seems it slowed down the disk without actually encrypting it)
2) right click on disk in Finder to encrypt (which encrypted it, but caused major problems)

I'll keep you posted!

micrors4racer
Oct 7, 2012, 10:22 PM
Are you letting it finish the encryption before doing the tests? My 4tb RAID external drive took about 2 days of constant conversion to finish encrypting with only 1.5tb of it used.

How long are you waiting after you enable encryption? There is no progress bar but you can tell it's encrypting by the LED light on the drive and in the terminal if you type in diskutil cs list it will tell you its current status and how far along it is in the conversion.
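
The status check described in the posts above (mfram's `diskutil coreStorage info` and micrors4racer's `diskutil cs list`), as an added example that is not part of any poster's message: a script that classifies a `diskutil cs list` report, separating a volume that is merely Core Storage from one that is still converting and one that is fully encrypted. The sample report is constructed, and the field names "Encryption Type" and "Fully Secure" are assumed to match the Lion/Mountain Lion-era output.

```shell
#!/bin/sh
# Added example: classify a `diskutil cs list` report read from stdin.
# Prints: not-corestorage | plaintext | converting | encrypted
# Assumes "Encryption Type" precedes "Fully Secure" in each volume family.
cs_encryption_state() {
  awk '
    {
      line = $0
      sub(/^[ |]+/, "", line)              # drop the tree-drawing prefix
      n = index(line, ":"); if (n == 0) next
      key = substr(line, 1, n - 1)
      val = substr(line, n + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == "Encryption Type") type = val
      if (key == "Fully Secure") {
        if (val == "Yes")        s = 3     # every extent is encrypted
        else if (type == "None") s = 1     # Core Storage, data in the clear
        else                     s = 2     # encryption on, conversion unfinished
        if (worst == 0 || s < worst) worst = s   # report the weakest volume
      }
    }
    END {
      split("not-corestorage plaintext converting encrypted", name, " ")
      print name[worst + 1]
    }'
}

# Constructed sample (not captured from a real disk): encryption was
# switched on for the volume but the conversion has not finished.
sample_converting() {
  cat <<'EOF'
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 00000000-0000-0000-0000-000000000001
    =========================================================
    Name:         teste
    Status:       Online
    |
    +-> Logical Volume Family 00000000-0000-0000-0000-000000000003
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Fully Secure:            No
        Passphrase Required:     Yes
EOF
}

# On a Mac: diskutil cs list | cs_encryption_state
sample_converting | cs_encryption_state
```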

mpts
Oct 7, 2012, 11:53 PM
Wow, my disk is basically not accessible anymore. Finder had more and more problems reading the disk and operating Finder became nearly impossible every time I connected the disk.

It seems I can't copy the files from the disk anymore. I am kind of screwed now. The repair functionality from disk utility won't work either. Anybody has a hint what I can do at this moment?

mpts
Oct 8, 2012, 12:29 AM
Are you letting it finish the encryption before doing the tests? My 4tb RAID external drive took about 2 days of constant conversion to finish encrypting with only 1.5tb of it used.

How long are you waiting after you enable encryption? There is no progress bar but you can tell it's encrypting by the LED light on the drive and in the terminal if you type in diskutil cs list it will tell you its current status and how far along it is in the conversion.

I don't think I waited long enough to have it fully encrypted, but as you may imagine I didn't find any progress bar and it also slowed down my entire system so heavily that I couldn't use it anymore. Only when I unplugged the external disk I realized it was the disk and probably encryption process that paralyzed my Mac.

Anyway, I gave up on the disk, I almost can't do anything. I will see the first hierarchy of folders sometimes, but that's it. Can't copy or access my files. Now I actually just want to format it and even that won't work. That's the error I will get, even though I didn't choose it to be formatted in journaled/encrypted: http://mpts.co/JzKa

No matter what I do, I can't format and use the disk at the moment. Is there a way to format it using Terminal?

mpts
Oct 8, 2012, 01:33 AM
Tried with Terminal, getting "Unmounting disk
Error: -69888: Couldn't unmount disk" there...any hints how to save the disk? Thanks!

micrors4racer
Oct 8, 2012, 01:40 AM
All of this probably came from the disk still undergoing the encryption process. I don't blame you though. Apple says that you can continue working on your computer while it does its thing and when you unplug it and plug it back in it should resume but you know these things just don't work right sometimes.

I don't believe that you have a hardware issue yet with the drive. I just converted to OSX this year so I am not that good with its tricks to solve issues like this yet. But if you have a Windows computer you can try plugging in the drive into that and accessing disk management from the control panel; from there you can see the drive and just delete all the partitions on it if you're not interested in the data. Then plug it back into your Mac and format it with an HFS filesystem and try to encrypt it again. Check the progress of the encryption with the diskutil cs list command in the terminal.

mpts
Oct 8, 2012, 02:18 PM
Unfortunately I don't have a Windows PC at hand. Does anyone else know how to format my disk at this point? THX!

mpts
Oct 8, 2012, 03:30 PM
Alright, found a Windows PC and managed to format the disk. It finally worked on my Mac again, I reformatted it to Mac Journaled on my Mac, however it seems to have some difficulties still.

I used Mac Journaled, not encrypted and the write speed is now still only at 8.5MB/s while the read speed is still at 86MB/s, here's a screenshot: http://mpts.co/K07z

That's really odd, because I made a test last week before initially turning on encryption and write speed was still at ca. 75MB/s (just as my other extern WD disk, same model). At the moment I can't figure out how to 'heal' the disk so it will have its write speed back. Any hints? Is it possible that encryption is still turned on?

micrors4racer
Oct 8, 2012, 05:21 PM
Maybe you can test it on the Windows machine to rule out software issues with your Mac. I think the program to test hard drives on Windows is HD Tach. That would be the quickest way. You can also try reinstalling the test software or try another like BlackMagic Speed Test from the App Store and also try another USB port.

mpts
Oct 9, 2012, 02:22 PM
Yea, thanks. I will try that.

Btw, I just got a new hdd (WD http://mpts.co/K20C), just plugged it in and these are the speed results, amazing: http://mpts.co/K2GG

102MB/s write, 111MB/s read, fantastic!!