Mountain Lion disk encryption advice




jrspies
Jun 2, 2013, 10:42 AM
jrspies
06/02/2013 08:36 AM PDT

I travel with my laptop regularly and recently learned that using password protection when booting your laptop does little to protect your data if your machine is stolen. I did some research and found that Mountain Lion offers full disk encryption.

I first encrypted my USB hard drive using Time Machine. It took 36 hours to encrypt a 1TB Western Digital My Passport drive. While this is a long time, it had a status indicator to show progress with an estimated time to completion that was very accurate.

After encrypting my external drive, I figured it would be beneficial to encrypt my laptop primary hard drive (MacBook Pro with 500 GB drive) using instructions found at macworld.com. I was VERY disappointed to learn there was no progress meter. The only evidence that the hard drive was encrypting was right clicking the drive icon on the desktop or in the Finder and seeing the "encrypting" option greyed out.

I started the encryption process at 7PM and before I went to bed checked and saw the label read "encrypting" so I left the machine on overnight. The next morning it was still "encrypting".

I left it on again for another day and still it read "encrypting". After 2 1/2 days it still was saying "encrypting". Worried that it was stuck, I did research to find out how long it took to encrypt a hard drive. I found very little info on the internet to help me understand time to encrypt, so I decided to check the "Utilities" > "Activity Monitor". It appears there was minimal processor activity, so I assumed the drive encryption was stalled.

I held my breath and rebooted. I expected one of 3 outcomes.

1) Drive would be scrambled and lost forever

2) Encryption process was stalled and might restart

3) Encryption was complete, but there was no indication of completion

To my amazement and delight, the third option was the winner! The encryption was complete and all is well. MAJOR DEMERITS to the Apple software team for not providing a time estimate and status indicator. MAJOR FAIL!!!

For those that are stuck in my predicament, I would recommend occasionally checking the "Utilities" > "Activity Monitor" during the process. If you see heavy processor activity, it is safe to assume the encryption process is still underway. If however, you see little processor activity, it would be safe to assume the encryption is complete. Sadly there appears to be no better way to check the status of encryption.

I would also say the process would take 4-8+ hours, but since there is no way to know for sure, this is purely an educated guess.

Happy encrypting!
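
On the question of telling a stalled conversion from a finished one: the following is an added example, not part of the original post or of the Macworld article. It summarises the text printed by `diskutil cs list`; the field names it matches and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise encryption-conversion state from `diskutil cs list`.
# The field names matched below are assumed; adjust them if your output differs.
# Handles one logical volume (the last one listed wins).

cs_summary() {   # reads `diskutil cs list` text on stdin, prints one line
    awk -F': *' '
        { sub(/[ \t\r]+$/, "") }                       # drop trailing blanks
        /Conversion Status:/  { status = $2 }
        /Fully Secure:/       { secure = $2 }
        /Size \(Total\):/     { split($2, t, " "); total = t[1] + 0 }
        /Size \(Converted\):/ { split($2, c, " "); conv = c[1] + 0; have = 1 }
        END {
            if (status == "") { print "no CoreStorage volume found"; exit }
            if (status == "Complete")    pct = 100
            else if (have && total > 0)  pct = int(conv * 100 / total)
            else                         pct = "unknown"
            printf "status=%s fully_secure=%s percent=%s\n", status, secure, pct
        }'
}

sample_converting() {   # constructed sample, not captured from a real machine
    cat <<'EOF'
    +-> Logical Volume Family 00000000-0000-0000-0000-000000000000
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Conversion Direction:    forward
        Fully Secure:            No
        |
        +-> Logical Volume 11111111-1111-1111-1111-111111111111
            ---------------------------------------------------
            Status:             Online
            Size (Total):       400000000000 B (400.0 GB)
            Size (Converted):   100000000000 B (100.0 GB)
EOF
}

# Use the real listing on a Mac, otherwise fall back to the constructed sample.
if command -v diskutil >/dev/null 2>&1; then
    diskutil cs list | cs_summary
else
    sample_converting | cs_summary
fi
```

A `fully_secure=No` result means unencrypted extents are still on the disk, so the data is not yet fully protected if the machine is stolen at that point.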



Weaselboy
Jun 2, 2013, 10:51 AM
I have a 2012 13" MBA and recently turned off FV2 encryption to apply a firmware update, then turned FV2 back on when finished. I have about 60GB of data on my SSD and the full encryption took about 45 minutes.

All during the encryption process there was a progress bar counting down the time in this screen. Not sure why you would not have had the same progress bar. Did you go to this same screen to check?

http://imgur.com/KaGpn8b.png

jrspies
Jun 2, 2013, 01:40 PM
I encrypted the entire disk, not just a few files. To see the instructions for encrypting the entire disk check this link... http://www.macworld.com/article/1168077/encrypt_any_disk_in_mountain_lion.html

When encrypting the entire disk using this command, there is no status indicator.

Weaselboy
Jun 2, 2013, 05:34 PM
> I encrypted the entire disk, not just a few files. To see the instructions for encrypting the entire disk check this link... http://www.macworld.com/article/1168077/encrypt_any_disk_in_mountain_lion.html
>
> When encrypting the entire disk using this command, there is no status indicator.

I also encrypted the entire disk. When you turn on FV2 through the system pref pane I showed, it does encrypt the entire disk and it shows a progress bar as it is happening.

The issue (problem) is you used the command line utility which has no progress indicator. If you had used FV2 full disk encryption as intended, you would have had a progress indicator like I did.

I honestly don't see the point of the article at all, unless I am missing something. If you have an external/secondary disk you just right click and select encrypt. If you want to encrypt the boot volume you just use the interface I posted. I don't see any reason to use the Terminal commands.

Bear
Jun 3, 2013, 10:58 AM
> I encrypted the entire disk, not just a few files. To see the instructions for encrypting the entire disk check this link... http://www.macworld.com/article/1168077/encrypt_any_disk_in_mountain_lion.html
>
> When encrypting the entire disk using this command, there is no status indicator.

Those are directions for encrypting random disks, not a boot disk. For a boot disk, you want to use the FileVault tab under Security & Privacy in System Preferences. If you encrypt the system disk any other way, you are asking for potential trouble later on.

jrspies
Jun 4, 2013, 09:07 AM
> Those are directions for encrypting random disks, not a boot disk. For a boot disk, you want to use the FileVault tab under Security & Privacy in System Preferences. If you encrypt the system disk any other way, you are asking for potential trouble later on.

Bear, you are saying that the method I used to encrypt is wrong or problematic. What kind of problems might I expect? Everything seems to be working fine right now.

If this method of encryption is not reliable, I wonder why this option is even available and why would Kirk McElhearn at Macworld advocate it?

I suppose I could decrypt the entire disk and then re-encrypt using FileVault, but I would like to know more before going through all this work.

----------

> I also encrypted the entire disk. When you turn on FV2 through the system pref pane I showed, it does encrypt the entire disk and it shows a progress bar as it is happening.
>
> The issue (problem) is you used the command line utility which has no progress indicator. If you had used FV2 full disk encryption as intended, you would have had a progress indicator like I did.
>
> I honestly don't see the point of the article at all, unless I am missing something. If you have an external/secondary disk you just right click and select encrypt. If you want to encrypt the boot volume you just use the interface I posted. I don't see any reason to use the Terminal commands.

Weasel, just to clarify, I performed the disk encryption by right clicking my system hard drive and selecting the "encrypt" option. I did not use Terminal commands, but maybe this method is identical to Terminal commands.

Bear
Jun 4, 2013, 09:23 AM
> Bear, you are saying that the method I used to encrypt is wrong or problematic. What kind of problems might I expect? Everything seems to be working fine right now.
>
> If this method of encryption is not reliable, I wonder why this option is even available and why would Kirk McElhearn at Macworld advocate it?
>
> I suppose I could decrypt the entire disk and then re-encrypt using FileVault, but I would like to know more before going through all this work.

The article was pretty clear that the method they were describing was for disks other than the system disk. And it does work fine for those disks.

I do not know what issues if any you may come across using the method in the article for the system disk. I know that setting up FileVault on the system disk does change how the system boots because it now has to ask for your password at the start of booting to unlock the encryption on the system disk.

jrspies
Jun 4, 2013, 09:58 AM
> The article was pretty clear that the method they were describing was for disks other than the system disk. And it does work fine for those disks.
>
> I do not know what issues if any you may come across using the method in the article for the system disk, I know that setting up FileVault on the system disk does change how the system boots because it now has to ask for your password at the start of booting to unlock the encryption on the system disk.

Bear, my system now boots like you describe. Is it possible the method I used does exactly what FileVault would do? If this method is not advisable, why is it even an option?

Weaselboy
Jun 4, 2013, 10:08 AM
> Weasel, just to clarify, I performed the disk encryption by right clicking my system hard drive and selecting the "encrypt" option. I did not use Terminal commands, but maybe this method is identical to Terminal commands.

Okay... I am confused then. Since you linked the article and you specifically used the word "command" in relation to the article, it sounded like that is what you did. :confused:

I suspect you do not have a properly implemented FV2 setup now.

When you enable FDE through the security pane it reboots the machine and after entering your PW it gives you a second/backup decryption code and the option to send that code to Apple for retrieval with your AppleID. Or you can just print the code and store it yourself. Then the system encrypts. Part of this is it makes changes to the Recovery HD so when you boot the system the login screen is actually just the Recovery HD and not the main, Macintosh HD partition. This is a different-looking login screen than a normal one and includes the option to boot to a Safari only guest account. The idea is a thief can boot to the Safari guest account and allow Find my Mac to see the machine.

I'm guessing you have none of these features due to the way you encrypted. If I were you, I would decrypt then do it again through the security pane so FV2 is set up properly.

Bear
Jun 4, 2013, 10:39 AM
> Bear, my system now boots like you describe. Is it possible the method I used does exactly what file vault would do? If this method is not advisable, why is it even an option?

It's meant to encrypt additional disks you may have attached to your system.