FileVault with multiple drives

[ufdlim]

Lion is all setup and running smoothly and I have moved my home folder on to a secondary hard drive (with Lion installed on my SSD boot drive). FileVault works fine for the boot drive, but currently does not encrypt the secondary containing the home directory (which is where most of the sensitive information is stored anyways!).

I am trying to encrypt the secondary drive with no success. When I follow the blog entry here:
http://www.joshkerr.com/2011/06/using-file-vault-2-with-multiple-drives/

There is no progress in the encryption of the drive. It needs to be unmounted, but to do so you need to log off. However, you can't continue encryption without logging in - which you won't be able to do because the partition is partially encrypted.

I also tried erasing the secondary drive as a encrypted partition and copying the home folder over, with all files encrypted on transfer. However, the boot process does not let you mount a encrypted partition and therefore you still can't log in.

 

[iVoid]

You probably have to login with a user that has it's home directory on another disk then do the encryption.

Or move the home directory on that disk elsewhere, do the encryption, and copy the home directory back.

Pain in the but, but it's your fault for doing something other than Apple's way.

 

[ufdlim]

Yeah I've tried that. Can't figure out a way to get Lion to boot an encrypted disk with a home folder in it. It can't be accessed prior to login lol...

 

[acurafan]

do you have a 30 sec delay on shutdowns w/FV2 enabled?

 

[ufdlim]

Now that this forum has quieted down... going to bump it to see if anyone else knows.

@acurafan: I have a SSD so its not 30 seconds. But there is definitely a delay.

 

[ootoaoo]

Anyone ever figure this out? I'm in the same boat :/

SSD is encrypted, but big deal - the data is on drive 2 on my macbook pro!

 

[ufdlim]

Bump! Still have an unencrypted second drive =\

 

[marc11]

Did you set up the secondary account on the second drive? I needed two user accounts with admin priv. One on my boot drive and one on my secondary data drive. Then after the encrypt was done I deleted the second account on my data drive.

 

[swixo]

Lion is all setup and running smoothly and I have moved my home folder on to a secondary hard drive (with Lion installed on my SSD boot drive). FileVault works fine for the boot drive, but currently does not encrypt the secondary containing the home directory (which is where most of the sensitive information is stored anyways!).

I am trying to encrypt the secondary drive with no success. When I follow the blog entry here:
http://www.joshkerr.com/2011/06/using-file-vault-2-with-multiple-drives/

There is no progress in the encryption of the drive. It needs to be unmounted, but to do so you need to log off. However, you can't continue encryption without logging in - which you won't be able to do because the partition is partially encrypted.

I also tried erasing the secondary drive as a encrypted partition and copying the home folder over, with all files encrypted on transfer. However, the boot process does not let you mount a encrypted partition and therefore you still can't log in.

I have this working - but it was a bit of a nuisance.

1. Copy everything off the second drive to a backup.
2. Use disk utility - format Disk 2 as Encrypted FS
3. Copy everything back

First time you log in you have to unlock it - tell keychain to remember and you are all done.

If Step 2 fails because of locked files - reboot into recovery, run disk util there.

s

 

[ssn637]

Has anyone tried this solution yet?

https://github.com/jridgewell/unlock

I've gone back to Snow Leopard so I can't verify the script myself.

 

[ufdlim]

I can confirm that this works! Finally!

Create an administrator local to the SSD (home directory should not be on the disk you want to be encrypting).

From local administrator account, encrypt the secondary drive with
diskutil cs convert /dev/ disk#s# -passpharse [password]

While it is encrypting (will take a while), install Unlock from github (must be done after the encryption process has started). It should ask if you want to unlock the currently encrypting volume on startup, then the passphrase. Done.

After encryption is done, restart computer and try logging in. If all goes well, delete the temporary local account.

 

[Fourcc]

Hey guys, I'm desperate. I followed all these steps carefully and now I can't access my secondary disk that I just encrypted. The password I set is not accepted. It is not that the password is wrong, something happened during the encryption that makes the disk now completely unreachable.

some minutes after executing the command: "diskutil cs convert /Volumes/Data -passphrase [yourPasswordHere] ". I rebooted the machine and now I think that because of this, the encryption process got corrupted and now there is no way to fix this. I thought it was going to be like the standard Filevault of Settings.

In this disk I had very important stuff that now it looks like it is lost forever. Ye, I backed this stuff up but as I'm a bit retarded, by mistake I left the back up (sparse image) in the same disk thinking it was another one.

the question is. What could I do? Is there anything that I could try?

To revert the process, to change the password, to re-encrypt the volume?

Any help would be highly appreciated.

Thanks in advance.

 

[iVoid]

In this disk I had very important stuff that now it looks like it is lost forever. Ye, I backed this stuff up but as I'm a bit retarded, by mistake I left the back up (sparse image) in the same disk thinking it was another one.

I'd get yourself a copy of Disk Rescue 3 and try to see if it can find anything on the drive. If it didn't encrypt everything, it should be able to find something on a full scan.

I'm not sure what else can be done. But you could try the genius bar. Who knows, maybe they have a back door into it.


And BTW, a backup on the same physical drive is pretty much useless, as you just found out. Sorry about that.


Personally, I'd only encrypt a blank drive and copy data to it afterwards. Much safer, especially with the buggy Lion.

 

[Fourcc]

Thanks IVoid, I will try the Data rescue option...although after having checked other Data sources I have, I realized that I only lost my Music Library and the last summer photos. All the rest I had it backed up somewhere else...

 

[Fourcc]

IVoid you were right, Thanks!

I got back all my stuff.

Just to let everybody know in case that this happens to other people.

I think that the reason that this encryption failed was because I interrupted the encryption process in the middle.
I thought that this was going to be like in the Filevault 2 encryption in Settings, that if you reboot the machine, as soon as you are logged in again, it simply continues.

For any reason, the encryption failed and it didn't continue and was stacked in the middle of the encryption process. This was the reason of my problem of not being able to decrypt my hard-drive after login, and also what made possible that I've been able to get all my stuff back.

For the operating system this was an encrypted hard-drive. The password didn't work because the encryption process didn't finnish so for some reason, to put the right decryption password didn't work.

Then I used Data rescue 3, as the hard-drive was not completely encrypted, for this application was still possible to reach all the not yet encrypted data. After scanning the hard-drive for several hours, Data Rescue 3 found all the stuff there with the right folder hierarchy and from there I was able to get back all my stuff.

Just in case this could help anybody in a similar situation.

 

[rdav]

Lion FileVault-2 does not like split Drive configurations.

From reading all this it seems that Lion FileVault-2 does NOT like systems split between two+ disks. Such as an SSD (with OS & Apps) and an HHD (User & Data) - [which we have on a Mac Pro]. It can be engineered to work, but may be unstable. Risky. Which is unfortunate, since the potential for enhanced security was one of the reasons for switching from SL 10.6

Good explanation here:
http://www.macworld.com/article/162999/2011/10/complete_guide_to_filevault_2_in_lion.html

Partial quote:
FileVault is a model of simplicity for most Mac setups, but not all. For one thing, FileVault requires a standard-configuration Lion drive, which means one that has a single visible volume along with Lion's hidden Recovery HD partition. If you've partitioned the drive on which you installed or want to install Lion, if you don't have the Recovery HD volume, or if your startup drive is part of a RAID, you'll run into problems with FileVault—for example, Mac OS X may let you enable the feature, but doing so may leave the drive un-bootable. FileVault also won't work if all FileVault-authorized users have their home directories residing on volumes other than the startup disk.