Ever since I upgraded to an OCZ Vertex 3 SSD and bought a Drive Adapter so that I could put my old 750GB in the spot of the optical drive in my 15” MacBook Pro, I’ve wanted to extend my FileVault to the secondary drive also.
Apple does not make this an easy task, and the sources for how to do this are incomplete, and scattered around the net, so I decided to write this up, mostly for my own reference, and also for anyone else who ventures down this path.
For those who are more adventurous than I, and have placed one or more User homedirs on your secondary drive, there’s also a nice Unlock app which solves a problem you’ll have, with your secondary drive not being mounted early enough in the boot process. I did not have to use this, as I want my homedir to be sped up by the SSD!
The magical terminal command line to kick things off is:
diskutil cs convert [disk name] -passphrase
Now, everyone else on the net ends that with [Passphrase] and tries to convince you to type your passphrase on the command line. It’s common knowledge in the security world that putting sensitive information in a command-line string is a no-no, as it can be seen by other users on the system, and gets logged in your command-line history. Instead, exclude it, and the command will prompt you interactively to supply the password.
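To check whether a passphrase has already ended up in a shell history this way, here is an added example (not part of the original post) that scans history lines for a convert command with a value after -passphrase and prints each hit with the secret redacted. The function names and sample lines are constructed for illustration, and it assumes plain bash history lines or zsh extended-history lines.

```sh
#!/bin/sh
# Added example: find `diskutil cs convert ... -passphrase <value>` entries
# in shell history and print them with the passphrase redacted.

# Constructed sample history: plain bash lines plus one zsh extended-history line.
sample_history() {
  cat <<'EOF'
diskutil list
diskutil cs convert /dev/disk1s2 -passphrase
: 1325721600:0;diskutil cs convert /dev/disk2s2 -passphrase hunter2-constructed
diskutil coreStorage convert disk3s2 -passphrase "two words"
diskutil cs list
EOF
}

# Reads history lines on stdin. Prints "<line number>: <redacted command>" for
# each convert command whose -passphrase flag is followed by a value.
# The interactive form (flag at end of line) is not reported.
find_leaked_passphrases() {
  awk '
    {
      cmd = $0
      sub(/^: [0-9]+:[0-9]+;/, "", cmd)   # drop zsh extended-history prefix
      lc = tolower(cmd)                   # match verbs case-insensitively
      if (lc !~ /diskutil[ \t]+(cs|corestorage)[ \t]+convert/) next
      if (match(lc, /-passphrase[ \t]+[^ \t]/)) {
        # Keep the command up to and including the flag, never the secret.
        flag_end = RSTART + length("-passphrase") - 1
        print NR ": " substr(cmd, 1, flag_end) " [REDACTED]"
      }
    }'
}

# Demo on the constructed sample; for a real check, feed a history file
# on stdin instead, e.g. find_leaked_passphrases < "$HOME/.bash_history"
sample_history | find_leaked_passphrases
```

A hit means the passphrase is sitting in a readable file and should be treated as exposed; the process-list exposure mentioned above leaves no such record to audit afterwards.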
Here is my command:
diskutil cs convert /dev/disk1s2 -passphrase
How did I get disk1s2? Well, running “diskutil list” is helpful. As is just running df and seeing what you have mounted.
Next I ran:
diskutil cs list
to check the activity of the conversion. I was met with only a Logical Volume Group and Physical Volume (no new encrypted partition called Logical Volume Family and Logical Volume). After waiting eons, and being concerned, I finally decided to reboot.
Upon reboot, I was prompted by OSX to enter the passphrase to mount the encrypted volume (damn them for not allowing me to paste it in from 1Password). Then I ran the list command, and it now showed everything correctly for the new encrypted drive; however, it said ‘Sequence 4’ and claimed to be converting, but said Conversion Direction: -none- and Size (Converted): -none-
My console log reported:
corestoraged: 0x7fff76b19960 startBackgroundConversion: there was a problem starting background encryption on the logical volume
I figured it may have not started yet again due to not having the encryption passphrase on boot. Rebooted yet again.
Finally! The list command now reported Sequence 6 for the Logical Volume Family, conversion direction Forward and Logical Volume showed Size (Converted) growing.
Albeit this will take far longer than my SSD to convert, as it’s going about 5 times slower; but now I will no longer have to be concerned about ANY of my data being readable should my machine fall into evil hands!
These are the sources I used while reading about doing this:
- Macworld article on using FileVault2 to encrypt a second hard drive with users folders (again, only partially relevant to me, as I’m keeping my homedirs on my SSD)
- Lion’s Whole-Disk Encryption
- MacRumors forum post on FileVault with multiple drives - The referenced blog there is now 404, because it’s actually here:
- Using File Vault 2 with multiple drives (Unfortunately at the time of me writing this, the commands in the blog have Liquid rendering errors)
Update 1/5/2012: Apparently it’s not possible to encrypt drives larger than 3TB and/or through USB. I get the error:
Error: -69730: Unable to create boot loader partition due to the specifics of your partition map layout
But word is that it’s fixed in OSX 10.7.3, whenever that gets released.
Disclaimer: I made the top two product links referral links