10.7: Using FileVault2 to encrypt a second hard drive with user folders
FileVault2 is an excellent addition to Lion. Amusingly though, Apple has done exactly the same thing as Microsoft did when it introduced BitLocker in Vista (which it corrected with Windows 7): Apple has made it easy to encrypt the system drive, and difficult to encrypt other drives.

This hint describes how to place a user home directory on a FileVault2 encrypted partition on a second hard drive and have that partition load automatically on boot.

The primary issue is that when the user home directory is on a secondary encrypted drive, that drive will not automatically unlock when the user logs on, resulting in a logon error for that user. Once the partition holding the user home directory is unlocked, it will mount automatically.

Note: Once these operations have been performed, Disk Utility cannot be used to modify the second disk. Terminal and diskutil need to be used instead.

Prerequisites
  • An OS X Lion installation with a FileVault2 encrypted system disk (System Preferences » Security & Privacy » FileVault).
  • A second hard drive using a GUID Partition Table and a Mac OS Extended partition. We will assume in the examples that the partition is named 'Data HD.'
  • An admin user in the /Users folder on the system drive.
  • A standard user with their home directory in the /Volumes/Data HD/Users directory and advanced user properties specifying that location as their home folder. There are hints about how to do that; search if you need to find them.
Once you have all that, here are the instructions for setting up the encryption:
  • Log off all users.
  • Log in as the admin user.
  • Start Terminal.
  • Use diskutil to determine the IDENTIFIER of the Data HD partition:

    diskutil list

  • Using diskutil and the following command, convert Data HD to an encrypted volume. Ensure you keep a copy of the passphrase in a safe place. If you lose it you will not be able to get your data from the partition.

    diskutil coreStorage convert [IDENTIFIER] -passphrase [passphrase]

  • Reboot.
  • Try to log on as the normal user. You should see an error that you cannot log on. Note: I only tested after the disk fully encrypted, so the behaviour on a partially encrypted drive is not tested. I am assuming it has the same behaviour as an encrypted drive.
  • Log on as the admin user.
  • When asked for the password to unlock Data HD, enter it and save it to your Keychain.
  • Open the admin user's Keychain using /Applications/Utilities/Keychain Access.
  • Unlock the System Keychain.
  • Copy the Data HD Keychain password item from the admin user's Keychain to the System Keychain.
  • Create a plist to automatically unlock Data HD (see below).
  • Using diskutil note the UUID of the encrypted partition.

    diskutil coreStorage list

  • Create the file /Library/LaunchDaemons/filevault2.unlock.plist using the contents below. Replace [UUID] and [passphrase] with your values. Saving the [passphrase] in the plist is the reason the system disk must also be encrypted. If it were not, a malicious user could simply read your passphrase from the system disk.
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>filevault2.unlock</string>
        <key>ProgramArguments</key>
        <array>
            <string>diskutil</string>
            <string>cs</string>
            <string>unlockVolume</string>
            <string>[UUID]</string>
            <string>-passphrase</string>
            <string>[passphrase]</string>
        </array>
        <key>QueueDirectories</key>
        <array/>
        <key>RunAtLoad</key>
        <true/>
        <key>WatchPaths</key>
        <array/>
    </dict>
    </plist>

  • Reboot and log on as the normal user. Logon should now work.
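As an added example (not part of the original hint), a small POSIX shell script that writes the LaunchDaemon plist above for a given UUID and passphrase: it checks the UUID format, XML-escapes the passphrase so characters such as & or < cannot corrupt the plist, and leaves the file readable only by root (chmod 600, as one of the comments below recommends). The label and path are the hint's own; the optional DEST argument is an assumption added so the script can be tried on a scratch file first.

```shell
# Added example, not from the original hint: write the
# filevault2.unlock.plist LaunchDaemon with an XML-escaped passphrase,
# readable only by root. Run as root to install for real.

# Escape the characters XML treats specially, so a passphrase such as
# 'a<b&c' cannot break the plist or be silently truncated.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' \
        -e 's/>/\&gt;/g' -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Accept only a Core Storage UUID in 8-4-4-4-12 hex form.
valid_uuid() {
    printf '%s' "$1" | grep -Eq \
        '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# write_unlock_plist UUID PASSPHRASE [DEST]  (DEST is an assumption)
write_unlock_plist() {
    uuid=$1; pass=$2
    dest=${3:-/Library/LaunchDaemons/filevault2.unlock.plist}
    valid_uuid "$uuid" || { echo "bad UUID: $uuid" >&2; return 1; }
    # umask 077 in a subshell: the file is created unreadable by
    # others, so the passphrase is never exposed even briefly.
    (
        umask 077
        cat > "$dest" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>filevault2.unlock</string>
    <key>ProgramArguments</key>
    <array>
        <string>diskutil</string>
        <string>cs</string>
        <string>unlockVolume</string>
        <string>$uuid</string>
        <string>-passphrase</string>
        <string>$(xml_escape "$pass")</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
    ) && chmod 600 "$dest"
}
```

The passphrase is still handed to diskutil as a command-line argument while the daemon runs, so the file permissions protect it at rest only.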

[crarko adds: I haven't tested this one. I'd suggest trying this one with a test system and user to get comfortable with the process before trying it on a production machine. At minimum, have a known good backup of everything.]
10.7: Using FileVault2 to encrypt a second hard drive with user folders
Authored by: aproudlove on Sep 07, '11 08:53:27AM

Hi,
I have a dual drive system and have been looking for a way to solve this issue too. I came across this script/utility that will check any disks that are encrypted and add them so that they are unlocked at boot. Here's the page: https://github.com/jridgewell/unlock#readme

I confess that I haven't tried it yet, as my second drive is a 750GB HDD and half full, so I need to run the encryption from the terminal as opposed to using Disk Utility (which would erase it), I just haven't found time to do it yet.

Anyways, hope it helps.

--------------------------------------------
http://aproudlove.squarespace.com



10.7: Using FileVault2 to encrypt a second hard drive with user folders
Authored by: ckoerner on Sep 07, '11 12:13:56PM
Nice tip. I just set up my Mac in a similar fashion, but used the Unlock utility to perform the final step. If you have a secondary hard drive with multiple partitions can you still use boot camp on that drive? I would think not.

10.7: Using FileVault2 to encrypt a second hard drive with user folders
Authored by: rakmod on Sep 10, '11 03:45:38AM

Firstly, thanks to crarko for nicely marking up the hint. I really must learn to do that one day.....

The unlock utility looks nice and definitely easier than following the hint.

For people who still want to use the hint: to make it more secure, chmod 600 /Library/LaunchDaemons/filevault2.unlock.plist so that only root can read the file.

I have a 40GB Windows partition at the end of the secondary drive. Apart from having to use the diskutil command line to shrink the encrypted partition and manually creating the Windows partition it works just like a normal bootcamp partition. This partition has been swapped between Windows and OSX a couple of times. When it is an OSX partition it detects the two encrypted partitions and prompts for a password. Windows just ignores the encrypted partitions (although they can be seen in disk management).

Thanks for the feedback,

Regards,
rakmod



10.7: Using FileVault2 to encrypt a second hard drive with user folders
Authored by: fourCC on Nov 05, '11 11:49:06AM

Hey guys, I'm desperate. I followed all these steps carefully and now I can't access my secondary disk that I just encrypted. The password I set is not accepted. It is not that the password is wrong, something happened during the encryption that makes the disk now completely unreachable.

Some minutes after executing the command "diskutil coreStorage convert [IDENTIFIER] -passphrase [passphrase]", I rebooted the machine, and now I think that because of this the encryption process got corrupted and there is no way to fix this.

On this disk I had very important stuff that now looks like it is lost forever. Yes, I backed this stuff up, but as I'm a bit retarded, by mistake I left the backup (a sparse image) on the same disk, thinking it was another one.

The question is: what could I do? Is there anything that I could try?

To revert the process, to change the password, to encrypt on top?

Any help would be highly appreciated.

Thanks in advance.



10.7: Using FileVault2 to encrypt a second hard drive with user folders
Authored by: fourCC on Nov 08, '11 10:33:07AM

I got back all my stuff.

Just to let everybody know in case that this happens to other people.

I think that the reason that this encryption failed was because I interrupted the encryption process in the middle.
I thought that this was going to be like in the Filevault 2 encryption in Settings, that if you reboot the machine, as soon as you are logged in again, it simply continues.

For some reason, the encryption failed and didn't continue and was stuck in the middle of the encryption process. This was the reason for my problem of not being able to decrypt my hard drive after login, and also what made it possible for me to get all my stuff back.

For the operating system this was an encrypted hard drive. The password didn't work because the encryption process didn't finish, so for some reason entering the right decryption password didn't work.

Then I used Data Rescue 3. As the hard drive was not completely encrypted, it was still possible for this application to reach all the not-yet-encrypted data. After scanning the hard drive for several hours, Data Rescue 3 found all the stuff there with the right folder hierarchy, and from there I was able to get back all my stuff.

Just in case this could help anybody in a similar situation.


