10.7: Using FileVault2 to encrypt a second hard drive with user folders
Sep 07, '11 07:30:00AM
Contributed by: rakmod
FileVault2 is an excellent addition to Lion. Amusingly, though, Apple has done exactly what Microsoft did when it introduced BitLocker in Vista (and corrected in Windows 7): it has made it easy to encrypt the system drive and difficult to encrypt other drives.
This hint describes how to place a user home directory on a FileVault2-encrypted partition on a second hard drive and have that partition unlock automatically at boot.
The primary issue is that a home directory on a secondary encrypted drive is not unlocked automatically when the user logs on, so that user gets a logon error. Once the partition is unlocked it mounts automatically and the home directory becomes available.
Note: Once these operations have been performed, Disk Utility cannot be used to modify the second disk. Terminal and diskutil need to be used instead.
Prerequisites
- An OS X Lion installation with a FileVault2 encrypted system disk (System Preferences » Security & Privacy » FileVault).
- A second hard drive using a GUID Partition Table and a Mac OS Extended partition. We will assume in the examples that the partition is named 'Data HD.'
- An admin user in the /Users folder on the system drive.
- A standard user with their home directory in the /Volumes/Data HD/Users directory and advanced user properties specifying that location as their home folder. There are hints about how to do that; search if you need to find them.
Once you have all that, here are the instructions for setting up the encryption:
- Log off all users.
- Log in as the admin user.
- Start Terminal.
- Use diskutil to determine the IDENTIFIER of the Data HD partition:
diskutil list
- Convert Data HD to an encrypted CoreStorage volume with the following command. Keep a copy of the passphrase in a safe place: if you lose it you will not be able to recover the data on the partition. Encryption proceeds in the background; the Conversion Status line in the output of 'diskutil coreStorage list' shows its progress.
diskutil coreStorage convert [IDENTIFIER] -passphrase [passphrase]
- Reboot.
- Try to log on as the normal user. You should see an error that you cannot log on. Note: I only tested after the disk fully encrypted, so the behaviour on a partially encrypted drive is not tested. I am assuming it has the same behaviour as an encrypted drive.
- Log on as the admin user.
- When asked for the password to unlock Data HD, enter the volume passphrase and save it to your Keychain.
- Open the admin user's Keychain using /Applications/Utilities/Keychain Access.
- Unlock the System Keychain.
- Copy the Data HD password entry from the admin user's Keychain to the System Keychain.
- Create a LaunchDaemon plist to unlock Data HD automatically at boot, as follows.
- Using diskutil, note the UUID of the Logical Volume (the innermost 'Logical Volume' entry in the output, not the UUID of the Logical Volume Group or Logical Volume Family):
diskutil coreStorage list
- Create the file /Library/LaunchDaemons/filevault2.unlock.plist with the contents below, replacing [UUID] and [passphrase] with your values. The passphrase is stored in cleartext in this plist, which is why the system disk must also be encrypted: on an unencrypted system disk anyone with physical access could simply read the passphrase from the drive. FileVault2 does not protect the file from other users of the running system, so make it owned by root and readable only by root (sudo chown root:wheel and chmod 600 on the file); launchd accepts a LaunchDaemon plist as long as it is owned by root and not writable by group or others. If the passphrase contains &, < or >, write them as &amp;, &lt; and &gt;, otherwise the plist is malformed and the unlock never runs.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>filevault2.unlock</string>
    <key>ProgramArguments</key>
    <array>
        <!-- full path, so the job does not depend on launchd's PATH -->
        <string>/usr/sbin/diskutil</string>
        <string>cs</string>
        <string>unlockVolume</string>
        <!-- Logical Volume UUID from 'diskutil cs list' -->
        <string>[UUID]</string>
        <string>-passphrase</string>
        <!-- stored in cleartext; XML-escape &, < and > -->
        <string>[passphrase]</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
- Reboot and log on as the normal user. Logon should now work.
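The UUID lookup and plist creation steps above, as an added example that is not part of the original hint. It is a POSIX sh script (function names, the --install flag and the sample 'diskutil coreStorage list' output are all mine, not Apple's or the hint's) that picks the Logical Volume UUID out of the diskutil listing by LV Name, XML-escapes the passphrase so characters like & or < cannot produce a malformed plist, and writes the LaunchDaemon readable by root only. The diskutil output embedded below is a constructed sample in the shape Lion prints, not a capture from a real machine; the real commands only run when the script is invoked with --install as root.

```shell
#!/bin/sh
# Added example, not from the original hint. Assumes the volume has already
# been converted with 'diskutil coreStorage convert ... -passphrase ...'.
# Label and output path are taken from the hint; everything else is mine.

PLIST_LABEL="filevault2.unlock"
PLIST_PATH="/Library/LaunchDaemons/${PLIST_LABEL}.plist"

# Print the UUID of the Logical Volume (not the Group or Family) whose
# "LV Name:" is $1. Reads 'diskutil coreStorage list' output on stdin.
lv_uuid_for_name() {
    awk -v want="$1" '
        /Logical Volume Group/ || /Logical Volume Family/ { next }
        /\+-> Logical Volume / { uuid = $NF; next }
        /^[ |]*LV Name:/ {
            sub(/^[ |]*LV Name:[ \t]*/, "")
            if ($0 == want && uuid != "") { print uuid; exit }
        }'
}

# XML-escape $1 so a passphrase containing &, < or > cannot break the plist
# (a malformed LaunchDaemon plist is silently ignored and nothing unlocks).
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Render the LaunchDaemon that unlocks LV $1 with passphrase $2 at boot.
render_unlock_plist() {
    uuid=$1
    pass=$(xml_escape "$2")
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${PLIST_LABEL}</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/diskutil</string>
        <string>coreStorage</string>
        <string>unlockVolume</string>
        <string>${uuid}</string>
        <string>-passphrase</string>
        <string>${pass}</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# Write the plist readable by root only (the passphrase is in cleartext),
# then load it. Must run as root; launchd requires the file to be owned by
# root and not writable by group or others.
install_unlock_plist() {
    umask 077
    render_unlock_plist "$1" "$2" > "$PLIST_PATH"
    chown root:wheel "$PLIST_PATH"
    chmod 600 "$PLIST_PATH"
    launchctl load "$PLIST_PATH"
}

# Constructed sample of 'diskutil coreStorage list' output (not captured from
# a real machine), used to exercise lv_uuid_for_name offline.
SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 11111111-2222-3333-4444-555555555555
    =========================================================
    Name:         Data HD
    |
    +-< Physical Volume AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
    |   ----------------------------------------------------
    |   Disk:     disk1s2
    |
    +-> Logical Volume Family 99999999-8888-7777-6666-555555555555
        ----------------------------------------------------
        Encryption Status:       Locked
        Encryption Type:         AES-XTS
        |
        +-> Logical Volume 0F0F0F0F-1E1E-2D2D-3C3C-4B4B4B4B4B4B
            ----------------------------------------------------
            Status:             Locked
            LV Name:            Data HD
            Volume Name:        Data HD'

# Interactive entry point: look up the LV by name, read the passphrase
# without echo (so it does not land in shell history), write and load.
# Usage: sudo sh filevault2-unlock.sh --install "Data HD"
if [ "${1:-}" = "--install" ]; then
    name=${2:-Data HD}
    uuid=$(diskutil coreStorage list | lv_uuid_for_name "$name")
    [ -n "$uuid" ] || { echo "no Logical Volume named '$name'" >&2; exit 1; }
    printf 'Passphrase for %s: ' "$name" >&2
    stty -echo; read -r pass; stty echo; echo >&2
    install_unlock_plist "$uuid" "$pass"
    echo "installed $PLIST_PATH for LV $uuid"
fi
```

Run it as root after the convert step has finished; the passphrase still ends up in cleartext in the plist, exactly as in the hint, so the chmod 600 and the encrypted system disk are what keep it from other readers.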
[crarko adds: I haven't tested this one. I'd suggest trying this one with a test system and user to get comfortable with the process before trying it on a production machine. At minimum, have a known good backup of everything.]
Mac OS X Hints
http://hints.macworld.com/article.php?story=20110723223309186