On a Mac running OS X Lion 10.7.5 I have attempted to encrypt an external drive using Disk Utility.

Since this is 10.7, there is no option of right-clicking to encrypt in Finder. Also, there's no option to create an encrypted partition when formatting. So, here's what I did:

  1. I reformatted the drive like this:

    /dev/disk1
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      GUID_partition_scheme                        *2.0 TB     disk1
       1:                        EFI                         209.7 MB   disk1s1
       2:                  Apple_HFS Heap                    1.7 TB     disk1s2
       3:                  Apple_HFS Time Machine            300.0 GB   disk1s3
       4:       Microsoft Basic Data EXCHANGE                49.5 GB    disk1s4

  2. Then I wanted to encrypt all Apple_HFS partitions, starting with Heap. The only way to accomplish this using the GUI seems to be the following:

    1. Select the volume you want to encrypt in the sidebar on the left side.
    2. Select the tab "erase" on the right side.
    3. Choose an option of your liking in "Format:"
    4. Click "Erase..." to reformat the partition as an encrypted volume. You have to create a password to continue.
  3. If this were Mountain Lion, this would be it. All I'd have to do is wait for the encryption to finish. So, I checked the status in the terminal using:

    diskutil cs list 

    And to my surprise there's no conversion happening:

    Sequence:               2
    Encryption Status:      Unlocked
    Encryption Type:        AES-XTS
    Encryption Context:     Present
    Conversion Status:      NoConversion    // OH NOES!!! WHY THIS? WHY ME? :(
    Has Encrypted Extents:  Yes
    Conversion Direction:   -none-

    But I did expect something like this:

    Encryption Status:      Unlocked
    Encryption Type:        AES-XTS
    Conversion Status:      Converting      // This is what I expected.
    Conversion Direction:   forward
    Has Encrypted Extents:  Yes
    Fully Secure:           No
    Passphrase Required:    Yes

Question

What is going on here? Am I just interpreting the diskutil output the wrong way?

1 Answer

I believe you need a Recovery HD on that volume to let FileVault 2 do its business. Here's the article on how to FileVault 2.

I believe the section where it says FileVault 2 requires OS X Lion or Mountain Lion and Recovery HD installed on your startup drive is not technically correct, since the keys to decrypt an external drive would only be stored on the internal drive of the Mac doing the encryption.

I know this isn't true since I've had encrypted external drives that I've taken to several Macs and had all of them read it. You could start by letting Time Machine encrypt the external drive since that's the canonical GUI manner to get FileVault 2 on an external drive.

You can do everything in terminal though. Here is your recipe - bookmark this guy's web site - Rich is an asset to the community for documenting how to wrangle encryption and many other things.

Here is what a functioning external without FileVault 2 looks like to me (warning - this is all on Mountain Lion).

    /dev/disk2
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      GUID_partition_scheme                        *500.1 GB   disk2
       1:                        EFI                         209.7 MB   disk2s1
       2:                  Apple_HFS HEAP                    10.0 GB    disk2s2
       3:                  Apple_HFS Time Machine            300.0 GB   disk2s3
       4:       Microsoft Basic Data EXCHANGE                189.6 GB   disk2s4

So, you can convert things thusly:

    Air:~ me$ diskutil cs convert /Volumes/HEAP -passphrase
    New passphrase for converted volume:
    Confirm new passphrase:
    Started CoreStorage operation on disk2s2 HEAP
    Resizing disk to fit Core Storage headers
    [ | 0%..10%.............................................. ]

After a short delay, the progress will end and you will get this notice:

    Air:~ me$ diskutil cs convert /Volumes/HEAP -passphrase
    New passphrase for converted volume:
    Confirm new passphrase:
    Started CoreStorage operation on disk2s2 HEAP
    Resizing disk to fit Core Storage headers
    Creating Core Storage Logical Volume Group
    Attempting to unmount disk2s2
    Switching disk2s2 to Core Storage
    Waiting for Logical Volume to appear
    Mounting Logical Volume
    Core Storage LVG UUID: 4FA72C96-80B5-4794-B6C9-D5E94B3194C8
    Core Storage PV UUID: A60F4F77-18F7-4972-9A37-4873390BE326
    Core Storage LV UUID: 02A09627-7955-4671-84F7-BD26FE1D9B93
    Core Storage disk: disk3
    Finished CoreStorage operation on disk2s2 HEAP
    Encryption in progress; use `diskutil coreStorage list` for status

Setting aside whether Lion has the same output (since it likely will not end the command until the encryption is done) - here is the end result of what the diskutil list command shows once the external has been encrypted:

    /dev/disk2
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      GUID_partition_scheme                        *500.1 GB   disk2
       1:                        EFI                         209.7 MB   disk2s1
       2:          Apple_CoreStorage HEAP                    10.0 GB    disk2s2
       3:                 Apple_Boot Boot OS X               134.2 MB   disk2s6
       4:                  Apple_HFS Time Machine            300.0 GB   disk2s3
       5:       Microsoft Basic Data EXCHANGE                189.6 GB   disk2s4

It appears that disk2s6 gets shaved off the 10.0 GB disk2s2 and serves to hold the keys for [en|de]crypting HEAP.

  • Thank you very much for this answer. I will try this solution. Still, I can't exactly follow your argument for why there needs to be a recovery partition on the external drive (is it the one called 'Boot OS X' volume?) Every Mac that wants to read the external encrypted volume still needs a password to unlock the drive. Commented Dec 1, 2012 at 17:22
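
As an added example (not part of the question or the answer above), this shell function summarises the encryption fields of a `diskutil cs list` listing, so the two states quoted in the question can be told apart at a glance. The sample input is constructed from the field lines quoted on this page; the `|` tree prefix, the function names and the verdict labels are assumptions of the example.

```shell
# Constructed sample: the field lines from the two excerpts in the question.
# The leading "|" tree prefix is an assumption about the full listing layout.
sample_listing() {
cat <<'EOF'
|   Sequence:               2
|   Encryption Status:      Unlocked
|   Encryption Type:        AES-XTS
|   Encryption Context:     Present
|   Conversion Status:      NoConversion
|   Has Encrypted Extents:  Yes
|   Conversion Direction:   -none-
|   Encryption Status:      Unlocked
|   Encryption Type:        AES-XTS
|   Conversion Status:      Converting
|   Conversion Direction:   forward
|   Has Encrypted Extents:  Yes
EOF
}

# Reads a listing on stdin; prints one summary line per record, where a record
# starts at each "Encryption Status" field (true for both excerpts).
cs_conversion_summary() {
    awk '
    function get(k) { return (k in f) ? f[k] : "?" }
    function emit(   c, v) {
        if (!inrec) return
        c = get("Conversion Status")
        if (c == "Converting") v = "converting"
        else if (c == "NoConversion" && get("Has Encrypted Extents") == "Yes")
            v = "no-conversion-encrypted-extents"
        else if (c == "NoConversion") v = "no-conversion-plain"
        else v = "unrecognised"      # value not shown on the page
        printf "type=%s conversion=%s direction=%s extents=%s verdict=%s\n",
            get("Encryption Type"), c, get("Conversion Direction"), get("Has Encrypted Extents"), v
        split("", f)                 # portable way to clear the array
    }
    {
        line = $0
        sub(/^[|+> \t-]*/, "", line) # drop tree-drawing prefix
        i = index(line, ":"); if (i == 0) next
        key = substr(line, 1, i - 1); val = substr(line, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "Encryption Status") { emit(); inrec = 1 }
        if (inrec) f[key] = val
    }
    END { emit() }'
}

sample_listing | cs_conversion_summary
```

On a Mac, feed it live data with `diskutil cs list | cs_conversion_summary`.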
