Friday, July 22, 2011

HOWTO create an encrypted TimeMachine Backup on an Apple software RAID using Lion FileVault2

My MacPro is filled with disks which implies that a single disk of the type "the biggest you can buy" is insufficient for my TimeMachine needs. So far I have been using an OSX software RAID for TimeMachine which worked rather well.
As I want to use 10.7 / Lion full disk encryption, the whole encryption is moot if the same data is stored as clear-text in TimeMachine.
Even before Lion it was possible to use encrypted sparse disk images (as TimeCapsule uses them) to encrypt TimeMachine but frankly I don't assume that a 4Gb disk image is adequate.

Lion allows you to specify that you want your backups to be encrypted, but in my case this was refused with a simple "not supported on raid".
Using diskutil I managed to get it work anyway.

WARNING This worked for me. Once. I think.
This procedure may trash your data or set your cat on fire. Proceed at your own risk.

This procedure will delete all data on the raid volume. I didn't care too much as this was TimeMachine history only.

In Terminal, dump the current disk layout for reference:
"diskutil list". In my case this looks like this:
/dev/disk0
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:      GUID_partition_scheme                        *256.1 GB   disk0
1:                        EFI                         209.7 MB   disk0s1
2:                  Apple_HFS SSD                     255.2 GB   disk0s2
3:                 Apple_Boot                         650.0 MB   disk0s5
/dev/disk1
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:      GUID_partition_scheme                        *2.0 TB     disk1
1:                        EFI                         209.7 MB   disk1s1
2:                 Apple_RAID                         2.0 TB     disk1s2
3:                 Apple_Boot Boot OS X               134.2 MB   disk1s3
/dev/disk2
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:      GUID_partition_scheme                        *2.0 TB     disk2
1:                        EFI                         209.7 MB   disk2s1
2:                 Apple_RAID                         2.0 TB     disk2s2
3:                 Apple_Boot Boot OS X               134.2 MB   disk2s3
....


Note that the RAID volumes in my case were disk1s2 and disk2s2.

What I did was to delete the RAID in DiskUtility and to re-create it. You may not have to do this. Note that even if you do not re-create the RAID, you will still loose all data on the RAID-set.


Step 1: Create a RAID set:
diskutil ar create stripe myNewRaidSet JHFS+  disk1s2 disk2s2

Replace disk1s2, disk2s2 with the list of the partitions you want to use for this RAID-set.
If you don't want a "stripe" RAID0 you can use other types:
o   "stripe" - Striped Volume (RAID 0)
o   "mirror" - Mirrored Volume (RAID 1)
o   "concat" - Concatenated Volume (Spanning)

All the usual Apple RAID options can be used, including stacked RAIDs like RAID 10, RAID 0+1 etc. "man diskutil" or DiskUtility is your friend.


Now you should have a new RAID-set. Let's check:
diskutil list
...
/dev/disk4
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:                  Apple_HFS myNewRaidSet           *4.0 TB     disk4

Good. disk4 is the name of the Raid-set

We now have to create a CoreStorage Logical Volume Group.
CoreStorage is the new volume manager in Lion which is the foundation for FileVault2).

diskutil cs create myNewLvg disk4


(Replace "disk4" with the name of your AppleRaid)


We now should have a CoreStore Logical Volume Group.
"diskutil cs list" will print it out:
iomp:~ io$ diskutil cs list
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 0CBCF265-CCC0-4564-90D2-30F5F3080FAB
=========================================================
Name:         myNewLvg
Sequence:     1
Free Space:   3999958884352 B (4.0 TB)
|
+-< Physical Volume 3C01045D-9391-4707-B0D8-5DC1551BF459
----------------------------------------------------
Index:    0
Disk:     disk4
Status:   Online
Size:     4000109887488 B (4.0 TB)
Excellent. We still don't have a volume that we can use, this is created in the next step:
diskutil cs createVolume 0CBCF265-CCC0-4564-90D2-30F5F3080FAB jhfs+ MyEncryptedRaid 100% -stdinpassphrase
The parameters in details:
  • The lengthy hex string must be the UUID of the logical volume group you've created in the previous step. See above "myNewLvg"
  • JHFS+ tells disktuil that we want a journaled HFS+ volume (which should be fine)
  • 100% means - "use 100% of the logical volume group for this volume". You can create multiple smaller volumes if you fancy those.
  • -stdinpassphrase will cause diskutil to ask for an encryption pass phrase.
Make sure this is a decent (long, non-dictionary and complex) password and *DO NOT LOOSE IT*. If you loose this, your volume becomes noise. I have not quite understood the whole key recovery deal but that key appears to be stored nowhere except with you. So play it safe. After a few seconds, you should see the new volume mounted. Check the details via "diskutil cs list":
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 0CBCF265-CCC0-4564-90D2-30F5F3080FAB
=========================================================
Name:         myNewLvg
Sequence:     2
Free Space:   0 B (0 B)
|
+-< Physical Volume 3C01045D-9391-4707-B0D8-5DC1551BF459
|   ----------------------------------------------------
|   Index:    0
|   Disk:     disk4
|   Status:   Online
|   Size:     4000109887488 B (4.0 TB)
|
+-> Logical Volume Family B290CE10-87A6-4D75-AE3A-EF3ECF401635
----------------------------------------------------------
Sequence:               2
Encryption Status:      Unlocked
Encryption Type:        AES-XTS
Encryption Context:     Present
Conversion Status:      NoConversion
Has Encrypted Extents:  Yes
Conversion Direction:   -none-
|
+-> Logical Volume 948377BF-5F9B-47A1-A6D5-E98472F32072
---------------------------------------------------
Disk:               disk5
Status:             Online
Sequence:           2
Size (Total):       3999958884352 B (4.0 TB)
Size (Converted):   -none-
Revertible:         No
LV Name:            tm4cc
Volume Name:        tm4cc
Content Hint:       Apple_HFS


There your have it, an encrypted RAID-set.
Point TimeMachine to the new location and that's it.

I haven't yet looked into details of FileVault2 (details are also very hard to come by at this time) so the whole exercise may be plain idiotic. For example I haven't tried whether I can restore from this volume (as the backup of 1,4Tb is still ongoing). I will update the post once I have tried this. You may want to wait for this ;-)