As I want to use 10.7 / Lion full disk encryption, the whole encryption is moot if the same data is stored in clear text in TimeMachine.
Even before Lion it was possible to use encrypted sparse disk images (as TimeCapsule uses them) to encrypt TimeMachine, but frankly I don't assume that a 4Gb disk image is adequate.
Lion allows you to specify that you want your backups to be encrypted, but in my case this was refused with a simple "not supported on raid".
Using diskutil I managed to get it to work anyway.
WARNING This worked for me. Once. I think.
This procedure may trash your data or set your cat on fire. Proceed at your own risk.
This procedure will delete all data on the raid volume. I didn't care too much as this was TimeMachine history only.
In Terminal, dump the current disk layout for reference:
"diskutil list". In my case this looks like this:
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *256.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS SSD                     255.2 GB   disk0s2
   3:                 Apple_Boot                         650.0 MB   disk0s5
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *2.0 TB     disk1
   1:                        EFI                         209.7 MB   disk1s1
   2:                 Apple_RAID                         2.0 TB     disk1s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk1s3
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *2.0 TB     disk2
   1:                        EFI                         209.7 MB   disk2s1
   2:                 Apple_RAID                         2.0 TB     disk2s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk2s3
....
Note that the RAID volumes in my case were disk1s2 and disk2s2.
What I did was to delete the RAID in DiskUtility and to re-create it. You may not have to do this. Note that even if you do not re-create the RAID, you will still lose all data on the RAID-set.
Step 1: Create a RAID set:
diskutil ar create stripe myNewRaidSet JHFS+ disk1s2 disk2s2
Replace disk1s2, disk2s2 with the list of the partitions you want to use for this RAID-set.
If you don't want a "stripe" (RAID 0) you can use other types:
o "stripe" - Striped Volume (RAID 0)
o "mirror" - Mirrored Volume (RAID 1)
o "concat" - Concatenated Volume (Spanning)
All the usual Apple RAID options can be used, including stacked RAIDs like RAID 10, RAID 0+1 etc. "man diskutil" or DiskUtility is your friend.
Now you should have a new RAID-set. Let's check:
diskutil list
...
/dev/disk4
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS myNewRaidSet           *4.0 TB     disk4
Good. disk4 is the identifier of the RAID-set.
We now have to create a CoreStorage Logical Volume Group.
(CoreStorage is the new volume manager in Lion, which is the foundation for FileVault2.)
diskutil cs create myNewLvg disk4
(Replace "disk4" with the identifier of your AppleRAID set.)
We now should have a CoreStorage Logical Volume Group.
"diskutil cs list" will print it out:
iomp:~ io$ diskutil cs list
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 0CBCF265-CCC0-4564-90D2-30F5F3080FAB
    =========================================================
    Name:         myNewLvg
    Sequence:     1
    Free Space:   3999958884352 B (4.0 TB)
    |
    +-< Physical Volume 3C01045D-9391-4707-B0D8-5DC1551BF459
        ----------------------------------------------------
        Index:    0
        Disk:     disk4
        Status:   Online
        Size:     4000109887488 B (4.0 TB)
Excellent. We still don't have a volume that we can use; this is created in the next step:
diskutil cs createVolume 0CBCF265-CCC0-4564-90D2-30F5F3080FAB jhfs+ MyEncryptedRaid 100% -stdinpassphrase
The parameters in detail:
- The lengthy hex string must be the UUID of the logical volume group you've created in the previous step. See "myNewLvg" in the listing above.
- JHFS+ tells diskutil that we want a journaled HFS+ volume (which should be fine).
- 100% means - "use 100% of the logical volume group for this volume". You can create multiple smaller volumes if you fancy those.
- -stdinpassphrase will cause diskutil to ask for an encryption pass phrase.
"diskutil cs list" now shows the encrypted volume:
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 0CBCF265-CCC0-4564-90D2-30F5F3080FAB
    =========================================================
    Name:         myNewLvg
    Sequence:     2
    Free Space:   0 B (0 B)
    |
    +-< Physical Volume 3C01045D-9391-4707-B0D8-5DC1551BF459
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk4
    |   Status:   Online
    |   Size:     4000109887488 B (4.0 TB)
    |
    +-> Logical Volume Family B290CE10-87A6-4D75-AE3A-EF3ECF401635
        ----------------------------------------------------------
        Sequence:               2
        Encryption Status:      Unlocked
        Encryption Type:        AES-XTS
        Encryption Context:     Present
        Conversion Status:      NoConversion
        Has Encrypted Extents:  Yes
        Conversion Direction:   -none-
        |
        +-> Logical Volume 948377BF-5F9B-47A1-A6D5-E98472F32072
            ---------------------------------------------------
            Disk:                  disk5
            Status:                Online
            Sequence:              2
            Size (Total):          3999958884352 B (4.0 TB)
            Size (Converted):      -none-
            Revertible:            No
            LV Name:               tm4cc
            Volume Name:           tm4cc
            Content Hint:          Apple_HFS
There you have it, an encrypted RAID-set.
Point TimeMachine to the new location and that's it.
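Two things in the procedure above are easy to get wrong by hand: the logical volume group UUID has to be copied from "diskutil cs list" into the createVolume command, and the final listing is the only place that confirms the new volume family really reports AES-XTS encryption. The following POSIX sh helpers are an added example, not code from the original post: they parse the text that "diskutil cs list" prints and only print the createVolume command rather than running it. The function names and SAMPLE_CS_LIST (constructed from the listing above) are assumptions; on a real Lion machine you would feed the functions with "diskutil cs list | lvg_uuid_by_name myNewLvg" instead of the sample.

```shell
#!/bin/sh
# Added example: pull CoreStorage identifiers out of `diskutil cs list` text
# and verify that the resulting volume family is AES-XTS encrypted.
# SAMPLE_CS_LIST is constructed from the listing in the post; on a real
# machine pipe the live command output into the functions instead.

SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 0CBCF265-CCC0-4564-90D2-30F5F3080FAB
    =========================================================
    Name:         myNewLvg
    Sequence:     2
    Free Space:   0 B (0 B)
    |
    +-< Physical Volume 3C01045D-9391-4707-B0D8-5DC1551BF459
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk4
    |   Status:   Online
    |   Size:     4000109887488 B (4.0 TB)
    |
    +-> Logical Volume Family B290CE10-87A6-4D75-AE3A-EF3ECF401635
        ----------------------------------------------------------
        Sequence:               2
        Encryption Status:      Unlocked
        Encryption Type:        AES-XTS
        Has Encrypted Extents:  Yes
        |
        +-> Logical Volume 948377BF-5F9B-47A1-A6D5-E98472F32072
            ---------------------------------------------------
            Disk:                  disk5
            Status:                Online
            LV Name:               tm4cc
            Volume Name:           tm4cc
            Content Hint:          Apple_HFS'

# lvg_uuid_by_name NAME: read `diskutil cs list` text on stdin and print the
# UUID of the Logical Volume Group whose "Name:" line equals NAME. Prints
# nothing when no group of that name exists.
lvg_uuid_by_name() {
    awk -v want="$1" '
        /Logical Volume Group / { uuid = $NF }
        /^[ |]*Name:/ && $NF == want { print uuid; exit }
    '
}

# encryption_type: print the "Encryption Type:" of the first logical volume
# family (AES-XTS for a volume created with a passphrase), or "none" when the
# listing contains no volume family at all.
encryption_type() {
    awk '
        /Encryption Type:/ { print $NF; found = 1; exit }
        END { if (!found) print "none" }
    '
}

# lv_disk_for_name NAME: print the disk identifier (e.g. disk5) of the
# logical volume whose "LV Name:" equals NAME; that is the device to point
# TimeMachine at.
lv_disk_for_name() {
    awk -v want="$1" '
        /^[ |]*Disk:/ { disk = $NF }
        /LV Name:/ && $NF == want { print disk; exit }
    '
}

# createvolume_cmd LVGNAME VOLNAME: print (do not run) the createVolume
# command from the post for the group named LVGNAME, so the UUID is never
# copied by hand. Fails when the group is not found.
createvolume_cmd() {
    uuid=$(lvg_uuid_by_name "$1")
    [ -n "$uuid" ] || { echo "no logical volume group named $1" >&2; return 1; }
    printf 'diskutil cs createVolume %s jhfs+ %s 100%% -stdinpassphrase\n' "$uuid" "$2"
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_CS_LIST" | createvolume_cmd myNewLvg MyEncryptedRaid
printf 'encryption type: %s\n' "$(printf '%s\n' "$SAMPLE_CS_LIST" | encryption_type)"
printf 'backup device:   %s\n' "$(printf '%s\n' "$SAMPLE_CS_LIST" | lv_disk_for_name tm4cc)"
```

The check to care about is encryption_type: if it prints anything other than AES-XTS for the family that holds your TimeMachine volume, the data on the RAID is not encrypted, whatever the createVolume command reported.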
I haven't yet looked into details of FileVault2 (details are also very hard to come by at this time) so the whole exercise may be plain idiotic. For example I haven't tried whether I can restore from this volume (as the backup of 1,4Tb is still ongoing). I will update the post once I have tried this. You may want to wait for this ;-)
Thanks for these instructions. I tried this out on a test AppleRAID set that I created, and it looks like this step:
diskutil cs create myNewLvg disk4
Wipes out the data on the RAID volume. So, since my home directory is on a RAID, this means that if I want to encrypt it, I'll have to do a backup, encrypt, and restore.
Huge thanks for these! Since it's clearly possible to create CoreStorage volumes on AppleRAID contrary to the warning, then I cannot believe Apple took the time to add an AppleRAID specific error instead of simply supporting them within the convert command, and a large portion of Mac Pro users are going to have such volumes!
Anyway, I've done the same as described; encrypted my Time Machine RAID (two external drives), and all seems to be working as expected, now I just need to wait for the 16 hour initial backup to finish…
One thing I find interesting is that while there is an unlock command to mount an encrypted core-storage volume there appears to be no way to properly unmount one, meaning that once it's unlocked it stays unlocked, even if the volume isn't mounted, so you can test your password by simply unmounting then re-mounting, you need to restart your computer. I'm going to investigate the extent of this, as it likely means that if you have a multiple user machine then simply logging in with another user will grant access to the mounted encrypted volume, which isn't very promising!
I just got a WD MyBook Thunderbolt Duo which I also wanted to encrypt. The same method can be applied here as well
Works great. Thank you for the excellent documentation.
I created a corestorage volume and tried to use it as a network drive. It didn't work. Now I want to get my hard drive back as it was. Disk Utility can't format it.
Can anyone help me getting my external hard drive back as one visible partition. In Finder I can see both partitions. But I'm not able to do anything with it from Disk Utility.