Friday, July 22, 2011

HOWTO create an encrypted TimeMachine Backup on an Apple software RAID using Lion FileVault2

My MacPro is filled with disks which implies that a single disk of the type "the biggest you can buy" is insufficient for my TimeMachine needs. So far I have been using an OSX software RAID for TimeMachine which worked rather well.
As I want to use 10.7 / Lion full disk encryption, the whole encryption is moot if the same data is stored as clear-text in TimeMachine.
Even before Lion it was possible to use encrypted sparse disk images (as TimeCapsule uses them) to encrypt TimeMachine but frankly I don't assume that a 4Gb disk image is adequate.

Lion allows you to specify that you want your backups to be encrypted, but in my case this was refused with a simple "not supported on raid".
Using diskutil I managed to get it work anyway.

WARNING This worked for me. Once. I think.
This procedure may trash your data or set your cat on fire. Proceed at your own risk.

This procedure will delete all data on the raid volume. I didn't care too much as this was TimeMachine history only.

In Terminal, dump the current disk layout for reference:
"diskutil list". In my case this looks like this:
/dev/disk0
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:      GUID_partition_scheme                        *256.1 GB   disk0
1:                        EFI                         209.7 MB   disk0s1
2:                  Apple_HFS SSD                     255.2 GB   disk0s2
3:                 Apple_Boot                         650.0 MB   disk0s5
/dev/disk1
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:      GUID_partition_scheme                        *2.0 TB     disk1
1:                        EFI                         209.7 MB   disk1s1
2:                 Apple_RAID                         2.0 TB     disk1s2
3:                 Apple_Boot Boot OS X               134.2 MB   disk1s3
/dev/disk2
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:      GUID_partition_scheme                        *2.0 TB     disk2
1:                        EFI                         209.7 MB   disk2s1
2:                 Apple_RAID                         2.0 TB     disk2s2
3:                 Apple_Boot Boot OS X               134.2 MB   disk2s3
....


Note that the RAID volumes in my case were disk1s2 and disk2s2.

What I did was to delete the RAID in DiskUtility and to re-create it. You may not have to do this. Note that even if you do not re-create the RAID, you will still loose all data on the RAID-set.


Step 1: Create a RAID set:
diskutil ar create stripe myNewRaidSet JHFS+  disk1s2 disk2s2

Replace disk1s2, disk2s2 with the list of the partitions you want to use for this RAID-set.
If you don't want a "stripe" RAID0 you can use other types:
o   "stripe" - Striped Volume (RAID 0)
o   "mirror" - Mirrored Volume (RAID 1)
o   "concat" - Concatenated Volume (Spanning)

All the usual Apple RAID options can be used, including stacked RAIDs like RAID 10, RAID 0+1 etc. "man diskutil" or DiskUtility is your friend.


Now you should have a new RAID-set. Let's check:
diskutil list
...
/dev/disk4
#:                       TYPE NAME                    SIZE       IDENTIFIER
0:                  Apple_HFS myNewRaidSet           *4.0 TB     disk4

Good. disk4 is the name of the Raid-set

We now have to create a CoreStorage Logical Volume Group.
CoreStorage is the new volume manager in Lion which is the foundation for FileVault2).

diskutil cs create myNewLvg disk4


(Replace "disk4" with the name of your AppleRaid)


We now should have a CoreStore Logical Volume Group.
"diskutil cs list" will print it out:
iomp:~ io$ diskutil cs list
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 0CBCF265-CCC0-4564-90D2-30F5F3080FAB
=========================================================
Name:         myNewLvg
Sequence:     1
Free Space:   3999958884352 B (4.0 TB)
|
+-< Physical Volume 3C01045D-9391-4707-B0D8-5DC1551BF459
----------------------------------------------------
Index:    0
Disk:     disk4
Status:   Online
Size:     4000109887488 B (4.0 TB)
Excellent. We still don't have a volume that we can use, this is created in the next step:
diskutil cs createVolume 0CBCF265-CCC0-4564-90D2-30F5F3080FAB jhfs+ MyEncryptedRaid 100% -stdinpassphrase
The parameters in details:
  • The lengthy hex string must be the UUID of the logical volume group you've created in the previous step. See above "myNewLvg"
  • JHFS+ tells disktuil that we want a journaled HFS+ volume (which should be fine)
  • 100% means - "use 100% of the logical volume group for this volume". You can create multiple smaller volumes if you fancy those.
  • -stdinpassphrase will cause diskutil to ask for an encryption pass phrase.
Make sure this is a decent (long, non-dictionary and complex) password and *DO NOT LOOSE IT*. If you loose this, your volume becomes noise. I have not quite understood the whole key recovery deal but that key appears to be stored nowhere except with you. So play it safe. After a few seconds, you should see the new volume mounted. Check the details via "diskutil cs list":
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 0CBCF265-CCC0-4564-90D2-30F5F3080FAB
=========================================================
Name:         myNewLvg
Sequence:     2
Free Space:   0 B (0 B)
|
+-< Physical Volume 3C01045D-9391-4707-B0D8-5DC1551BF459
|   ----------------------------------------------------
|   Index:    0
|   Disk:     disk4
|   Status:   Online
|   Size:     4000109887488 B (4.0 TB)
|
+-> Logical Volume Family B290CE10-87A6-4D75-AE3A-EF3ECF401635
----------------------------------------------------------
Sequence:               2
Encryption Status:      Unlocked
Encryption Type:        AES-XTS
Encryption Context:     Present
Conversion Status:      NoConversion
Has Encrypted Extents:  Yes
Conversion Direction:   -none-
|
+-> Logical Volume 948377BF-5F9B-47A1-A6D5-E98472F32072
---------------------------------------------------
Disk:               disk5
Status:             Online
Sequence:           2
Size (Total):       3999958884352 B (4.0 TB)
Size (Converted):   -none-
Revertible:         No
LV Name:            tm4cc
Volume Name:        tm4cc
Content Hint:       Apple_HFS


There your have it, an encrypted RAID-set.
Point TimeMachine to the new location and that's it.

I haven't yet looked into details of FileVault2 (details are also very hard to come by at this time) so the whole exercise may be plain idiotic. For example I haven't tried whether I can restore from this volume (as the backup of 1,4Tb is still ongoing). I will update the post once I have tried this. You may want to wait for this ;-)

5 comments:

  1. Thanks for these instructions. I tried this out on a test AppleRAID set that I created, and it looks like this step:

    diskutil cs create myNewLvg disk4

    Wipes out the data on the RAID volume. So, since my home directory is on a RAID, this means that if I want to encrypt it, I'll have to do a backup, encrypt, and restore.

    ReplyDelete
  2. Huge thanks for these! Since it's clearly possible to create CoreStorage volumes on AppleRAID contrary to the warning, then I cannot believe Apple took the time to add an AppleRAID specific error instead of simply supporting them within the convert command, and a large portion of Mac Pro users are going to have such volumes!

    Anyway, I've done the same as described; encrypted my Time Machine RAID (two external drives), and all seems to be working as expected, now I just need to wait for 16 hour initial backup to finish…

    One thing I find interesting is that while there is an unlock command to mount an encrypted core-storage volume there appears to be no-way to properly unmount one, meaning that once it's unlocked it stays unlocked, even if the volume isn't mounted, so you can test your password by simply unmounting then re-mounting, you need to restart your computer. I'm going to investigate the extend of this, as it likely means that if you have a multiple user machine then simply logging in with another user will grant access to the mounted encrypted volume, which isn't very promising!

    ReplyDelete
  3. I just got a WD MyBook Thunderbolt Duo which I also wanted to encrypt. The same method can be applied here as well

    ReplyDelete
  4. Works great. Thank you for the excellent documentation.

    ReplyDelete
  5. I created a corestorage volume and tried to use it as a network drive. It didn't work. Now I want to get my harddrive back as it was. Disk Utility can't format it.

    Can anyone help me getting my external hard drive back as one visible partition. In Finder I can see both partitions. But I'm not able to do anything with it from Disk Utility.

    ReplyDelete