Aug 17, 2013 2:34 PM (in response to ItIsJustMe)
In response to your post in the original thread, yes that certainly sounds complicated and fraught with peril. I may still want to go down that path but a quick question first in the interest of simplifying life. The four partitions currently there are GPT, OSX main, Recovery for OSX, and Bootcamp/Win8, correct? Can I just remove the OSX recovery drive? I assume if I have a problem and need to restore OSX I'd have to start over from external media then but I'm fine with that. Thoughts?
Aug 17, 2013 3:11 PM (in response to ItIsJustMe)
results of gpt -r -v show disk0
gpt show: disk0: mediasize=251000193024; sectorsize=512; blocks=490234752
gpt show: disk0: Suspicious MBR at sector 0
      start       size  index  contents
          0          1         MBR
          1          1         Pri GPT header
          2         32         Pri GPT table
         40     409600      1  GPT part - guid1
     409640  244795992      2  GPT part - guid3
  245205632    1269536      3  GPT part - guid3
  246475168  243759544      4  GPT part - guid4
  490234719         32         Sec GPT table
  490234751          1         Sec GPT header
and fdisk /dev/disk0...
Disk: /dev/disk0 geometry: 30515/255/63 [490234752 sectors]
 #: id  cyl  hd sec -  cyl  hd sec [     start -       size]
 1: EE 1023 254  63 - 1023 254  63 [         1 -     409639] <Unk ID>
 2: AC 1023 254  63 - 1023 254  63 [    409640 -  244795992] <Unk ID>
 3: AB 1023 254  63 - 1023 254  63 [ 245205632 -    1269536] Darwin Boot
*4: 07 1023 254  63 - 1023 254  63 [ 246475168 -  243759544] HPFS/QNX/AUX
Aug 17, 2013 4:02 PM (in response to ItIsJustMe)
GPT 2 is Core storage, presumably using Filevault 2, so GPT 3, Recovery HD is required and can't be deleted.
So after the obligatory backing up you need to do first, the next step after that is you need to resize this NTFS volume (GPT 4). What utility you use will determine which partition map will be correct, so you have to know these things or you'll experience data loss. Doing it in Windows will change the MBR, so the MBR will show the correct start and end LBA for the Windows partition, the GPT will not. Doing it in OS X will first require a utility that can resize NTFS like building NTFS-3G with Macports, and this will only update the GPT. The MBR will no longer be valid.
The other alternatives are to use a Linux Live CD/DVD that has NTFS-3G tools already built and installed, and use something like gparted to resize. Or buy a 3rd party utility like Camptune, iPartition, or WinClone.
You'll have to check Bitlocker documentation as to how big this unencrypted volume needs to be, and if it needs a unique partition type code, and what that is.
Aug 17, 2013 4:06 PM (in response to Christopher Murphy)
If you use a Linux Live CD/DVD and gparted that'll probably modify the GPT. The only way to be certain is to output the MBR and GPT before you start and then see which changes.
If you use the listed 3rd party (not free) products, they will correctly modify the GPT and MBR.
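Added example (not part of the original posts): a Python sketch of the before/after check suggested above, comparing the hybrid MBR's entries with the primary GPT so you can see which map a resize tool actually updated. The extents are the ones from the gpt/fdisk output earlier in the thread; sample_image(), the placeholder type GUID and the resized sector count are constructed for the demo.

```python
import struct
SECTOR = 512

def mbr_parts(img):
    """Non-empty MBR slots as (type, start_lba, sector_count)."""
    slots = [(img[o + 4], *struct.unpack_from("<II", img, o + 8)) for o in range(446, 510, 16)]
    return [s for s in slots if s[0]]

def gpt_parts(img):
    """Used primary-GPT entries as (first_lba, sector_count). CRCs are not checked."""
    if img[SECTOR:SECTOR + 8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    table_lba, n, size = struct.unpack_from("<QII", img, SECTOR + 72)
    out = []
    for i in range(n):
        off = table_lba * SECTOR + i * size
        if img[off:off + 16] != bytes(16):           # all-zero type GUID = unused slot
            first, last = struct.unpack_from("<QQ", img, off + 32)
            out.append((first, last - first + 1))
    return out

def mbr_gpt_mismatches(img):
    """MBR entries (other than the 0xEE protective one) with no identical GPT extent."""
    gpt = set(gpt_parts(img))
    return [p for p in mbr_parts(img) if p[0] != 0xEE and p[1:] not in gpt]

def sample_image(mbr, gpt):
    """Constructed first 34 sectors of a disk (MBR, GPT header, 128-entry table)."""
    img = bytearray(34 * SECTOR)
    for i, (ptype, start, count) in enumerate(mbr):
        img[446 + 16 * i + 4] = ptype
        struct.pack_into("<II", img, 446 + 16 * i + 8, start, count)
    img[510:512] = b"\x55\xaa"
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 128, 128)
    for i, (first, count) in enumerate(gpt):
        off = 2 * SECTOR + 128 * i
        img[off:off + 16] = b"\x01" * 16             # placeholder type GUID (constructed)
        struct.pack_into("<QQ", img, off + 32, first, first + count - 1)
    return bytes(img)

# Extents copied from the gpt and fdisk output posted earlier in the thread.
GPT = [(40, 409600), (409640, 244795992), (245205632, 1269536), (246475168, 243759544)]
MBR = [(0xEE, 1, 409639), (0xAC, 409640, 244795992), (0xAB, 245205632, 1269536), (0x07, 246475168, 243759544)]

if __name__ == "__main__":
    print(mbr_gpt_mismatches(sample_image(MBR, GPT)))       # maps agree
    resized = MBR[:3] + [(0x07, 246475168, 243000000)]      # constructed: MBR-only resize
    print(mbr_gpt_mismatches(sample_image(resized, GPT)))   # entry 4 no longer matches
```

Against a real disk, feed it a saved copy of the first 34 sectors taken before and after the resize rather than the constructed image.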
Aug 18, 2013 1:41 PM (in response to ItIsJustMe)
If you don't have really, really secret stuff or aren't an agent, then don't use these things; if your system crashes, you lose everything.
If you don't, you can always put the hd in an ext box and save your data.
Aug 18, 2013 2:38 PM (in response to Rudegar)
That's a fairly silly response. First of all I stated I'm on a rMBP, the "hd" is soldered to the board, there's no taking it out and putting in any "ext box" to save data. Secondly, the specifics of my situation aside, this is FUD against encrypting data. If you are worried about a system crash (which we all should be) then you should be recommending proper backup processes instead; after all, that crash could be the drive itself and then what are you planning to do to save your data? Laptop loss or theft is a very real concern and I'd rather my personal and corporate information (possibly extending to client data) not be exposed to some ne'er-do-well who has suddenly gained access to my system. Preaching proper backup policies would be doing people a better service than scaring them from encryption.
Aug 18, 2013 3:03 PM (in response to Christopher Murphy)
Thanks for all the feedback. Given the complexity of pulling this off, lack of assurances of future compatibility and stability, and that I plan to update to both Mavericks and Win8.1 in the next couple months, I've decided not to attempt this.
For future folks who are interested in doing something similar I'll archive a bit of my research here. My goal was to have dual booting with OSX and Windows (bootcamp) as well as VM support via Parallels against the bootcamp install of Windows and have both OSes encrypted. The Parallels aspect only becomes a complication for one approach (more on that in a moment) but it appears that given current technology this is not possible without hacks and even that appears to be a bit iffy. Here are the approaches I looked into:
FileVault2: this is installed and working on the OSX partition, it does occupy a partition as the recovery partition is then mandatory, more on that below.
Bitlocker: I was able to bypass the TPM requirement (this is well documented elsewhere, Google it) but with FileVault2 in place I could not provide enough partitions to use Bitlocker on the bootcamp system drive for Windows. Christopher has provided theoretical guidance above but this appears difficult and fraught with upgrade risk. If you did not need FileVault2 it appears that you could remove the recovery drive partition and then Bitlocker just on the Win/bootcamp side would be possible. I did not test that though as I want FileVault2 as well.
TrueCrypt: I looked into this next but it appears this has problems with the OSX GPT and not having enough space prior to the table to install required boot process code. In other words not currently supported for OSX with bootcamp. http://apple.stackexchange.com/questions/94135/bootcamp-and-macbook-pro-and-truecrypt
Symantec PGP Drive Encryption: this appears to be a possibility if I were not trying to run the bootcamp install as a "VM" in parallels. Big warning though, Symantec's own documentation contradicts itself as to whether whole drive encryption is possible with bootcamp. The latest guide states both that it IS and IS NOT possible. I found a statement from a Symantec support tech stating that it IS but the post was incoherent and seemed to be regurgitating some KB article without any real understanding of the underlying tech. This wasn't a valid solution for me but if you decide to pursue I would get confirmation from someone knowledgeable at Symantec first. http://www.symantec.com/connect/forums/justification-needed-how-does-pgp-wde-ensure-security-apple-boot-camp
What I've decided to do is remove bootcamp. Since setting it up and immediately installing Parallels I've never hit bootcamp direct again and really never plan to as the performance of Parallels has always been great for me. I always access it as a Parallels VM within OSX. I'll be importing to a Parallels VHD and relying on the fact that FileVault2 will be encrypting the VHD within my OSX partition as my strategy. I may be back for advice on how to clean up the bootcamp partition and reclaim the space soon.
Thank you Christopher and I hope my research is beneficial to someone else down the line.
Aug 18, 2013 5:14 PM (in response to ItIsJustMe)
Another option is to convert the disk to MBR only. This has two consequences: the disk can't be larger than 2.2TB or remaining space won't be usable; firmware updates won't be possible as the EFI System partition is needed to stage firmware updates. Otherwise, OS X can boot from MBR only disks. Such a disk would have OS X on the first partition and Recovery HD on the 2nd partition, leaving two primary partitions for other OS's. You could boot OS X off a different disk that uses GPT and has an EFI System partition, should you need to apply firmware updates down the road.
This is probably the most reliable and least invasive option, short of figuring out how to get Windows 8 to install on a Mac in EFI mode (obviating Boot Camp Assistant, the CSM, and the need for a hybrid MBR).
As for getting spare disk space into an encrypted FileVault volume, this is tricky. I'm pretty sure officially, you're supposed to disable FileVault 2, wait for it to fully decrypt the OS X volume, resize it to consume all space, then re-enable FileVault 2. This obviously will take some time. There is a way to add the unneeded partition as a Core Storage Physical Volume to the existing Logical Volume Group used for the FileVault 2 OS X volume. And then grow the Logical Volume (on which OS X resides). It may sound a little screwy, but this sort of thing has been done on Linux with LVM for around 15 years. Two partitions are added to a volume group, and a single logical volume is created from the volume group. So it looks and behaves like a single volume even though it's made from two partitions (it would work this way if it were made from two disks, which is how fusion drives are created). The encryption is applied because a logical volume family (LVF) with an encryption attribute is attached to the Logical Volume.
I don't yet know of a GUI way of doing any of this, however, only by using the diskutil coreStorage commands.
Aug 26, 2013 12:57 AM (in response to Christopher Murphy)
OK, I've converted bootcamp to a parallels vhd so I'm ready to dump bootcamp altogether and reclaim the space for OSX. Now that I've gone through the pain of all this reconfig I'd like to get to as supported a state as possible (read "minimal hacks"). Is the best path there then to delete the bootcamp partition, remove filevault, resize the primary partition to use all available space, then reinstate filevault? Will that allow the recovery partition to move or will I need to kill it and rebuild it as one of those steps? Would you mind chiming in on best practice and steps for me?
Thanks again, you're a wealth of knowledge!
Aug 26, 2013 4:42 PM (in response to ItIsJustMe)
The "easiest" method is the one done entirely in the GUI and is documented. It also takes a long time. Hours in each direction to decrypt, then encrypt again.
That version is to disable FileVault 2, then use Bootcamp Assistant to remove Windows which should also resize the OS X volume to its original full consumption of the disk (minus a few hundred MB), and then reenable FileVault 2.
I think it's equally acceptable to change the Windows partition into a CoreStorage PV (physical volume) by adding it to the existing CoreStorage VG (volume group) and then growing the existing LV. Functionally it'll be the same result.
Aug 29, 2013 12:57 AM (in response to Christopher Murphy)
I disabled FV2, used the bootcamp assistant app to remove the bootcamp partition (that automatically resized the original partition), then reenabled FV2. This worked perfectly and only took 14 min to decrypt and 22 to reencrypt (fast machine with small SSD, YMMV).