How to use Fire Vault 2 on all my external drives?

How do I encrypt all of my external drives?

How do I use the WIPE/ERASE feature if necessary?


Love my Lion! I call him Simba...

MacBook Pro, Mac OS X (10.7), Loaded 17"

Posted on Jul 22, 2011 9:37 PM

19 replies

Jul 25, 2011 11:44 AM in response to Darth Andersen

Well - it seems as if I "should" be able to do this, however, I may not have the skills or the nerves. I'm extremely happy with how the Encryption code in Lion worked seamlessly and flawlessly and I now have a full, encrypted main drive. My quest has been to encrypt all eight of my drives (seven external) - and frankly, I don't feel qualified enough to even follow those directions in the article. I tried the following in Terminal:


/dev/disk2


and received this response


Permission denied


Which pretty well tells me I'd be in over my head! For grins, I checked ownership and permissions on my Drive 2 and I'm listed as an okee dokie kinda guy, but Apple - well Apple can "tell your level of geekness" - of this I'm sure of!


You've been very helpful - and I appreciate it. FYI: On Saturday, I was able to locate an article on Fire Vault 2, and a description. Both are now gone from the Apple site. Initially, the description DID describe an encryption process for all your drives. Then there was something called "Wipe" (I think that's what it was called) that in an emergency, allowed for an easy wipe of all files - permanently. Nothing about that is up there any more. I wonder if Apple has received more questions about this and realized maybe they needed to re-do their description and capabilities? It seems now that "encryption" is only mentioned in "Disk Utility". Hmmm!


Bob

Jul 25, 2011 1:32 PM in response to Treble57

Well, the information you mention seems to be here: http://www.apple.com/macosx/whats-new/features.html#filevault2


FileVault is enabled by going to System Preferences -> Security & Privacy -> FileVault

But you're only able to do it for the main system drive.


You can encrypt any drive volume by entering the following command in Terminal.app


diskutil coreStorage convert disk_identifier -stdinpassphrase


You get the "disk_identifier" by doing a Get Info on the disk in question in Disk Utility.app


Also the disk must be formatted with the "GUID Partition Table" partition map scheme beforehand


Note that encryption can take a while. You can check the progress by entering the following into Terminal.app


diskutil coreStorage list


And checking "Conversion Status" for the chosen disk.

Jul 25, 2011 2:18 PM in response to Darth Andersen

Thank you!


I entered:


trevor:~ MacBookBobMBP$ diskutil coreStorage convert disk_3 -stdinpassphrase

Could not find disk for disk_3


the part "trevor:~ MacBookBobMBP$" was already there


I verified that the drive is GUID.


Name : WD

Type : Disk


Partition Map Scheme : GUID Partition Table

Disk Identifier : disk3

Media Name : WD My Book Media

Media Type : Generic

Connection Bus : FireWire

Connection ID : 40718854072194925

Device Tree : IODeviceTree:/PCI0@0/RP03@1C,2/FRWR@0/node@90a99500a2576d/sbp-2@c000

Writable : Yes

Ejectable : Yes

Location : External

Total Capacity : 4 TB (4,000,781,090,816 Bytes)

Disk Number : 3

Partition Number : 0

S.M.A.R.T. Status : Not Supported



So - what am I missing here?


😀

Jul 25, 2011 4:34 PM in response to Darth Andersen

Now we're getting somewhere!


So, after I enter the string: diskutil coreStorage convert disk3s2 -stdinpassphrase


I get: New passphrase for converted volume:


I want to put the passcode that was generated when I encrypted my primary hard drive. I don't seem to be able to copy that and paste it into terminal. I'm not even sure that will work. What does someone normally put there?


Thanks a million!


Bob

Jul 25, 2011 11:50 PM in response to Treble57

You just paste in your passcode at the "New passphrase for converted volume:" and press enter. It'll appear as if you've done nothing but this is standard terminal behavior when asking for secure input. When you press enter it should go about its business along the lines of:


Started CoreStorage operation on disk3s2 Untitled

Resizing disk to fit Core Storage headers

[ - 0%..10%.............................................. ]


...and so forth.


You could alternatively use the "-passphrase" option and specify the passphrase on the command line in which case the full command becomes


diskutil coreStorage convert disk3s2 -passphrase mynotsosecretpassphrase


But having your passphrase in the clear like this (even momentarily) is considered highly insecure
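
The exposure described in the reply above can be checked after the fact. The following is an added example, not part of the original thread: a shell function that scans shell history for `diskutil` commands where a literal follows `-passphrase`, and reports them with the secret redacted. The sample history is constructed, and `find_cleartext_passphrases` is a hypothetical name.

```shell
#!/bin/sh
# Constructed sample history (not from a real machine). Line 3 reuses the
# placeholder passphrase from the post above.
sample_history() {
cat <<'EOF'
diskutil coreStorage list
diskutil coreStorage convert disk3s2 -stdinpassphrase
diskutil coreStorage convert disk3s2 -passphrase mynotsosecretpassphrase
diskutil cs convert disk5s2 -passphrase
diskutil cs convert disk4s2 -passphrase "constructed phrase"
ls -la
EOF
}

# Reads history lines on stdin. For every diskutil command where a token
# follows -passphrase, prints "line N: <command up to the flag> [REDACTED]".
# Everything after the flag is dropped, so a quoted multi-word passphrase
# is never echoed back, not even partially.
find_cleartext_passphrases() {
  awk '
    $1 == "diskutil" {
      for (i = 2; i < NF; i++) {
        if ($i == "-passphrase") {
          out = $1
          for (j = 2; j <= i; j++) out = out " " $j
          print "line " NR ": " out " [REDACTED]"
          break
        }
      }
    }
  '
}

# Typical use on a real history file:
#   find_cleartext_passphrases < ~/.bash_history
sample_history | find_cleartext_passphrases
```

Line 4 of the sample is not reported because no literal follows the flag there. A hit means that passphrase should be treated as disclosed and the history entry removed.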

Jul 27, 2011 8:39 AM in response to Darth Andersen

Well, for better or worse, I'm attempting this right now. A few notes / questions:


- First I typed the string : diskutil coreStorage convert disk3s2 -stdinpassphrase

- The response was: New passphrase for converted volume:

- I entered the pass phrase that was produced when I encrypted my main hard drive. I included the dashes. It looked similar to this: JHWX-17HG- etc. I hope this was the correct way to do this?

- Assuming all goes well, the drive should encrypt and decrypt on the fly just as my primary drive does and if I've logged into my account correctly - Yes?

- If someone takes the external drive and plugs it into any other computer - is it all gibberish or what? And this can't be cracked?

- What command do I type in to see the progress. I've tried: diskutil coreStorage list but I get a list of the drive(s) and a message that one of them is currently "converting" but no percentage done, etc.

- I should be able to go about my normal daily routines without messing this up - correct?

- I should keep the terminal app open - Yes?


Such amazing help! Thank you so much!


Bob 😀

Jul 27, 2011 1:15 PM in response to Treble57

The passphrase can and should be something completely arbitrary. But it is absolutely imperative that you keep a record of it because it is the only way to decrypt your drive. When you disconnect your newly encrypted disk and then reconnect it you will be prompted for the decryption passphrase and be given the option of storing it in your keychain. Obviously storing it in your keychain will allow the passphrase to be automatically supplied when you connect your disk in the future.


Should a third party get a hold of your disk they will not be able to read its contents without supplying the passphrase. I haven't tested but I assume it'll just go unrecognized on earlier Mac OS X systems.


You can monitor encryption progress by the command


diskutil coreStorage list


Look at it closely. You should be able to discern how many gigabytes are encrypted out of the total number of gigabytes for the given disk.


CoreStorage goes about its "magic" in the background. There's no need to keep the Terminal open. You can even work on the volume while it's encrypting. I believe you can even disconnect the disk and reconnect it later and encryption will resume where it left off. Don't hold me to that but I believe that's what happened when I tried it on a USB stick.
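
The progress check described in the replies above ("Conversion Status", converted gigabytes out of total) can be reduced to a percentage. This is an added example, not part of the original thread: it parses `diskutil coreStorage list` text from a constructed sample. Only "Conversion Status" is named on this page; the tree layout and the "Size (Total)" / "Size (Converted)" field names are assumptions about Lion-era output, and `cs_progress` is a hypothetical name.

```shell
#!/bin/sh
# Constructed sample, not captured from a real Mac; UUIDs are placeholders.
# Assumed layout: only "Conversion Status" is named in the thread itself.
sample_cs_list() {
cat <<'EOF'
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 00000000-0000-0000-0000-000000000001
    =========================================================
    Name:         WD
    |
    +-< Physical Volume 00000000-0000-0000-0000-000000000002
    |   ----------------------------------------------------
    |   Disk:     disk3s2
    |
    +-> Logical Volume Family 00000000-0000-0000-0000-000000000003
        ----------------------------------------------------------
        Conversion Status:       Converting
        |
        +-> Logical Volume 00000000-0000-0000-0000-000000000004
            ---------------------------------------------------
            Size (Total):          4000000000000 B (4.0 TB)
            Size (Converted):      1000000000000 B (1.0 TB)
EOF
}

# Reads `diskutil coreStorage list` text on stdin and prints one line per
# volume group: "<physical disk> <Conversion Status> <percent converted>".
cs_progress() {
  awk '
    function emit() {
      if (pv != "" && total > 0)
        printf "%s %s %d\n", pv, status, conv * 100 / total
      pv = ""; status = ""; total = 0; conv = 0
    }
    /Logical Volume Group/   { emit() }          # new group: flush the last one
    /Physical Volume/        { in_pv = 1 }
    /Logical Volume Family/  { in_pv = 0 }
    in_pv && /Disk:/         { pv = $NF }        # e.g. disk3s2
    /Conversion Status:/     { status = $NF }
    /Size \(Total\):/        { total = $3 }      # bytes
    /Size \(Converted\):/    { conv = $3 }       # bytes
    END                      { emit() }
  '
}

# On a Mac: diskutil coreStorage list | cs_progress
sample_cs_list | cs_progress
```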

Jul 28, 2011 8:10 AM in response to Darth Andersen

Darth - you have been amazingly helpful and I really appreciate all you've done! Thanks for taking the time to help me with this.


It seems to me that the Achilles heel in all of this is your log on password. It is nowhere near as complex as the pass-phrase for drives. As it stands at the moment, the password for logging in that I use is completely unknown to anyone, would not relate to me or family, and is (I believe) something that would not be guessed. I don't know how many attempts someone is given before you run out of tries, and I don't know what happens once you reach that point.


I encrypted because I have financial files that I don't want available. I also have photographs that I want to keep to myself. I'm not doing ****, drugs, or anything illegal - I just like the security of the whole thing. I'm anal about it...


Finally, I don't get why Apple just didn't make an interface for Fire Vault that would allow all of this without the Terminal use. Maybe they will sometime.


Thanks again!


Bob

Jul 29, 2011 1:36 AM in response to Treble57

Glad to hear it's working for you.


The weakest link in any chain of security is always going to be the least complex password. Bear in mind though that you can create a separate keychain with a separate password and store the FileVault passphrase(s) in there. For the truly paranoid you can even move the separate keychain to external media such as a usb memory stick and put that under your pillow when you go to sleep at night.


If you have stuff you would mind if somebody got a look at if they stole your hard drive then encryption is the way to go. Nobody should pass judgement on a practice that is just common sense.


The new FileVault 2 (like the keychain) is one of those wonderful "magic" Apple implementations that should just chug along in the background doing its thing and be completely invisible to the user. Perhaps that's the reason why it's only a checkbox in a few select interfaces. Who knows. I bet Apple does :-)


Let me just round off this thread by underlining that Apple's chosen nomenclature for disk drive encryption is "FileVault 2" and not fire vault. Just in case anybody was wondering.
