Dual-booting a FileVault 2-encrypted Mac mini

I'm reading around and getting confused as to whether it's possible to dual-boot OS X and Windows on a single SSD, where the OS X partition is FileVault 2-encrypted.


I'm currently booted into OS X on my 500GB HDD (see sig). At the moment my SSD drive has three partitions: EFI; Recovery HD; and an empty, unencrypted partition intended for OS X. My plan is to use Disk Utility to manually format the empty partition as HFS Encrypted, and then clone my current install of OS X onto it. This works and is Apple-supported. I would then use Boot Camp Assistant to create a Boot Camp partition on the SSD.


However, I read that:

If you plan to use Boot Camp, be sure to turn FileVault 2 off when you use Boot Camp Assistant to partition and install Windows. Once Windows is functional, you can turn FileVault 2 back on.

(http://macs.about.com/od/LionTipsNtricks/ss/Filevault-2-Using-Disk-Encryption-With-Os-X-Lion.htm - sorry, my link creator won't work!)


But that's for Lion. And then I read:

Microsoft Windows and third-party FDE solutions for Windows don’t have the capability to interpret and utilize a volume managed under CoreStorage. This prevents the use of Boot Camp and Windows on an OS X system using FileVault 2 FDE technology.

(http://training.apple.com/pdf/WP_FileVault2.pdf)


Does anyone know any more than I do? There's one thing I know for sure: cloning my OS to the SSD and then turning on FileVault is a no-no, because it mucks up wear-levelling, as does turning FileVault off and on again as suggested in the first link.


Help?

Mac mini (Mid 2011), OS X Mountain Lion (10.8.2), 256GB SSD, 500GB HDD, 8GB RAM

Posted on Mar 8, 2013 10:02 AM


Mar 8, 2013 10:46 AM in response to Scotch_Brawth

1. I'd like a URL for the recipe to make this happen: use Disk Utility to manually format the empty partition as HFS Encrypted, and then clone my current install of OS X onto it. This works and is Apple-supported.


I just don't see how this works. FileVault 2 is a specific kind of Core Storage encryption that uses a reversible conversion. When enabled, it modifies Recovery HD to act as an unencrypted boot volume. That minimal boot system prompts you for a user login. It uses that password to decrypt the key used to encrypt your OS X volume, and then it resumes the boot process from the (unlocked) encrypted volume.


When you do what you propose, it is not a FileVault 2 volume. It's a different encryption method that's not reversible, and I don't see how the Recovery HD boot becomes aware of the encrypted volume (the clone) it needs to complete booting from. I've never seen a guide for making this work.


2. Yes it's possible to end up with Windows and OS X on the same disk, with OS X using FileVault 2. But I don't see how it's possible the way you've described it, because an encrypted volume is not resizable. You're asking how to resize that encrypted clone. It's not possible.


No matter what, you're going to have a non-standard layout, because Apple has chosen an ill-conceived one. EFI System partition is, and should be, the first partition. Recovery HD should be, but isn't, the 2nd. They put Recovery HD in between OS X and Windows, which is just completely ridiculous and causes all sorts of subsequent problems. And makes this a lot more difficult because now you have to decide what sort of layout you go with, and the instructions for doing so are completely different among them.


The prescribed procedure to get where you want, is to clone to the unencrypted partition, resize with Boot Camp Assistant, and then you can (in either order) install Windows and enable FileVault 2. Yes, that is the conversion method of encrypting, which takes a while (not too bad for an SSD, maybe 30 minutes), and probably does increase wear on the SSD unless Apple has some sort of SSD optimization to not encrypt unallocated sectors and instead issues TRIM commands for them.
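
The unlock step described in the reply above (the login password decrypts the key that encrypts the volume), as an added example that is not part of the original post and not Apple's implementation: a simplified Python model of password-based key wrapping. The user names, passwords, iteration count and the XOR-plus-HMAC wrap (a stand-in for a real key-wrap cipher) are assumptions; it goes one step beyond the post by showing a second user and a password change that leaves the volume key untouched.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed work factor, not a FileVault parameter

def _derive(password: str, salt: bytes):
    """Stretch a login password into a 32-byte wrapping key and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def _tag(mac_key: bytes, salt: bytes, wrapped: bytes) -> bytes:
    return hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()

def wrap_volume_key(volume_key: bytes, password: str) -> dict:
    """Build one per-user record protecting the volume key under that user's password."""
    if len(volume_key) != 32:
        raise ValueError("volume key must be 32 bytes")
    salt = os.urandom(16)  # fresh salt, so the derived wrapping key is used once
    enc_key, mac_key = _derive(password, salt)
    # Stand-in for a real key-wrap cipher: XOR with the single-use key, then MAC.
    wrapped = bytes(a ^ b for a, b in zip(volume_key, enc_key))
    return {"salt": salt, "wrapped": wrapped, "tag": _tag(mac_key, salt, wrapped)}

def unlock(record: dict, password: str) -> Optional[bytes]:
    """Return the volume key, or None when the password does not match the record."""
    enc_key, mac_key = _derive(password, record["salt"])
    if not hmac.compare_digest(_tag(mac_key, record["salt"], record["wrapped"]), record["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(record["wrapped"], enc_key))

def demo() -> dict:
    volume_key = os.urandom(32)  # encrypts the disk blocks; never stored unwrapped
    records = {"alice": wrap_volume_key(volume_key, "correct horse"),  # constructed users
               "bob": wrap_volume_key(volume_key, "battery staple")}   # and passwords
    results = {
        "alice_unlocks": unlock(records["alice"], "correct horse") == volume_key,
        "bob_unlocks": unlock(records["bob"], "battery staple") == volume_key,
        "wrong_password": unlock(records["alice"], "battery staple"),
    }
    # Password change: only Alice's small record is rewritten, the volume key stays.
    records["alice"] = wrap_volume_key(volume_key, "new passphrase")
    results["after_change"] = unlock(records["alice"], "new passphrase") == volume_key
    results["old_password"] = unlock(records["alice"], "correct horse")
    return results

if __name__ == "__main__":
    print(demo())
```
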

Mar 8, 2013 12:07 PM in response to Christopher Murphy

Thank you for replying, and so quickly! 🙂

1. I'd like a URL for the recipe to make this happen: use Disk Utility to manually format the empty partition as HFS Encrypted, and then clone my current install of OS X onto it. This works and is Apple-supported.

Here you go. He refers to the same Apple PDF as I did above. Go to page 29 (actual numbering) in Apple's PDF for their (admittedly brief) description of what I'm attempting.


It's possible there's a subtle step that I'm not describing, and actually wasn't aware may be crucial, and that's, "to manually format the empty partition as HFS Encrypted" from the Recovery HD of the device itself. That's how I did it when I encrypted my SSD, and though I don't get the proper icon and text as I should on boot (I get a question mark in a circle, with the text "Update required"), I'm nevertheless prompted for my partition's password, and it boots just fine. The icon and text appear to be merely cosmetic flaws.


2. Yes it's possible to end up with Windows and OS X on the same disk, with OS X using FileVault 2. But I don't see how it's possible the way you've described it, because an encrypted volume is not resizable.

I suspected as much. That's why I wondered whether the best way to do this would be to use gdisk (or whatever's appropriate) and create the whole thing manually. That is:


1) create two partitions on the SSD first (other than the EFI and Recovery HD partitions, obviously)


2) then format one as HFS Encrypted, and clone my OS install to it


3) use gdisk to create the hybrid MBR around the appropriate partitions


4) install Windows 7


5) Profit!


I'm only guessing at the sequence of events, here. I wouldn't be surprised if (3) has to come first, or if there's an additional step or ten in there somewhere.


Just so you know, my current SSD partition layout is as follows (from diskutil list):

1:                        EFI                         
2:                  Apple_HFS Macintosh HD           
3:                 Apple_Boot Recovery HD 

Partition 2 is just bog-standard Journaled HFS, and I'm using the GUID partition scheme.


Does this help?

Mar 8, 2013 3:14 PM in response to Scotch_Brawth

I understand the goal. I don't understand the steps. I've created an encrypted HFSJ volume while booted from the Recovery HD of the device itself. Then booted from install media, had to use Disk Utility there to unlock the encrypted volume, and installed OS X to it. When I rebooted, I get a flashing question. I can boot off Recovery HD, and I get the recovery HD menu of options, but I can't boot off the encrypted volume at all. That was with Lion older than 10.7.4 however. So possibly something's different now.


As far as I know, dmcrypt/LUKS only works as you describe. The login user/password has nothing to do with volume encryption. And only relatively recently is there an option, not enabled by default, supporting TRIM passthrough from the (encrypted) logical block device to the actual physical device.


The cited PDF from Apple doesn't contain the term TRIM anywhere in the document. Regardless of how you configure FDE with OS X, without testing it's unclear if Core Storage passes through TRIM. I suspect at least with the build of 10.8.2 paired with recent Macs (and 10.8.3) that it does, in order to support TRIM for the SSD component of a "fusion" drive.

Mar 12, 2013 6:40 AM in response to Christopher Murphy

That was with Lion older than 10.7.4 however. So possibly something's different now.

All I can suggest is that this must be the deciding factor. I've just created the encrypted OS X partition following my method, and can boot from it fine.


I've decided to sidestep the whole problem by leaving my Boot Camp partition on the HDD instead of creating a new one on the SSD, and simply creating a data partition on the SSD from which my Boot Camp can access those things I really want to be sped up. I really should have thought of that in the first place 🙂


Thanks for your help.


S.
