Partition Strategy for Bitlocker

Question

Level 1

25 points

Partition Strategy for Bitlocker

This conversation was started over here: https://discussions.apple.com/thread/4144252?answerId=22752994022#22752994022.

I run bootcamp and Parallels (the latter using the bootcamp installation as the guest OS) on a 15" rMBP with 256GB SSD. I use Win8 as the guest OS and Mountain Lion on the host. I have been trying to enable bitlocker in the guest OS and when I attempt to create another partition (required with bitlocker on a system drive) using the Win8 command:

BdeHdCfg.exe -target c: shrink -newdriveletter x: -size 1500 -quiet –restart

I receive the error:

Disk already has the maximum number of primary and extended partitions. Use the

'-driveinfo' command for a list of valid target drives.

This of course is related to the issue originally noted in this thread about hybrid MBR as I already have all four allowed partitions. It looks like there may be a way around this using some of the techniques described in this thread however rather than creating another partition visible to OSX (which is what OP did) I want to create two partitions visible to Win8. Would someone be so kind as to walk through how I would accomplish that?

Thank you!

In hopes of increasing the Google-ability of this thread for future people with this issue, Bitlocker Drive Encryption returns the message "Bitlocker Setup could not find a target system drive. You may need to manually prepare your drive for Bitlocker." The Event Log contains the following errors in the Bitlocker-DrivePreparationTool log:

Error Code: 0xC0A00007

Error Text: BitLocker Setup could not find a target system drive. You may need to manually prepare your drive for BitLocker.

and

A volume failed to meet the requirements for a target volume.

Volume Name: \\?\GLOBALROOT\Device\HarddiskVolume4

Reason: The system drive cannot be used for the merge operation.

Posted on Aug 17, 2013 2:30 PM

Reply

Answer 1

ItIsJustMe Author

Level 1

25 points

Aug 17, 2013 2:34 PM in response to ItIsJustMe

@Christopher Murphy

In response to your post in the original thread, yes that certainly sounds complicated and fraught with peril. I may still want to go down that path but a quick question first in the interest of simplifying life. The four partitions currently there are GPT, OSX main, Recovery for OSX, and Bootcamp/Win8, correct? Can I just remove the OSX recovery drive? I assume if I have a problem and need to restore OSX I'd have to start over from external media then but I'm fine with that. Thoughts?

Reply

Answer 2

ItIsJustMe Author

Level 1

25 points

Aug 17, 2013 3:11 PM in response to ItIsJustMe

results of gpt -r -v show disk0

gpt show: disk0: mediasize=251000193024; sectorsize=512; blocks=490234752
gpt show: disk0: Suspicious MBR at sector 0
      start       size  index  contents
          0          1         MBR
          1          1         Pri GPT header
          2         32         Pri GPT table
         34          6         
         40     409600      1  GPT part - guid1
     409640  244795992      2  GPT part - guid3
  245205632    1269536      3  GPT part - guid3
  246475168  243759544      4  GPT part - guid4
  490234712          7         
  490234719         32         Sec GPT table
  490234751          1         Sec GPT header

guid1: C12A7328-F81F-11D2-BA4B-00A0C93EC93B

guid2: 53746F72-6167-11AA-AA11-00306543ECAC

guid3: 426F6F74-0000-11AA-AA11-00306543ECAC

guid4: EBD0A0A2-B9E5-4433-87C0-68B6B72699C7

and fdisk /dev/disk0...

Disk: /dev/disk0     geometry: 30515/255/63 [490234752 sectors]
Signature: 0xAA55
         Starting       Ending
 #: id  cyl  hd sec -  cyl  hd sec [     start -       size]
------------------------------------------------------------------------ 
 1: EE 1023 254  63 - 1023 254  63 [         1 -     409639] <Unk ID>
 2: AC 1023 254  63 - 1023 254  63 [    409640 -  244795992] <Unk ID>
 3: AB 1023 254  63 - 1023 254  63 [ 245205632 -    1269536] Darwin Boot 
*4: 07 1023 254  63 - 1023 254  63 [ 246475168 -  243759544] HPFS/QNX/AUX

Reply

Answer 3

Aug 17, 2013 4:02 PM in response to ItIsJustMe

GPT 2 is Core storage, presumably using Filevault 2, so GPT 3, Recovery HD is required and can't be deleted.

So after the obligatory backing up you need to do first, the next step after that is you need to resize this NTFS volume (GPT 4). What utility you use will determine which partition map will be corrects so you have to know these things or you'll experience data loss. Doing it in Windows will change the MBR, so the MBR will show the correct start and end LBA for the Windows partition, the GPT will not. Doing it in OS X will first require a utility that can resize NTFS like building NTFS-3G with Macports, and this will only update the GPT. The MBR will no longer be valid.

The other alternatives are to use a Linux Live CD/DVD that has NTFS-3G tools already built and installed, and use something like gparted to resize. Or buy a 3rd party utility like Camptune, iPartition, or WinClone.

You'll have to check Bitlocker documentation as to how big this unencrypted volume needs to be, and if it needs a unique partition type code, and what that is.

Reply

Answer 4

Aug 17, 2013 4:06 PM in response to Christopher Murphy

If you use a Linux Live CD/DVD and gparted that'll probably modify the GPT. The only way to be certain is to output the MBR and GPT before you start and then see which changes.

If you use the listed 3rd party (not free) products, they will correctly modify the GPT and MBR.

Reply

Answer 5

Rudegar

Level 10

170,652 points

Aug 18, 2013 1:41 PM in response to ItIsJustMe

If you dont have really really secret stuff or is an agent then dont use these things if your system crash you lose everything

If you dont you can always put the hd in a ext box and save your data

Reply

Answer 6

ItIsJustMe Author

Level 1

25 points

Aug 18, 2013 2:38 PM in response to Rudegar

@rugegar

That's a fairly silly response. First of all I stated I'm on a rMBP, the "hd" is soldered to the board, there's no taking it out and putting in any "ext box" to save data. Secondly, the specifics of my situation aside this is FUD against encrypting data. If you are worried about a systems crash (which we all should be) then you should be recommending for proper backup processes instead, after all that crash could be the drive itself and then what are you planning to do to save your data. Laptop loss or theft is a very real concern and I rather my personal and corporate information (possibly extending to client data) not be exposed to some ne'er-do-well who has suddenly gained access to my system. Preaching proper backup policies would be doing people a better service than scaring them from encryption.

</threadjack>

Reply

Answer 7

ItIsJustMe Author

Level 1

25 points

Aug 18, 2013 3:03 PM in response to Christopher Murphy

@Christopher Murphy

Thanks for all the feedback. Given the complexity of pulling this off, lack of assurances of future compatibilty and stability, and that I plan to update to both Mavericks and Win8.1 in the next couple months, I've decided not to attempt this.

For future folks who are interested in doing something similar I'll archive a bit of my research here. My goal was to have dual booting with OSX and Windows (bootcamp) as well as VM support via Parallels against the bootcamp install of Windows and have both OSes encrypted. The Parallels aspect only becomes a complication for one approach (more on that in a moment) but it appears that given current technology this is not possible without hacks and even that appears to be a bit iffy. Here are the approaches I looked into:

FileVault2: this is installed and working on the OSX partition, it does occupy a partition as the recovery partition is then manditory, more on that below.

Bitlocker: I was able to bypass the TPM requirement (this is well documented elsewhere, Google it) but with FileVault2 in place I could not provide enough partitions to use Bitlocker on the bootcamp system drive for Windows. Christopher has provided theoretical guidance above but this appears difficult and fraught with upgrade risk. If you did not need FileVault2 it appears that you could remove the recovery drive partition and then Bitlocker just on the Win/bootcamp side would be possible. I did not test that though as I want FileVault2 as well.

TrueCrypt: I looked into this next but it appears this has problems with the OSX GPT and not having enough space prior to the table to install required boot process code. In other words not currently supported for OSX with bootcamp. http://apple.stackexchange.com/questions/94135/bootcamp-and-macbook-pro-and-true crypt

Symantec PGP Drive Encryption: this appears to be a possibility if I were not trying to run the bootcamp install as a "VM" in parallels. Big warning though, Symantec's own documentation contridicts itself as whether whole drive encryption is possible with bootcamp. The latest guide states both that it IS and IS NOT possible. I found a statement from a Symantec support tech stating that it IS but the post was incoherent and seemed to be regurgitating some KB article without any real understanding of the underlying tech. This wasn't a valid solution for me but if you decide to pursue I would get confirmation from someone knowledgeable at Symantec first. http://www.symantec.com/connect/forums/justification-needed-how-does-pgp-wde-ens ure-security-apple-boot-camp

What I've decided to do is remove bootcamp. Since setting it up and immediately installing Parallels I've never hit bootcamp direct again and really never plan to as I the performance of Parallels has always been great for me. I always access it as a Parallels VM within OSX. I'll be importing to a Parallels VHD and relying on the fact that FileVault2 will be encrypting the VHD withing my OSX partition as my strategy. I may be back for advice on how to clean up the bootcamp partition and reclaim the space soon 🙂

Thank you Christopher and I hope my research is beneficial to someone else down the line.

Reply

Answer 8

Aug 18, 2013 5:14 PM in response to ItIsJustMe

Another option, is to convert the disk to MBR only. This has two consequences: the disk can't be larger than 2.2TB or remaining space won't be uable; firmware updates won't be possible as the EFI System partition is needed to stage firmware updates. Otherwise, OS X can boot from MBR only disks. Such a disk would have OS X on the first partition and Recovery HD on the 2nd partition, leaving two primary partitions for other OS's. You could boot OS X off an different disk that uses GPT and has an EFI System partition, should you need to apply firmware updates down the road.

This is probably the most reliable and lease invasive option, short of figuring out how to get Windows 8 to install on a Mac in EFI mode (obviating Boot Camp Assistant, the CSM, and the need for a hybrid MBR).

As for getting spare disk space into an encrypted FileVault volume, this is tricky. I'm pretty sure officially, you're supposed to disable FileVault 2, wait for it to fully decrypt the OS X volume, resize it to consume all space, then re-enable FileVault 2. This obviously will take some time. There is a way to add the unneeded partition as a Core Storage Physical Volume to the existing Logical Volume Group used for the FileVault 2 OS X volume. And then grow the Logical Volume (on which OS X resides). It may sound a little screwy, but this sort of thing has been done on Linux with LVM for around 15 years. Two partitions are added to a volume group, and a single logical volume is created from the volume group. So it looks and behaves like a single volume even though it's made from two partitions (it would work this way if it were made from two disks, which is how fusion drives are created). The encryption is applied because a logical volume family (LVF) with an encryption attribute is attached to the Logical Volume.

I don't yet know of a GUI way of doing any of this, however, only by using the diskutil coreStorage commands.

Reply

Answer 9

ItIsJustMe Author

Level 1

25 points

Aug 26, 2013 12:57 AM in response to Christopher Murphy

@Christopher Murphy

OK, I've converted bootcamp to a parallels vhd so I'm ready to dump bootcamp altogether and reclaim the space for OSX. Now that I've gone through the pain of all this reconfig I'd like to get to as supported a state as possible (read "minimal hacks" 🙂 ). If the best path there then to delete the bootcamp partition, remove filevault, resize the primary partition to use all available space, then reinstate filevault? Will that allow the recovery partition to move or will I need to kill it and rebuild it as one of those steps? Would you mind chiming on best practice and steps for me?

Thanks again, you're a wealth of knowledge!

Reply

Answer 10

Aug 26, 2013 4:42 PM in response to ItIsJustMe

The "easist" method is the one done entirely in the GUI and is documented. It also takes a long time. Hours in each direction to decrypt, then encrypt again.

That version is to disable FileVaul2, then use Bootcamp Assistant to remove Windows which should also resize the OS X volume to its original full consumption of the disk (minus a few hundrew MB), and then reenable FileVault 2.

I think it's equally acceptable to change the Windows partition into a CoreStorage PV (physical volume) by adding it to the existing CoreStorage VG (volume group) and then growing the existing LV. Functionally it'll be the same result.

Reply

Answer 11

ItIsJustMe Author

Level 1

25 points

Aug 29, 2013 12:57 AM in response to Christopher Murphy

I disabled FV2, used the bootcamp assistant app to remove the bootcamp partition (that automatically resized the original partition), then reenabled FV2. This worked perfectly and only took 14 min to decrypt and 22 to reencrypt (fast machine with small SSD, YMMV).

Thanks Christopher!

Reply

Answer 12

Jun 14, 2014 1:30 PM in response to Christopher Murphy

I'm a relative novice with computers, but I somehow got Filevault 2 and Bitlocker running on Windows 8.1 in a Bootcamp partition. I enabled Filevault first and then Bitlocker using Windows 8.1 update 1. Everything seems to be working as far as I can tell. Windows seems to have been able to create a new partition for Bitlocker inside the allocated Bootcamp space? I'm not sure but hopefully this keeps running OK. The hospital at which I work requires full disk encryption so I needed both sides encrypted. Any idea how this worked?

Reply

Answer 13

Jun 14, 2014 8:57 PM in response to Scott98981

Not sure. You could try posting the result from the following read only commands:

sudo fdisk /dev/disk0

sudo gpt -r -v show /dev/disk0

And if you have gdisk installed:

sudo gdisk -l /dev/disk0

It's actually possible that Microsoft is using logical partitions or dynamic disks or something to support this arranagement. In any case you'd definitely not want to make any changes, and the problem with that is that the OS X Disk Utility when clicked on a whole disk device (not just an OS X volume but the drive itself) and you ask it to repair the the disk, it will very likely totally hose this setup. If Windows is using dynamic disks or logical partitions then there's a good chance neither gpt nor fdisk will reveal them, it might even produce a bogus error message. I'm pretty sure gdisk understands MBR primary and logical partitions, but may not display them by default. You might have run the program:

sudo gdisk /dev/disk0 ## assuming the disk in question is disk0

Then in interactive mode you need to get to the expert menu with x. Then to display the MBR use o and to display the GPT use p. And then q to quit without having made changes or control-c.

Reply

Answer 14

Jun 15, 2014 11:05 AM in response to Christopher Murphy

Thanks for your quick response. It's interesting to learn about drive structure. I don't have gdisk installed but this is what fdisk showed in terminal. It's interesting that OS X only sees 4 partitions and windows sees 5. That makes sense what you wrote about not using disk repair. I imagine this setup would make things difficult for an OS X upgrade. If this is untstable I may have to use a VM instead of bootcamp, but my machine is a 4GB i5 2014 Macbook air so I was trying to avoid a VM. Thanks again.

Disk: /dev/disk0 geometry: 14751/255/63 [236978176 sectors]

Signature: 0xAA55

Starting Ending

#: id cyl hd sec - cyl hd sec [ start - size]

------------------------------------------------------------------------

1: EE 1023 254 63 - 1023 254 63 [ 1 - 236978175] <Unknown ID>

2: 00 0 0 0 - 0 0 0 [ 0 - 0] unused

3: 00 0 0 0 - 0 0 0 [ 0 - 0] unused

4: 00 0 0 0 - 0 0 0 [ 0 - 0] unused

sorry about the poor pasting job, I kept getting errors unless I pasted in plain text

Reply

Answer 15

Jun 15, 2014 12:48 PM in response to Christopher Murphy

Here is some possibly helpful information from diskutil:

/dev/disk0

#: TYPE NAME SIZE IDENTIFIER

0: GUID_partition_scheme *121.3 GB disk0

1: EFI EFI 209.7 MB disk0s1

2: Apple_CoreStorage 80.0 GB disk0s2

3: Apple_Boot Recovery HD 650.0 MB disk0s3

4: Microsoft Basic Data 40.0 GB disk0s4

5: DE94BBA4-06D1-4D40-A16A-BFD50179D6AC 471.9 MB disk0s5

/dev/disk1

#: TYPE NAME SIZE IDENTIFIER

0: Apple_HFS Macintosh HD *79.7 GB disk1

I think the partition 5 is the Bitlocker partition used to store the encryption information.

Reply