
Filevault 2 user home on secondary disk

Hi everyone,


I am rebuilding my Late 2012 Mac Mini Server - which I have modified to have a 256 GB SSD and one of the original 1TB mechanical disks.


My goal is that both disks will be encrypted with Filevault full disk encryption and my users home dir on the secondary disk. And as we all know this is pretty much an impossible task!


Currently, I have Mountain Lion installed to the SSD and Filevault active (working!), I have the secondary mechanical disk encrypted (using diskutil cs convert) and this is working great as well. However, as expected, moving my home dir to the secondary disk means the volume is not decrypted until after login, which means that the home dir is not available and login fails. This can, of course, be worked around by logging in as a user with their home dir on the boot device, and then logging out/in as my user with their home dir on the secondary. This is workable, but annoying...


I have done a lot of reading and research by trawling Google and these discussions and have come up with a number of possible solutions.


1. Convert the SSD+HDD to a fusion volume

2. Run the home dir on the SSD and symlink the larger directories (Pictures, Movies, etc) to the HDD

3. Run the home dir on the SSD and symlink the entire home dir to the HDD

4. Run the home dir on the HDD without encryption

5. Use the workaround documented here: http://hints.macworld.com/article.php?story=20110723223309186 (essentially, use LaunchDaemons to unlock the drive before login, storing the passphrase in a plist file in plaintext)

6. Use Jason Ridgewell's Unlock program (https://github.com/jridgewell/Unlock) to unlock the drive at boot, pulling the passphrase from the system keychain.

7. Hope that Mavericks fixes the issue!

8. 3rd Party encryption utility like TrueCrypt, PGP, etc.

9. Move the user's keychain to the SSD but keep the home dir on the HDD

10. Something else!

There is also Josh Kerr's article on Filevault with multiple drives (http://joshkerr.com/file-vault-with-multi-drives/) which basically says what I want to do, but doesn't mention a workaround - did I do something different which is why it doesn't work? I have contacted Josh, waiting on a response...

In the meantime, here are my thoughts on my options 1-9, would love to hear everyone else's thoughts/opinions/2 cents and how you solved the issue 🙂

1. I'm too much of a control freak to do this! I like to have a system drive, and a data drive - I always have, I like to know where my data is and I like to decide where the data should be. Also, I prefer to use clones to restore boot disks and backups to restore data. In this way, I can always replace the boot drive/reinstall etc, and my data need not be affected. Thus, at this stage, this is not really an option I'm considering.

2. This is an option, I have done similar things in the past, though not a neat solution, it would be workable, relatively safe, and usable across OS upgrades. In the event of rebuilding the boot device, one would just have to recreate the links. Downside might be if utilities follow links, and thus instead of removing the link, it removed the target - small risk I guess.

3. Probably wouldn't work as the keychain access would be unavailable still...(unless I'm mistaken)

4. Would defeat the purpose and goal! I would probably rather run with symlinks (#2) than this 😝

5. I'm not sure why, but I don't like the idea of having the passphrase in plain text on the disk. With the correct permissions, it shouldn't be readable unless you already have the username/password to the account, in which case with the passphrase in the keychain you already have access, but still... makes me slightly uncomfortable.. a possibility though. Would need to be taken into consideration during upgrades etc.

6. This is a nice solution, and a bit of ingenious thought. Relying on someone else's github code with regards to security (no offense to Jason!) is not something I'm always comfortable with. With a good code review to ensure nothing nefarious is going on, it could be a very workable solution. So far, a Google search hasn't shown any concerns with the code. It doesn't appear to have been updated recently, and some people say it works with ML, some say it didn't, and no mention of Mavericks.

7. Haven't seen any documentation or blogs to say anything - I doubt there has been a change though

8. FV2 is probably the most efficient and optimized for the CPU and OS, and I haven't seen anything else mentioned about TrueCrypt or PGP handling this specific use case

9. Not even sure if this is possible or would work? I think it unlikely it would work, as the home dir would still not be available?

10. Anything I've missed?!

So, I think the best is to use Unlock, after a good code review and test. Failing this symlink the bigger directories out?

The optimal solution would be to not use hacks and workarounds, as they would obviously be more robust and reliable at upgrade time. Unless you have the time and ability to bug trace etc, then you don't want to be relying on your hacks/workarounds to work after an upgrade, or waiting to see others who use your hacks/workarounds to upgrade first!

On a related note:

1. If the user keychain is required to get the passphrase to unlock the drive and login to make the home dir available, then how does logging in as another user who has their home dir on the boot drive, then switching users, make it work? This doesn't make sense to me, and would love an explanation!

2. I know that the login process is replaced, and that you actually boot off the recovery partition, provide username/pass which then unlocks the main boot drive, and so the option to use username/pass in system prefs has no effect once the boot drive is under filevault, but does anyone know of a way to make the system use username/pass instead of a list of usernames?

Thanks in advance! It seems that Apple really assume you won't ever have two separate drives or move your home dir away from the main drive... hopefully they fix this in the future, but I'm not holding my breath!

Mac mini, OS X Mountain Lion (10.8.5), Filevault

Posted on Mar 11, 2014 2:24 PM
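Options 5 and 6 above both come down to a LaunchDaemon that unlocks the CoreStorage volume before the login window appears. The script below is an added example, not code from the thread, from the macworld hint or from the Unlock project: it reads the passphrase from the System keychain (so nothing sits in a plaintext plist) and pipes it to `diskutil cs unlockVolume` via `-stdinpassphrase` rather than putting it on the command line. The keychain service name `cs-unlock`, the script name and the sample `diskutil cs list` output are assumptions made here; a LaunchDaemon with `RunAtLoad` running it as root is the intended caller.

```shell
#!/bin/sh
# Added example (not from the thread or the Unlock project): unlock a CoreStorage
# logical volume at boot with the passphrase held in the System keychain.
# One-time setup, as root (hypothetical service name "cs-unlock"):
#   security add-generic-password -s cs-unlock -a <LV UUID> -w '<passphrase>' \
#       /Library/Keychains/System.keychain
# Caveat: the System keychain is readable by root, so anyone who gains root on
# the booted system can recover the passphrase; this only avoids a plaintext file.
KEYCHAIN_SERVICE=cs-unlock
SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# Print "<LV UUID> <Status>" for the logical volume named $1, parsed from
# `diskutil cs list` text on stdin. Single-word LV names only.
lv_uuid_for_name() {
  awk -v want="$1" '
    NF >= 3 && $(NF-2) == "Logical" && $(NF-1) == "Volume" { uuid = $NF; status = "" }
    $1 == "Status:" { status = $2 }
    $1 == "LV" && $2 == "Name:" && uuid != "" && $3 == want { print uuid, status; exit }
  '
}

# Look up the LV, fetch its passphrase from the System keychain and hand it to
# diskutil on stdin; the passphrase never touches disk or the process arguments.
unlock_lv() {
  name=$1
  set -- $(diskutil cs list | lv_uuid_for_name "$name")
  [ -n "${1:-}" ] || { echo "no CoreStorage LV named '$name'" >&2; return 1; }
  [ "${2:-}" = "Locked" ] || { echo "$name is already unlocked"; return 0; }
  security find-generic-password -s "$KEYCHAIN_SERVICE" -a "$1" -w "$SYSTEM_KEYCHAIN" \
    | diskutil cs unlockVolume "$1" -stdinpassphrase
}

# Constructed, abridged sample of `diskutil cs list` output for offline testing.
SAMPLE_CS_LIST='+-- Logical Volume Group 0E4C1111-2222-3333-4444-555566667777
    Name:         Data
    Status:       Online
    |
    +-> Logical Volume Family 9E3F1111-2222-3333-4444-555566667777
        Encryption Status:       Locked
        |
        +-> Logical Volume 4A191111-2222-3333-4444-555566667777
            Status:                Locked
            LV Name:               Data'

# When run by launchd as e.g. "unlock-cs.sh Data", unlock that volume.
if [ "${1:-}" ]; then unlock_lv "$1"; fi
```

The parser deliberately ignores the "Logical Volume Group" and "Logical Volume Family" lines, so the UUID it returns is the one `unlockVolume` expects.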
