
Cloning a FileVault 2 boot device with Disk Utility.

I have an iMac desktop and a MacBook laptop. I use the second one when travelling (which happens fairly often). At any time, only one or the other of the two Macs is current and in use, but not both.

Until recently, I was using FileVault 1 to protect confidential data in the two user accounts.

Before any travel and after it, I boot the Mac in use on a USB key that contains the current installation kit. I use the Disk Utility on the USB key to clone the system disk onto an external one (which also gives me a useful bootable system backup). Then I boot the other Mac on the USB key to clone the external backup onto its (the second Mac's) internal hard drive. Then I only have to rename the system (strictly speaking, this isn't even necessary) and reload one or two licenses to have my current system available and ready on the second Mac.

Recently, just before upgrading from Mountain Lion to Mavericks, I disabled FileVault 1, in order to encrypt the disk with FileVault 2 after the upgrade. The upgrade to 10.9.2 went well and I then activated FileVault 2. The internal hard drive was encrypted without any trouble and the resulting system ran OK.

So far, so good.

But, the first time after the upgrade when I had to transfer the system from the desktop to the laptop for yet another trip, I saw that Disk Utility (after unlocking the desktop boot drive) produced an unencrypted version of the system disk...

Not only was this highly unwanted (in case the external disk were stolen, it is unencrypted), but it also forced me to reactivate FileVault 2 on the laptop after transferring the current system to it. This took time and, what's even more undesirable, it defined a new, different encryption key, which I needed to store in place of the previous one, with a serious risk of confusion between various versions of the key.

I don't wish to have to manually encrypt my bootable backups: producing them is already time consuming enough. I don't even know if, after encryption, they'll still be bootable (a very highly desirable feature). And I don't wish to have to store a new version of the encryption key each time I have to switch from the desktop to the laptop or vice versa either.

So the question is: is there a way for Disk Utility to clone a FileVault 2 encrypted system disk while preserving its encryption (meaning: keeping the same passwords and encryption key to unlock the resulting encrypted device)?

Regards,
Denis MAILLARD.

Posted on Apr 21, 2014 1:56 AM

3 replies

Apr 24, 2014 4:30 AM in response to DenisMaillard

OK. While waiting for an answer, I did some tests. The results are comforting, but I'd like to know whether what I found to be working is actually supported or not by OS X engineering.

My first test was to try and obtain an encrypted, external and bootable clone of the internal FileVault encrypted system disk. I used the Disk Utility that is included in the installation kit on the USB key to obtain it. It worked, and here is how I did it:

- boot off the installation kit on the USB key.
- enter Disk Utility
- click on the intended target disk for the backup clone
- in the "Erase" tab, choose as format "Mac OS Extended (Journaled, Encrypted)" (note: I'm not sure of the exact English wording, as my Macs are using French)
- click the "Erase" button
- when prompted, define an encryption key and confirm it
- let the erasure take place
- once it is over, select the (greyed) internal encrypted system disk
- when an encrypted disk is selected, the grey "Mount" button in the tool bar clears and its name becomes "Unlock"; click on it
- when prompted, answer with an authorised user's password or the FileVault recovery key: the disk's name clears and it becomes available
- click the "Restore" tab
- move the recently erased disk to the target field
- click the "Restore" button and accept that this will erase the target disk

Once the restore is over, exit Disk Utility and then OS X Utilities. When asked to choose a boot device, choose the newly created external clone as boot device and, when asked, give the encryption key you defined in the above steps to unlock it.

The Mac boots happily on the external encrypted disk and works as usual. Note that System Preferences will tell you that FileVault is activated and that a key has been defined, although, in order to boot, you must give the key that you've defined above rather than an authorised password or the encryption key defined by the system when FileVault was activated on the internal system disk.

So it is possible to create a usable, encrypted, bootable external clone of the FileVault encrypted internal system disk with Disk Utility.

Now, I went further and tried another test, namely, to restore this external encrypted clone on the internal system disk of the OTHER Mac.

First, you must remember that, as I previously obtained an unencrypted restore when I last moved my system from one Mac to the other, I had to reactivate FileVault on the second Mac, which means that the two Macs both had encrypted internal system disks, with identical authorised user's passwords, but DIFFERENT recovery keys...

Let's call them "Mac1" (the source for the first test above), encrypted with recovery key "KEY1", and "Mac2" (the target of the present, second, test), encrypted with recovery key "KEY2".

Here are the steps of the second test:

- boot Mac2 off the installation kit on the USB key.
- enter Disk Utility
- click on the internal system disk
- click the "Unlock" button
- when prompted, give an authorised user's password or the KEY2 recovery key to unlock it
- click on the external encrypted clone of the system disk of Mac1
- click the "Unlock" button
- when prompted, give its encryption key (defined during the first test)
- click the "Restore" tab
- move the internal system disk of Mac2 to the target field
- click the "Restore" button and accept that this will erase the target disk

Once the restore is over, exit Disk Utility and then OS X Utilities. When asked to choose a boot device, choose the newly created internal disk as boot device, reboot and, when asked, give an authorised user's password or the KEY2 recovery key.

The reboot goes on fine and the system disk is shown in System Preferences as encrypted with FileVault.

This means that I can transfer a FileVault encrypted system disk from one Mac to another through an external clone and keep the same authorised user's passwords. But two important remarks must be made:

- 1 The resulting disk on the target system will be FileVault encrypted if and only if the previous version of the system on that disk was already FileVault encrypted
- 2 While the passwords of the authorised users will remain the same, the recovery key on the target system will be the previous recovery key on this system disk and NOT the recovery key of the disk on the source system

Therefore, with this method, I'm condemned to have TWO DIFFERENT recovery keys. Each was generated on a Mac when FileVault was activated on it and cannot be transferred to the other Mac (at least, not using this method).

I'm also not sure of what would happen if I were to transfer a system disk from one Mac to another that does not have identical FileVault authorised users. I did not test it and don't intend to.

Now the big question is: is this method of cloning and transferring FileVault encrypted disks acknowledged and supported by OS X engineering? Or is there a risk that a future version will break it?

Regards,
Denis MAILLARD.
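The Terminal equivalent of the Disk Utility steps in the reply above, as an added example that is not part of the original post and was not written by the poster. It targets an OS X 10.9-era CoreStorage (FileVault 2) disk from the Recovery or installer Terminal: the "Erase ... (Journaled, Encrypted)" step becomes `diskutil eraseDisk` followed by `diskutil cs convert`, the "Unlock" button becomes `diskutil cs unlockVolume`, and Disk Utility's "Restore" is the block copy that `asr restore` performs. Everything else is an assumption made for illustration: the device identifiers (disk2, /dev/disk3, /dev/disk4), the volume name "Backup", the two LV UUIDs, the placeholder passphrases, and the expectation that `eraseDisk` leaves the new volume on partition slice s2. With DRY_RUN=1 (the default) the script only prints the commands it would run, so it can be read and checked on any machine; passphrases are fed on stdin rather than on the command line so they do not end up in shell history or `ps` output.

```shell
#!/bin/sh
# Added example, not the poster's procedure verbatim: CLI equivalent of the
# Disk Utility "Erase (encrypted) / Unlock / Restore" steps for a FileVault 2
# (CoreStorage) disk, OS X 10.9 era.  All device identifiers, UUIDs, names and
# passphrases below are placeholders chosen for illustration, not real values.
# DRY_RUN=1 (default) prints the commands instead of running them.
set -eu

DRY_RUN="${DRY_RUN:-1}"

run() {
    # Print the command line in dry-run mode, otherwise execute it.
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1 ("Erase" tab, "Mac OS Extended (Journaled, Encrypted)"): wipe the
# backup disk as plain JHFS+, then convert that volume into an encrypted
# CoreStorage logical volume protected by a disk passphrase.
# Assumption: eraseDisk puts the data volume on slice s2 (s1 is the EFI slice).
prepare_encrypted_target() {
    disk="$1"; name="$2"; passphrase="$3"
    run diskutil eraseDisk JHFS+ "$name" "$disk"
    printf '%s' "$passphrase" | run diskutil cs convert "${disk}s2" -stdinpassphrase
}

# Step 2 ("Unlock" button): unlock a locked CoreStorage logical volume by its
# LV UUID (from `diskutil cs list`).  The secret may be a FileVault user's
# password, the recovery key, or the disk passphrase set in step 1.
# Once unlocked, the logical volume appears as its own /dev/diskN.
unlock_lv() {
    lv_uuid="$1"; secret="$2"
    printf '%s' "$secret" | run diskutil cs unlockVolume "$lv_uuid" -stdinpassphrase
}

# Step 3 ("Restore" tab): Disk Utility's restore is an asr(8) block copy.
# Source and target are the UNLOCKED logical volume device nodes, so the
# target keeps the CoreStorage encryption wrapper it already has.
restore_lv() {
    src_dev="$1"; dst_dev="$2"
    run asr restore --source "$src_dev" --target "$dst_dev" --erase --noprompt
}

# Step 4 (check): pull one field out of `diskutil cs info <lvUUID>` output
# read from stdin, e.g. "Encryption Type" -> "AES-XTS", to confirm that the
# restored volume is still encrypted before relying on it.
cs_field() {
    key="$1"
    sed -n "s/^[[:space:]]*${key}:[[:space:]]*//p"
}

# The poster's first test end to end, with placeholder identifiers:
# prepare the external disk, unlock the internal FileVault volume, copy.
# (The second test is unlock_lv on both volumes, then restore_lv.)
clone_fv2() {
    prepare_encrypted_target disk2 Backup 'backup-disk-passphrase'
    unlock_lv 11111111-2222-3333-4444-555555555555 'user-password-or-recovery-key'
    restore_lv /dev/disk3 /dev/disk4
}

clone_fv2
```

In a real run, take the LV UUIDs from `diskutil cs list`, read the unlocked device node from `diskutil cs info <lvUUID>` ("Device Identifier"), and only call unlock_lv on volumes that are actually locked (the ones Disk Utility shows greyed out). The cs_field check is what tells you, without rebooting, whether the volume you just restored onto still reports an "Encryption Type" and an "Encryption Status", which is the property the poster had to verify by booting and opening System Preferences.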
