Core Storage Encryption on RAID External Drive

Question

Level 1

4 points

Core Storage Encryption on RAID External Drive

Hello, I have external hard disk "WD My Passport Pro". It's set up in RAID 0 (Mirroring). I have stored there backups etc. I wanted to encrypt entire drive with File Vault, but i couldn't with error something like "You can't convert Apple Raid to core storage". I have found work-around for this, which formats entire drive and then create core storage volume which later is able to be encrypted. I have been able to do that by following commands

diskutil list

diskutil cs createLVG DiskName disk4

diskutil cs list
diskutil cs createLV HDD_UID JHFS+ DiskName 100% -stdinpassphrase
This way worked perfectly, and i have ended up with encrypted raid 0 external hard drive, which works properly, asks for password before mounting properly, works fine between few OSX machines. My questions are
1. Why apple did not allowed this way to include in Finder interface but instead it results with error while it's possible to do that via command line? Is that because it can't be done without formatting and it would sound bad if they can't do that without formatting? and if can't be done without formatting - why? OSX can encrypt entire master drive on the go while user use system, files and applications.
2.If way i have used is fully safe for drive and data stored on drive and if drive still actually works in RAID 0 (mirroring) (WD Drive Utilities claims that both raid disks are online and both are displayed in Disk Utility)
I have also successfully encrypted another RAID external hard drive which also works properly, many people says also that this way works fine. But i would like to double or triple check if that's safe and proper way. I would like to hear replies only from people which are highly confident of their knowledge about this problem.
3.Question less related to problem. If Apple File Vault 2 is actually safe like TrueCrypt ? Or there might be some backdoors for authorities ? (I have not stored any key and password in iCloud or Keychain, if it's stored obviously encryption is less secure)
Sources i have used to found this tricky way
http://blog.bitmelt.com/2012/09/encrypted-raid-disk-on-os-x-mountain.html
http://apple.stackexchange.com/questions/81504/why-doesnt-filevault-work-on-a-raid-volume

MacBook Air, OS X Server

Posted on May 7, 2016 7:09 AM

Reply

Answer 1

ethereum Author

Level 1

4 points

May 12, 2016 12:52 AM in response to ethereum

anyone?

Reply

Answer 2

May 12, 2016 2:50 AM in response to ethereum

If the RAID is a hardware RAID this should effectively be invisible to the Mac operating system and therefore not cause any issues when then encrypting it.

With regards to using Apple Software RAID, I believe that the way Apple now do this is different to how it used to be and that these days it would start off as a CoreStorage volume when it creates the RAID thereby also simplifying matters. I suspect your RAID was created using an older version of Disk Utility.

In terms of safeness of FileVault2 vs. TrueCrypt. TrueCrypt was discontinued and did not support encrypting the Mac boot drive. I would therefore not recommend using TrueCrypt. There are various other similar packages e.g. Sophos Safeguard, CheckPoint Full Disk Encryption, PGP Disk and so on. All of these however suffer from the fact that when Apple releases an update to their operating system they are initially not compatible and upgrading them can often require fully decrypting the drive, uninstall their software, installing a newer compatible version, re-encrypting the drive in other words lots and lots of pain.

FileVault2 uses the same main encryption algorithm as used by most of these other tools which is AES (Advanced Encryption Standard), Apple have had their FileVault2 implementation of this certified by various government bodies and the most well known one is the US one referred to as FIPS 140-2.

Note: Even though there may be no changes in Apple's implementation each time they issue a new version of OS X the way these certifications work requires that Apple's implementation has to be re-certified each time. (This would presumably apply to other products as well e.g. Windows BitLocker.)

So getting back to how safe is FileVault2. It is safe in that it uses the same underlying encryption i.e. AES as used by most other products, it is safe in that it will always be compatible with the Mac operating system, it is safe in that it has been and will be certified, it is safe in that it is used by government departments themselves. I would not be able to say myself if there are any backdoors in it but Apple certainly would not knowingly have created such a backdoor - just look at all the press coverage over Apple being sued by the FBI and Justice Department over encrypted iPhones. I would also not be able to say that government organisations like the NSA or GCHQ might or might not be able to crack the encryption even without a back door again this is going to be as true or not as for other products.

Reply

Answer 3

ethereum Author

Level 1

4 points

May 12, 2016 2:01 PM in response to John Lockwood

Thanks for reply. It seems i have software apple raid, both disks has been configured over Yosemite, but with WD Utilities software as mirror 0 software raid, then i couldn't convert it to corestorage without erasing, i have did that via command line as i have mentioned. Is it correct way? Does anyone can confirm success with software raid and core storage with Disk Utility (i guess it would confirm that command line way is safe)?

Anyway, i was able now to decrypt and then encrypt entire drive with Finder Interface after disk is working on core storage, without jumping into terminal, so the trick is to prepare corestorage before.

+-- Logical Volume Group UID

=========================================================

Name: Storage

Status: Online

Size: 999860895744 B (999.9 GB)

Free Space: 5926912 B (5.9 MB)

|

+-< Physical Volume UID

| ----------------------------------------------------

| Index: 0

| Disk: disk4

| Status: Online

| Size: 999860895744 B (999.9 GB)

|

+-> Logical Volume Family UID

----------------------------------------------------------

Encryption Type: AES-XTS

Encryption Status: Unlocked

Conversion Status: Complete

High Level Queries: Fully Secure

| Passphrase Required

| Accepts New Users

| Has Visible Users

| Has Volume Key

|

+-> Logical Volume UID

---------------------------------------------------

Disk: disk5

Status: Online

Size (Total): 999502643200 B (999.5 GB)

Revertible: No

LV Name: Storage 1

Volume Name: Storage 1

Content Hint: Apple_HFS

Does diskutil response look correctly ? ( i have only removed disk UID)
One more thing, if there is a way to check if actually apple raid still works, and data is mirrored between both drives?

it's concerns me why disk utility does not see disk as Apple Raid, after converting it to Core Storage, check screenshot

Reply

Answer 4

ethereum Author

Level 1

4 points

May 24, 2016 12:03 AM in response to ethereum

anyone?

Reply

Answer 5

Barney-15E

Level 10

112,536 points

May 24, 2016 4:55 AM in response to ethereum

Nobody knows why Apple does anything. They rarely publish their reasoning for anything at all. Since none of us are Apple employees, we wouldn't have any idea why Apple made Disk Utility work the way it does. Any response you get would be speculation about Apple's policies which is completely forbidden on this forum.

Reply

Answer 6

ethereum Author

Level 1

4 points

May 24, 2016 5:47 AM in response to Barney-15E

My second reply is not about why and what they are doing, but if disk is set up correctly, and how to check if both disk in array are working correctly.

Reply

Answer 7

ethereum Author

Level 1

4 points

Jun 2, 2016 12:55 PM in response to ethereum

anyone?

Reply

Answer 8

Jun 23, 2017 3:31 PM in response to ethereum

That's just a plain old regular logical volume lol. No raid there. Also, RAID 0 is "striped", not "mirrored", which I'm guessing is the reason they did not enable FileVault support by default.

Reply