13 posts in this topic


Hi there,

 

I'm using a hackintosh for quite some time and I know that FileVault is near impossible to ever be ported but encryption should be essential these times.

 

What are the best options for encrypting at least the user data (if not the whole system) without losing usability?

 

In my case it goes even deeper: I want to use ZFS on a second HDD, encrypt that drive and move most of my user data there. Not the whole User Folder but only /Downloads, /Documents and stuff like that.

Options I am aware of, but do not know the best way of implementing:

  • TrueCrypt/VeraCrypt
    needs second user for decryption (?)
  • Legacy FileVault
    considered unsafe (?)
  • EncFS
    this would lose file versioning

My setup: 120 GB SSD for System, 2 TB HDD for user data.

 

Thank you very much for your consideration.

 

/ ONE SOLUTION IN POST #9


FileVault 2 is only supported by Ozmosis (I think).

 

I personally am using on my boot drive the legacy FileVault and on other drives FileVault 2.

With some modification you can use the same encryption type on legacy FileVault, therefore it is as secure and fast as FileVault 2.



Is there a guide one could follow? Ozmosis hardware support unfortunately is very limited. But any kind of encryption would be wonderful.


There you go: http://lab.maiux.com/en/os-x/criptare-la-home-directory-di-un-utente-usando-legacy-filevault-in-os-x-lion


Thanks, I read this guide of course, but due to its age (4.5 years) I thought there must have been changes on the way... How do you use FV2 on non-system drives... just by using "Encrypt "Volume"" from the context menu? This is all very confusing and it is interesting that information is so scattered and limited (methinks).

 

Thanks again.


Yes, the article is old, but it works. Be sure to make backups first.

If I remember correctly, you need to create a master password first (see https://support.apple.com/en-us/HT202385 for it) and at the end you could use the dscl command* instead of editing the plist file.

* dscl . -create /Users/fv1user HomeDirectory "<home_dir><url>file://localhost/Users/fv1user/fv1user.sparsebundle</url></home_dir>"

To enable FileVault 2 on non boot disk use diskutil command (see man diskutil about coreStorage encrypt option) or use context menu as you described.


FileVault2 + ZFS on a non system drive (Test)


Update 2019-09-13: With native ZFS Encryption, this is no longer necessary.

TL;DR: ZFS on top of a FileVault2 volume works!

 

I followed this guide at openzfsonosx.org

I encrypted my second HDD with FV2 as simple as:

1. Fastest way to encrypt:

Disk Utility > Erase partition > choose 'OSX Extended (Journaled, Encrypted)'

> jump to Step 2!

 

1a. (ALTERNATIVE) The terminal way to encrypt:

  # convert disk to Logical Volume
  $ diskutil coreStorage convert /dev/partitionID
  # find out name of Logical Volume
  $ diskutil list
  # encrypt Logical Volume
  $ diskutil coreStorage encryptVolume /dev/'NewLogicVolumeID'

2. Then I created a dataset (or zpool?) on the new Logical Volume:

  # unmount Volume
  $ diskutil unmount "/Volumes/PARTITIONNAME"
  # mount zfs volume (dataset) on 'NewLogicalVolumeID'
  $ sudo zpool create -f -o ashift=12 ZFS_DISKNAME /dev/'NewLogicVolumeID'

  # HERE are recommendations for a few more settings. I used the struck-through one for one drive only (which only makes sense when you have a perfect backup):
  $ sudo zpool create -f -o ashift=12 -O casesensitivity=insensitive -O atime=off -O normalization=formD ZFS_DISKNAME /dev/'NewLogicVolumeID'

  # Now I'm using these settings for two mirrored drives (added compression and utf8):
  $ sudo zpool create -f -o ashift=12 -O casesensitivity=insensitive -O atime=off -O normalization=formD -O compression=lz4 -O utf8only=on ZFS_DISKNAME mirror 'diskX' 'diskY'

3. Now I had to take ownership

  # the dataset was created with sudo so the owner was wrong (not sure if this is the real reason)
  $ sudo chown $(whoami):admin /Volumes/ZFS_DISKNAME/ && sudo chown -R $(whoami):admin /Volumes/ZFS_DISKNAME/

That's pretty much all!
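A pre-flight check for steps 1a and 2, as an added example (not code from MacWiesel's post or from the OpenZFS on OS X project): it parses what `diskutil coreStorage list` prints, confirms that the target logical volume is AES-XTS encrypted, unlocked and finished converting, and only then emits the `zpool create` line with the options from the post. The sample listing is constructed; its field names follow the real tool, but the exact spacing, the UUIDs and the disk identifiers are assumptions, as are the names ZFSDATA and ZFS_DISKNAME.

```python
"""Check a CoreStorage logical volume before putting a ZFS pool on it.

Added example; not code from the forum post or from OpenZFS on OS X.
Parses `diskutil coreStorage list` text, refuses an LV that is not
AES-XTS encrypted / still converting / locked, then builds the
`zpool create` line from the post. SAMPLE_CS_LIST is constructed.
"""
import re
import subprocess

# Constructed sample modelled on `diskutil coreStorage list`; not a real capture.
SAMPLE_CS_LIST = """\
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 11111111-2222-3333-4444-555555555555
    =========================================================
    Name:         DataLVG
    Status:       Online
    |
    +-< Physical Volume AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
    |   ----------------------------------------------------
    |   Disk:     disk2s2
    |   Status:   Online
    |
    +-> Logical Volume Family FFFFFFFF-0000-1111-2222-333333333333
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Encryption Status:       Unlocked
        Conversion Status:       Complete
        High Level Queries:      Fully Secure
        |                        Passphrase Required
        |
        +-> Logical Volume 99999999-8888-7777-6666-555555555555
            ---------------------------------------------------
            Disk:                  disk3
            Status:                Online
            LV Name:               ZFSDATA
            Content Hint:          Apple_HFS
"""

TREE_ART = " |+-<>="  # characters diskutil uses for the tree and rule lines


def parse_cs_list(text):
    """Return one dict per Logical Volume: its own 'Key: value' fields plus
    a 'family' dict with the enclosing Logical Volume Family's fields
    (that is where the encryption state lives)."""
    volumes, family, current = [], {}, None
    for raw in text.splitlines():
        line = raw.lstrip(TREE_ART)
        if line.startswith("Logical Volume Group") or line.startswith("Logical Volume Family"):
            family, current = {}, None      # fields until the next LV are not LV-level
        elif line.startswith("Logical Volume "):
            current = {"family": family}
            volumes.append(current)
        else:
            m = re.match(r"([A-Za-z ()]+?):\s+(.*)$", line)
            if m:
                target = current if current is not None else family
                target[m.group(1).strip()] = m.group(2).strip()
    return volumes


def encrypted_lv_disk(volumes, lv_name):
    """Return the /dev path of the LV called lv_name, or raise if it is not
    ready. Pooling an LV that is still converting is exactly the situation
    the post describes as giving devastating speed numbers."""
    expected = {"Encryption Type": "AES-XTS", "Conversion Status": "Complete",
                "Encryption Status": "Unlocked"}
    for vol in volumes:
        if vol.get("LV Name") != lv_name:
            continue
        fam = vol["family"]
        problems = ["%s is %s" % (k, fam.get(k)) for k, v in expected.items() if fam.get(k) != v]
        if vol.get("Status") != "Online":
            problems.append("Status is %s" % vol.get("Status"))
        if problems:
            raise RuntimeError("%s not ready: %s" % (lv_name, "; ".join(problems)))
        return "/dev/" + vol["Disk"]
    raise LookupError("no CoreStorage logical volume named %r" % lv_name)


# Pool options exactly as in the post's mirrored-drive command.
POOL_OPTIONS = ["-o", "ashift=12", "-O", "casesensitivity=insensitive", "-O", "atime=off",
                "-O", "normalization=formD", "-O", "compression=lz4", "-O", "utf8only=on"]
RESERVED_NAME_PREFIXES = ("mirror", "raidz", "spare", "log")  # zpool rejects these


def zpool_create_command(pool_name, devices, mirror=False):
    """Build the `zpool create` line. -f is kept as in the post because the
    LV still carries the HFS+ volume Disk Utility put on it."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_.:-]*", pool_name) or pool_name.startswith(RESERVED_NAME_PREFIXES):
        raise ValueError("invalid zpool name %r" % pool_name)
    if mirror and len(devices) < 2:
        raise ValueError("a mirror needs at least two devices")
    vdevs = (["mirror"] if mirror else []) + list(devices)
    return " ".join(["sudo", "zpool", "create", "-f"] + POOL_OPTIONS + [pool_name] + vdevs)


def main(live=False):
    """Print the command for the sample, or for the real machine if live=True."""
    text = subprocess.check_output(["diskutil", "coreStorage", "list"], text=True) if live else SAMPLE_CS_LIST
    dev = encrypted_lv_disk(parse_cs_list(text), "ZFSDATA")
    print(zpool_create_command("ZFS_DISKNAME", [dev]))


if __name__ == "__main__":
    main()
```

Run it as-is to see the command built from the sample; on the actual machine call `main(live=True)` so the listing comes from `diskutil` itself, and only paste the printed line into the terminal once the check passes.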
 

4. Considerations and Observations

 

After the next reboot, OSX will ask you for a password for the encrypted drive and you can save the pw in your Keychain. The ZFS Volume will mount automatically.

I had a few hiccups along the way:

  • I encrypted an existing partition and didn't know that could take a long time. I didn't wait and did some speed tests which were devastating.
    Tip: Erase an existing partition and choose 'OS X Extended (Journaled, Encrypted)'. No wait time!
  • I rebooted into a bootloop the first time and have no idea why. I could boot if I deactivated the second drive in BIOS but not if I disconnected it... Had to boot into Recovery from the USB Install Drive and Erase the partition again.
  • !!! Beware: File Versioning and Time Machine Backups are not possible (yet) !!!

After that it worked (no changes).

Speedtests say: about 77 MB/s write, 117 MB/s read

WRITE SPEED

$ mkfile 32k /Volumes/THEDISK/testfilesmall
$ time dd if=/dev/zero bs=1024k of=/Volumes/THEDISK/testfilesmall count=1024
  1024+0 records in
  1024+0 records out
  1073741824 bytes transferred in 13.874609 secs (77388979 bytes/sec)

  real    0m13.884s
  user    0m0.002s
  sys    0m0.609s

READ SPEED

$ time dd if=/Volumes/THEDISK/testfilesmall bs=1024k of=/dev/null count=1024
  1024+0 records in
  1024+0 records out
  1073741824 bytes transferred in 9.139895 secs (117478574 bytes/sec)

  real    0m9.147s
  user    0m0.002s
  sys    0m0.458s

Thought I'd share my findings.

Edited by MacWiesel

@Mac Wiesel  

 

Many thanks for posting, I have just started experimenting with ZFS and am starting to realize its potential.

 

Did not know it could be done on external drive with filevault2.

 

Great detailed examples. 

 

In ZFS, is a mirrored disk an exact copy of the original? In other words, if the 2nd disk fails could I clonezilla the 1st disk and then restore to a new 2nd drive and have mirroring working again? There appears to be a problem recovering from an encrypted mirror (2 disks, main disk and mirror, both encrypted, when one fails).

 

Anyway, thanks again !

Aha, I thought so. But not in [Caution: off topic for a moment] PC-BSD using Geli to encrypt the whole disk - it wants you to enter the encryption passwords for both disks, one at a time, at boot up - so when the 2nd disk fails, you are not able to enter the 2nd password and the entire boot up stops and drops to grub "rescue" mode. Some Ubuntu user posted some elaborate initramfs script for a similar problem that happened on Ubuntu under similar circumstances. Will see soon enough on Mac, later next week when having time.

 

On Mac I forgot to mention that it seems, after entering the FileVault 2 password, the disk icon does not appear on the desktop until you type: sudo zpool import mypoolname,

and you have to enter sudo zpool export mypoolname when you are going to disconnect the zfs disk.

 

Still taking baby steps till getting more comfortable but the range of options and things you can do seems REALLY powerful.

 

Thanks

UnH
