MacWiesel

How can I encrypt data on a hackintosh?

13 posts in this topic


Hi there,

I'm using a hackintosh for quite some time and I know that FileVault is near impossible to ever be ported, but encryption should be essential these times.

What are the best options for encrypting at least the user data (if not the whole system) without losing usability?

In my case it goes even deeper: I want to use ZFS on a second HDD, encrypt that drive and move most of my user data there. Not the whole User Folder but only /Downloads, /Documents and stuff like that.

Options I am aware of but do not know the best way of implementing:

  • TrueCrypt/VeraCrypt
    needs second user for decryption (?)
  • Legacy FileVault
    considered unsafe (?)
  • EncFS
    this would lose file versioning

My setup: 120 GB SSD for System, 2 TB HDD for user data.

Thank you very much for your consideration.

/ ONE SOLUTION IN POST #9



FileVault 2 is only supported by Ozmosis (I think).

I personally am using legacy FileVault on my boot drive and FileVault 2 on other drives.

With some modification you can use the same encryption type on legacy FileVault, therefore it is as secure and fast as FileVault 2.



Is there a guide one could follow? Ozmosis hardware support unfortunately is very limited. But any kind of encryption would be wonderful.


Thanks, I read this guide of course, but due to its age (4,5 years) I thought there must have been changes along the way... How do you use FV2 on non-system drives... just by using "Encrypt 'Volume'" from the context menu? This is all very confusing and it is interesting that information is so scattered and limited (me thinks).

Thanks again.



Yes, the article is old, but it works. Be sure to make backups first.

If I remember correctly, you need to create a master password first (see https://support.apple.com/en-us/HT202385 for it) and at the end you could use the dscl command* instead of editing the plist file.

*
dscl . -create /Users/fv1user HomeDirectory "<home_dir><url>file://localhost/Users/fv1user/fv1user.sparsebundle</url></home_dir>"

To enable FileVault 2 on a non-boot disk use the diskutil command (see man diskutil about the coreStorage encrypt option) or use the context menu as you described.


FileVault2 + ZFS on a non-system drive (Test)

Update 2019-09-13: With native ZFS encryption, this is no longer necessary.

TL;DR: ZFS on top of a FileVault2 volume works!

I followed this guide at openzfsonosx.org

I encrypted my second HDD with FV2 as simply as:

1. Fastest way to encrypt:

Disk Utility > Erase partition > choose 'OS X Extended (Journaled, Encrypted)'

> jump to Step 2!

1a. (ALTERNATIVE) The terminal way to encrypt:

  # convert disk to Logical Volume
$ diskutil coreStorage convert /dev/partitionID
  # find out name of Logical Volume
$ diskutil list
  # encrypt Logical Volume
$ diskutil coreStorage encryptVolume /dev/'NewLogicVolumeID'

2. Then I created a dataset (or zpool?) on the new Logical Volume:

  # unmount Volume
$ diskutil unmount "/Volumes/PARTITIONNAME"
  # mount zfs volume (dataset) on 'NewLogicalVolumeID'
$ sudo zpool create -f -o ashift=12 ZFS_DISKNAME /dev/'NewLogicVolumeID'

# HERE are recommendations for a few more settings. I used the struck-through one for one drive only (which only makes sense when you have a perfect backup):
$ sudo zpool create -f -o ashift=12 -O casesensitivity=insensitive -O atime=off -O normalization=formD ZFS_DISKNAME /dev/'NewLogicVolumeID'

# Now I'm using these settings for two mirrored drives (added compression and utf8):
$ sudo zpool create -f -o ashift=12 -O casesensitivity=insensitive -O atime=off -O normalization=formD -O compression=lz4 -O utf8only=on ZFS_DISKNAME mirror 'diskX' 'diskY'

3. Now I had to take ownership

# the dataset was created with sudo so the owner was wrong (not sure if this is the real reason)
$ sudo chown $(whoami):admin /Volumes/ZFS_DISKNAME/ && sudo chown -R $(whoami):admin /Volumes/ZFS_DISKNAME/

That's pretty much all!

4. Considerations and Observations

After the next reboot, OSX will ask you for a password for the encrypted drive and you can save the pw in your Keychain. The ZFS Volume will mount automatically.

I had a few hiccups along the way:

  • I encrypted an existing partition and didn't know that could take a long time. I didn't wait and did some speed tests, which were devastating.
    Tip: Erase an existing partition and choose 'OS X Extended (Journaled, Encrypted)'. No wait time!
  • I rebooted into a boot loop the first time and have no idea why. I could boot if I deactivated the second drive in BIOS but not if I disconnected it... Had to boot into Recovery from the USB Install Drive and erase the partition again.
  • !!! Beware: File Versioning and Time Machine Backups are not possible (yet) !!!

After that it worked (no changes).

Speed tests say: about 77 MB/s write, 117 MB/s read

WRITE SPEED

$ mkfile 32k /Volumes/THEDISK/testfilesmall
$ time dd if=/dev/zero bs=1024k of=/Volumes/THEDISK/testfilesmall count=1024
  1024+0 records in
  1024+0 records out
  1073741824 bytes transferred in 13.874609 secs (77388979 bytes/sec)

  real    0m13.884s
  user    0m0.002s
  sys    0m0.609s

READ SPEED

$ time dd if=/Volumes/THEDISK/testfilesmall bs=1024k of=/dev/null count=1024
  1024+0 records in
  1024+0 records out
  1073741824 bytes transferred in 9.139895 secs (117478574 bytes/sec)

  real    0m9.147s
  user    0m0.002s
  sys    0m0.458s

Thought I'd share my findings.

Edited by MacWiesel
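As an added example for step 1a of the post above (not the poster's code), a small POSIX sh helper that parses the tree `diskutil coreStorage list` prints, finds the Logical Volume sitting on a given physical partition, and only hands it over for zpool create once the family reports AES-XTS with a finished conversion (an unfinished conversion is the slow-write state the poster ran into). The sample listing, its UUIDs and the function name are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: find the encrypted CoreStorage Logical
# Volume on a given partition before building a zpool on it. Prints
# "<LV UUID> <LV disk>" and exits 0 only when the Logical Volume Family shows
# AES-XTS and a completed conversion; otherwise prints nothing and exits 1.
cs_encrypted_lv_for_pv() {   # $1 = listing text, $2 = physical partition, e.g. disk1s2
  printf '%s\n' "$1" | awk -v pv="$2" '
    /Logical Volume Group/             { hit = 0; aes = 0; conv = 0; want = 0 }
    $0 ~ ("Disk:[ \t]+" pv "$")        { hit = 1 }       # our partition is a PV of this group
    /Encryption Type:[ \t]+AES-XTS/    { aes = 1 }
    /Conversion Status:[ \t]+Complete/ { conv = 1 }      # still converting = the slow state
    NF >= 4 && $(NF-2) == "Logical" && $(NF-1) == "Volume" && hit && aes && conv {
        uuid = $NF; want = 1; next }                     # "+-> Logical Volume <UUID>"
    want && /Disk:/                    { print uuid, $NF; ok = 1; exit }
    END                                { exit !ok }'
}

# Constructed sample in the shape diskutil prints (UUIDs are placeholders);
# on a real machine feed the function "$(diskutil coreStorage list)" instead.
SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
+-- Logical Volume Group 11111111-2222-3333-4444-555555555555
    Name:         DATA
    |
    +-< Physical Volume AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
    |   Disk:     disk1s2
    |   Status:   Online
    |
    +-> Logical Volume Family 66666666-7777-8888-9999-000000000000
        Encryption Type:         AES-XTS
        Encryption Status:       Unlocked
        Conversion Status:       Complete
        |
        +-> Logical Volume FFFFFFFF-1111-2222-3333-444444444444
            Disk:                  disk2
            Status:                Online
            LV Name:               DATA'
# Same listing with encryption switched off, to exercise the refusal path.
UNENCRYPTED_CS_LIST=$(printf '%s\n' "$SAMPLE_CS_LIST" | sed 's/AES-XTS/None/')

if LV=$(cs_encrypted_lv_for_pv "$SAMPLE_CS_LIST" disk1s2); then
  echo "encrypted Logical Volume ready for zpool create: $LV"
fi
cs_encrypted_lv_for_pv "$UNENCRYPTED_CS_LIST" disk1s2 ||
  echo "listing without AES-XTS rejected, do not create the pool on it"
```

The second word of the output is the /dev node to pass to zpool create in step 2; the first is the UUID that diskutil coreStorage commands accept.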


@Mac Wiesel

Many thanks for posting, have just started experimenting with ZFS and am starting to realize its potential.

Did not know it could be done on an external drive with FileVault2.

Great detailed examples.

In ZFS is a mirrored disk an exact copy of the original? In other words, if the 2nd disk fails could I clonezilla the 1st disk and then restore to a new 2nd drive and mirroring is working again? Appears to be a problem recovering from an encrypted mirror (2 disks, main disk and mirror, both encrypted, when one fails).

Anyway, thanks again!


@UbuntuNoHiRes

Not a ZFS pro, but it should manage all that automatically. You can simply import the new 2nd drive in ZFS and it will 'resilver' = copy missing data to new disk.


Aha, I thought so. But not in [Caution: off topic for a moment] PC-BSD using Geli to encrypt the whole disk - it wants you to enter the encryption passwords for both disks, one at a time, at boot up - so when the 2nd disk fails, you are not able to enter the 2nd password and the entire boot up stops and drops to grub "rescue" mode. Some Ubuntu user posted some elaborate initramfs script for a similar problem that happened on Ubuntu under similar circumstances. Will see soon enough on Mac, later next week when having time.

On Mac I forgot to mention that it seems, after entering the FileVault2 password, the disk icon does not appear on the desktop until you type: sudo zpool import mypoolname,

and you have to enter sudo zpool export mypoolname when you are going to disconnect the zfs disk.

Still taking baby steps till getting more comfortable but the range of options and things you can do seems REALLY powerful.

Thanks

UnH

