MacWiesel Posted March 8, 2016

Hi there,

I've been using a hackintosh for quite some time and I know that FileVault is near impossible to ever be ported, but encryption should be essential these days. What are the best options for encrypting at least the user data (if not the whole system) without losing usability?

In my case it goes even deeper: I want to use ZFS on a second HDD, encrypt that drive and move most of my user data there. Not the whole User folder but only /Downloads, /Documents and stuff like that.

Options I am aware of but do not know the best way of implementing:

- TrueCrypt/VeraCrypt: needs second user for decryption (?)
- Legacy FileVault: considered unsafe (?)
- EncFS: this would lose file versioning

My setup: 120 GB SSD for System, 2 TB HDD for user data.

Thank you very much for your consideration.

/ ONE SOLUTION IN POST #9

bs0d Posted March 8, 2016

Filevault 2 is supported in certain circumstances.

MacWiesel (Author) Posted March 8, 2016

> Filevault 2 is supported in certain circumstances.

It is? I can't find a single thing about that. Care for a source? Thanks.

smolderas Posted March 8, 2016

> Hi there, I've been using a hackintosh for quite some time and I know that FileVault is near impossible to ever be ported, but encryption should be essential these days. What are the best options for encrypting at least the user data (if not the whole system) without losing usability?
> In my case it goes even deeper: I want to use ZFS on a second HDD, encrypt that drive and move most of my user data there. Not the whole User folder but only /Downloads, /Documents and stuff like that.
> Options I am aware of but do not know the best way of implementing:
> - TrueCrypt/VeraCrypt: needs second user for decryption (?)
> - Legacy FileVault: considered unsafe (?)
> - EncFS: this would lose file versioning
> My setup: 120 GB SSD for System, 2 TB HDD for user data.
> Thank you very much for your consideration.

FileVault 2 is only supported by Ozmosis (I think). I personally am using the legacy FileVault on my boot drive and FileVault 2 on other drives. With some modification you can use the same encryption type on legacy FileVault, therefore it is as secure and fast as FileVault 2.

MacWiesel (Author) Posted March 8, 2016

> FileVault 2 is only supported by Ozmosis (I think). I personally am using the legacy FileVault on my boot drive and FileVault 2 on other drives. With some modification you can use the same encryption type on legacy FileVault, therefore it is as secure and fast as FileVault 2.

Is there a guide one could follow? Ozmosis hardware support unfortunately is very limited. But any kind of encryption would be wonderful.

smolderas Posted March 8, 2016

> Is there a guide one could follow? Ozmosis hardware support unfortunately is very limited. But any kind of encryption would be wonderful.

There you go: http://lab.maiux.com/en/os-x/criptare-la-home-directory-di-un-utente-usando-legacy-filevault-in-os-x-lion

MacWiesel (Author) Posted March 8, 2016

> There you go: http://lab.maiux.com/en/os-x/criptare-la-home-directory-di-un-utente-usando-legacy-filevault-in-os-x-lion

Thanks, I read this guide of course, but due to its age (4,5 years) I thought there must have been changes along the way...

How do you use FV2 on non-system drives... just by using "Encrypt "Volume"" from the context menu?

This is all very confusing and it is interesting that information is so scattered and limited (methinks). Thanks again.

smolderas Posted March 8, 2016

> Thanks, I read this guide of course, but due to its age (4,5 years) I thought there must have been changes along the way... How do you use FV2 on non-system drives... just by using "Encrypt "Volume"" from the context menu? This is all very confusing and it is interesting that information is so scattered and limited (methinks). Thanks again.

Yes, the article is old, but it works. Be sure to make backups first. If I remember correctly, you need to create a master password first (see https://support.apple.com/en-us/HT202385 for it) and at the end you could use the dscl command* instead of editing the plist file.

* The dscl command (with plain ASCII double quotes around the value):

    dscl . -create /Users/fv1user HomeDirectory "<home_dir><url>file://localhost/Users/fv1user/fv1user.sparsebundle</url></home_dir>"

To enable FileVault 2 on a non-boot disk, use the diskutil command (see man diskutil about the coreStorage encrypt option) or use the context menu as you described.

MacWiesel (Author) Posted March 9, 2016

FileVault2 + ZFS on a non-system drive (Test)

Update 2019-09-13: With native ZFS Encryption, this is no longer necessary.

TL;DR: ZFS on top of a FileVault2 volume works!

I followed this guide at openzfsonosx.org. I encrypted my second HDD with FV2 as simply as:

1. Fastest way to encrypt: Disk Utility > Erase partition > choose 'OSX Extended (Journaled, Encrypted)' > jump to Step 2!

1a. (ALTERNATIVE) The terminal way to encrypt:

    # convert disk to Logical Volume
    $ diskutil coreStorage convert /dev/partitionID
    # find out name of Logical Volume
    $ diskutil list
    # encrypt Logical Volume
    $ diskutil coreStorage encryptVolume /dev/'NewLogicVolumeID'

2. Then I created a dataset (or zpool?) on the new Logical Volume:

    # unmount Volume
    $ diskutil unmount "/Volumes/PARTITIONNAME"
    # mount zfs volume (dataset) on 'NewLogicVolumeID'
    $ sudo zpool create -f -o ashift=12 ZFS_DISKNAME /dev/'NewLogicVolumeID'
    # HERE are recommendations for a few more settings. I used the struck-through one for one drive only (which only makes sense when you have a perfect backup):
    $ sudo zpool create -f -o ashift=12 -O casesensitivity=insensitive -O atime=off -O normalization=formD ZFS_DISKNAME /dev/'NewLogicVolumeID'
    # Now I'm using these settings for two mirrored drives (added compression and utf8):
    $ sudo zpool create -f -o ashift=12 -O casesensitivity=insensitive -O atime=off -O normalization=formD -O compression=lz4 -O utf8only=on ZFS_DISKNAME mirror 'diskX' 'diskY'

3. Now I had to take ownership:

    # the dataset was created with sudo so the owner was wrong (not sure if this is the real reason)
    $ sudo chown $(whoami):admin /Volumes/ZFS_DISKNAME/ && sudo chown -R $(whoami):admin /Volumes/ZFS_DISKNAME/

That's pretty much all!

4. Considerations and Observations

After the next reboot, OSX will ask you for a password for the encrypted drive and you can save the pw in your Keychain. The ZFS Volume will mount automatically.

I had a few hiccups along the way:

- I encrypted an existing partition and didn't know that could take a long time. I didn't wait and did some speed tests, which were devastating. Tip: Erase an existing partition and choose 'OSX Extended (Journaled, Encrypted)'. No wait time!
- I rebooted into a bootloop the first time and have no idea why. I could boot if I deactivated the second drive in BIOS but not if I disconnected it... Had to boot into Recovery from the USB Install Drive and erase the partition again.
- !!! Beware: File Versioning and Time Machine Backups are not possible (yet) !!!
- After that it worked (no changes).

Speed tests say: about 77 MB/s write, 117 MB/s read

WRITE SPEED

    $ mkfile 32k /Volumes/THEDISK/testfilesmall
    $ time dd if=/dev/zero bs=1024k of=/Volumes/THEDISK/testfilesmall count=1024
    1024+0 records in
    1024+0 records out
    1073741824 bytes transferred in 13.874609 secs (77388979 bytes/sec)
    real 0m13.884s
    user 0m0.002s
    sys 0m0.609s

READ SPEED

    $ time dd if=/Volumes/THEDISK/testfilesmall bs=1024k of=/dev/null count=1024
    1024+0 records in
    1024+0 records out
    1073741824 bytes transferred in 9.139895 secs (117478574 bytes/sec)
    real 0m9.147s
    user 0m0.002s
    sys 0m0.458s

Thought I'd share my findings.

Edited September 13, 2019 by MacWiesel

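Added example (not part of MacWiesel's post or of any project's code): a check for the hiccup described above, where an existing partition was benchmarked and used while FileVault 2 was still encrypting it in the background, which also means parts of the disk were still plaintext. It assumes `diskutil coreStorage list` prints "Conversion Status", "Fully Secure" and "Conversion Progress" fields as in the constructed samples; the function and sample names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: `diskutil coreStorage list`
# prints the "Conversion Status", "Fully Secure" and "Conversion Progress"
# fields shown in the constructed samples below.

# Constructed sample: background encryption of an existing partition still running.
sample_converting() {
cat <<'EOF'
+-> Logical Volume Family 11111111-2222-3333-4444-555555555555
    Encryption Type:         AES-XTS
    Conversion Status:       Converting
    Conversion Direction:    forward
    Fully Secure:            No
    +-> Logical Volume AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
        Disk:                  disk3
        Conversion Progress:   15%
EOF
}

# Constructed sample: partition erased as "Journaled, Encrypted", nothing to convert.
sample_complete() {
cat <<'EOF'
+-> Logical Volume Family 11111111-2222-3333-4444-555555555555
    Encryption Type:         AES-XTS
    Conversion Status:       Complete
    Fully Secure:            Yes
    +-> Logical Volume AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
        Disk:                  disk3
EOF
}

# Reads diskutil output on stdin and prints a one-line verdict.
# Exit status: 0 = fully encrypted, 1 = still converting, 2 = no volume seen.
fv2_conversion_done() {
    awk -F': *' '
        /Conversion Status:/   { seen++; if ($2 != "Complete") pending = 1 }
        /Fully Secure:/        { if ($2 != "Yes") pending = 1 }
        /Conversion Progress:/ { progress = $2 }
        END {
            if (!seen)   { print "no CoreStorage volume found"; exit 2 }
            if (pending) { print "still converting (" progress ")"; exit 1 }
            print "conversion complete"
        }'
}

# Real use: diskutil coreStorage list | fv2_conversion_done
sample_converting | fv2_conversion_done || echo "wait before benchmarking or creating the zpool"
```
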
smolderas Posted March 9, 2016

Nice of you to share your findings. I'm using snapRAID also with all my drives. It is a nice option to have.

UbuntuNoHiRes Posted August 26, 2016

@MacWiesel

Many thanks for posting, have just started experimenting with ZFS and am starting to realize its potential. Did not know it could be done on an external drive with FileVault2. Great detailed examples.

In ZFS, is a mirrored disk an exact copy of the original? In other words, if the 2d disk fails, could I clonezilla the 1st disk and then restore to a new 2d drive and have mirroring working again? There appears to be a problem recovering from an encrypted mirror (2 disks, main disk and mirror, both encrypted, when one fails).

Anyway, thanks again!

MacWiesel (Author) Posted August 26, 2016

@UbuntuNoHiRes

Not a ZFS pro, but it should manage all that automatically. You can simply import the new 2nd drive in ZFS and it will 'resilver' = copy missing data to the new disk.

UbuntuNoHiRes Posted August 26, 2016

Aha, I thought so. But not in [Caution: off topic for a moment] PC-BSD using Geli to encrypt the whole disk - it wants you to enter the encryption pass wordings for both disks, one at a time, at boot up - so when the 2d disk fails, you are not able to enter the 2d password and the entire boot up stops and drops to grub "rescue" mode. Some Ubuntu user posted some elaborate initramfs script for a similar problem that happened on Ubuntu under similar circumstances. Will see soon enough on Mac, later next week when I have time.

On Mac I forgot to mention that it seems, after entering the FileVault2 password, the disk icon does not appear on the desktop until you type: sudo zpool import mypoolname, and you have to enter sudo zpool export mypoolname when you are going to disconnect the zfs disk. Still taking baby steps till getting more comfortable, but the range of options and things you can do seems REALLY powerful.

Thanks
UnH