Mac OS X Lion: How to enable Filevault 2 on boot drive without Recovery HD or on external drive

by Klaus on June 12, 2012

in Mac OS X

In Mac OS X Lion, Apple completely re-designed how Filevault 2 works. Not it encrypts your entire drive, and not just the home folder. Supposedly, Filevault 2 is also a lot more stable. I never bothered trying the last version of Filevault because of all the horror stories, but everybody seems to have good things to say about this new version.

Before you proceed, make sure you have a working backup of your boot drive. I’d recommend using SuperDuper to simply clone your entire drive to an external drive, so in case something goes bad, you’ll be able to restore again. Either way, I take no responsibility if you loose any data or UFO’s abduct you :)

The normal way you’d enable Filevault 2 on your Mac OS X Lion install is by going to System Preferences and enable it from there. That will only work on your boot drive though, and only if you have the “Recovery”-partition present on your boot drive as well, which Lion creates when you first install it.

However, since I recently upgraded my MacBook Pro with a SSD drive and then cloned my Lion installation from the old 7200rpm HDD to the new and much faster SSD, the “Recovery” partition wasn’t included – and I wasn’t aware of it, until I decided to try and enable Filevault 2 for added security.

Note, however, that there is two downsides to having Filevault enabled: If your Mac ever gets stolen, the thief cannot login using a “Guest” account so you can track your Mac using software such as Undercover from Orbicule, which also provides you with screenshots and webcam photos of the thief etc. Second, full-disk encryption does mean a drop in performance as your CPU will need to encrypt and decrypt on the fly. Newer Mac’s are likely to have AES built-in to the CPU which will speed things up. However, tests I’ve seen show that the performance hit is little that you’ll be unlucky to ever feel it in real life. On the plus side, Filevault protects all your data so that at least nobody will be able to read your e-mail, view your family photos etc. So it depends on what matters most to you – increased chances of ever getting your stolen Mac back with Undercover or similar, or knowing that all your data will remain safe?

Let’s get back to how to do this. According to an article on Cnet, Apple uses the Recovery partition to store information about your encrypted boot drive, so without the recovery partition, you can’t enable Filevault 2 (like Apple also mentions in some KB articles). However, you can actually, and here’s how – you’re not going to believe how easy it is. Before we proceed, I should mention that it’s possible that another partition is being created in the background by doing this, as I now see an “Apple_Boot” partition named “Boot OS X” on my boot drive, one that is hidden normally but revealed by the “diskutil list” command. Maybe that’s what Lion will do when the “Recovery” partition is not present, in that case, I don’t understand why Apple would prevent you from using the user interface to enable Filevault 2? Anyway, let’s get on with it…

First you need to figure out the identifier of your boot disk. Open up Terminal (use Spotlight to find it), then in Terminal you write:

diskutil list

Look for the name of your boot disk and the size of the partition and find the identifier for that listing. It’s probably disk0s3 or disk1s3.

Next you write, also in Terminal:

diskutil cs convert [identifier] -passphrase [password]

In the text above, remember to replace “[identifier]” with whatever identifier you have, for example “disk0s3″ and without the brackets. The same goes for “[password]“. This is the password you’ll need to enter whenever you start your computer, to unlock the drive. And that’s what, according to the Cnet article, is being stored somewhere on the “Recovery” partition, but apparently it still works fine for me, even though I don’t have that partition.

Now you need to restart your computer fully, so that it can get to work converting your drive – this happens live and while it’s running and working.

After restart, you can enter Terminal again and type the following:

diskutil cs list

This will list your encrypted volumes (CoreStorage) and you can see how far along it is with the encryption process. Here’s an example from mine, while it was still converting:

Size (Total):       239394664448 B (239.4 GB)
Size (Converted):   61402513408 B (61.4 GB)

Currently it has converted 61.4GB out of 239.4GB. It converts the entire drive, not only the data (mine’s a 240GB SSD drive).

That’s basically it. You can do the same for external drives too. I haven’t tried it with USB or Firewire attached drives, but I’ve done it to the second hard drive in my MacBook Pro which is connected instead of the optical drive, and it’s the same procedure – figure out the identifier and decide on a password that you can remember.

If you regret or decide you no longer want it encrypted, you just use “revert” instead of “convert” and that’s it, then it will decrypt the whole thing. Remember to restart.

Update: I’ve been using Filevault 2 for several months now without problems – I highly recommend enabling Filevault if you want to keep your data safe!

Related articles you might find interesting:

Comments & Leave a Comment

comments

{ 0 comments… add one now }

 

Leave a Comment

CommentLuv badge

Previous post:

Next post: