I was searching the forums to confirm that there is no way of enabling FileVault 2 on a boot OS X volume; right?
I know one of the alternatives mentioned was TrueCrypt, but I found out that there is a way to at least use the older version of FileVault. Meaning, it doesn't encrypt the entire hard drive, but it will encrypt your entire home folder, which for most people will contain their most important personal data.
The following information was taken from a weblog and will work for Lion and Mountain Lion; I have not tried it under Mavericks.
I must warn you though: I highly recommend this guide only for people who have a firm grasp on OS X and the Terminal... Otherwise...
Some of the syntax below may be incorrect, so you will want to go to the exact post on the blog to make sure you see all the code properly:
http://lab.maiux.com/en/os-x/cripta...n-utente-usando-legacy-filevault-in-os-x-lion
Create a master password
- Open System Preferences and select the Users & Groups preference pane.
- If locked, click the lock icon to authenticate.
- Click the Services button and then select "Set Master Password…" from the pop-up menu.
- Create a master password using the sheet that appears. You can use the Password Assistant to help you create a strong password. Once set, the following files are created:
/Library/Keychains/FileVaultMaster.cer
/Library/Keychains/FileVaultMaster.keychain
- Copy the /Library/Keychains/FileVaultMaster.keychain file to a safe location for storage, such as an external drive or an encrypted disk image on another physical disk. This file contains the private key required to unlock the encrypted disk. You can safely delete the /Library/Keychains/FileVaultMaster.cer file (but note that the procedure below passes that .cer file to hdiutil, so keep it until the encrypted image has been created).
It seems that, once disabled, you cannot enable Legacy FileVault again in OS X Lion: you must use FileVault 2. rEFIt users may dislike this, and if you rely only on System Preferences you actually can't re-enable it. After some searching and experiments I found a way to encrypt a new user's home using FileVault 1 (aka Legacy FileVault). This procedure also works with existing accounts. The only requirement: the FileVault Master Password must already be set, otherwise the required certificate may not be available.
Final update: the 10.7.4 update fixes the problem, but you have to clean the secure.log files, which may show the password in clear text.
Update:
The 10.7.3 release came with a bug that shows the password of the Legacy FileVault account in clear text because of a DEBUG flag. While waiting for 10.7.4, which may fix it, this is a possible workaround. (source: ZDNet)
Some notes before starting:
- you will mostly use the command line in Terminal and the sudo command, available only to Mac users with administrative privileges
- if it is not completely clear what you are doing, you can lose data or make the whole system unusable. So make a full backup with Time Machine before starting and get a bootable CD, DVD or USB key (i.e. OS X installation media) to restore your system if needed
- I don't know of any official Apple documentation guaranteeing good results with these procedures; I can say that it worked on my MacBook Air with OS X Lion (an upgrade from Snow Leopard with FileVault 1 enabled)
- this is an experiment, and whoever tries it does so at their own risk
In summary: if something happens to you, to your Mac or to your loved ones using the information provided in this post, don't come crying to me, because I will tell you: "I told you to leave it alone!"
Discouraged? Or just curious? OK, let's start.
Open System Preferences > Users and Groups. Make sure the logged-in user is an administrator.
Before operating on an existing user, try first with a new user, creating it with the + button. If the button is disabled, unlock the padlock. A Standard user is enough, e.g.:
user: fv1user
password: fv1pwd
Now open Terminal. Below, every command you must type follows the sh-3.2# prompt; the surrounding text is the commands' output.
Enter superuser mode using the current user's password (the one with administrative privileges):
mbair:~ fabio$ sudo su
Password:
sh-3.2#
The prompt will change: instead of $ it will be #. Now some preliminary operations:
sh-3.2# umask 077
sh-3.2# export SBUSERNAME="fv1user"
sh-3.2# export SBUID=$(id -u $SBUSERNAME)
sh-3.2# export SBGID=$(id -g $SBUSERNAME)
sh-3.2# echo Username $SBUSERNAME - UserID $SBUID GroupID $SBGID
Username fv1user - UserID 504 GroupID 20
The $SBUSERNAME, $SBUID and $SBGID variables must contain the user name, the User ID and the Group ID. Your User ID may differ from the one above. Just make sure you wrote the right user name in the second command above and that the two IDs (looked up by OS X) are numeric.
You will launch all the next commands from the new user’s home dir, so type:
sh-3.2# cd /Users/"$SBUSERNAME"
sh-3.2# pwd
/Users/fv1user
Now you must create a sparsebundle disk image. You will be asked for a password; use the new user's (fv1pwd):
sh-3.2# hdiutil create -size 300g \
-encryption -agentpass \
-certificate /Library/Keychains/FileVaultMaster.cer \
-uid $SBUID -gid $SBGID \
-mode 0700 -fs "HFS+J" -type SPARSEBUNDLE -layout SPUD \
-volname "$SBUSERNAME" "$SBUSERNAME".sparsebundle
Enter a new password to secure "fv1user.sparsebundle":
Re-enter new password:
created: /Users/fv1user/fv1user.sparsebundle
Now set the permissions required by FileVault:
sh-3.2# chown -R "$SBUSERNAME":staff "$SBUSERNAME".sparsebundle
Now mount the sparsebundle image using a local dir as mount point (sbdest) and again the same password (fv1pwd):
sh-3.2# mkdir sbdest
sh-3.2# hdiutil attach -owners on -mountpoint sbdest \
-stdinpass "$SBUSERNAME".sparsebundle
Enter disk image passphrase:
/dev/disk1 Apple_partition_scheme
/dev/disk1s1 Apple_partition_map
/dev/disk1s2 Apple_HFS /Users/fv1user/sbdest
Copy the contents of fv1user's home dir, avoiding a recursive copy via --exclude:
sh-3.2# rsync -avxHE ./ sbdest/ \
--exclude="$SBUSERNAME".sparsebundle/ --exclude="sbdest/"
building file list ... done
./
.CFUserTextEncoding
._.
Desktop/
._Desktop
Documents/
._Documents
Downloads/
._Downloads
Library/
._Library
Movies/
._Movies
Music/
._Music
Pictures/
._Pictures
Public/
._Public
(...)
sent 14196177 bytes received 4142 bytes 28400638.00 bytes/sec
total size is 14170359 speedup is 1.00
The file list may differ from Mac to Mac. Unmount the image and remove the local dir used as mount point:
sh-3.2# hdiutil detach sbdest
"disk1" unmounted.
"disk1" ejected.
sh-3.2# rmdir sbdest
The image is ready; you must tell OS X to use it as fv1user's home directory. Edit the user's plist, making a backup copy first:
sh-3.2# cd /private/var/db/dslocal/nodes/Default/users/
sh-3.2# cp fv1user.plist fv1user.plist.backup
sh-3.2# plutil -convert xml1 fv1user.plist
sh-3.2# nano fv1user.plist
nano opens; search for:
<key>home</key>
<array>
<string>/Users/fv1user</string>
</array>
and add the home_loc key below it, editing the path to reference your own sparsebundle:
<key>home</key>
<array>
<string>/Users/fv1user</string>
</array>
<key>home_loc</key>
<array>
<string><home_dir><url>file://localhost/Users/fv1user/fv1user.sparsebundle</url></home_dir></string>
</array>
Write the text between <string> and </string> on just one row. Convert the plist file to binary format again:
sh-3.2# plutil -convert binary1 fv1user.plist
All is done: you can log in as the new user to check whether FileVault 1 is active. Some ways:
- open System Preferences > Security & Privacy and check for the presence of the FileVault and Legacy FileVault buttons
- open a Terminal window and run the mount command:
$ mount
(...)
/dev/disk1s2 on /Users/fv1user (hfs, local, nodev, nosuid, journaled, nobrowse)
- create a file in the home dir, log out and check as another user (via superuser) whether the new file exists in /Users/fv1user/. If it is not found, that's fine, because it is in the sparsebundle image. Not sure? Log in again as the new user and you'll find the file!
Once you are sure about the changes made, you can remove any previous content from the home dir as another user (via superuser), except the fv1user.sparsebundle directory, which holds the encrypted version.
P.S. Using FileVault 1, you know that at logout OS X will compact the sparsebundle, displaying the compact dialog for a few moments. If you are on battery power this doesn't happen: you must log out while the Mac is on AC power.
Thanks to Jeff McCune for his original post.
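As an added example (my own script, not code from the blog post or the forum poster), here is the same procedure as a single shell script, assuming OS X 10.7/10.8 tools (hdiutil, Apple's rsync with -E, dscl) and a master password already set via "Set Master Password…". The fv1home.sh name and the fv1_* functions are mine. It goes beyond the post in a few ways a practitioner would want: it refuses to run while the target user is logged in, re-runs rsync as a dry run and leaves home_loc untouched if anything was missed, writes home_loc with dscl instead of editing the plist in nano (I assume dscl writes the same native attribute the blog adds by hand; the script reads it back so you can confirm), and adds a check for the 10.7.3 secure.log password leak mentioned in the updates.

```shell
#!/bin/sh
# Added example (not the blog's or the poster's own code): the Legacy FileVault
# home migration above as one script, with the checks the manual steps leave
# to the operator. Assumes OS X 10.7/10.8 tools (hdiutil, Apple's rsync with
# -E, dscl) and that "Set Master Password..." has already created
# /Library/Keychains/FileVaultMaster.cer. The fv1_* names are mine.
#   sudo sh fv1home.sh migrate   fv1user   # image, copy, home_loc
#   sudo sh fv1home.sh verify    fv1user   # while fv1user is logged in
#   sudo sh fv1home.sh leakcheck fv1user   # 10.7.3 secure.log bug
set -eu
umask 077
MASTER_CERT=/Library/Keychains/FileVaultMaster.cer
NODE=/private/var/db/dslocal/nodes/Default/users
LOGDIR=/var/log

# The home_loc value, on a single line as the blog requires.
fv1_home_loc() { # <user>
    printf '<home_dir><url>file://localhost/Users/%s/%s.sparsebundle</url></home_dir>' "$1" "$1"
}

# Refuse anything but plain integers before they reach hdiutil -uid/-gid.
fv1_ids_ok() { # <uid> <gid>
    case "$1" in ''|*[!0-9]*) return 1;; esac
    case "$2" in ''|*[!0-9]*) return 1;; esac
}

# Does one line of `mount` output show <user>'s home served from the image?
# Legacy FileVault mounts it as hfs with nobrowse, as in the post's sample.
fv1_mount_line_ok() { # <mount line> <user>
    case "$1" in *" on /Users/$2 (hfs,"*nobrowse*) return 0;; esac
    return 1
}

fv1_cat() { case "$1" in *.bz2) bzcat "$1";; *) cat "$1";; esac; }

# 10.7.3 wrote the account password to secure.log in clear. Look for it in
# every generation (plain or bzip2-rotated); returns 1 if any file has it.
fv1_leakcheck() { # <password> [logdir]
    local d f found
    d=${2:-$LOGDIR}; found=0
    for f in "$d"/secure.log*; do
        [ -f "$f" ] || continue
        if fv1_cat "$f" | grep -qF -- "$1"; then
            echo "password present in $f" >&2; found=1
        fi
    done
    return $found
}

fv1_migrate() { # <user>
    local user uid gid home img mnt ex1 ex2 left
    user=$1; home=/Users/$user; img=$home/$user.sparsebundle
    uid=$(id -u "$user") && gid=$(id -g "$user") || { echo "no such user: $user" >&2; return 1; }
    fv1_ids_ok "$uid" "$gid" || { echo "non-numeric ids for $user" >&2; return 1; }
    [ -r "$MASTER_CERT" ] || { echo "set the master password first: $MASTER_CERT missing" >&2; return 1; }
    [ ! -e "$img" ] || { echo "$img exists, refusing to overwrite" >&2; return 1; }
    if who | grep -q "^$user "; then echo "$user is logged in; log out first" >&2; return 1; fi

    hdiutil create -size 300g -encryption -agentpass -certificate "$MASTER_CERT" \
        -uid "$uid" -gid "$gid" -mode 0700 -fs "HFS+J" -type SPARSEBUNDLE \
        -layout SPUD -volname "$user" "$img"
    chown -R "$user":staff "$img"

    mnt=$(mktemp -d "$home/sbdest.XXXXXX")
    hdiutil attach -owners on -mountpoint "$mnt" "$img"
    ex1="--exclude=$user.sparsebundle/"; ex2="--exclude=${mnt##*/}/"
    rsync -axHE "$ex1" "$ex2" "$home/" "$mnt/"
    # Dry-run a second pass: anything still itemized did not reach the image.
    left=$(rsync -axHEni "$ex1" "$ex2" "$home/" "$mnt/" | grep -v ' \./$' || true)
    hdiutil detach "$mnt"; rmdir "$mnt"
    [ -z "$left" ] || { echo "copy incomplete, home_loc unchanged:" >&2; echo "$left" >&2; return 1; }

    cp "$NODE/$user.plist" "$NODE/$user.plist.backup"
    # Assumed equivalent to the nano edit: dscl writes the same native
    # home_loc attribute into that plist. Read it back to confirm.
    dscl . -create "/Users/$user" home_loc "$(fv1_home_loc "$user")"
    dscl . -read "/Users/$user" home_loc
}

fv1_verify() { # <user>, run while that user is logged in
    local line
    line=$(mount | grep -F " on /Users/$1 (" || true)
    fv1_mount_line_ok "$line" "$1" && { echo "home is on the encrypted image: $line"; return 0; }
    echo "home is NOT mounted from the image (is $1 logged in?)" >&2; return 1
}

case "${1:-}" in
    migrate)   fv1_migrate "$2";;
    verify)    fv1_verify "$2";;
    leakcheck) printf 'Password of %s: ' "$2"; stty -echo; read -r pw; stty echo; echo
               fv1_leakcheck "$pw";;
esac
```

The dry-run pass is the check that matters most: the blog's manual steps switch home_loc as soon as the first rsync finishes, so a file that was open or changed under you during the copy would silently be left outside the image. The leak check only greps for the password string, because the exact 10.7.3 log line format is not something this page documents; run it against a copy of /var/log if you want to inspect the hits before deleting anything.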