
Encrypting 10.7 non-boot volumes without erasing them

In addition to using FileVault 2 to encrypt your boot partition, it’s possible to encrypt your non-boot storage on 10.7 using the same CoreStorage-based encryption. Apple provided a way to do this via Disk Utility, where you would need to erase the drive and have the new volume be set up as an encrypted volume.

It is also possible, from the command line, to encrypt the drive without erasing it first. This allows your existing data to stay on your drive while the drive is being encrypted. See below the jump for the procedure.

To encrypt a drive, run the following command:

diskutil cs convert /Volumes/your_drive_name_here -passphrase


Note: You can use diskutil corestorage in place of diskutil cs

You’ll then be prompted for the passphrase you want to set and get output similar to what’s shown below:


computer name:~ username$ diskutil cs convert /Volumes/your_drive_name_here -passphrase
New passphrase for converted volume:
Confirm new passphrase:
Started CoreStorage operation on disk2s1 your_drive_name_here
Resizing disk to fit Core Storage headers
[ - 0%..10%.............................................. ]
Creating Core Storage Logical Volume Group
Attempting to unmount disk2s1
Switching disk2s1 to Core Storage
Waiting for Logical Volume to appear
Mounting Logical Volume
Core Storage LVG UUID: D1EAB2C3-EC21-41DA-AD60-75E1302E247B
Core Storage PV UUID: 991C89E9-A628-408C-AAFF-39A561FCB95C
Core Storage LV UUID: 36483526-6C2C-43FA-A4B7-6F503473F1C2
Core Storage disk: disk3
Finished CoreStorage operation on disk2s1 your_drive_name_here
Encryption in progress; use `diskutil coreStorage list` for status


You’ll want to leave the Mac up and running while the drive is encrypting, as the encryption process will fail if interrupted. To check on its progress, run the following command:

diskutil corestorage list

Check the list displayed for the name of the drive you’re encrypting. When you find it, look for Size (Converted):, as that will tell you how far along the encryption is.


Once the encryption is finished, it should report Conversion Status: Complete

In order to kick off the encryption process, the drive needs to unmount and remount. If the drive does not unmount, you may see output like this appear:


Started CoreStorage operation on disk2s2 your_drive_name_here
Resizing disk to fit Core Storage headers
Creating Core Storage Logical Volume Group
Attempting to unmount disk2s2
Switching disk2s2 to Core Storage
Couldn't unmount disk2s2; converted volume won't appear until it's unmounted
Core Storage LVG UUID: E8855450-E9B1-4DC7-84E3-27FE682A7FAB
Core Storage PV UUID: 74610185-5485-44B0-B76A-B5C5E1616D6E
Core Storage LV UUID: 3704705E-9645-4628-ABB7-A0E6999697C6
Finished CoreStorage operation on disk2s2 iLoad4
Encryption in progress; use `diskutil coreStorage list` for status

If the drive does not unmount, unmount it and unplug it (to make sure the Mac isn’t seeing it anymore), then replug it in. At that point, you should be prompted for the password you had set and the encryption process should begin.

If you check on its progress and encryption still has not begun, try unmounting, unplugging and replugging again. At that point, it should kick off.

To decrypt a drive from the command line, you would run the following command:

diskutil cs revert /Volumes/your_drive_name_here -passphrase


You’ll be prompted for authentication before it will decrypt, so enter the password you had set when encrypting.


Once entered, the drive will begin to decrypt.


To check on its progress, run the following command:

diskutil corestorage list

Check the list displayed for the name of the drive you’re decrypting. When you find it, look for Size (Converted):, as that will tell you how far along the decryption is. Also, when decrypting, the conversion direction should be reported as Conversion Direction: backward
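The progress checks described above, for both encryption and decryption, can be scripted. The following is an added example, not code from the original post: it reads diskutil corestorage list output and reports Conversion Status, Conversion Direction and the percentage given by Size (Converted) over Size (Total) for a named volume. The sample listing and its UUIDs are constructed, and its layout, the Size (Total): and LV Name: fields and the -none- values are assumptions about the tool's output.

```shell
#!/bin/sh
# Added example: read `diskutil corestorage list` text on stdin and print
# "<status> <direction> <percent>" for the volume named in $1 (LV Name field).
cs_conversion_state() {
    awk -v want="$1" '
        function emit() {                      # report the volume just parsed
            if (name != want) return
            if (status == "Complete") pct = 100
            else if (total ~ /^[0-9]+$/ && conv ~ /^[0-9]+$/ && total + 0 > 0)
                pct = int(conv * 100 / total)
            else pct = "?"
            print status, dir, pct; found = 1
        }
        { sub(/^[ |+<>-]*/, "") }              # drop tree-drawing prefix
        /^Logical Volume (Group|Family) / {
            emit(); status = dir = "unknown"; name = total = conv = ""; next }
        /^Logical Volume /       { emit(); name = total = conv = ""; next }
        /^Conversion Status:/    { status = $3 }
        /^Conversion Direction:/ { dir = $3 }
        /^Size \(Total\):/       { total = $3 }
        /^Size \(Converted\):/   { conv = $3 }
        /^LV Name:/              { name = $0; sub(/^LV Name:[ \t]*/, "", name) }
        END { emit(); exit (found ? 0 : 1) }   # non-zero if volume not listed
    '
}
# Constructed, abbreviated sample listing (assumed layout, made-up UUIDs).
sample_cs_list() {
cat <<'EOF'
CoreStorage logical volume groups (2 found)
+-- Logical Volume Group 11111111-1111-1111-1111-111111111111
    +-> Logical Volume Family 22222222-2222-2222-2222-222222222222
        Conversion Status:       Converting
        Conversion Direction:    forward
        +-> Logical Volume 33333333-3333-3333-3333-333333333333
            Size (Total):       400000000000 B (400.0 GB)
            Size (Converted):   100000000000 B (100.0 GB)
            LV Name:            Backup Drive
+-- Logical Volume Group 44444444-4444-4444-4444-444444444444
    +-> Logical Volume Family 55555555-5555-5555-5555-555555555555
        Conversion Status:       Complete
        Conversion Direction:    -none-
        +-> Logical Volume 66666666-6666-6666-6666-666666666666
            Size (Total):       200000000000 B (200.0 GB)
            Size (Converted):   -none-
            LV Name:            Archive
EOF
}
sample_cs_list | cs_conversion_state "Backup Drive"
```

On the Mac itself, pipe the live listing in instead of the sample: diskutil corestorage list | cs_conversion_state your_drive_name_here. Treat the drive as fully encrypted only once the status reads Complete.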


You can also decrypt your encrypted drive using Disk Utility. To decrypt a drive from Disk Utility, use the following procedure:

1. Open Disk Utility.

2. Select your locked hard drive.

3. Under the File menu, select Turn Off Encryption…


4. When prompted for a password, enter the password you had set when encrypting.


You may need to unplug the drive and replug it in before it begins decryption. When it’s replugged in, the drive should mount normally without requiring your encryption password. At this time, Disk Utility will not show you the decryption progress, so to check on its progress, you’ll need to open Terminal and run the following command:

diskutil corestorage list
