MacOS – The encryption of an external drive in 10.7.5 does not seem to work. “Conversion Status: NoConversion”

core-storagedisk-utilityencryptionmacos

On a Mac running OS X Lion 10.7.5 I have attempted to encrypt an external drive using Disk Utility.

Since this is 10.7, there is no option of right-clicking to encrypt in Finder. Also, there's no option to create an encrypted partition when formatting. So, here's what I did:

  1. I reformatted the drive like this:

    /dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *2.0 TB     disk1
   1:                        EFI                         209.7 MB   disk1s1
   2:                  Apple_HFS Heap                    1.7 TB     disk1s2
   3:                  Apple_HFS Time Machine            300.0 GB   disk1s3
   4:       Microsoft Basic Data EXCHANGE                49.5 GB    disk1s4

  2. Then I wanted to encrypt all Apple_HFS partitions, starting with Heap. The only way to accomplish this using the GUI seems to be the following:

    1. Select the volume you want to encrypt in the sidebar on the left side.
    2. Select the tab "erase" on the right side.
    3. Choose an option of your liking in "Format:"
      enter image description here
    4. Click "Erase…" to reformat the partition as an encrypted volume. You have to create a password to continue.

  3. If this were Mountain Lion, this would be it. All I'd have to do is waiting for the encryption to finish. So, I checked the status in the terminal using:

    diskutil cs list

    And to my surprise there's no conversion happening:

    Sequence:               2
Encryption Status:      Unlocked
Encryption Type:        AES-XTS
Encryption Context:     Present
Conversion Status:      NoConversion       // OH NOES!!! WHY THIS? WHY ME? :(
Has Encrypted Extents:  Yes
Conversion Direction:   -none-

    But I did expect something like this:

    Encryption Status:           Unlocked
    Encryption Type:         AES-XTS
    Conversion Status:       Converting    // This is what I expected.
    Conversion Direction:    forward
    Has Encrypted Extents:   Yes
    Fully Secure:            No
    Passphrase Required:     Yes

Question

What is going on here? Am I just interpreting the diskutil output the wrong way?

Best Answer

I believe you need a Recovery HD on that volume to let FileVault 2 do it's business. Here's the article on how to FileVault 2.

I believe the section where it says FileVault 2 requires OS X Lion or Mountain Lion and Recovery HD installed on your startup drive is not technically correct, since the keys to decrypt an external drive would only be stored on the internal drive of the Mac doing the encryption.

I know this isn't true since I've had encrypted external drives that I've taken to several Mac and had all of them read it. You could start by letting Time Machine encrypt the external drive since that's the canonical GUI manner to get FileVault 2 on an external drive.

You can do everything in terminal though. Here is your recipe - bookmark this guy's web site - Rich is an asset to the community for documenting how to wrangle encryption and many other things.

Here is what a functioning external without FileVault 2 looks like to me (warning - this is all on Mountain Lion).

/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk2
   1:                        EFI                         209.7 MB   disk2s1
   2:                  Apple_HFS HEAP                    10.0 GB    disk2s2
   3:                  Apple_HFS Time Machine            300.0 GB   disk2s3
   4:       Microsoft Basic Data EXCHANGE                189.6 GB   disk2s4

So, you can convert things thusly:

Air:~ me$ diskutil cs convert /Volumes/HEAP -passphrase
New passphrase for converted volume:
Confirm new passphrase:
Started CoreStorage operation on disk2s2 HEAP
Resizing disk to fit Core Storage headers
[ | 0%..10%.............................................. ]

After a short delay, the progress will end and you will get this notice:

Air:~ me$ diskutil cs convert /Volumes/HEAP -passphrase
New passphrase for converted volume:
Confirm new passphrase:
Started CoreStorage operation on disk2s2 HEAP
Resizing disk to fit Core Storage headers
Creating Core Storage Logical Volume Group
Attempting to unmount disk2s2
Switching disk2s2 to Core Storage
Waiting for Logical Volume to appear
Mounting Logical Volume
Core Storage LVG UUID: 4FA72C96-80B5-4794-B6C9-D5E94B3194C8
Core Storage PV UUID: A60F4F77-18F7-4972-9A37-4873390BE326
Core Storage LV UUID: 02A09627-7955-4671-84F7-BD26FE1D9B93
Core Storage disk: disk3
Finished CoreStorage operation on disk2s2 HEAP
Encryption in progress; use `diskutil coreStorage list` for status

Setting aside whether Lion has the same output (since it likely will not end the command until the encryption is done) - here is the end result of what the diskutil list command shows once the external has been encrypted:

/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk2
   1:                        EFI                         209.7 MB   disk2s1
   2:          Apple_CoreStorage HEAP                    10.0 GB    disk2s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk2s6
   4:                  Apple_HFS Time Machine            300.0 GB   disk2s3
   5:       Microsoft Basic Data EXCHANGE                189.6 GB   disk2s4

It appears that disk2s6 gets shaved off the 10.0 GB disk2s2 and serves to hold the keys for [en|de]crypting HEAP.

Related Question