On a Mac running OS X Lion 10.7.5 I have attempted to encrypt an external drive using Disk Utility.
Since this is 10.7, there is no option of right-clicking to encrypt in Finder. Also, there's no option to create an encrypted partition when formatting. So, here's what I did:
I reformatted the drive like this:

    /dev/disk1
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      GUID_partition_scheme                        *2.0 TB     disk1
       1:                        EFI                         209.7 MB   disk1s1
       2:                  Apple_HFS Heap                    1.7 TB     disk1s2
       3:                  Apple_HFS Time Machine            300.0 GB   disk1s3
       4:       Microsoft Basic Data EXCHANGE                49.5 GB    disk1s4

Then I wanted to encrypt all Apple_HFS partitions, starting with Heap. The only way to accomplish this using the GUI seems to be the following:

- Select the volume you want to encrypt in the sidebar on the left side.
- Select the tab "erase" on the right side.
- Choose an option of your liking in "Format:"
- Click "Erase…" to reformat the partition as an encrypted volume. You have to create a password to continue.

If this were Mountain Lion, this would be it. All I'd have to do is wait for the encryption to finish. So, I checked the status in the terminal using:
diskutil cs list
And to my surprise there's no conversion happening:
    Sequence:               2
    Encryption Status:      Unlocked
    Encryption Type:        AES-XTS
    Encryption Context:     Present
    Conversion Status:      NoConversion   // OH NOES!!! WHY THIS? WHY ME? :(
    Has Encrypted Extents:  Yes
    Conversion Direction:   -none-
But I did expect something like this:
    Encryption Status:      Unlocked
    Encryption Type:        AES-XTS
    Conversion Status:      Converting   // This is what I expected.
    Conversion Direction:   forward
    Has Encrypted Extents:  Yes
    Fully Secure:           No
    Passphrase Required:    Yes
Question
What is going on here? Am I just interpreting the diskutil output the wrong way?
Best Answer
I believe you need a Recovery HD on that volume to let FileVault 2 do its business. Here's the article on how to FileVault 2.
I believe the section where it says FileVault 2 requires OS X Lion or Mountain Lion and Recovery HD installed on your startup drive is not technically correct, since the keys to decrypt an external drive would only be stored on the internal drive of the Mac doing the encryption.
I know this isn't true since I've had encrypted external drives that I've taken to several Macs and had all of them read it. You could start by letting Time Machine encrypt the external drive since that's the canonical GUI manner to get FileVault 2 on an external drive.
You can do everything in terminal though. Here is your recipe - bookmark this guy's web site - Rich is an asset to the community for documenting how to wrangle encryption and many other things.
Here is what a functioning external without FileVault 2 looks like to me (warning - this is all on Mountain Lion).
So, you can convert things thusly:
After a short delay, the progress will end and you will get this notice:
Setting aside whether Lion has the same output (since it likely will not end the command until the encryption is done) - here is the end result of what the diskutil list command shows once the external has been encrypted:

It appears that disk2s6 gets shaved off the 10.0 GB disk2s2 and serves to hold the keys for [en|de]crypting HEAP.
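
The comparison the question makes between its two `diskutil cs list` outputs can be scripted. The following is an added example, not part of the original question or answer: it reads a listing on stdin and prints the encryption and conversion fields per volume. The function names are made up for this example, the sample input is constructed from the two listings in the question, and it assumes each volume's block begins at its `Encryption Status:` line.

```bash
# Added example (not from the post): summarise `diskutil cs list` fields from stdin.
_cs_value() {   # first word after the first colon on the line
  v=${1#*:}
  v=${v#"${v%%[![:space:]]*}"}        # trim leading whitespace
  printf '%s' "${v%%[[:space:]]*}"    # drop trailing text or annotations
}

_cs_emit() {    # only the two status values shown in the post are classified
  case "$2" in
    Converting)   state=in-progress ;;
    NoConversion) state=none-running ;;
    *)            state=other ;;
  esac
  printf 'encryption=%s conversion=%s direction=%s fully_secure=%s state=%s\n' \
    "${1:-?}" "${2:-?}" "${3:-?}" "${4:-?}" "$state"
}

# Assumption: each volume's block starts at its "Encryption Status:" line.
cs_summary() (
  open=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *"Encryption Status:"*)
        if [ "$open" -eq 1 ]; then _cs_emit "$enc" "$conv" "$dir" "$secure"; fi
        open=1; conv=; dir=; secure=
        enc=$(_cs_value "$line") ;;
      *"Conversion Status:"*)    conv=$(_cs_value "$line") ;;
      *"Conversion Direction:"*) dir=$(_cs_value "$line") ;;
      *"Fully Secure:"*)         secure=$(_cs_value "$line") ;;
    esac
  done
  if [ "$open" -eq 1 ]; then _cs_emit "$enc" "$conv" "$dir" "$secure"; fi
)

# Constructed sample input built from the two listings in the question.
cs_sample() {
  cat <<'EOF'
    Encryption Status:       Unlocked
    Encryption Context:      Present
    Conversion Status:       NoConversion
    Has Encrypted Extents:   Yes
    Conversion Direction:    -none-
    Encryption Status:       Unlocked
    Conversion Status:       Converting
    Conversion Direction:    forward
    Fully Secure:            No
EOF
}
```

On the Mac itself the live listing can be piped in with `diskutil cs list | cs_summary`; a field that is absent from a block is printed as `?`.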