MacOS – Whole disk encryption. How to the kernel be encrypted

John Siracusa's detailed Lion review covers the new FileVault disk encryption feature in great detail:

http://arstechnica.com/apple/reviews/2011/07/mac-os-x-10-7.ars/13#lion-file-system

To summarise, the new system is "volume" based. This means that not all volumes can be or are encrypted. The Lion recovery partition for example is not encrypted. Non Mac volumes are also not encrypted (FAT, NTFS, ExFAT, etc).

From John's description it does appear you can have multiple encrypted volumes. Whether or not they can use different passwords is unknown to me. Some use of the diskutil command may be necessary to achieve this if possible.

After a bit of messing about, it turns out that there is a better compromise which doesn't seem to be clearly documented anywhere obvious, so I thought I'd share it here. I don't believe this is a duplicate but I'm happy to see this question closed if I've missed something.

The cost of the solution (which may be unacceptable to some) is that you need to sacrifice about 14G of your drive to a honeypot partition. The steps I took are:

1. Use Disk Utility to resize your boot partition to create at least 14.3G of free space at the end of the drive. If you've already enabled FileVault, I believe this means you're going to have to turn it off and wait for it to finish decrypting first.

2. Create an empty, Mac OS Extended, Journalled partition at the end of your drive filling the free space.

3. To make things look a bit more convincing, give your new partition a name that's more plausible than Macintosh HD (2) - I name mine after my host name.

4. Restart your computer and launch into recovery mode by holding down Cmd-R as the system boots.

5. Select reinstall OS from the recovery menu, and follow through with the install. Somewhere along the line you will get the option to select where to install the OS. You want to put it on the new partition, obviously. It should be just big enough to let you install Lion. If it isn't you're going to have to drop back out to the main recovery menu, fire up Disk Utility and resize the partitions again. This is a bit of crapshoot because you don't end up with as much free space as the specified size of the partition but you'll get there in the end.

6. Complete the installation of your new copy of Lion. You want to set this up as a honeypot, so:

   • Enable automatic login that logs into a non-administrative account with the same username as you use on your main partition (for added plausibility)
   • Make sure your admin account has a decent password to make it hard for the thief to mess with your tracking software if he finds it
   • Don't hook anything up to iCloud - I'm assuming you're going to be using an alternative service like Undercover, Prey or LoJack to aid recovery, so it's just more potential exposure and best avoided.
7. Install your tracking software of choice on the honeypot partition. I went with Undercover in the end because it's a one-off cost and Prey is written in bash <shudder>.

8. Prevent corestoraged from trying to mount encrypted partitions on startup, thus blowing your cover:

   sudo mkdir -p /System/Library/LaunchDaemons.Disabled
   sudo mv /System/Library/LaunchDaemons/com.apple.corestorage.corestoraged.plist /System/Library/LaunchDaemons.Disabled/com.apple.corestorage.corestoraged.plist
   

   (A bit of a hack, but it's only a honeypot. Hat tip to the contributors here )

9. Reboot your system. You'll need to hold down alt/opt as the system boots to bring up the boot menu. Select your original main partition to boot into your main system.
10. (Re)Enable FileVault for this partition and allow it to complete.
11. Install your tracking software on this partition as well (this works fine for Undercover, which identifies machines by serial number of MAC address, so it doesn't care which partition you boot into)
12. Set a firmware password. If you're on a pre-2011 mac this is only a token gesture, but I suppose every little helps. If you have a newer mac, this is a serious security measure, as the only options for circumventing it AFAIK are taking it to Apple or physically replacing a chip on the motherboard.

So now, if you power off your mac and boot it from cold, it will boot into the honeypot partition without even asking for a password. To an unsophisticated thief, it will look like they've got access to your machine just by rebooting it. There's a fighting chance that your tracking software will have a chance to file a report before the thief realises that something isn't quite right.

When you reboot your machine, you will have to remember to hold down the alt/option key to get into your proper system, at which point you will be prompted for a password to decrypt it. Assuming that you have the appropriate locking settings enabled for sensible security, your machine is tolerably secure against someone getting hold of sensitive private data.

If you have a recent mac with proper firmware protection, the thief will have an exceptionally difficult time using anything other than the honeypot partition, and will struggle to do anything particularly useful even with that, since he has no administrative rights. With any luck, by the time he's finished getting frustrated with it the police will already be knocking at his door :-)