Why doesn't FileVault work on a RAID volume?

Solution 1:

The previous answer I gave here was wrong (as is bmike's answer).

The previous answer I gave was that if you have this as a problem, a workaround is to create an encrypted disk image that covers the entire AppleRaid set. This works, in theory, but is so horribly slow (like more than 10x as slow as the raw disk access) that it is basically unusable, which led me to look at the diskutil command line utility in more detail. And what do you know --- you CAN do what is wanted, it just takes some work. You have to do it through the command line, and even there you can't do it with the simplest commands, but it can be done and it is 100% legitimate Apple supported, not some weird hack.

So, let's assume you have your Apple Raid volume, which you have created somehow, either through Disk Utility or through the command line.

Note: This process will format your RAID and encrypt it. Backup any data you want to keep (at least twice) before proceeding.

The first thing we need is to know the low-level OS identifier for the Apple Raid volume of interest, so type:

diskutil list

which will give you a list of the various hard drives, partitions and logical hard drives (e.g. Apple RAID volumes) on your system. Look at the list and figure out, based on name, size, whatever, which is the Apple RAID volume we wish to encrypt. Make sure you get the RIGHT identifier, otherwise you'll destroy some other volume. It's wise, when doing this, to disconnect (manually --- pull out the cables!) all hard drives not relevant to the problem, including, most obviously, your backup drives!

So the list tells us the device of interest is, say, disk7

Next we want to create a Core Storage LVG (Logical Volume Group) wrapper around the device. I'm not going to claim I understand Core Storage terminology, and why they use a different word for everything compared to Apple RAID, but far as I can tell, the LVG is essentially Core Storage's version of a logical hard drive. So type:

diskutil cs createLVG BackupImacLVG disk7

BackupImacLVG is the name we are giving to the logical hard drive we're creating. This command will take a few seconds, then spit out a long string which is the "name" (the UUID) of the LVG we have created. We use it in the next step.

We're not done. We now need to create the equivalent of a partition (which Core Storage calls a Logical Volume) on this logical hard drive. Here is the next command:

diskutil cs createLV 8C5AED3-0CCF-4155-8E3D-DF7D9E68EE7B JHFS+ BackupImac 100% -stdinpassphrase

In the command above: 8C5AED3-0CCF-4155-8E3D-DF7D9E68EE7B is the LVG UUID we were just told (make sure you use your own), and JHFS+ is the file system we want to create in the partition. BackupImac will be the name of the volume created in this partition. 100% says how much space we want to give to this partition. (There are a few different ways to specify sizes, but most people will probably use 100%). -stdinpassphrase says that we want to use encryption.

The command line will then put up a prompt of:

Passphrase for new volume:

You enter the password, and you're done. (Note none of the helpful Apple FileVault UI here! No offering to save your password for you with Apple, no second request for the password to make sure you typed it correctly!)

The end result of all this is exactly what you would hope for and expect. An encrypted volume with all the performance of the previous AppleRAID volume. (And if you look at the diskutil man page, you will see that they explicitly list Apple RAID volumes as supported targets for diskutil cs createLVG, so this isn't some strange edge case that isn't officially supported.)

Disk Utility.app doesn't update its UI (it's really bad in this respect --- has been an ongoing problem in OSX) so quit it and restart it. You'll now see, along with your RAID slices, a new "hard drive" called BackupImacLVG (or whatever you called it) along with a partition called BackupImac (or whatever you called it), with a format of "Encrypted Logical Partition".

One thing to be aware of. The disk is mounted during the creation process without asking for a password (you gave the password in the command line).

Right after you are done, you may want to unmount the volume, power down the hard drives of the AppleRAID volume, power them on again, and see what happens. If you have done everything correctly, once all the slices of the Apple RAID have spun up and been detected by the OS, a window should appear on the screen asking you for the password so that the disk can be mounted.

Solution 2:

The answer from Maynard Handley above still holds true, but with APFS there are now easier ways to do this. CoreStorage also doesn't work on APFS since it's made for their fusion drives. APFS, on the other hand, is for SSD storage.

You can even do it over the Disk Utility GUI:

  1. Create the RAID set like you would usually do through Raid Assistant, but select APFS.
  2. Then right-click on the APFS Volume (not the RAID set), hit "Create APFS Volume".
  3. Select APFS (encrypted) from the menu and give it a password.

Tada, you now have an encrypted APFS volume on top of your RAID set. If you want you can go ahead and remove the default non-encrypted one.

If you prefer the command line, diskutil apfs is used for interacting with APFS volumes, e.g. diskutil apfs list:

+-- Container disk4 675DEF26-4DCB-428A-8B96-6232445EF9C9
    ====================================================
    APFS Container Reference:     disk4
    Size (Capacity Ceiling):      30877155328 B (30.9 GB)
    Capacity In Use By Volumes:   73904128 B (73.9 MB) (0.2% used)
    Capacity Not Allocated:       30803251200 B (30.8 GB) (99.8% free)
    |
    +-< Physical Store disk3 8FE0DEAB-F928-4808-A90A-228B389B2EA5
    |   ---------------------------------------------------------
    |   APFS Physical Store Disk:   disk3
    |   Size:                       30877155328 B (30.9 GB)
    |
    +-> Volume disk4s2 443DB768-782B-47DC-B3C4-71E42D045F3A
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk4s2 (No specific role)
        Name:                      TestVolume (Case-insensitive)
        Mount Point:               /Volumes/TestVolume
        Capacity Consumed:         974848 B (974.8 KB)
        FileVault:                 Yes (Unlocked)

  1. Create the RAID set

diskutil appleRAID create mirror RaidTest apfs disk2 disk5 (...etc)

  2. Add the encrypted volume

diskutil apfs addVolume disk4 APFS FooSecure2 -passphrase hello

--

With APFS volumes it can get a bit confusing but basically:

  • disk4: APFS container on top of disk3 (see diskutil apfs list under "physical store disk")
  • disk3: The virtual Apple RAID volume (see diskutil appleRAID list under "device node")
  • disk2 / disk5: The actual physical drives that are part of the RAID set (see diskutil appleRAID list and diskutil list, and notice "physical")
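
Added example, not part of either answer above: Solution 2 leaves the default non-encrypted volume in the container unless you remove it, so this script reads `diskutil apfs list` text and reports every volume that does not show "FileVault: Yes". The function names `unencrypted_volumes` and `sample_listing` are hypothetical, and the `disk4s1` entry in the sample (placeholder UUID, "FileVault: No" line) is constructed and assumed to follow the same layout as the listing in the answer.

```shell
#!/bin/sh
# Added example: flag APFS volumes that do not report "FileVault: Yes".
# On a Mac: diskutil apfs list | unencrypted_volumes

# Reads `diskutil apfs list` text on stdin; prints "<device> <name> <state>"
# for each volume whose FileVault line does not start with "Yes".
unencrypted_volumes() {
    awk '
        function emit() {
            if (dev != "" && fv !~ /^Yes/) print dev, name, fv
            dev = ""
        }
        { sub(/^[ |]+/, "") }                  # drop the tree-drawing prefix
        /^\+-- Container / { emit() }
        /^\+-> Volume /    { emit(); dev = $3; name = "?"; fv = "unknown" }
        /^Name:/ && dev != "" { name = $0; sub(/^Name: */, "", name); sub(/ \(Case-.*/, "", name) }
        /^FileVault:/ && dev != "" { fv = $2 }
        END { emit() }
    '
}

# Constructed sample: the listing from the answer (trimmed) plus the default,
# unencrypted volume disk4s1 (placeholder UUID) that RAID creation leaves.
sample_listing() {
    cat <<'EOF'
+-- Container disk4 675DEF26-4DCB-428A-8B96-6232445EF9C9
    ====================================================
    APFS Container Reference:     disk4
    |
    +-< Physical Store disk3 8FE0DEAB-F928-4808-A90A-228B389B2EA5
    |   ---------------------------------------------------------
    |   APFS Physical Store Disk:   disk3
    |
    +-> Volume disk4s1 00000000-0000-0000-0000-000000000001
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk4s1 (No specific role)
    |   Name:                      RaidTest (Case-insensitive)
    |   FileVault:                 No
    |
    +-> Volume disk4s2 443DB768-782B-47DC-B3C4-71E42D045F3A
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk4s2 (No specific role)
        Name:                      TestVolume (Case-insensitive)
        FileVault:                 Yes (Unlocked)
EOF
}

sample_listing | unencrypted_volumes   # prints: disk4s1 RaidTest No
```

A volume with no FileVault line at all is reported with the state "unknown" rather than silently passed.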