Wednesday, September 26, 2012

Encrypted RAID Disk on OS X Mountain Lion and Mavericks

UPDATE: This works on Mavericks as well

The Disk Utility application does not allow you to create an encrypted filesystem on a RAID volume. However, it is possible from the command line. WARNING: this will erase everything on those disks, so back up any data you want to keep first. The basic method is to create an Apple RAID volume, create a CoreStorage logical volume group on it, and then create an encrypted logical volume in that logical volume group.

These are the unformatted disks before RAID.



You can see them from the command line as disk1 and disk2.

$ diskutil list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *121.3 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:          Apple_CoreStorage                         120.5 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                                                   *2.0 TB     disk1
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                                                   *2.0 TB     disk2
/dev/disk3
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           *120.2 GB   disk3

The CoreStorage subsystem knows nothing about them yet and shows only my Macintosh HD.

$ diskutil cs list
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group B42959AC-207C-45CE-AC5B-A3B9E5289368
    =========================================================
    Name:         Macintosh HD
    Size:         120473067520 B (120.5 GB)
    Free Space:   0 B (0 B)
    |
    +-< Physical Volume 33B112ED-10BF-452E-BC96-1761AE2FFDC7
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk0s2
    |   Status:   Online
    |   Size:     120473067520 B (120.5 GB)
    |
    +-> Logical Volume Family BE76718E-765A-4797-B7FD-9B743B6E28E9
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Conversion Direction:    -none-
        Has Encrypted Extents:   Yes
        Fully Secure:            Yes
        Passphrase Required:     Yes
        |
        +-> Logical Volume 46D952CD-311E-476E-8C19-CE2392FBABCE
            ---------------------------------------------------
            Disk:               disk3
            Status:             Online
            Size (Total):       120154296320 B (120.2 GB)
            Size (Converted):   -none-
            Revertible:         Yes (unlock and decryption required)
            LV Name:            Macintosh HD
            Volume Name:        Macintosh HD
            Content Hint:       Apple_HFS

In Disk Utility, create a RAID volume from the disks by dragging them into the RAID set and giving it a name (StorageRAID).



Under Options, tell it to automatically rebuild RAID sets if you want to.



Click Create, and then Create again to confirm.



It will create the RAID volume and mount it.



Now back to the command line.

$ diskutil list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *121.3 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:          Apple_CoreStorage                         120.5 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *2.0 TB     disk1
   1:                        EFI                         209.7 MB   disk1s1
   2:                 Apple_RAID                         2.0 TB     disk1s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk1s3
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *2.0 TB     disk2
   1:                        EFI                         209.7 MB   disk2s1
   2:                 Apple_RAID                         2.0 TB     disk2s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk2s3
/dev/disk3
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           *120.2 GB   disk3
/dev/disk4
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS StorageRAID           *2.0 TB     disk4

You can see that it created a disk4 as the RAID volume. Create a logical volume group named StorageLVG on disk4.

$ sudo diskutil cs createLVG StorageLVG disk4
Password:
Started CoreStorage operation
Unmounting AppleRAID set at disk4
Adding disk4 to Logical Volume Group
Creating Core Storage Logical Volume Group
Switching disk4 to Core Storage
Waiting for Logical Volume Group to appear
Discovered new Logical Volume Group "20D5D037-F88C-4F05-AD28-E569E9564FC0"
Core Storage LVG UUID: 20D5D037-F88C-4F05-AD28-E569E9564FC0
Finished CoreStorage operation

If you do a diskutil cs list now, you'll see the new LVG with the same UUID as above.

$ diskutil cs list
CoreStorage logical volume groups (2 found)
|
+-- Logical Volume Group B42959AC-207C-45CE-AC5B-A3B9E5289368
|   =========================================================
|   Name:         Macintosh HD
|   Size:         120473067520 B (120.5 GB)
|   Free Space:   0 B (0 B)
|   |
|   +-< Physical Volume 33B112ED-10BF-452E-BC96-1761AE2FFDC7
|   |   ----------------------------------------------------
|   |   Index:    0
|   |   Disk:     disk0s2
|   |   Status:   Online
|   |   Size:     120473067520 B (120.5 GB)
|   |
|   +-> Logical Volume Family BE76718E-765A-4797-B7FD-9B743B6E28E9
|       ----------------------------------------------------------
|       Encryption Status:       Unlocked
|       Encryption Type:         AES-XTS
|       Conversion Status:       Complete
|       Conversion Direction:    -none-
|       Has Encrypted Extents:   Yes
|       Fully Secure:            Yes
|       Passphrase Required:     Yes
|       |
|       +-> Logical Volume 46D952CD-311E-476E-8C19-CE2392FBABCE
|           ---------------------------------------------------
|           Disk:               disk3
|           Status:             Online
|           Size (Total):       120154296320 B (120.2 GB)
|           Size (Converted):   -none-
|           Revertible:         Yes (unlock and decryption required)
|           LV Name:            Macintosh HD
|           Volume Name:        Macintosh HD
|           Content Hint:       Apple_HFS
|
+-- Logical Volume Group 20D5D037-F88C-4F05-AD28-E569E9564FC0
    =========================================================
    Name:         StorageLVG
    Size:         2000054943744 B (2.0 TB)
    Free Space:   1999736168448 B (2.0 TB)
    |
    +-< Physical Volume AB193FA5-822F-479B-9D74-AAEC1BC22632
        ----------------------------------------------------
        Index:    0
        Disk:     disk4
        Status:   Online
        Size:     2000054943744 B (2.0 TB)

In diskutil list you can see that it changed the type of StorageRAID from Apple_HFS to Apple_CoreStorage.

$ diskutil list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *121.3 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:          Apple_CoreStorage                         120.5 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *2.0 TB     disk1
   1:                        EFI                         209.7 MB   disk1s1
   2:                 Apple_RAID                         2.0 TB     disk1s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk1s3
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *2.0 TB     disk2
   1:                        EFI                         209.7 MB   disk2s1
   2:                 Apple_RAID                         2.0 TB     disk2s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk2s3
/dev/disk3
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           *120.2 GB   disk3
/dev/disk4
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:         Apple_CoreStorage StorageRAID            *2.0 TB     disk4

Create an encrypted logical volume on this new LVG.

$ sudo diskutil cs createLV 20D5D037-F88C-4F05-AD28-E569E9564FC0 jhfs+ Storage 100% -stdinpassphrase
Passphrase for new volume:
Started CoreStorage operation
Waiting for Logical Volume to appear
Formatting file system for Logical Volume
Initialized /dev/rdisk5 as a 2 TB HFS Plus volume with a 155648k journal
Mounting disk
Core Storage LV UUID: F490C159-4CAB-463A-BAB8-3A6468CF1FE5
Core Storage disk: disk5
Finished CoreStorage operation

If you look at diskutil cs list now, you'll see the new volume.

$ diskutil cs list
CoreStorage logical volume groups (2 found)
|
+-- Logical Volume Group B42959AC-207C-45CE-AC5B-A3B9E5289368
|   =========================================================
|   Name:         Macintosh HD
|   Size:         120473067520 B (120.5 GB)
|   Free Space:   0 B (0 B)
|   |
|   +-< Physical Volume 33B112ED-10BF-452E-BC96-1761AE2FFDC7
|   |   ----------------------------------------------------
|   |   Index:    0
|   |   Disk:     disk0s2
|   |   Status:   Online
|   |   Size:     120473067520 B (120.5 GB)
|   |
|   +-> Logical Volume Family BE76718E-765A-4797-B7FD-9B743B6E28E9
|       ----------------------------------------------------------
|       Encryption Status:       Unlocked
|       Encryption Type:         AES-XTS
|       Conversion Status:       Complete
|       Conversion Direction:    -none-
|       Has Encrypted Extents:   Yes
|       Fully Secure:            Yes
|       Passphrase Required:     Yes
|       |
|       +-> Logical Volume 46D952CD-311E-476E-8C19-CE2392FBABCE
|           ---------------------------------------------------
|           Disk:               disk3
|           Status:             Online
|           Size (Total):       120154296320 B (120.2 GB)
|           Size (Converted):   -none-
|           Revertible:         Yes (unlock and decryption required)
|           LV Name:            Macintosh HD
|           Volume Name:        Macintosh HD
|           Content Hint:       Apple_HFS
|
+-- Logical Volume Group 20D5D037-F88C-4F05-AD28-E569E9564FC0
    =========================================================
    Name:         StorageLVG
    Size:         2000054943744 B (2.0 TB)
    Free Space:   0 B (0 B)
    |
    +-< Physical Volume AB193FA5-822F-479B-9D74-AAEC1BC22632
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk4
    |   Status:   Online
    |   Size:     2000054943744 B (2.0 TB)
    |
    +-> Logical Volume Family AC7F549F-1D6F-4E22-B050-34791ABF53FB
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Conversion Direction:    -none-
        Has Encrypted Extents:   Yes
        Fully Secure:            Yes
        Passphrase Required:     Yes
        |
        +-> Logical Volume F490C159-4CAB-463A-BAB8-3A6468CF1FE5
            ---------------------------------------------------
            Disk:               disk5
            Status:             Online
            Size (Total):       1999736168448 B (2.0 TB)
            Size (Converted):   -none-
            Revertible:         No
            LV Name:            Storage
            Volume Name:        Storage
            Content Hint:       Apple_HFS
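
A scripted version of this final check, as an added example that is not part of the original post: it parses `diskutil cs list` text and confirms that every Logical Volume Family in a named LVG reports the encryption fields shown above for StorageLVG. The function name, the exit codes and the abbreviated sample input are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the original post). Reads `diskutil cs list` text on
# stdin and checks every Logical Volume Family in the named LVG.
# Exit status: 0 = all checks pass, 1 = a check failed, 2 = LVG/family not found.
check_lvg_encrypted() {
    awk -v want="$1" '
    BEGIN {   # expected values are the ones the post shows for StorageLVG
        expect["Encryption Type"]     = "AES-XTS"
        expect["Conversion Status"]   = "Complete"
        expect["Fully Secure"]        = "Yes"
        expect["Passphrase Required"] = "Yes"
    }
    { sub(/^[ |+<>-]*/, ""); sub(/[ \t]+$/, "") }   # drop tree-drawing prefix
    /^Logical Volume Group /  { in_lvg = 0; grp = 1; next }
    grp && /^Name:/ {                               # group name follows its UUID line
        sub(/^Name:[ \t]*/, ""); grp = 0
        if ($0 == want) { in_lvg = 1; found = 1 }
        next
    }
    in_lvg && /^Logical Volume Family / { families++; next }
    in_lvg && (i = index($0, ":")) {                # "Key:   Value" lines
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        sub(/^[ \t]+/, "", val)
        if (key in expect) {
            seen++
            if (val != expect[key]) { print "FAIL " key ": " val; bad = 1 }
        }
    }
    END {
        if (!found || !families) exit 2
        if (bad || seen != 4 * families) exit 1     # a missing field also fails
    }'
}

# Constructed sample, abbreviated from the StorageLVG output shown in the post.
sample_cs_list() {
    cat <<'EOF'
+-- Logical Volume Group 20D5D037-F88C-4F05-AD28-E569E9564FC0
    Name:         StorageLVG
    |
    +-> Logical Volume Family AC7F549F-1D6F-4E22-B050-34791ABF53FB
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Fully Secure:            Yes
        Passphrase Required:     Yes
        |
        +-> Logical Volume F490C159-4CAB-463A-BAB8-3A6468CF1FE5
            LV Name:            Storage
EOF
}
# On a real system: diskutil cs list | check_lvg_encrypted StorageLVG
sample_cs_list | check_lvg_encrypted StorageLVG && echo "StorageLVG: encrypted"
```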

And in diskutil list.

$ diskutil list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *121.3 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:          Apple_CoreStorage                         120.5 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *2.0 TB     disk1
   1:                        EFI                         209.7 MB   disk1s1
   2:                 Apple_RAID                         2.0 TB     disk1s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk1s3
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *2.0 TB     disk2
   1:                        EFI                         209.7 MB   disk2s1
   2:                 Apple_RAID                         2.0 TB     disk2s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk2s3
/dev/disk3
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           *120.2 GB   disk3
/dev/disk4
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:          Apple_CoreStorage StorageRAID            *2.0 TB     disk4
/dev/disk5
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Storage                *2.0 TB     disk5

This is what it looks like in Disk Utility after everything is done.


21 comments:

Pirate Dave said...

Thanks for putting this info together. However, seeing that Apple decided not to permit encrypted RAIDs to be created via the UI, I am skeptical about the reliability. Thoughts?

Gary said...

I have been running it this way for almost half a year now, and haven't had any issues. Once you configure RAID, it looks like any other block device (disk) to the operating system.

josmabones said...

Have you tried running your system from an encrypted RAID volume? Or is this impossible because it's not through FileVault?

Gary said...

I have tried booting from an encrypted RAID volume on another machine (Mac Pro) some time ago, and I couldn't get it to work.

josmabones said...

I thought so, thanks for letting me know

Jeffrey G. Gomberg said...

1. What are the performance issues of using encrypted raid?

2. Do I need to decrypt from the CLI or will the UI prompt for a password when I mount?

3. The OP was written for Mountain Lion. How about Mavericks? Anything change?

Thanks!

Gary said...

@Jeffrey G. Gomberg:

1. I haven't run any performance tests, I did this for redundancy, not performance.

2. UI will prompt you for the password when you mount.

3. I haven't tried this on Mavericks.

Gary said...

@Jeffrey G. Gomberg

This works without changes on Mavericks.

Sebastian said...

... and even on Yosemite.

Peterk said...

@ Jeffrey G. Gomberg:

I did all the steps that you instructed, and it all looked good until I unplugged my drive and then plugged it back in. Then it said that the Storage Drive under StorageLVG is not mounted. So I unformatted the drive and tried it again, with the same result. Any advice?

Peterk said...

I realized that when I safely eject the drive from my desktop (as I would any other hard drive, before unplugging it) it unmounts Storage, but not StorageLVG. And then, when I unplug the drive and then plug it back in, my computer does not prompt for a passphrase, but instead leaves Storage unmounted. So I went back and remounted Storage in terminal, and unplugged the drive without ejecting it (cringe). Now when I plugged in the drive, it prompted for a passphrase. What I'm getting at, is that it seems to only prompt for a passphrase when I don't safely eject the drive, and instead simply unplug it. Did I do something wrong, or is this normal?

Gary said...

@Peterk ejecting the drive worked correctly for me, plugging it back in asked for the passphrase. Are you ejecting by dragging the drive to the trash/using the eject button in Finder, or are you ejecting it using the Eject button in Disk Utility? StorageLVG is never mounted, it doesn't have a filesystem - only Storage is mounted.

Peterk said...

I am ejecting it by dragging the drive to the trash.

Albert said...

thanks for the very nice post. what kind of performance do you get (MB/s)? i'm only getting 25 through a usb 3 hub, while each drive gets 120 or so individually

Gary said...

@Albert Unfortunately I don't have this setup any more, so I can't test, and I never tested its performance before. I had set it up for reliability rather than performance.

You say each of your disks gets 120 MB/s individually - is that through the same USB3 hub? Is it possible your hub is slowing the transfer rate down? How are you testing this?

Albert said...

wow, thanks for the quick response. my macbook has two usb ports. one port is to a (source) hard drive. the other is to a hub with the two (target) drives. before setting up the raid, i transferred 100 GB from the source to each encrypted target individually through the hub at 120 MB/s. then i set up the raid and it initially ran at 100 MB/s or so and within a couple minutes fell very quickly to 25 MB/s

Gary said...

@Albert are you transferring a single large file, or a bunch of small files? Performance will drop with lots of small files, since it has to write a directory entry for each one.

Albert said...

the bulk of it is in 100-300 GB files, compressed text. i'm debating whether i should try a thunderbolt dock.

xuser said...

Thanks for this! Also worked in Yosemite. Created 4 x 1.1TB SAN Volumes (Fiber over Thunderbolt). Worked like a charm!

jai said...

I've 2 SSDs I'm hoping to configure as encrypted RAID 0, then boot from in Yosemite. Can this process be used to accomplish this configuration as well? Has anyone found a way to boot from an encrypted RAID 0 volume? Thanks for posting!