The Disk Utility application does not allow you to create an encrypted filesystem on a RAID volume. However, it is possible from the command line. WARNING: this will erase everything on those disks - do a backup if you want any of that data. The basic method is to create an Apple RAID volume, create a coreStorage logical volume group on it, and then create an encrypted logical volume on the logical volume group.
These are the unformatted disks before RAID.

You can see them from the command line as disk1 and disk2.
$ diskutil list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *121.3 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:          Apple_CoreStorage                         120.5 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                                                   *2.0 TB     disk1
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                                                   *2.0 TB     disk2
/dev/disk3
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           *120.2 GB   disk3
The coreStorage subsystem knows nothing about them yet, and only shows my Macintosh HD.
$ diskutil cs list
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group B42959AC-207C-45CE-AC5B-A3B9E5289368
    =========================================================
    Name:         Macintosh HD
    Size:         120473067520 B (120.5 GB)
    Free Space:   0 B (0 B)
    |
    +-< Physical Volume 33B112ED-10BF-452E-BC96-1761AE2FFDC7
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk0s2
    |   Status:   Online
    |   Size:     120473067520 B (120.5 GB)
    |
    +-> Logical Volume Family BE76718E-765A-4797-B7FD-9B743B6E28E9
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Conversion Direction:    -none-
        Has Encrypted Extents:   Yes
        Fully Secure:            Yes
        Passphrase Required:     Yes
        |
        +-> Logical Volume 46D952CD-311E-476E-8C19-CE2392FBABCE
            ---------------------------------------------------
            Disk:                  disk3
            Status:                Online
            Size (Total):          120154296320 B (120.2 GB)
            Size (Converted):      -none-
            Revertible:            Yes (unlock and decryption required)
            LV Name:               Macintosh HD
            Volume Name:           Macintosh HD
            Content Hint:          Apple_HFS
Create a RAID volume from the disks by dragging them into the RAID set and giving it a name (StorageRAID).

Under Options, tell it to automatically rebuild RAID sets if you want to.

Click Create, and then Create again to confirm.

It will create the RAID volume and mount it.

Now back to the command line.
$ diskutil list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *121.3 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:          Apple_CoreStorage                         120.5 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *2.0 TB     disk1
   1:                        EFI                         209.7 MB   disk1s1
   2:                 Apple_RAID                         2.0 TB     disk1s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk1s3
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *2.0 TB     disk2
   1:                        EFI                         209.7 MB   disk2s1
   2:                 Apple_RAID                         2.0 TB     disk2s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk2s3
/dev/disk3
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           *120.2 GB   disk3
/dev/disk4
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS StorageRAID            *2.0 TB     disk4
You can see that it created a disk4 as the RAID volume. Create a logical volume group named StorageLVG on disk4.
$ sudo diskutil cs createLVG StorageLVG disk4
Password:
Started CoreStorage operation
Unmounting AppleRAID set at disk4
Adding disk4 to Logical Volume Group
Creating Core Storage Logical Volume Group
Switching disk4 to Core Storage
Waiting for Logical Volume Group to appear
Discovered new Logical Volume Group "20D5D037-F88C-4F05-AD28-E569E9564FC0"
Core Storage LVG UUID: 20D5D037-F88C-4F05-AD28-E569E9564FC0
Finished CoreStorage operation
If you do a diskutil cs list now, you'll see the new LVG with the same UUID as above.
$ diskutil cs list
CoreStorage logical volume groups (2 found)
|
+-- Logical Volume Group B42959AC-207C-45CE-AC5B-A3B9E5289368
|   =========================================================
|   Name:         Macintosh HD
|   Size:         120473067520 B (120.5 GB)
|   Free Space:   0 B (0 B)
|   |
|   +-< Physical Volume 33B112ED-10BF-452E-BC96-1761AE2FFDC7
|   |   ----------------------------------------------------
|   |   Index:    0
|   |   Disk:     disk0s2
|   |   Status:   Online
|   |   Size:     120473067520 B (120.5 GB)
|   |
|   +-> Logical Volume Family BE76718E-765A-4797-B7FD-9B743B6E28E9
|       ----------------------------------------------------------
|       Encryption Status:       Unlocked
|       Encryption Type:         AES-XTS
|       Conversion Status:       Complete
|       Conversion Direction:    -none-
|       Has Encrypted Extents:   Yes
|       Fully Secure:            Yes
|       Passphrase Required:     Yes
|       |
|       +-> Logical Volume 46D952CD-311E-476E-8C19-CE2392FBABCE
|           ---------------------------------------------------
|           Disk:                  disk3
|           Status:                Online
|           Size (Total):          120154296320 B (120.2 GB)
|           Size (Converted):      -none-
|           Revertible:            Yes (unlock and decryption required)
|           LV Name:               Macintosh HD
|           Volume Name:           Macintosh HD
|           Content Hint:          Apple_HFS
|
+-- Logical Volume Group 20D5D037-F88C-4F05-AD28-E569E9564FC0
    =========================================================
    Name:         StorageLVG
    Size:         2000054943744 B (2.0 TB)
    Free Space:   1999736168448 B (2.0 TB)
    |
    +-< Physical Volume AB193FA5-822F-479B-9D74-AAEC1BC22632
        ----------------------------------------------------
        Index:    0
        Disk:     disk4
        Status:   Online
        Size:     2000054943744 B (2.0 TB)
In diskutil list you can see that it changed the type of StorageRAID from Apple_HFS to Apple_CoreStorage.
$ diskutil list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *121.3 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:          Apple_CoreStorage                         120.5 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *2.0 TB     disk1
   1:                        EFI                         209.7 MB   disk1s1
   2:                 Apple_RAID                         2.0 TB     disk1s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk1s3
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *2.0 TB     disk2
   1:                        EFI                         209.7 MB   disk2s1
   2:                 Apple_RAID                         2.0 TB     disk2s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk2s3
/dev/disk3
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           *120.2 GB   disk3
/dev/disk4
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:          Apple_CoreStorage StorageRAID            *2.0 TB     disk4
Create an encrypted logical volume on this new LVG.
$ sudo diskutil cs createLV 20D5D037-F88C-4F05-AD28-E569E9564FC0 jhfs+ Storage 100% -stdinpassphrase
Passphrase for new volume:
Started CoreStorage operation
Waiting for Logical Volume to appear
Formatting file system for Logical Volume
Initialized /dev/rdisk5 as a 2 TB HFS Plus volume with a 155648k journal
Mounting disk
Core Storage LV UUID: F490C159-4CAB-463A-BAB8-3A6468CF1FE5
Core Storage disk: disk5
Finished CoreStorage operation
If you look at diskutil cs list now, you'll see the new volume.
$ diskutil cs list
CoreStorage logical volume groups (2 found)
|
+-- Logical Volume Group B42959AC-207C-45CE-AC5B-A3B9E5289368
|   =========================================================
|   Name:         Macintosh HD
|   Size:         120473067520 B (120.5 GB)
|   Free Space:   0 B (0 B)
|   |
|   +-< Physical Volume 33B112ED-10BF-452E-BC96-1761AE2FFDC7
|   |   ----------------------------------------------------
|   |   Index:    0
|   |   Disk:     disk0s2
|   |   Status:   Online
|   |   Size:     120473067520 B (120.5 GB)
|   |
|   +-> Logical Volume Family BE76718E-765A-4797-B7FD-9B743B6E28E9
|       ----------------------------------------------------------
|       Encryption Status:       Unlocked
|       Encryption Type:         AES-XTS
|       Conversion Status:       Complete
|       Conversion Direction:    -none-
|       Has Encrypted Extents:   Yes
|       Fully Secure:            Yes
|       Passphrase Required:     Yes
|       |
|       +-> Logical Volume 46D952CD-311E-476E-8C19-CE2392FBABCE
|           ---------------------------------------------------
|           Disk:                  disk3
|           Status:                Online
|           Size (Total):          120154296320 B (120.2 GB)
|           Size (Converted):      -none-
|           Revertible:            Yes (unlock and decryption required)
|           LV Name:               Macintosh HD
|           Volume Name:           Macintosh HD
|           Content Hint:          Apple_HFS
|
+-- Logical Volume Group 20D5D037-F88C-4F05-AD28-E569E9564FC0
    =========================================================
    Name:         StorageLVG
    Size:         2000054943744 B (2.0 TB)
    Free Space:   0 B (0 B)
    |
    +-< Physical Volume AB193FA5-822F-479B-9D74-AAEC1BC22632
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk4
    |   Status:   Online
    |   Size:     2000054943744 B (2.0 TB)
    |
    +-> Logical Volume Family AC7F549F-1D6F-4E22-B050-34791ABF53FB
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Conversion Direction:    -none-
        Has Encrypted Extents:   Yes
        Fully Secure:            Yes
        Passphrase Required:     Yes
        |
        +-> Logical Volume F490C159-4CAB-463A-BAB8-3A6468CF1FE5
            ---------------------------------------------------
            Disk:                  disk5
            Status:                Online
            Size (Total):          1999736168448 B (2.0 TB)
            Size (Converted):      -none-
            Revertible:            No
            LV Name:               Storage
            Volume Name:           Storage
            Content Hint:          Apple_HFS
And in diskutil list.
$ diskutil list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *121.3 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:          Apple_CoreStorage                         120.5 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *2.0 TB     disk1
   1:                        EFI                         209.7 MB   disk1s1
   2:                 Apple_RAID                         2.0 TB     disk1s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk1s3
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *2.0 TB     disk2
   1:                        EFI                         209.7 MB   disk2s1
   2:                 Apple_RAID                         2.0 TB     disk2s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk2s3
/dev/disk3
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           *120.2 GB   disk3
/dev/disk4
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:          Apple_CoreStorage StorageRAID            *2.0 TB     disk4
/dev/disk5
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Storage                *2.0 TB     disk5
This is what it looks like in Disk Utility after everything is done.
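A check to run once the steps above are done, added here as an example and not part of the original post: it reads `diskutil cs list` output and confirms that the family holding a named logical volume reports AES-XTS, a completed conversion, "Fully Secure: Yes" and a required passphrase. The function names, the "Scratch" volume, its zeroed UUIDs and its field values are made up for illustration.

```shell
# Added example: confirm from `diskutil cs list` output that a logical volume
# is encrypted. Exit 0 = encrypted, 1 = not (fully) encrypted, 2 = LV not found.
cs_lv_is_encrypted() {   # $1 = LV name; `diskutil cs list` text on stdin
    awk -v want="$1" '
        function val(   s) {                      # text after "Key:", trimmed
            s = $0; sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s
        }
        { sub(/^[| \t]+/, "") }                   # drop the tree-drawing prefix
        /^[+]-> Logical Volume Family / { type = conv = secure = pass = "" }
        /^Encryption Type:/     { type   = val() }
        /^Conversion Status:/   { conv   = val() }
        /^Fully Secure:/        { secure = val() }
        /^Passphrase Required:/ { pass   = val() }
        /^LV Name:/ && val() == want {            # family fields precede the LV
            found = 1
            ok = (type == "AES-XTS" && conv == "Complete" &&
                  secure == "Yes" && pass == "Yes")
            printf "%s: type=%s conversion=%s fully_secure=%s passphrase=%s\n", want, type, conv, secure, pass
            exit
        }
        END { if (!found) { print want ": not found"; exit 2 }; exit (ok ? 0 : 1) }
    '
}

# Constructed sample: the StorageLVG family from this page (trimmed) plus a
# made-up unencrypted "Scratch" volume; its field values are assumptions.
sample_cs_list() {
    cat <<'EOF'
+-- Logical Volume Group 20D5D037-F88C-4F05-AD28-E569E9564FC0
    +-> Logical Volume Family AC7F549F-1D6F-4E22-B050-34791ABF53FB
    |   Encryption Type:         AES-XTS
    |   Conversion Status:       Complete
    |   Fully Secure:            Yes
    |   Passphrase Required:     Yes
    |   +-> Logical Volume F490C159-4CAB-463A-BAB8-3A6468CF1FE5
    |       LV Name:               Storage
    +-> Logical Volume Family 00000000-0000-0000-0000-000000000001
        Encryption Type:         None
        Conversion Status:       NoConversion
        Fully Secure:            No
        Passphrase Required:     No
        +-> Logical Volume 00000000-0000-0000-0000-000000000002
            LV Name:               Scratch
EOF
}

# On the Mac itself: diskutil cs list | cs_lv_is_encrypted Storage
sample_cs_list | cs_lv_is_encrypted Storage
sample_cs_list | cs_lv_is_encrypted Scratch || echo "Scratch is not encrypted"
```

The check fails closed: any encryption type other than the AES-XTS shown on this page, or a conversion that has not completed, is reported as not encrypted.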

21 comments:
Thanks for putting this info together. However, seeing that Apple decided not to permit encrypted RAIDs to be created via the UI, I am skeptical about the reliability. Thoughts?
I have been running it this way for almost half a year now, and haven't had any issues. Once you configure RAID, it looks like any other block device (disk) to the operating system.
Have you tried running your system from an encrypted RAID volume? Or is this impossible because it's not through FileVault?
I have tried booting from an encrypted RAID volume on another machine (Mac Pro) some time ago, and I couldn't get it to work.
I thought so, thanks for letting me know.
1. What are the performance issues of using encrypted raid?
2. Do I need to decrypt from the CLI or will the UI prompt for a password when I mount?
3. The OP was written for Mountain Lion. How about Mavericks? Anything change?
Thanks!
@Jeffrey G. Gomberg:
1. I haven't run any performance tests, I did this for redundancy, not performance.
2. UI will prompt you for the password when you mount.
3. I haven't tried this on Mavericks.
@Jeffrey G. Gomberg
This works without changes on Mavericks.
... and even on Yosemite.
@ Jeffrey G. Gomberg:
I did all the steps that you instructed, and it all looked good until I unplugged my drive and then plugged it back in. Then it said that the Storage Drive under StorageLVG is not mounted. So I unformatted the drive and tried it again, with the same result. Any advice?
I realized that when I safely eject the drive from my desktop (as I would any other hard drive, before unplugging it) it unmounts Storage, but not StorageLVG. And then, when I unplug the drive and then plug it back in, my computer does not prompt for a passphrase, but instead leaves Storage unmounted. So I went back and remounted Storage in terminal, and unplugged the drive without ejecting it (cringe). Now when I plugged in the drive, it prompted for a passphrase. What I'm getting at, is that it seems to only prompt for a passphrase when I don't safely eject the drive, and instead simply unplug it. Did I do something wrong, or is this normal?
@Peterk ejecting the drive worked correctly for me, plugging it back in asked for the passphrase. Are you ejecting by dragging the drive to the trash/using the eject button in Finder, or are you ejecting it using the Eject button in Disk Utility? StorageLVG is never mounted, it doesn't have a filesystem - only Storage is mounted.
I am ejecting it by dragging the drive to the trash.
thanks for the very nice post. what kind of performance do you get (MB/s)? i'm only getting 25 through a usb 3 hub, while each drive gets 120 or so individually
@Albert Unfortunately I don't have this setup any more, so I can't test, and I never tested its performance before. I had set it up for reliability rather than performance.
You say each of your disks gets 120 MB/s individually - is that through the same USB3 hub? Is it possible your hub is slowing the transfer rate down? How are you testing this?
wow, thanks for the quick response. my macbook has two usb ports. one port is to a (source) hard drive. the other is to a hub with the two (target) drives. before setting up the raid, i transferred 100 GB from the source to each encrypted target individually through the hub at 120 MB/s. then i set up the raid and it initially ran at 100 MB/s or so and within a couple minutes fell very quickly to 25 MB/s
@Albert are you transferring a single large file, or a bunch of small files? Performance will drop with lots of small files, since it has to write a directory entry for each one.
the bulk of it is in 100-300 GB files, compressed text. i'm debating whether i should try a thunderbolt dock.
Thanks for this! Also worked in Yosemite. Created 4 x 1.1TB SAN Volumes (Fiber over Thunderbolt). Worked like a charm!
I've 2 SSDs I'm hoping to configure as encrypted RAID 0, then boot from in Yosemite. Can this process be used to accomplish this configuration as well? Has anyone found a way to boot from an encrypted RAID 0 volume? Thanks for posting!