
Full Disk Encryption = Hack?


 
Jens 5 post(s)

Hi,

I am experiencing problems trying to apply encryption to a (full) external firewire disk.
Knox crashes reproducibly. Apple’s Disk Utility gives me an “invalid argument” when trying to partition the disk normally. This disk contained an OS X 10.3 boot volume before experimenting with Knox.

How is the full disk encryption implemented in Knox? Can I achieve the same with diskutil or hdiutil on the command line? Is this an official feature that’s just not exposed to the Disk Utility GUI?

I would like to find out what is wrong with my Firewire hard disk.

Thanks!

Jens

 
Marko Karppinen Administrator 66 post(s)

We’ll have to investigate your crashers more before commenting on their cause, but they are definitely weird and not something we’re seeing from others. It is possible that it’s something specific to your system.

Can you try this:
- disconnect the drive
- quit Knox
- connect the drive
- reformat the drive with Disk Utility

Does this still fail? If it does, that could indicate a problem with the disk or the system that trips up both Disk Utility and Knox.

Knox full disk encryption uses normal encrypted disk images—just like the regular Knox vaults. The difference is that in normal operation, Knox hides the host volume so that only the encrypted vault appears. This is all done using public, documented Apple APIs and as such, we do not consider it a “hack”.

 
Jens 5 post(s)

Hi,

Thanks! The problem is that I cannot even format the disk with Disk Utility any more. But before, it contained a valid, booting, functional OS X 10.3 setup … and now it doesn’t even allow reformatting.

Here’s what I did … I connected the disk to a Linux computer, reformatted and partitioned the disk there, and then reconnected it to the Mac. Now it seems to work.

I now have Knox working, but it takes ages to encrypt an 80G firewire disk (it’s now at roughly 10% of “Creating a vault” and it’s been at it for 20 minutes). Is this normal? I wanted to use a 400G disk for Knox, but I don’t want to wait several days ..

Jens

 
Marko Karppinen Administrator 66 post(s)

Did you try the Disk Utility formatting with Knox running or not? It does not work with Knox running, but should work fine if you quit Knox first. During the whole-disk vault creation process, Knox repartitions the underlying disk with diskutil. That’s the only thing done to the drive.

Creating a whole-disk vault takes a long time if you choose the “fixed-size” option, because this implies writing the disk full of data. As you have found, writing a modern disk full takes a very long time as write speeds have not kept up with the increases in disk capacity. We recommend the default “stretchable” option for most situations. I’m now going to write a FAQ entry about this.

 
Jens 5 post(s)

Hi,

Thanks for the explanation! I really appreciate your support. I have a working Knox volume now – I tried repartitioning with Knox running; apparently this does not work.

Now for the next problem. :) Picture this:
Knox full disk encrypted volume on Firewire disk
- Put Mac to sleep
- Disconnect drive
- Wake up Mac
- OS X realizes that the “host volume” is not there any more and umounts it, but does not realize that the Knox vault, which resides on the host volume, also has to be unmounted. Result: you have an inaccessible, un-unmountable volume in Finder which gives you an error when clicking on it.

Possible solution: Integrate a function in Knox that umounts vaults on external disks before the Mac goes to sleep, and possibly warns the user if the vault cannot be unmounted (with a possible “Do not warn again” checkbox). In any case, “umount before sleep” and “try to remount on wake-up” (if passwords are in the Keychain) would be a very welcome feature for me, because it would mean that I can turn off my external disk when my Mac sleeps with a “master-slave” electrical outlet.

Another question: Is it possible to convert a “normal” .sparseimage file into a full-disk Knox volume without having to reformat/repartition the drive? I have a 400G disk of which about 300G are encrypted inside a .sparseimage file. I would like to convert the disk into a Knox vault. Would it be enough to empty the non-encrypted parts of the disk, and create a “.knox-vault” directory like on my other disk, or would I potentially damage my existing encrypted image?

Thank you!

Jens
