It seems that, once disabled, you cannot enable Legacy FileVault again in OS X Lion: you must use FileVault 2. rEFIt users may dislike this, and if you rely only on System Preferences you actually can't re-enable it.
After some searching and experiments I found a way to encrypt a new user's home using FileVault 1 (aka Legacy FileVault). This procedure also works with existing accounts. The only requirement: the FileVault Master Password must already be set, otherwise the required certificate may not be available.
Final update: the released 10.7.4 update fixes the problem. But you have to clean the secure.log files, which may contain the password in clear text.
With the 10.7.3 release came a bug that displays the Legacy FileVault account's password in clear text because of a DEBUG flag. While waiting for 10.7.4, which may fix it, this is a possible workaround. (source: ZDNet)
Some notes before start:
- you will mostly use the command line in Terminal and the sudo command, available only to Mac users with administrative privileges
- if it's not deeply clear what you are doing, you can suffer data loss or make the whole system unusable. So make a full backup with Time Machine before starting and get a bootable CD, DVD or USB key (i.e. OS X installation media) to restore your system if needed
- I don't know of any official Apple documentation ensuring good results from these procedures; I can say that it worked on my MacBook Air with OS X Lion (an upgrade from Snow Leopard with FileVault 1 enabled)
- this is an experiment and whoever tries it does so at his own risk
In summary: if something happens to you, to your Mac or to your loved ones using the information provided in this post, don't come crying to me because I will tell you: "I told you to leave it alone!"
Are you discouraged? Or just curious? Ok, let's start.
Open System Preferences > Users and Groups. Make sure the logged-on user is an administrator.
Before operating on an existing user, make a try with a new user, creating it with the + button. If the button is disabled, unlock the padlock ;). A Standard user is enough, e.g.:
user: fv1user
password: fv1pwd
Now open Terminal: every command you must type is shown after the prompt, on its own line; the surrounding text is the commands' output.
Enter superuser mode, using the current user's password (the one with administrative privileges):
mbair:~ fabio$ sudo su
Password:
sh-3.2#
The prompt will change: instead of $ it will be #. Now some preliminary operations:
sh-3.2# umask 077
sh-3.2# export SBUSERNAME="fv1user"
sh-3.2# export SBUID=$(id -u $SBUSERNAME)
sh-3.2# export SBGID=$(id -g $SBUSERNAME)
sh-3.2# echo Username $SBUSERNAME - UserID $SBUID GroupID $SBGID
Username fv1user - UserID 504 GroupID 20
The $SBUSERNAME, $SBUID and $SBGID variables must contain the user name, his User ID and his Group ID. Your User ID may differ from the above. Just make sure you write the right user name in the 2nd row above and that the two IDs (looked up by OS X) are numeric.
You will launch all the following commands from the new user's home dir, so type:
sh-3.2# cd /Users/"$SBUSERNAME"
sh-3.2# pwd
/Users/fv1user
Now you must create a sparsebundle disk image. You will be asked for a password: use the new user's one (fv1pwd):
sh-3.2# hdiutil create -size 300g \
    -encryption -agentpass \
    -certificate /Library/Keychains/FileVaultMaster.cer \
    -uid $SBUID -gid $SBGID \
    -mode 0700 -fs "HFS+J" -type SPARSEBUNDLE -layout SPUD \
    -volname "$SBUSERNAME" "$SBUSERNAME".sparsebundle
Inserisci una nuova password per proteggere "fv1user.sparsebundle":
Reinserisci la nuova password:
created: /Users/fv1user/fv1user.sparsebundle
Now set the permissions required by FileVault:
sh-3.2# chown -R "$SBUSERNAME":staff "$SBUSERNAME".sparsebundle
sh-3.2#
Now mount the sparsebundle image using a local dir as mount point (sbdest) and again the same password (fv1pwd):
sh-3.2# mkdir sbdest
sh-3.2# hdiutil attach -owners on -mountpoint sbdest \
    -stdinpass "$SBUSERNAME".sparsebundle
Enter disk image passphrase:
/dev/disk1          Apple_partition_scheme
/dev/disk1s1        Apple_partition_map
/dev/disk1s2        Apple_HFS                  /Users/fv1user/sbdest
Copy the contents of fv1user's home dir, avoiding a recursive copy via --exclude: 😉
sh-3.2# rsync -avxHE ./ sbdest/ \
    --exclude="$SBUSERNAME".sparsebundle/ --exclude="sbdest/"
building file list ... done
./
.CFUserTextEncoding
._.
Desktop/
._Desktop
Documents/
._Documents
Downloads/
._Downloads
Library/
._Library
Movies/
._Movies
Music/
._Music
Pictures/
._Pictures
Public/
._Public
(...)
sent 14196177 bytes  received 4142 bytes  28400638.00 bytes/sec
total size is 14170359  speedup is 1.00
The file list may differ from Mac to Mac. Unmount the image and remove the local dir used as mount point:
sh-3.2# hdiutil detach sbdest
"disk1" unmounted.
"disk1" ejected.
sh-3.2# rmdir sbdest
sh-3.2#
The image is ready; now you must tell OS X to use it as fv1user's home directory. Edit his plist, making a backup copy first:
sh-3.2# cd /private/var/db/dslocal/nodes/Default/users/
sh-3.2# cp fv1user.plist fv1user.plist.backup
sh-3.2# plutil -convert xml1 fv1user.plist
sh-3.2# nano fv1user.plist
In nano, search for:
<key>home</key>
<array>
    <string>/Users/fv1user</string>
</array>
and add the home_loc key shown below, editing it to reference your own sparsebundle path:
<key>home</key>
<array>
    <string>/Users/fv1user</string>
</array>
<key>home_loc</key>
<array>
    <string>&lt;home_dir&gt;&lt;url&gt;file://localhost/Users/fv1user/fv1user.sparsebundle&lt;/url&gt;&lt;/home_dir&gt;</string>
</array>
Write the text between <string> and </string> on just one row; the angle brackets of home_dir and url are written as &lt; and &gt; entities so that the plist stays well-formed XML. Convert the plist file to binary format again:
sh-3.2# plutil -convert binary1 fv1user.plist
sh-3.2#
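The plist step above can also be scripted instead of hand-edited in nano. This is an added example, not code from the original post: it uses Python's plistlib on a constructed sample user record (the sample plist, the function names and the validation rules are this example's own assumptions), adds the home_loc entry with the XML escaping handled automatically, and checks that an existing entry has the expected one-row form.

```python
import plistlib
import re

# Constructed sample in the style of a dslocal user record
# (/private/var/db/dslocal/nodes/Default/users/<user>.plist); not a real dump.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>name</key>
    <array><string>fv1user</string></array>
    <key>home</key>
    <array><string>/Users/fv1user</string></array>
</dict>
</plist>
"""

# Expected shape of the home_loc string; \S+ rejects values broken over several rows.
HOME_LOC_RE = re.compile(r"<home_dir><url>file://localhost(/\S+)</url></home_dir>")


def home_loc_value(username):
    """The home_loc string Legacy FileVault expects: a file URL to the user's sparsebundle."""
    return f"<home_dir><url>file://localhost/Users/{username}/{username}.sparsebundle</url></home_dir>"


def add_home_loc(plist_bytes, username):
    """Return the record with home_loc added, as a binary plist (like plutil -convert binary1).
    plistlib escapes the angle brackets in the XML form, so no hand-typed entities are needed."""
    record = plistlib.loads(plist_bytes)  # accepts both xml1 and binary1 input
    if record.get("home") != [f"/Users/{username}"]:
        raise ValueError(f"record's home is not /Users/{username}")
    if "home_loc" in record:
        raise ValueError("home_loc already set; refusing to overwrite")
    record["home_loc"] = [home_loc_value(username)]
    return plistlib.dumps(record, fmt=plistlib.FMT_BINARY)


def check_home_loc(plist_bytes):
    """Validate home_loc and return the sparsebundle path it names; ValueError if it is
    missing, split over several rows, uses another scheme, or points outside the home."""
    record = plistlib.loads(plist_bytes)
    values = record.get("home_loc", [])
    if len(values) != 1:
        raise ValueError("home_loc must be an array holding exactly one string")
    m = HOME_LOC_RE.fullmatch(values[0])
    if not m:
        raise ValueError("home_loc is not <home_dir><url>file://localhost/...</url></home_dir>")
    path, home = m.group(1), record["home"][0]
    if not path.startswith(home + "/") or not path.endswith(".sparsebundle"):
        raise ValueError(f"url must name a .sparsebundle inside {home}")
    return path


if __name__ == "__main__":
    print(check_home_loc(add_home_loc(SAMPLE_PLIST, "fv1user")))
```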
All is done: you can log in with the new user to check whether FileVault 1 is active. Some ways:
- open System Preferences > Security and privacy and check that the FileVault and Legacy FileVault buttons are present
- open a Terminal window and launch the mount command:
$ mount
(...)
/dev/disk1s2 on /Users/fv1user (hfs, local, nodev, nosuid, journaled, nobrowse)
- create a file in the home dir, log out and check with another user (via superuser) whether the new file exists in /Users/fv1user/. If it's not found, that's ok, because it is inside the sparsebundle image. Not sure? Log in again with the new user and you'll find the file! 😉
Once you are sure about the changes made, you can remove any previous content from the home dir using another user via superuser, except the fv1user.sparsebundle directory, which holds the encrypted version.
P.S. using FileVault 1 you know that at logout OS X will compact the sparsebundle, displaying the compact dialog for a few moments. If you are running on battery power this doesn't happen: you must log out while the Mac is on AC power.
Thanks to Jeff McCune for his original post.