Encrypting a user home directory using Legacy FileVault in OS X Lion

It seems that, once disabled, Legacy FileVault cannot be enabled again in OS X Lion: you must use FileVault 2. rEFIt users may dislike that, and if you rely only on System Preferences you really cannot re-enable it.

After some searching and experimenting I found a way to encrypt a new user's home directory using FileVault 1 (aka Legacy FileVault). The procedure also works with existing accounts. The only requirement: the FileVault master password must already be set, otherwise the certificate the procedure needs (/Library/Keychains/FileVaultMaster.cer) may not be available.

Final update: the 10.7.4 update fixes the problem. But you still have to clean the secure.log files, which may contain the password in clear text.

Update:
The 10.7.3 release introduced a bug that logs the Legacy FileVault account's password in clear text because of a DEBUG flag left enabled. While waiting for 10.7.4, which may fix it, this is a possible workaround (source: ZDNet).

Some notes before starting:

  • you will mostly use the command line in Terminal and the sudo command, which is available only to Mac users with administrative privileges
  • if it is not perfectly clear what you are doing, you can lose data or make the whole system unusable. So make a full backup with Time Machine before starting, and keep a bootable CD, DVD or USB key (e.g. the OS X installation media) at hand to restore your system if needed
  • I don't know of any official Apple documentation guaranteeing good results from this procedure; I can only say that it worked on my MacBook Air with OS X Lion (an upgrade from Snow Leopard with FileVault 1 enabled)
  • this is an experiment, and whoever tries it does so at their own risk

In summary: if something happens to you, to your Mac or to your loved ones because of the information provided in this post, don't come crying to me, because I will tell you: "I told you to leave it alone!" :)

Discouraged? Or just curious? OK, let's start.

Open System Preferences > Users and Groups. Make sure the logged-in user is an administrator.

[Screenshot: System Preferences > Users and Groups]

Before operating on an existing user, try it with a new user, created with the + button. If the button is disabled, unlock the padlock ;). A Standard user is enough, e.g.:

user:    fv1user
password:  fv1pwd

Now open Terminal. In what follows, every command you must type is shown after the prompt (sh-3.2# or $); the surrounding text is the command's output.

Enter superuser mode, using the current user's password (the one with administrative privileges):

mbair:~ fabio$ sudo su
Password:
sh-3.2#

The prompt will change: # instead of $. Now some preliminary operations:

sh-3.2# umask 077
sh-3.2# export SBUSERNAME="fv1user"
sh-3.2# export SBUID=$(id -u $SBUSERNAME)
sh-3.2# export SBGID=$(id -g $SBUSERNAME)
sh-3.2# echo Username $SBUSERNAME - UserID $SBUID GroupID $SBGID
Username fv1user - UserID 504 GroupID 20

The $SBUSERNAME, $SBUID and $SBGID variables must hold the user name, the user's User ID and the user's Group ID. Your User ID may differ from the one above. Just make sure you write the right user name in the second line above and that the two IDs (looked up with id) are numeric.

You will launch all the following commands from the new user's home directory, so type:

sh-3.2# cd /Users/"$SBUSERNAME"
sh-3.2# pwd
/Users/fv1user

Now create the sparsebundle disk image. You will be asked for a password: use the new user's one (fv1pwd):

sh-3.2# hdiutil create -size 300g \
   -encryption -agentpass \
   -certificate /Library/Keychains/FileVaultMaster.cer \
   -uid $SBUID -gid $SBGID \
   -mode 0700 -fs "HFS+J" -type SPARSEBUNDLE -layout SPUD \
   -volname "$SBUSERNAME" "$SBUSERNAME".sparsebundle
Enter a new password to secure "fv1user.sparsebundle":
Re-enter new password:
created: /Users/fv1user/fv1user.sparsebundle

Now set the owner and group required by FileVault:

sh-3.2# chown -R "$SBUSERNAME":staff "$SBUSERNAME".sparsebundle
sh-3.2#

Now mount the sparsebundle image using a local directory as mount point (sbdest), giving the same password again (fv1pwd):

sh-3.2# mkdir sbdest
sh-3.2# hdiutil attach -owners on -mountpoint sbdest \
   -stdinpass "$SBUSERNAME".sparsebundle
Enter disk image passphrase:
/dev/disk1           Apple_partition_scheme             
/dev/disk1s1         Apple_partition_map                
/dev/disk1s2         Apple_HFS                 /Users/fv1user/sbdest

Copy the contents of fv1user's home directory, avoiding a recursive copy of the image and the mount point via --exclude ;)

sh-3.2# rsync -avxHE ./ sbdest/ \
   --exclude="$SBUSERNAME".sparsebundle/ --exclude="sbdest/"
building file list ... done
./
.CFUserTextEncoding
._.
Desktop/
._Desktop
Documents/
._Documents
Downloads/
._Downloads
Library/
._Library
Movies/
._Movies
Music/
._Music
Pictures/
._Pictures
Public/
._Public

(...)

sent 14196177 bytes  received 4142 bytes  28400638.00 bytes/sec
total size is 14170359  speedup is 1.00

The file list may differ from Mac to Mac. Unmount the image and remove the local directory used as mount point:

sh-3.2# hdiutil detach sbdest
"disk1" unmounted.
"disk1" ejected.
sh-3.2# rmdir sbdest
sh-3.2#

The image is ready; now you must tell OS X to use it as fv1user's home directory. Edit the user's plist, making a backup copy first:

sh-3.2# cd /private/var/db/dslocal/nodes/Default/users/
sh-3.2# cp fv1user.plist fv1user.plist.backup
sh-3.2# plutil -convert xml1 fv1user.plist
sh-3.2# nano fv1user.plist

In nano, search for:

        <key>home</key>
        <array>
                <string>/Users/fv1user</string>
        </array>

and add the home_loc key shown below, editing it to reference your actual sparsebundle path:

        <key>home</key>
        <array>
                <string>/Users/fv1user</string>
        </array>
        <key>home_loc</key>
        <array>
                <string>&lt;home_dir&gt;&lt;url&gt;
                file://localhost/Users/fv1user/fv1user.sparsebundle
                &lt;/url&gt;&lt;/home_dir&gt;</string>
        </array>

Write the text between <string> and </string> on a single line. Then convert the plist file back to binary format:

sh-3.2# plutil -convert binary1 fv1user.plist
sh-3.2#

That's all: you can log in as the new user to check that FileVault 1 is active. Some ways to do it:

  • open System Preferences > Security & Privacy and check that the FileVault and Legacy FileVault buttons are present
  • open a Terminal window and run the mount command:
$ mount
(...)
/dev/disk1s2 on /Users/fv1user (hfs, local, nodev, nosuid, journaled,
  nobrowse)
  • create a file in the home directory, log out and check as another user (via superuser) whether the new file exists in /Users/fv1user/. If it is not found, that's fine: it is inside the sparsebundle image. Not convinced? Log in again as the new user and you'll find the file! ;)

Once you are sure about the changes, you can remove the previous content of the home directory as another user via superuser, except the fv1user.sparsebundle directory, which holds the encrypted version.
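The whole procedure above, collected into one script as an added example (it is not code from the original post, nor from Jeff McCune's). It runs the same hdiutil create, chown, hdiutil attach, rsync and hdiutil detach steps, and adds the checks a practitioner wants before switching the home directory: running as root, the master-password certificate present, no existing bundle, /Users/<user> not currently mounted (the stuck-mount situation described in comment 8), and a checksum pass over the copy. It reads the image password without echoing it and feeds it to hdiutil through -stdinpass instead of -agentpass, so the password never appears on a command line. Finally it sets home_loc with dscl as suggested in comment 11 rather than editing the plist in nano. The script name fv1-home.sh, the `run` argument, the helper function names and the assumption that dscl's HomeDirectory attribute maps to the plist's home_loc key are mine, not the post's.

```shell
#!/bin/sh
# fv1-home.sh: automate the Legacy FileVault home setup described above.
# Added example, not from the original post. Assumptions: run with sudo on
# OS X Lion/Mountain Lion, the FileVault master password is already set,
# the target user is NOT logged in, and dscl's HomeDirectory attribute maps
# to the plist's home_loc key (as comment 11 suggests).
# Usage:  sudo sh fv1-home.sh run fv1user
set -eu

CERT=/Library/Keychains/FileVaultMaster.cer

# Accept only plain local account names; anything else would end up
# unquoted inside shell commands and inside the home_loc URL.
fv1_valid_username() {
    case "$1" in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The value the post writes into the home_loc key, on one line.
fv1_home_loc_value() {
    printf '<home_dir><url>file://localhost/Users/%s/%s.sparsebundle</url></home_dir>' "$1" "$1"
}

# $2 is the output of mount(8); true if /Users/$1 is currently a mount point.
# A bundle left mounted after logout (comment 8) must not be replaced blindly.
fv1_is_home_mounted() {
    printf '%s\n' "$2" | grep -q -F " on /Users/$1 ("
}

fv1_main() {
    u=$1
    fv1_valid_username "$u"  || { echo "invalid user name: $u" >&2; exit 1; }
    [ "$(id -u)" -eq 0 ]     || { echo "run me with sudo" >&2; exit 1; }
    [ -f "$CERT" ]           || { echo "set the FileVault master password first ($CERT missing)" >&2; exit 1; }
    uid=$(id -u "$u"); gid=$(id -g "$u")      # numeric IDs, as in the post
    home=/Users/$u
    bundle=$u.sparsebundle
    [ -d "$home" ]           || { echo "$home does not exist" >&2; exit 1; }
    [ ! -e "$home/$bundle" ] || { echo "$home/$bundle already exists" >&2; exit 1; }
    if fv1_is_home_mounted "$u" "$(mount)"; then
        echo "$home is mounted: log $u out (or reboot) first" >&2; exit 1
    fi

    # Read the image password without echo; it is piped to hdiutil via
    # -stdinpass, never placed on a command line where ps(1) could see it.
    printf 'Image password for %s (use the account password): ' "$u"
    stty -echo; read -r pw; stty echo; echo

    umask 077
    cd "$home"
    printf '%s' "$pw" | hdiutil create -size 300g -encryption -stdinpass \
        -certificate "$CERT" -uid "$uid" -gid "$gid" -mode 0700 \
        -fs "HFS+J" -type SPARSEBUNDLE -layout SPUD -volname "$u" "$bundle"
    chown -R "$u":staff "$bundle"

    mkdir sbdest
    printf '%s' "$pw" | hdiutil attach -owners on -mountpoint sbdest -stdinpass "$bundle"
    rsync -avxHE ./ sbdest/ --exclude="$bundle/" --exclude="sbdest/"
    # Second pass with checksums: any file still listed did not copy cleanly,
    # so do not switch the home directory to an incomplete image.
    if rsync -acxHE --dry-run --itemize-changes ./ sbdest/ \
           --exclude="$bundle/" --exclude="sbdest/" | grep '^>f'; then
        echo "copy incomplete, not switching the home directory" >&2
        hdiutil detach sbdest; exit 1
    fi
    hdiutil detach sbdest
    rmdir sbdest
    unset pw

    # Keep the same backup the post makes, then set home_loc through dscl
    # instead of hand-editing the plist (assumed HomeDirectory -> home_loc).
    plist=/private/var/db/dslocal/nodes/Default/users/$u.plist
    cp "$plist" "$plist.backup"
    dscl . -create "/Users/$u" HomeDirectory "$(fv1_home_loc_value "$u")"
    dscl . -read "/Users/$u" HomeDirectory
}

if [ "${1:-}" = run ]; then
    fv1_main "${2:?user name required}"
fi
```

Invoke it as `sudo sh fv1-home.sh run fv1user` with the user logged out; without the `run` argument it only defines the functions. The three helpers that take no action on the disk (fv1_valid_username, fv1_home_loc_value, fv1_is_home_mounted) can be exercised on any system, for instance against a mount line constructed from the one shown in the verification step above.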

P.S. With FileVault 1 you know that at logout OS X compacts the sparsebundle, displaying the compact dialog for a few moments. On battery power this doesn't happen: you must log out while the Mac is on AC power.

Thanks to Jeff McCune for his original post.

26 thoughts on "Encrypting a user home directory using Legacy FileVault in OS X Lion"

  1. Pingback: How to Enable Legacy FileVault on Mac OSX 10.7 Lion | The Tabor Consulting Group

  2. Thank you for the accurate information. I went through it step by step and this worked great! Now I know I can migrate my Legacy FileVault users over to a clean install of Lion, as Migration Assistant will not move FileVault 1 users! I prefer FileVault 1 for my users instead of FileVault 2 because I'm running Lion Server and my machine has to run headless and be able to reboot by itself without someone at the console to enter a password in EFI. The big problem with FileVault 2 is that it's not appropriate for a server, at least as Apple has it working so far. Also, Legacy FileVault has better individual user security, both between users and between a user and an admin. With FileVault 1 you can have some limited user files outside the sparsebundle in the user's directory to support remote ssh login, scripts, automated backups, etc. before the user's sparsebundle is mounted.

  3. Pingback: Working on a Mac » Blog Archive » Encrypting an user home directory using Legacy FileVault in OS X Lion

  4. Yes, wonderful tutorial!!! Works like a charm. Side notes:

    Tried this with an original FV1 .sparseimage, but that didn’t work. Ran into problems copying files from the old image. Many I/O errors. I think due to access-restrictions. Ended up mounting old image in new account, then copying every file through Finder, which prompted me for root-access. Then everything went fine and all files are accessible again.

    Thanks a lot for your trouble to jot this all down into understandable bits and pieces for us!

    • Were the I/O errors of the "Access denied" type? Maybe you can find some traces of them using the Console app. Anyway, I'm glad you found my tutorial useful :)

  5. This is a “fantastico” writeup, and still works in Mountain Lion, with a couple of caveats:

    – The hdiutil step, creating the .sparsebundle, may not work right off the bat, if the file “Library/Keychains/FileVaultMaster.cer” does not exist. To remedy this, follow the instructions in the “Create a master password” section of this Apple KB: http://support.apple.com/kb/HT5077

    – After completing all of the instructions, I still do not see a “Legacy FileVault” button in System Preferences, Security & Privacy, FileVault, but everything works correctly nonetheless.

    Thanks for posting this!

    PS: For anyone who’s wondering *why* someone would want to do this when FileVault 2 is available: I administer Macs that are used by multiple people, some of whom have admin privileges. As long as none of the users have access to the FileVault master password, this method is a way (and, as far as I know, the *only* way) to ensure that the data in each user’s home directory cannot be accessed by anyone else.

  6. Thank you very much for posting this tutorial, as I prefer Legacy FileVault to the new "full disk" encryption. Using Mountain Lion, I was sure to follow Joebob's recommendation on creating a FileVault "master password" first, before proceeding with your tutorial. After finishing the steps, the "Legacy FileVault" pop-up under System Preferences showed, and it appears everything went successfully. Thanks again!

  7. Successfully created in mtn lion 10.8.4. Ran into a couple of problems on logout –

    Restart machine, login to fvuser1:
    It asks me for login password, followed by sparsebundle password. Login successful.

    Logout. Try to log back in. Asks me for login password, hangs for a minute then boots me back into the login window. End up restarting machine.

    Post restart #2 – login to fvuser1:
    Asks me for login password, hangs for a sec then logs me into OSX?! It doesn’t ask me for sparsebundle password.

    It seems that the sparsebundle may not be detaching upon logout. Any ideas?

      • I have. I tried creating a fresh sparsebundle last night using a newly created account. Still no joy. I am seeing some weird instance in /Users where it’s creating additional accounts of the users that fail to unmount their sparsebundle.

  8. I actually did verify that the sparsebundle stays mounted after logout. If I log out of fvuser1 and log into another account I can see the /dev/disk*s* of fvuser1 still mounted using the mount command in terminal. Another way to tell is checking /Users for a .fvuser1 account. (/Users/.fvuser1 will show up if the bundle is still mounted)

  9. Is it possible to use this procedure in conjunction with FileVault2 to have ‘double encryption’?
    My main interest is with the Master Password – does the FV1 master password serve as a master for FileVault2 and vice versa or would FV1 and FV2 each use independent master/recovery passwords?

    • I don’t know if it is possible or not, but I think it is not advisable. You may use any other crypto software if you want to try to get your target (e.g. TrueCrypt)

  10. Pingback: [GUIDE] Encrypt a user home folder, by using "Legacy FileVault" - tonymacx86.com

  11. Nice guide, but using the Directory Service Command Line Utility to change the home_loc key is simpler:

    dscl . -create /Users/fv1user HomeDirectory "file://localhost/Users/fv1user/fv1user.sparsebundle"
