With the advent of Mac OS X 10.7 Lion, Apple has made some wonderful upgrades to how FileVault works, and I for one am quite happy. However, it does complicate some things. For example, our Linux friends have been storing their data on multiple partitions forever. Their installers support and encourage it, and it makes some sense: separating your data lets you mount different portions of it independently, lets the partitions (or disks, if you have more than one) fail independently without wrecking all of your data, and so on.
So what about Mac? It's Unix, right, how hard could it be? With FileVault 2, if you want your partitions to be encrypted, it's not easy, and there are several pitfalls along the way that can leave you locked out of your system if you aren't careful and don't happen to know someone familiar with OS X internals (thanks Drew!). So, assuming you want, say, your /Users directory on a separate encrypted partition, how do you do that? Well...
Setting Up The Partitions
First, you probably need to repartition your disk(s) to create your new Users partition. Note that if you need to do this, you shouldn't be running FileVault yet, since Disk Utility can't resize encrypted (CoreStorage) volumes.
To do this, you'll probably need to reboot to the recovery console (hold Command-R on reboot). Now open Disk Utility and shrink the "Macintosh HD" partition down to a size you're comfortable with. It's going to be hard to change later, so shrink cautiously (for reference, my Macintosh HD partition is 50 GB, with 22.18 GB currently used. I have /Users and /Applications on a separate partition). All done? Great!
Encrypting The Disk
Don't bother trying to encrypt "Macintosh HD" here. You'll need to do that from System Preferences later. What we need to do here is encrypt your new partition. So, quit Disk Utility and open up a Terminal. Type
diskutil list. You should get a list that looks kind of like this:
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:          Apple_CoreStorage                         49.5 GB    disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
   4:          Apple_CoreStorage                         449.6 GB   disk0s4
   5:                 Apple_Boot Boot OS X               134.2 MB   disk0s5
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                 Apple_HFSX Macintosh HD           *49.2 GB    disk1
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                 Apple_HFSX Users                  *449.3 GB   disk2
Find the partition you just created under the NAME column ("Users" in my case), and look on the far right for the IDENTIFIER ("disk2" in my case). Now type
diskutil cs convert /dev/IDENTIFIER -passphrase where IDENTIFIER is the one you just looked up. Now type and confirm the password you want to use for this partition. Great, now the partition is encrypted! Two things worth knowing: the conversion runs in the background (diskutil cs list shows its progress), and unlike the FileVault pane in System Preferences, this command gives you no recovery key. The passphrase is the only way back into this volume, so don't lose it.
Moving Your Data
Pay attention here, because this is where it starts to become possible to lose data. You named your new partition (not Macintosh HD!) something. Let's call that NAME. If you run
ls /Volumes/, you should see "Macintosh HD" and NAME (if you don't see NAME, see footnote 1 below). Now create a directory named "Users" on your new partition by running
mkdir /Volumes/NAME/Users. Now you can move your data over:
cp -Rp /Volumes/Macintosh\ HD/Users/* /Volumes/NAME/Users/. The -p preserves the permissions and other metadata of all your files, making your life easier later. Note that the shell's * does not match entries whose names start with a dot (such as /Users/.localized), so if you want those too, copy /Volumes/Macintosh\ HD/Users/. instead of /Users/*. All done? Great, let's just make sure it worked... type
ls -a /Volumes/Macintosh\ HD/Users/ and compare that list to
ls -a /Volumes/NAME/Users/. Make sure all the files got copied over (this only compares the top level, so spot-check a few home directories as well), because we're about to delete the old ones...
Once you're satisfied that the copy worked, type the following command EXACTLY:
rm -Rf /Volumes/Macintosh\ HD/Users
This WILL delete ALL of your old user data. I warned you!
Now type ln -s /Volumes/NAME/Users /Volumes/Macintosh\ HD/Users. This lets the system pretend that you've never moved your Users directory anywhere. And now, if you reboot, everything should work, and you should be able to log in!
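The copy, compare and delete steps above are the dangerous part: if the copy silently missed something, the rm takes it away for good. Here is an added example (not from the original post) of the same sequence with the check made mechanical: it copies with the trailing /. form so dot entries come along, compares the full path list and a checksum of every regular file on both sides, and only replaces the original with the symlink when the two trees match. The Macintosh HD / NAME paths are stand-ins; the demo at the bottom runs against constructed temporary directories so you can try it anywhere.

```shell
#!/bin/sh
# Added example: copy a directory tree to another volume, verify it, then swap
# the original for a symlink. Placeholder paths; not the post's own commands.

# Print a signature of the tree at $1: every path (dot entries included) plus
# a POSIX cksum of each regular file. Identical trees give identical output.
tree_signature() {
  ( cd "$1" || exit 1
    find . -print | sort
    find . -type f -exec cksum {} + | sort -k3 )
}

# Return 0 when $2 holds exactly the same paths and file contents as $1.
# Ownership and ACLs are not compared here; check those separately if needed.
verify_copy() {
  a=$(mktemp) || return 1
  b=$(mktemp) || return 1
  tree_signature "$1" >"$a"
  tree_signature "$2" >"$b"
  cmp -s "$a" "$b"
  rc=$?
  rm -f "$a" "$b"
  return $rc
}

# Copy the contents of $1 into $2 (the trailing /. makes cp include dotfiles),
# verify, and only on a match delete $1 and replace it with a symlink to $2.
# On a mismatch the original is left untouched and 2 is returned.
move_tree() {
  src="$1"; dst="$2"
  mkdir -p "$dst" || return 1
  cp -Rp "$src"/. "$dst"/ || return 1
  if ! verify_copy "$src" "$dst"; then
    echo "copy of $src to $dst does not match; leaving original in place" >&2
    return 2
  fi
  rm -rf "$src" && ln -s "$dst" "$src"
}

# Demo on constructed data: a fake "Macintosh HD/Users" with one home directory,
# a hidden file and restrictive permissions, moved to a fake "NAME/Users".
demo() {
  base=$(mktemp -d) || return 1
  src="$base/Macintosh HD/Users"
  dst="$base/NAME/Users"
  mkdir -p "$src/alice/Documents" "$src/.hidden" || return 1
  printf 'hello\n' >"$src/alice/Documents/notes.txt"
  printf 'x\n' >"$src/.localized"
  chmod 700 "$src/alice"
  move_tree "$src" "$dst" || return 1
  # After the move the old path is a symlink and everything, dotfiles included,
  # is reachable through it with its permissions intact.
  [ -L "$src" ] &&
  [ -f "$src/alice/Documents/notes.txt" ] &&
  [ -f "$dst/.localized" ] &&
  [ -d "$dst/.hidden" ] &&
  [ "$(ls -ld "$dst/alice" | cut -c1-10)" = "drwx------" ]
}

# Real use (as root from the Recovery Terminal) would be:
#   move_tree "/Volumes/Macintosh HD/Users" /Volumes/NAME/Users
demo
```

Run it from the Recovery Terminal as root, since only root can preserve file ownership with cp -p. cksum and find are present there, which is why the check avoids anything fancier.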
Well... you can indeed log in, but something's not quite right, is it? First, unlock your NAME partition when prompted. Now log out and log back in again. That should feel a little better. Although Finder won't remember any of your preferences. How annoying... Let's fix that!
First, create a new user. No seriously, not a guest account (those don't work with FileVault), a new user. It doesn't need to be an admin, it just needs to show up in the login screen. Check to make sure you can log in as this user. All done? Great! Now open System Preferences, go to Users & Groups, right-click your user and select "Advanced Options...". In here, change your "Home directory" setting from "/Users/YOUR_USER_NAME" to "/Volumes/NAME/Users/YOUR_USER_NAME". You will now be prompted to restart.
When you do restart, you'll probably notice some error about not being able to log in. Of course! Your home directory is on an encrypted partition that we haven't unlocked. So, log in as your alternate user (you created them, right? No? Fortunately, I made the same mistake, so see footnote 2 below), and unlock your partition when prompted. Now log out and log back in as yourself. Behold! Finder remembers your preferences :)
Now you can use the FileVault pane in System Preferences to encrypt Macintosh HD, leaving you with a properly segmented, fully encrypted system. Keep in mind that the Users volume has its own passphrase, separate from your FileVault login: you'll be asked to unlock it each time you log in. You can also move other directories onto different partitions through a very similar process. The Users directory is just specially tricky because we need it to log in.
Note that while Time Machine backups work just fine, I have no idea what would happen if you tried to restore from Time Machine. My suspicion is that you'd be reverted to a single partition layout, but let me know if that behavior is different!
1. If you don't see NAME, maybe you need to mount it. Open a new tab in Terminal (Command-T) and type
/Applications/Utilities/Disk\ Utility.app/Contents/MacOS/Disk\ Utility. When Disk Utility comes up, find your new partition (NAME) in the list, right-click on it, and unlock it. This will unlock and mount the disk for you. If you'd rather stay in Terminal, diskutil cs list shows the logical volume's UUID, and diskutil cs unlockVolume UUID -passphrase does the same thing.
2. You'll need to create another user the hard way. Restart into single user mode (hold down Command-S), and then follow the instructions here. Note that while you can create this new user in /Local/Users (and I in fact did), /Users should work just as well (although your alternate user will, of course, inherit the "Finder doesn't remember your settings" quirk). And no, the recovery partition is not good enough, because it doesn't have dscl. Yes, in theory you could chroot, but... just use single user mode.