
Loa

Hello,

I have one drive I wanted to encrypt using Filevault 2, so I formatted it with the encrypted option and it works just fine.

My problem is this: this drive is mounted in a 4 bay external case that is always powered up, as I mount/unmount the drives it contains as needed. Trouble is: once I enter the password for the encrypted drive, the system remembers it until I power the external case down.

A simple unmount doesn't work, because anyone can re-mount it without having to enter the password.

Can I force the OS to ask the password every time the drive is mounted?

Thanks

Loa
 
I've never used Filevault before but I know that Truecrypt will do what you're looking to do: http://www.truecrypt.org/

You can mount it only when you need it and it will ask you for the password every time.
 
> My problem is this: this drive is mounted in a 4 bay external case that is always powered up, as I mount/unmount the drives it contains as needed. Trouble is: once I enter the password for the encrypted drive, the system remembers it until I power the external case down.

Filevault2 is geared to protect your data if you lose access to your system (e.g., laptop stolen). If you log out (and accounts are password protected) then no one without a password can get to the data. In short, Filevault doesn't try to protect the data from you (the logged in user). In fact, it is the opposite. It tries to make the encryption completely transparent.

I think the "power down" simulates enough of the "reboot" characteristics to trigger the normal system power up login.

> A simple unmount doesn't work, because anyone can re-mount it without having to enter the password.

A Unix 'umount' or a Finder 'eject'? If 'eject' isn't an available option then that's probably part of the problem. After an 'eject' that should be enough to flush metadata about the disk from the OS since it is 'gone'.
 
Hello,

I'll look into Truecrypt, but since Lion has equivalent encryption, I wanted to avoid the cost.

The drive I'm encrypting isn't a boot volume, and the password is independent (different) from my login password.

I'm ejecting the disk from the Finder, or from DU, and the results are the same. Is there a "stronger" eject?

Thanks

Loa
 
> I'll look into Truecrypt, but since Lion has equivalent encryption, I wanted to avoid the cost.

Truecrypt is free. It will just cost you time; not money (at least directly).

Similarly, a sparse bundle disk image with a large upper limit on that disk effectively does the same thing. You'd have to double click on the image to invoke the mount process. But there are advantages to doing the whole drive since an extremely large file tends to invite metadata problems as the disk approaches being 90% full (or someone putting something else on the disk that isn't encrypted).

> The drive I'm encrypting isn't a boot volume, and the password is independent (different) from my login password.

Filevault2 doesn't encrypt with login passwords but the logins are associated with the encryption.

"... Users not enabled for FileVault unlock will only be able to log in to that Mac after an unlock-enabled user has started or unlocked the drive. Once unlocked, the drive remains unlocked and available to all users, until the computer is shut down. ... "
http://support.apple.com/kb/HT4790

You are mimicking the computer shutdown with the external drive being shut down.

> I'm ejecting the disk from the Finder, or from DU, and the results are the same. Is there a "stronger" eject?

No. But there is a 'weaker' unmount.

However, this tutorial on how to use the somewhat unsupported external drive encryption notes that:

"... An important security note when using a partitioned drive: Once you've entered the password for a partition to mount it, that password is cached as long as any partition on the drive remains mounted. This means anyone could access an unmounted partition without needing to enter its password. You must unmount all partitions—eject the entire disk, as it were—to ensure that OS X requires a password again for each partition. ... "
http://www.macworld.com/article/162999-2/2011/10/complete_guide_to_filevault_2_in_lion.html

I'm not sure, but it seems like there's a good chance that OS X may be treating all of the drives in the enclosure as a cluster, similar to how it treats all the partitions of a single drive. You may have to eject them all to get the OS to flush the cache on the drive's password. Otherwise, it just holds onto it.
 
Hello,

I installed Truecrypt and gave it a try. Seems to work fine, and I'll test it for a few weeks.

Thanks for the info; I'm just sad that the integrated solution (filevault) isn't really helpful for multi-drive bays...

Loa
 