doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
Okay, we are making some progress!! :)


In order:
1) CoreStorage Logical Volume Group, its purpose is to contain various logical partitions but it isn't the drive itself.

Not to get "off in the weeds" too much, BUT, if I had several *physical* drives that I wanted to chain together to form ONE *logical* drive, then that is what #1 is all about, right?

For instance, if I had a Desktop - instead of my MBP - and had a RAID array in it, then #1 might describe several HDD's making one Logical Partition, right?



2) The encrypted root logical partition where all your data is stored, it should be in the previous CoreStorage Logical Volume Group (1).

Yes, in Disk Utility, all of the entries beneath the (CoreStorage) Logical Volume Group were indented, presumably showing that they all belong to it.



3) EFI partition that is normally hidden, necessary but not really used for much but is created with any GUID OSX drive. Could be used for some software that works with the EFI and for software firmware.

So it sounds like I should concern myself with that drive, right?

BTW, is it protected by encryption?



4) Core Storage Physical Volume, this should represent the physical drive that is a member of the CoreStorage Logical Volume Group (1).

Okay.


5) Recovery HD, this is what you are normally booting from, this is where that grey screen with your accounts comes from and is what is used to unlock your encrypted root partition (2).

If FileVault2 was OFF, then would my Mac still boot from the "Recovery HD (Partition)"??

Or, instead, would it boot from the "2.) Encrypted Logical Partition"??



You can also use Command+R to boot into the recovery software located on this partition instead of the normal login screen.

Here is an area where I am still thoroughly confused...

What is the purpose of the "Recovery HD (Partition)"????

What exactly is stored on it??

And if I "Command+R" Boot, then what comes after I select a Language Option?? (It looks like when you first turn on a new mac...)


Personally I would have used the "diskutil list" command, or for more information on the CoreStorage setup of your machine "diskutil cs list".

The way you've listed it makes it harder to understand.

Maybe.

Sincerely,


Debbie
 

Dark Dragoon

macrumors 6502a
Jul 28, 2006
844
3
UK
Not to get "off in the weeds" too much, BUT, if I had several *physical* drives that I wanted to chain together to form ONE *logical* drive, then that is what #1 is all about, right?

For instance, if I had a Desktop - instead of my MBP - and had a RAID array in it, then #1 might describe several HDD's making one Logical Partition, right?

Yes you can combine multiple physical drives to create a single logical volume.
For example here is the (slightly modified) output from "diskutil cs list" on my MacBook Pro which has two drives combined using CoreStorage to form a Fusion drive with FileVault2 encryption enabled. You can see the two Physical Volumes (511GB and 999GB) listed along with the Logical Volume (1.5TB).

Code:
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    Size:         1511111344128 B (1.5 TB)
    Free Space:   0 B (0 B)
    |
    +-< Physical Volume
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk0s2
    |   Status:   Online
    |   Size:     511766216704 B (511.8 GB)
    |
    +-< Physical Volume
    |   ----------------------------------------------------
    |   Index:    1
    |   Disk:     disk1s2
    |   Status:   Online
    |   Size:     999345127424 B (999.3 GB)
    |
    +-> Logical Volume Family
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Conversion Direction:    -none-
        Has Encrypted Extents:   Yes
        Fully Secure:            Yes
        Passphrase Required:     Yes
        |
        +-> Logical Volume
            ---------------------------------------------------
            Disk:               disk2
            Status:             Online
            Size (Total):       1505453932544 B (1.5 TB)
            Size (Converted):   -none-
            Revertible:         No
            LV Name:            Macintosh HD
            Volume Name:        Macintosh HD
            Content Hint:       Apple_HFS





So it sounds like I should concern myself with that drive, right?

BTW, is it protected by encryption?
It is not encrypted, it is a part of the GUID partition scheme.
With OSX it will be empty unless you perform a firmware update of the system, in which case the firmware to be written is placed there temporarily.
You could potentially delete this partition but it is not advisable.


If FileVault2 was OFF, then would my Mac still boot from the "Recovery HD (Partition)"??

Or, instead, would it boot from the "2.) Encrypted Logical Partition"??
If FileVault2 was not used then the Mac boots from the main partition that contains all your data. By default this is a simple partition and logical partitions are not used.
In the case where you are using CoreStorage but not FileVault2 I'm not certain which would be used.


Here is an area where I am still thoroughly confused...

What is the purpose of the "Recovery HD (Partition)"????

What exactly is stored on it??

And if I "Command+R" Boot, then what comes after I select a Language Option?? (It looks like when you first turn on a new mac...)
It contains a cut down copy of OSX with some diagnostic tools.
It has several purposes, the main ones are:
- Load system recovery tools if you have some problem with your OSX installation.
- Boot the computer when FileVault2 is used.
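A way to read the `diskutil cs list` output quoted in the post above as a quick encryption check. This is an added example, not part of the original post: the function name, the OK/WARN rule and both sample inputs are constructed here, and the mid-conversion values and the `None` encryption type are assumptions about what diskutil prints.

```shell
#!/bin/sh
# Added example (not from the thread): report the FileVault 2 state of each
# CoreStorage Logical Volume Family found in `diskutil cs list` text.

# Reads `diskutil cs list` output on stdin and prints one line per family.
# Verdict rule (an assumption of this example): OK only when an encryption
# type is set, Conversion Status is Complete and Fully Secure is Yes.
cs_encryption_report() {
    awk '
    function emit(   ok) {
        if (lvdisk == "") return
        ok = (type != "" && type != "None" && conv == "Complete" && secure == "Yes")
        printf "%s pvs=%s type=%s conversion=%s fully_secure=%s verdict=%s\n",
               lvdisk, pvs, type, conv, secure, (ok ? "OK" : "WARN")
        lvdisk = ""
    }
    { sub(/^[ |]+/, "") }                      # drop the tree-drawing prefix
    /^\+-- Logical Volume Group/  { emit(); section = "lvg"; pvs = ""; next }
    /^\+-< Physical Volume/       { section = "pv"; next }
    /^\+-> Logical Volume Family/ { emit(); section = "lvf"
                                    type = conv = secure = ""; next }
    /^\+-> Logical Volume/        { section = "lv"; next }
    /^[A-Za-z].*:/ {
        i = index($0, ":")
        key = substr($0, 1, i - 1)
        val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (section == "pv" && key == "Disk")
            pvs = (pvs == "" ? val : pvs "," val)
        else if (section == "lvf" && key == "Encryption Type")   type = val
        else if (section == "lvf" && key == "Conversion Status") conv = val
        else if (section == "lvf" && key == "Fully Secure")      secure = val
        else if (section == "lv"  && key == "Disk")              lvdisk = val
    }
    END { emit() }
    '
}

# Constructed sample 1: abridged from the output quoted in the post above.
sample_encrypted() {
cat <<'EOF'
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk0s2
    |   Status:   Online
    |
    +-< Physical Volume
    |   ----------------------------------------------------
    |   Index:    1
    |   Disk:     disk1s2
    |   Status:   Online
    |
    +-> Logical Volume Family
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Conversion Direction:    -none-
        Has Encrypted Extents:   Yes
        Fully Secure:            Yes
        Passphrase Required:     Yes
        |
        +-> Logical Volume
            ---------------------------------------------------
            Disk:               disk2
            Status:             Online
            LV Name:            Macintosh HD
EOF
}

# Constructed sample 2: a single-disk volume part-way through encryption
# (field values are assumed, not taken from the thread).
sample_converting() {
cat <<'EOF'
+-- Logical Volume Group
    +-< Physical Volume
    |   Index:    0
    |   Disk:     disk0s2
    |
    +-> Logical Volume Family
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Fully Secure:            No
        |
        +-> Logical Volume
            Disk:               disk1
EOF
}

sample_encrypted  | cs_encryption_report
sample_converting | cs_encryption_report
```

On a Mac that uses CoreStorage, the same function can be fed live output with `diskutil cs list | cs_encryption_report`.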
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
doubledee said:
disk0s1
Code:
Mount Point: Not Mounted
Partition Type: EFI
Capacity: 209.7 MB

It is not encrypted, it is a part of the GUID partition scheme.
With OSX it will be empty unless you perform a firmware update of the system, in which case the firmware to be written is placed there temporarily.

You could potentially delete this partition but it is not advisable.

Being unencrypted, does this "EFI Partition" pose any security risks to my "Encrypted (Main) Logical Partition"??



If FileVault2 was not used then the Mac boots from the main partition that contains all your data.

What controls this logic?

And where is it stored?

Is there some "brain" on your motherboard that makes this decision of where to boot from??




By default this is a simple partition and logical partitions are not used.

Not sure what you meant here?




doubledee said:
Here is an area where I am still thoroughly confused...

What is the purpose of the "Recovery HD (Partition)"????

It contains a cut down copy of OSX with some diagnostic tools.

It has several purposes, the main ones are:
- Load system recovery tools if you have some problem with your OSX installation.

- Boot the computer when FileVault2 is used.


The "Recovery Partition" is probably where I am the most confused, so diving a little deeper...

If I use CCC to make a "Bootable USB Drive" which contains:

a.) Clone of my "Main Partition"

b.) Clone of the "Recovery HDD (Partition)"


Then do I in essence have a *physical* copy of Mountain Lion on my "Bootable USB Drive"???? :confused:


Remember, the whole reason I bought CCC, was because I *thought* by making a "clone" of the "Recovery Partition", I was in essence creating a copy of Mountain Lion that I could install on a BLANK HDD and it be like I was back to my out-of-the-box MacBook Pro.

Follow me??


***********
Whether others agree or not, I do NOT want to have to buy a copy of Mountain Lion, NOR do I want to have to download a copy of Mountain Lion should I ever need it!!!!!!!

IF it is possible, then I want to get a copy and store it on external media (e.g. USB Drive).

My problem with downloading things is based on both "access" as well as *security*. (And since this topic was debated ad nauseam back in like February, I'd just ask others to respect my stance... )
***********


Anyways, that is why I *flipped out* when my "Recovery Partitions" on my MBP and USB Drive went *poof* after I turned on FileVault2!!! :eek:


I am just trying to get 110% reassurance, that BEFORE I start putting data onto my new MBP, that I have a way to *completely* restore Mountain Lion, my Apps, and anything else needed to build a new MBP from scratch (read blank HD) if catastrophe ever struck!!!

I *thought* I had accomplished that by using CCC to make a "Bootable USB Drive" which included...
Code:
- Clone of my "Main Partition"

- Clone of the "Recovery HDD (Partition)"


I am wondering if I should make another "Bootable USB Drive" that is UN-encrypted, and JUST has the "Recovery Partition" on it?? Or is that overkill??

Sincerely,


Debbie
 

Dark Dragoon

macrumors 6502a
Jul 28, 2006
844
3
UK
Being unencrypted, does this "EFI Partition" pose any security risks to my "Encrypted (Main) Logical Partition"??
No

What controls this logic?

And where is it stored?

Is there some "brain" on your motherboard that makes this decision of where to boot from??

Not sure what you meant here?
By default an installation of OSX is just made to a partition, no CoreStorage volumes are used.
So it will boot from the partition that OSX is installed on.

The boot choice is stored in the NVRAM, if you have multiple startup disks you can set this from System Preferences > Startup Disk.

My understanding is that when FileVault2 is enabled the partition OSX is installed on is no longer bootable, so this is not an option to boot from. The Recovery partition is modified so that it is aware that FileVault2 is enabled as well as the details of the users who can decrypt/login, and its behaviour is modified to let you login rather than boot into the recovery tools

I just mean that no CoreStorage volumes are used by default.


The "Recovery Partition" is probably where I am the most confused, so diving a little deeper...

If I use CCC to make a "Bootable USB Drive" which contains:

a.) Clone of my "Main Partition"

b.) Clone of the "Recovery HDD (Partition)"


Then do I in essence have a *physical* copy of Mountain Lion on my "Bootable USB Drive"???? :confused:


Remember, the whole reason I bought CCC, was because I *thought* by making a "clone" of the "Recovery Partition", I was in essence creating a copy of Mountain Lion that I could install on a BLANK HDD and it be like I was back to my out-of-the-box MacBook Pro.

That should be fine, note that the recovery partition does not contain a full installation of OSX (nor the files needed to reinstall OS X), hence why normally to perform recovery (reinstallation of OS X) and certain diagnostics it needs to connect to the internet to download these files.

Only the "Main Partition" in this case contains a full installation of Mountain Lion (but not the installation files). Any changes you have made to the Main Partition before you used CCC and indeed if you boot from it in the future will be saved, so it wouldn't get you back to being a completely fresh install. Just back to the state it was in when you made the clone/last booted from it.
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
doubledee said:
Being unencrypted, does this "EFI Partition" pose any security risks to my "Encrypted (Main) Logical Partition"??

No

Okay, good.



By default an installation of OSX is just made to a partition, no CoreStorage volumes are used.

So it will boot from the partition that OSX is installed on.

The boot choice is stored in the NVRAM, if you have multiple startup disks you can set this from System Preferences > Startup Disk.

That would be pretty hard to hack unless someone had *physical* access to your computer, right?


My understanding is that when FileVault2 is enabled the partition OSX is installed on is no longer bootable, so this is not an option to boot from. The Recovery partition is modified so that it is aware that FileVault2 is enabled as well as the details of the users who can decrypt/login, and its behaviour is modified to let you login rather than boot into the recovery tools

Some more questions...

1.) So there is a *full copy* of Mountain Lion on my "Encrypted Main Partition"??

2.) Is there a *minimal yet bootable copy* of Mountain Lion on the "Recovery Partition"?

3.) Or with FileVault2 turned on, does the "Recovery Partition" just look to see that I have the ability to unlock FileVault2, take my login credentials, unlock FileVault2, and then pass things off to the Full-version of Mountain Lion on the "Encrypted Main Partition"??



That should be fine, note that the recovery partition does not contain a full installation of OSX (nor the files needed to reinstall OS X), hence why normally to perform recovery (reinstallation of OS X) and certain diagnostics it needs to connect to the internet to download these files.

If I used CCC to make *just* a "Recovery Partition" and saved it on a USB Drive, and then I installed a Blank HDD into my MBP, how would the "Recovery Partition" talk with Apple to get the files it needed?

FWIW, my strong resistance to having to download the "Mountain Lion Installer" was because I am away from home, and...

a.) Originally I would have had to use Free WiFi at McDonalds, which meant any hacker could do a "Man-in-the-Middle" attack on me while I downloaded the 4-6GB file. Major Issue!!

b.) I'm not sure there was the bandwidth I needed at places like Starbucks and McDonalds

c.) After breaking down and buying a Data Plan with AT&T, I estimated the download would cost me about $50!!

d.) Even though I broke down and got a VPN from WiTopia, I wouldn't be able to use that without an Op Sys, so that wouldn't protect me on McDonald's Free Wi-Fi while downloading whatever it is I had to download?!


I guess I have always assumed that when I get OS-X Software Updates on my MacBook, that they happen over HTTPS, right?????


Would that be true if I booted from the "Recovery Partition" and OS-X needed to download updates??



Well, everything I read and heard didn't reassure me that I'd have the same control using the "OS-X Installer" on a blank HDD, because there wasn't an Operating System there.

And downloading a 4-6 GB file over Free Wi-Fi at McDonalds - with the Russian Mafia sitting outside - is not my idea of "secure computing"!!!

And even with my new VPN, I couldn't have used it for protection, since it requires software to be installed on my laptop!!


Following me and my concerns??


Only the "Main Partition" in this case contains a full installation of Mountain Lion (but not the installation files). Any changes you have made to the Main Partition before you used CCC and indeed if you boot from it in the future will be saved, so it wouldn't get you back to being a completely fresh install.

Just back to the state it was in when you made the clone/last booted from it.

Right.

But immediately after I set up "user1" and "user2" and did basic things like setting up WiTopia and FireFox and locking things down, I made a clone which I called "MBP Factory Clone 2013-07-01".

Yes, technically, it wasn't a clone of my "out-of-the-box" MBP, but it was close enough, and one that I could install on a blank HDD and be up and running in minutes...


And the reason for this thread, is that now I want to make a 2nd "Bootable USB Drive" which contains all of my Apps, Final Preferences & Settings in the Control Panel, FileVault2 and so on.

That way, I have the 1st USB Drive to get back to "factory", and this 2nd USB Drive to get to a "perfected" MBP less any data!!


But before I do that, I needed to make sure I understood how the "Recovery Partition" and Filevault2 work, so if I ever needed to do a restore, I didn't have any surprises!!!


Obviously my 1st Bootable USB Drive should get me back to where I need to be, after all, I already used it once to rebuild my MBP with a blank HDD in it!

But I still feel like I'm not getting this whole new paradigm of "Mountain Lion Installers" and "Recovery Partitions" and so on...

Still a little foggy on these topics.

Hopefully your answers to my latest set of questions will help me understand things better?! :eek:

Sincerely,


Debbie
 

Dave Braine

macrumors 601
Mar 19, 2008
4,002
359
Warrington, UK
For what it's worth, I noticed the other day that my Recovery Partition has disappeared from the Startup Manager(not heard it called that before), although the Recovery Partition for my clone shows. I have Filevault turned OFF.
 

Dark Dragoon

macrumors 6502a
Jul 28, 2006
844
3
UK
That would be pretty hard to hack unless someone had *physical* access to your computer, right?
Yes not that it matters all that much with FileVault2 enabled.
Potentially it means that someone could steal your computer and boot from some other (external) drive. Wipe the internal drive, reinstall OSX (using internet recovery) and then sell/use your computer. You could of course set a firmware password to stop/make this harder to do.


1.) So there is a *full copy* of Mountain Lion on my "Encrypted Main Partition"??
Yes, though as mentioned previously it can't boot on its own as the recovery partition is required for that.

2.) Is there a *minimal yet bootable copy* of Mountain Lion on the "Recovery Partition"?
Yes.

3.) Or with FileVault2 turned on, does the "Recovery Partition" just look to see that I have the ability to unlock FileVault2, take my login credentials, unlock FileVault2, and then pass things off to the Full-version of Mountain Lion on the "Encrypted Main Partition"??
Yes.

If I used CCC to make *just* a "Recovery Partition" and saved it on a USB Drive, and then I installed a Blank HDD into my MBP, how would the "Recovery Partition" talk with Apple to get the files it needed?
You actually don't need the recovery partition in that situation (though you can use it) as the computer comes with the ability to recover the OS built into the computer's firmware (assuming your Mac is from around 2010 onwards). The operation is the same either way, it connects to the internet and downloads the necessary files needed to install OS X from Apple's servers. This way a user can recover their system without needing any extra hardware or software.
You can also use Apple's Recovery Disk Assistant to create a recovery partition on an external storage device if needed.


Restoration wise I don't know how well a file level cloning tool like CCC works with a FileVault CoreStorage setup. As far as I'm aware all it will do is copy the files from inside the encrypted partition over to the destination (not encrypted). I'm not sure how the system would cope with that, my guess is that it will probably run ok though I'm not sure whether you could re-enable FileVault2 on the destination successfully without some manual modifications afterwards or manually creating the CoreStorage volumes yourself beforehand. Of course I could be completely wrong about this and it might all just work fine.
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
Potentially it means that someone could steal your computer and boot from some other (external) drive. Wipe the internal drive, reinstall OSX (using internet recovery) and then sell/use your computer. You could of course set a firmware password to stop/make this harder to do.

On my list of things to do!!


You actually don't need the recovery partition in that situation (though you can use it) as the computer comes with the ability to recover the OS built into the computer's firmware (assuming your Mac is from around 2010 onwards). The operation is the same either way, it connects to the internet and downloads the necessary files needed to install OS X from Apple's servers. This way a user can recover their system without needing any extra hardware or software.

You can also use Apple's Recovery Disk Assistant to create a recovery partition on an external storage device if needed.

So what purpose does the "Recovery Partition" serve?

And at the end of the day, *what* do I need to do with CCC - or something else - so I am 100% covered should my HDD die??

I was under the impression that by cloning my "Encrypted Main Partition", and making a clone of the "Recovery Partition", that that was all I needed to do to do a 100% restore...


Thought that was done back in July, then this week when I "Option Booted", I didn't see the "Recovery Partition", and started freaking out.

And obviously I'm still not understanding how all of these Partitions work together, and what I need to do to get back to "out-of-the-box" status should I install a new HDD or have a total System failure.

Although, on a side note, I did install the "Main Partition" clone - before FileVault2 was turned on - onto my new Western Digital HDD and that made everything like new.

Not sure how the restore process would go now that I turned FileVault2 on... :confused:


See the places where I am still confused?

Sincerely,


Debbie
 

Dark Dragoon

macrumors 6502a
Jul 28, 2006
844
3
UK
So what purpose does the "Recovery Partition" serve?
It allows you to run diagnostics, disk utility, set the firmware password without requiring you to download anything from the internet.
It allows you to reinstall the operating system, by downloading it from Apple's servers.
On top of this it is required for booting the computer with FileVault2.


And at the end of the day, *what* do I need to do with CCC - or something else - so I am 100% covered should my HDD die??

I was under the impression that by cloning my "Encrypted Main Partition", and making a clone of the "Recovery Partition", that that was all I needed to do to do a 100% restore...
CCC won't work as well if you use FileVault2 encryption, it should be fine for cloning as long as the original is not encrypted and that FileVault2 is only enabled after cloning.


Thought that was done back in July, then this week when I "Option Booted", I didn't see the "Recovery Partition", and started freaking out.
Command+R will do the same as holding down Option and selecting the Recovery partition on a system where FileVault2 is not enabled.


And obviously I'm still not understanding how all of these Partitions work together, and what I need to do to get back to "out-of-the-box" status should I install a new HDD or have a total System failure.

Although, on a side note, I did install the "Main Partition" clone - before FileVault2 was turned on - onto my new Western Digital HDD and that made everything like new.

Not sure how the restore process would go now that I turned FileVault2 on... :confused:
It may fail if you attempt to clone the system with FileVault2 already enabled.
From reading the CCC docs you would need to clone the system before enabling FileVault2 and then enable it separately on both the OS installed on your computer and the backup, you may then be able to continue updating the clone. However for recovery you may need to decrypt the clone first before restoring.

From my perspective you are making everything far more complex than it needs to be without increasing security.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,481
16,195
California
From my perspective you are making everything far more complex than it needs to be without increasing security.

I agree completely.

OP>> My suggestion. Forget CCC and use the tools Apple gives you. Attach a USB key/drive and turn on Time Machine to backup the main drive. When you get to the select disk box check the box to encrypt the backup. This will be a complete copy of the disk and has a copy of the recovery partition included. If you want to restore from this you just option key boot to the Time Machine backup disk and restore.

Very simple and encrypted and supported by Apple.
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
It allows you to run diagnostics, disk utility, set the firmware password without requiring you to download anything from the internet.

It allows you to reinstall the operating system, by downloading it from Apple's servers.

On top of this it is required for booting the computer with FileVault2.

You missed this earlier question...

So if I boot up from the "Recovery Partition", and my Mac needs to download the files to re-install Mountain Lion then over what type of connection is that happening??

I would *hope* that there is an HTTPS tunnel between my Mac and Apple's Servers...

But does anyone know for sure?! :eek:

After all, maybe this is like so many other Fortune 500 companies that send data in PLAIN TEXT form over the Internet (e.g. GoDaddy's log-in page)???


This may sound like a funny question, but why bother using FDE - and all of these other security measures - if you can't be reassured that from the time you boot to the "Recovery Partition" until you have a new version of Mountain Lion installed, that there was ZERO CHANCE of a "Man-in-the-Middle" attack?? :(

Sincerely,


Debbie
 

benwiggy

macrumors 68020
Jun 15, 2012
2,470
287
This may sound like a funny question, but why bother using FDE - and all of these other security measures - if you can't be reassured that from the time you boot to the "Recovery Partition" until you have a new version of Mountain Lion installed, that there was ZERO CHANCE of a "Man-in-the-Middle" attack??
You can't be reassured. Everything can be broken into, given enough time, money and effort. There is no such thing as 100% secure.

The only question is whether the effort is worth the reward.
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
You can't be reassured. Everything can be broken into, given enough time, money and effort. There is no such thing as 100% secure.

The only question is whether the effort is worth the reward.

Right.

But in practical terms...

If my HDD died and I installed a new HDD, and I inserted my USB Drive and booted up to an unencrypted "Recovery Partition" and chose whatever option to download Mountain Lion from Apple's Servers...

Would you expect that the System Files were being downloaded over an end-to-end *encrypted* connection??


Furthermore, whenever the "Software Updater" pops up on my Mac, and I download updates, is that happening over an HTTPS connection??

Sincerely,


Debbie
 

Dark Dragoon

macrumors 6502a
Jul 28, 2006
844
3
UK
You missed this earlier question...

So if I boot up from the "Recovery Partition", and my Mac needs to download the files to re-install Mountain Lion then over what type of connection is that happening??

I would *hope* that there is an HTTPS tunnel between my Mac and Apple's Servers...

But does anyone know for sure?! :eek:

After all, maybe this is like so many other Fortune 500 companies that send data in PLAIN TEXT form over the Internet (e.g. GoDaddy's log-in page)???


This may sound like a funny question, but why bother using FDE - and all of these other security measures - if you can't be reassured that from the time you boot to the "Recovery Partition" until you have a new version of Mountain Lion installed, that there was ZERO CHANCE of a "Man-in-the-Middle" attack?? :(

You can't know, in the same way that you can't know whether OS X itself has backdoors or other vulnerabilities built in, whether the firmware installed on your machine at the factory hasn't been tampered with (or designed to have backdoors), or indeed whether the physical chips themselves haven't been modified/designed with backdoors.

As for sending the data it is likely sent using HTTP (I've not checked) as it is binary data that doesn't need to be encrypted as it doesn't contain any unique information. On the other hand login credentials for the Mac App Store if needed for the restore I would expect to be sent using HTTPS. Anyway a man in the middle attack can be performed even if you use HTTPS if the CA messes up or has their keys stolen/obtained by whoever wants to spy on people.

It doesn't really matter all that much if someone can sit in the middle and see that you are re-installing OSX. Sure I guess someone could very carefully craft a malicious version of OSX and send that to you, but to be able to do that the attacker would have to know that you are going to reinstall the OS then they would have to craft a malicious version which would take time, and then keep updating it as the version on Apple's servers is updated at each point release. There are far easier ways than this to get someone's data, that would take a lot less time, effort and money.

If I was really all that worried about this I would download a copy of the OS X installer app from the Mac App Store and then checksum it and compare it with other people's. I guess everyone else's copy could also have been maliciously modified, but you have to trust something/someone at some point.
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
You can't know, in the same way that you can't know whether OS X itself has backdoors or other vulnerabilities built in, whether the firmware installed on your machine at the factory hasn't been tampered with (or designed to have backdoors), or indeed whether the physical chips themselves haven't been modified/designed with backdoors.

Scary stuff... :(


As for sending the data it is likely sent using HTTP (I've not checked) as it is binary data that doesn't need to be encrypted as it doesn't contain any unique information. On the other hand login credentials for the Mac App Store if needed for the restore I would expect to be sent using HTTPS. Anyway a man in the middle attack can be performed even if you use HTTPS if the CA messes up or has their keys stolen/obtained by whoever wants to spy on people.

If I was logged in to my AT&T Hotspot, I guess that would add some security.

They always say, "The first hop is the most dangerous on the Internet..."


It doesn't really matter all that much if someone can sit in the middle and see that you are re-installing OSX. Sure I guess someone could very carefully craft a malicious version of OSX and send that to you, but to be able to do that the attacker would have to know that you are going to reinstall the OS then they would have to craft a malicious version which would take time, and then keep updating it as the version on Apple's servers is updated at each point release. There are far easier ways than this to get someone's data, that would take a lot less time, effort and money.

But it is a legitimate question/concern...



If I was really all that worried about this I would download a copy of the OS X installer app from the Mac App Store and then checksum it and compare it with other people's. I guess everyone else's copy could also have been maliciously modified,

Except Apple won't let you do that... (I know because I called Apple.)

Your only choice is to let Apple install it for you...


but you have to trust something/someone at some point.

True. But it is also becoming exponentially harder to do this in today's world...

Sincerely,


Debbie
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
Dark Dragoon,

I did some testing while we were talking on Saturday, and I'm not buying what you said...


CCC won't work as well if you use FileVault2 encryption, it should be fine for cloning as long as the original is not encrypted and that FileVault2 is only enabled after cloning.

It may fail if you attempt to clone the system with FileVault2 already enabled.

From reading the CCC docs you would need to clone the system before enabling FileVault2 and then enable it separately on both the OS installed on your computer and the backup, you may then be able to continue updating the clone. However for recovery you may need to decrypt the clone first before restoring.

It is now Monday, so let's see if I can remember what I did on Saturday...

I inserted my new USB Drive into my MBP and wiped it clean. I then created a new, single Partition. From there, I used CCC to clone my MBP - which has FileVault2 enabled. CCC created a "Main Partition" and a "Recovery Partition", both of which were unencrypted.

I was able to boot up to the "Main Partition" and it looked just like my MBP HDD.

I was able to boot up to the "Recovery Partition" and it appeared like it would do what I needed it to do in case of a System Failure.

I then turned on FileVault2 on the USB Drive. When it was done running, I no longer had a "Recovery Partition", but the encrypted "Main Partition" works as expected. I could "Command+R" boot and get the encrypted version of the "Recovery Partition".

Next I DE-crypted the USB Drive, and voilà, I had a "Main Partition" and a normal "Recovery Partition" again!!

So, it does not appear that FileVault2 in any way hampers CCC's ability to clone my "Main Partition" and "Recovery Partition".

And it also does not appear that enabling and disabling FileVault2 in any way damages the "Recovery Partition"...



If I have time, I may screw around and see if I can wipe my USB Drive. Create 2 Partitions. Use CCC to put a (full) "Recovery Partition" on "Partition #1". And then use CCC to clone the "Main Partition" and "Recovery Partition" and place them on "Partition #2" and then use FileVault2 to encrypt "Partition #2" for security!



From my perspective you are making everything far more complex than it needs to be without increasing security.

Care to explain why that is...


Here is my take...

- If you own a new MBP and don't use FileVault2, then you are crazy.

- If you clone your entire MBP to a USB Drive and don't clone the USB Drive, that is equally crazy. (Even if the clone just has the Op Sys and Apps, why hand that over to someone that happens upon your lost USB Drive?!)

- I think it is prudent to make sure you have a working "Recovery Partition" with or without FileVault2. (I think everyone would agree on this.)

- It is better to TEST and confirm, than to ASSUME and be surprised!!

- In this day and age, you can almost never have "too much" Security or Security Knowledge!!!



********
As far as the whole ability to "recover" Mountain Lion, I'm still not sure if I'm gaining anything by having the working "Recovery Partition" versus downloading things from the Apple Apps Store.

It would save the downloading bandwidth, but it sounds like you are *FORCED* to download most of Mountain Lion should you ever need it.

I would *hope* that Apple is sending the Op Sys over an encrypted connection, BUT I also know that large corporations are often lazy and indifferent to security because it requires extra effort and $$$ to implement and maintain... :rolleyes:

Probably the best thing going for me is that I never touched the Original HDD, so that is my best way to "Get back to square 1" and NOT have to be downloading Operating Systems over the insecure Internet.

(I just have these images of that entire process being about as secure as going to a Warez... ) :rolleyes:

Sincerely,


Debbie
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
Apparently Dark Dragoon gave up on me... ;)


Anyway, based on my research and testing, what I said above seems to hold true.

It is *not* true that you cannot use CCC to clone a system with FileVault2 enabled.

It is also not true that once you turn on FileVault2 that you cannot roll things back as far as the "Recovery Partition" goes.


In the end, I formatted my new USB drive to have a 1GB partition and then a 63GB partition.

On the first one, I used CCC to install a "Recovery Partition".

(Now I have a full "virgin" copy of the "Recovery Partition" handy on my USB Drive should I ever need it.)


And on the second one, I used CCC to first create a "Recovery Partition", and then clone my "Main Partition". I then used System Preferences from OS-X to turn on FileVault2 and encrypt everything on Partition #2 on my USB Drive.


After that was done, I did lots of testing!!


I was able to boot from the "Recovery Partition" on Partition #1.

I was able to boot from the "Encrypted Partition" on Partition #2.

I was able to decrypt the "Encrypted Partition" on Partition #2, and then after re-booting I again saw the "Recovery Partition" and "Main Partition" on Partition #2.

I was able to re-encrypt Partition #2 and boot from it.


In the end, I was able to accomplish everything I set out to do - and roll things back - very easily. (It's just all of the research and testing that took me forever!!)

Just figured I'd share for anyone who wants to know how these things work!!

Sincerely,


Debbie
 