Cloning a FileVault2 encrypted boot disk under OS X Lion

It’s taken me a while to produce a working, encrypted clone of my MacBook boot disk. There don’t seem to be any good instructions out there for this.

These instructions are for producing a bootable, FileVault2-encrypted clone of a Mac’s FileVault2-encrypted boot disk. In order for a FileVault2-encrypted disk to be bootable under Lion, it must contain a valid Recovery partition. These steps will walk you through creating one, and then producing a bootable clone.

The source medium is the existing boot disk in your Mac. The destination is a USB disk – in my case a surplus SATA disk attached to a cheap USB-SATA converter. I assume these instructions would work equally well for SATA, Thunderbolt or FireWire disks, but haven’t tested this.

We’re running OS X Lion (10.7.4), and using the last free version of Carbon Copy Cloner (3.4.5).

      • First of all, we attach the USB disk. If the Mac complains about it being unreadable, allow it to “Initialize” the disk.
      • Run Disk Utility and find the newly-attached drive.
      • Partition it using the default GUID partition table type, into 2 partitions: one just larger than your source medium, the other free space. It’s OK to create just one partition filling the entire disk, if you’d prefer this, but don’t try to create two formatted partitions – if you do this, the subsequent step of cloning the Recovery partition will fail. You can go back later and format the free space once this process is completed.
      • The first partition’s type doesn’t matter at this point as we’ll re-format it later, except that it must not be encrypted. If we encrypt the disk now, we’ll be unable to subsequently add the Recovery partition, as Carbon Copy Cloner is unable to work with the CoreStorage partition layout that adding encryption will create.
      • Give your destination disk’s first partition a meaningful name – it’s going to avoid a lot of confusion if you don’t try to give it the same name as your source disk.
      • Apply these changes and close Disk Utility.
      • Start Carbon Copy Cloner and open “Disk Center” (cmd-2).
      • Pick your target disk from the list on the left, and then pick the “Recovery HD” tab on the right. Press the big button to create a Recovery HD on your destination disk.
        The Recovery partition, once created, is not visible to desktop tools such as Finder – but can be seen in the output from diskutil list
      • Once the Recovery HD has copied, re-open Disk Utility and re-format the target partition with the same filesystem type as your source partition. So if your source/boot disk is “Journalled, case-sensitive, encrypted” then the first partition on your USB disk needs to be “Journalled, case-sensitive, encrypted”. It’s also theoretically possible to carry out this encryption step via the “encryption” tab in Carbon Copy Cloner – but I found this unreliable. Note that you won’t be offered the usual chance to save your keys with Apple, it won’t offer you a “recovery” key, and it won’t give you the opportunity to have the disk be unlockable by any valid user at boot time. I’m fine with this (I just don’t want the burglar who steals the disk to be able to read my data). You’ll need to use a strong password, and not lose it. This will not wipe out the Recovery HD that you have just created, which remains invisible throughout this process.
      • If you want to verify that the partition is indeed encrypted, look at the diskutil cs list output.
      • Quit Disk Utility, return to Carbon Copy Cloner.
      • Clone from your “source” to your “destination” – this will take a while. Choose your favoured combination of settings – but make sure you pick a combination that reports “the destination volume should be bootable”!
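As an added check for the Recovery HD and encryption steps above (example code, not from the original post): a small POSIX sh script that parses diskutil list and diskutil cs list output and only reports the destination as ready when the Apple_Boot “Recovery HD” slice is present and the volume sits in an AES-XTS, passphrase-protected CoreStorage family. The volume name “Clone”, the identifiers disk2/disk3 and the embedded outputs are constructed samples modelled on Lion’s format, not captured from a real machine.

```shell
#!/bin/sh
# Constructed sample (not captured) of Lion-style `diskutil cs list` output for a USB disk whose
# first partition was named "Clone"; UUIDs abbreviated.  The family block precedes its volume.
CS_LIST='CoreStorage logical volume groups (1 found)
+-- Logical Volume Group 1111-2222
    Name:         Clone
    Status:       Online
    +-< Physical Volume 3333-4444
    |   Disk:     disk2s2
    +-> Logical Volume Family 5555-6666
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Passphrase Required:     Yes
        +-> Logical Volume 7777-8888
            Disk:                  disk3
            Volume Name:           Clone
            Content Hint:          Apple_HFS'
# Constructed sample of `diskutil list` for the same USB disk after CCC added the Recovery HD.
DISK_LIST='/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk2
   1:                        EFI                         209.7 MB   disk2s1
   2:          Apple_CoreStorage                         499.1 GB   disk2s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk2s3'

# has_recovery_hd <diskutil-list-output> <disk>: true if <disk> carries an Apple_Boot "Recovery HD" slice.
has_recovery_hd() {
  printf '%s\n' "$1" | awk -v disk="$2" '
    /^\/dev\// { cur = substr($1, 6) }                      # "/dev/disk2" -> "disk2"
    cur == disk && $2 == "Apple_Boot" && $3 == "Recovery" && $4 == "HD" { found = 1 }
    END { exit found ? 0 : 1 }'
}

# volume_is_encrypted <diskutil-cs-list-output> <name>: true only if the named logical volume sits in
# a family using AES-XTS with a passphrase required.  A "Converting" status still passes here; wait
# for "Conversion Status: Complete" before trusting the clone.
volume_is_encrypted() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /Logical Volume Family/ { type = ""; pr = "" }           # new family: reset its attributes
    /Encryption Type:/      { type = $NF }
    /Passphrase Required:/  { pr = $NF }
    /Volume Name:/ {                                        # name may contain spaces
      sub(/^[ |]*Volume Name:[ ]*/, "")
      if ($0 == want && type == "AES-XTS" && pr == "Yes") ok = 1
    }
    END { exit ok ? 0 : 1 }'
}

# On the Mac itself you would pass "$(diskutil list)" and "$(diskutil cs list)" instead of the samples.
has_recovery_hd "$DISK_LIST" disk2 && volume_is_encrypted "$CS_LIST" Clone && echo "destination ready"
```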

Once done, we need to test by booting from the clone:

  • Run nvram | grep boot-args and, if not already set, sudo nvram boot-args="-v" so that if boot fails we’ll be able to see what went wrong.
  • Stop and think about whether you have anything on your Mac which will get broken if you boot from a slightly-out-of-date cloned copy of it (eg you’ve updated files in Dropbox, or your Mac is a server for your local network). Take appropriate steps if necessary (mount the cloned “destination” disk and disable apps?).
  • Shutdown your Mac and boot it with the option (alt) key held down. Select the USB disk as boot device. It should boot up as normal (although slow). It will prompt you for the password to decrypt the disk.
  • It might be the case that you’re offered at boot-time a choice between the “Recovery HD” on your internal disk and the “Recovery HD” on your USB disk; this seems to be a firmware bug. If this happens, select either Recovery HD, and run Startup Disk; select the partition on the USB disk and restart. This will prompt you for the disk password and then boot as normal.
  • Once booted from your cloned disk, you might want to make sure that things work – particularly you might like to check that your files are present, and your keychain is intact (remembered logins in your browser work, your Mail client works, etc). Before you shutdown again, run Startup Disk and select the internal disk for the next boot.

2 Responses to Cloning a FileVault2 encrypted boot disk under OS X Lion

  1. Steven says:

    Thank you for this — saved me who knows how much time. Your step by step guide helped this Mac and CCC newbie get an encrypted, bootable backup working right away. And on a WD external, no less.

  2. mentalnirex says:

    Thank you for the comment. I’m glad these instructions helped someone.

    I have been using exactly the same steps successfully with Mountain Lion, since upgrading.
