Mac Encrypt External Drives With RAID 1 Mirroring

This is taken fromĀ

So, let's assume you have your Apple Raid volume, which you have created somehow, either through Disk Utility or through the command line.

Note: This process will format your RAID and encrypt it. Backup any data you want to keep (at least twice) before proceeding.

The first thing we need is to know the low-level OS identifier for the Apple Raid volume of interest, so type:

diskutil list
which will give you a list of the various hard drives, partitions and logical hard drives (eg Apple RAID volumes) on your system. Look at the list and figure out, based on name, size, whatever, which is the Apple RAID volume we wish to encrypt. Make sure you get the RIGHT identifier, otherwise you'll destroy some other volume. It's wise, when doing this, to disconnect (manually --- pull out the cables!) all hard drives not relevant to the problem, including, most obviously, your backup drives!

So the list tells us the device of interest is, say, disk7

Next we want to create a Core Storage LVG (Logical Volume Group) wrapper around the device. I'm not going to claim I understand Core Storage terminology, and why they use a different word for everything compared to Apple RAID, but far as I can tell, the LVG is essentially Core Storage's version of a logical hard drive. So type:

diskutil cs createLVG BackupImacLVG disk7

BackupImacLVG is the name we are giving to the logical hard drive we're creating. This command will take a few seconds, then spit out a long string which is is the "name" (the UUID) of the LVG we have created. We use it in the next step.

We're not done. We now need to create the equivalent of a partition (which Core Storage calls a Logical Volume) on this logical hard drive. Here is the next command:

diskutil cs createLV 8C5AED3-0CCF-4155-8E3D-DF7D9E68EE7B JHFS+ BackupImac 100% -stdinpassphrase

In the command above: 8C5AED3-0CCF-4155-8E3D-DF7D9E68EE7B is the LVG UUID we were just told (make sure you use your own), and JHFS+ is the file system we want to create in the partition. BackupImac will be the name of the volume created in this partition. 100% says how much space we want to give to this partition. (There are a few different ways to specify sizes, but most people will probably use 100%). -stdinpassphrase says that we want to use encryption.

The command line will then put up a prompt of:

Passphrase for new volume:

You enter the password, and you're done. (Note none of the helpful Apple FileVault UI here! No offering to save your password for you with Apple, no second request for the password to make sure you typed it correctly!)

The end result of all this is exactly what you would hope for and expect. An encrypted volume with all the performance of the previous AppleRAID volume. (And if you look at the diskutil man page, you will see that they explicitly list Apple RAID volumes as supported targets for diskutil cs createLVG, so this isn't some strange edge case that isn't officially supported.)

Disk doesn't update its UI (it's really bad in this respect --- has been an ongoing problem in OSX) so quit it and restart it. You'll now see, along with your RAID slices, a new "hard drive" called BackupImacLVG (or whatever you called it) along with a partition called BackupImac (or whatever you called it), with a format of "Encrypted Logical Partition".

One thing to be aware of. The disk is mounted during the creation process without asking for a password (you gave the password in the command line).

Right after you are done, you may want to unmount the volume, power down the hard drives of the AppleRAID volume, power them on again, and see what happens. If you have done everything correctly, once all the slices of the Apple RAID have spun up and been detected by the OS, a window should appear on the screen asking you for the password so that the disk can be mounted.

Replacing a bad drive

First, get a list of your drives and note the IDENTIFIER of the new drive, ie. disk7:

diskutil list

Then, get the Unique ID of the AppleRAID set, ie. 51424AE9-C99E-4A6B-AA7C-6A6EEF5974E5:

diskutil appleraid list

Next, add the disk as a member of the AppleRAID set:

diskutil appleraid add member disk7 51424AE9-C99E-4A6B-AA7C-6A6EEF5974E5

The rebuild process can take a very long time, most likely hours and it could be closer to a day or more if you have a large capacity drive, so leave your computer plugged in with the energy savings set so that the computer never sleeps (don't forget to change it back after a day or so.) To check the status, run the diskutil appleraid list command again.

To remove the failed drive from the AppleRAID set using diskutil appleraid remove (UUID of the failed drive) (AppleRAID set Device Node), ie.:

diskutil appleraid remove D213E914-515A-49B6-BB52-B60DB07D7E0B disk5

External References

Article Type