21 August 2011

First, before I go any further, just let me say that this issue is really not SuperDuper’s fault. It does exactly what it’s supposed to do. The problem is the way encryption works in Apple’s latest release of OS X.

Lion uses full disk encryption. This is good. It means that everything is encrypted, not just your home area. Log files and system related information are also now protected. Previously, whilst the data in your home directory was protected, there were lots of things that lay outside of that directory that weren’t protected. This can lead to potential loss of privacy and may give attackers the potential to figure out a lot about your laptop. Although in theory there shouldn’t be much of consequence on the rest of the disk, certainly not enough to allow an attacker to gain access to your encrypted data, you can never be totally sure or confident.

Full disk encryption protects against this by encrypting everything from start to finish. There is nothing left unencrypted. Now, because everything is encrypted, some sort of key or password must be given to unlock the disk before it can be used. But if the disk is fully encrypted, how can you access it to load the software needed to access it? You can’t, so you get stuck in a loop.

The solution is pretty simple and elegant. All you need is an unencrypted boot partition. This stores enough data to allow the machine to get to the stage where it can ask for the necessary details. In fact, you don’t really need a whole partition for this; often you can fit a very basic version as part of the boot loader. This is how solutions such as TrueCrypt solve the problem.

Apple decided to go the disk partition route and for good reason - little of which I suspect had anything to do with full disk encryption. The vast majority of people will have bought Lion via the App Store. Not only is it significantly cheaper but it’s much more convenient to download and install. The question is, what do you do if you want to reinstall your machine? You could install Snow Leopard first, and then upgrade to Lion, but that’s not really ideal. You can’t boot from the Lion DVD because, well, you don’t have one. You can however boot from the recovery partition that Lion creates during install and use that to kick-start the process. Great, eh?

Well, not really no. As long as you have that partition you’re safe but what if your hard disk fails and is replaced? What if you upgrade to a new larger hard disk? What if (like me) you have a disk image backup of your machine and update it and rebuild your laptop on a regular basis? If you do any of these things, you’re effectively screwed.

The first time I knew about this was after I tried to re-image my MacBook Pro. Generally speaking, every couple of months I re-image my Mac, fully update all my software, add whatever is missing and create a new image. This means that it keeps the cruft on my machine to a minimum and should my disk fail, I have a really up to date version of my system to put back on it. Within two to three hours, I can be almost back to the point where the disk failed. As I don’t keep any important data on the machine itself, this works really well for me.

I installed Lion, updated everything and took the new image. I then turned on disk encryption. FileVault is great because it means if you leave your laptop on the bus, taxi or train, anyone who decides to take it as their own will immediately find that they can’t log in to it. Now, unless they know the owner is likely to be storing corporate secrets or the plans for the Death Star, chances are they will simply wipe the machine and reinstall it. Encryption won’t stop someone stealing and selling your laptop but it will stop them from getting any of your data - a very important concern. After all, how many of us save our email and IM passwords? How many of us use the same passwords in different places? All in all, you really don’t want some random person getting their hands on that!

Being a good boy I followed the rules of the profession and tested the backup. It all restored okay. I hadn’t really expected it not to as SuperDuper had been awesome for Leopard and Snow Leopard but as Lion is a completely new OS, I just wanted to be sure. All was fine until I tried to enable disk encryption. I got an error message stating that I didn’t have a recovery partition and therefore my disk was not compatible with full disk encryption - please reinstall and try again. Eh?!?!

Well it turns out that I hadn’t backed up the recovery partition. I didn’t even know there was one because it is hidden in Disk Utility. Very useful that! To cut a long story short, SuperDuper backed up my data and operating system but knew nothing of the recovery partition. When I restored it, I had the nice bootable partition all in place, just no recovery partition, hence the failure when I tried to turn encryption on.
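A check worth running after a restore and before turning FileVault on, as an added example that is not part of the original post: it reads `diskutil list` output and reports, per disk, whether a recovery partition is present. It assumes the Lion-era listing in which that partition appears with type `Apple_Boot` and name `Recovery HD`; the function names are hypothetical and both sample listings are constructed.

```shell
#!/bin/sh
# Added example: find disks that lack a Recovery HD partition.
# Reads `diskutil list` text on stdin; prints "<device> recovery=yes|no" per disk.
recovery_status() {
    awk '
        # A line starting with /dev/disk opens a new disk section.
        /^\/dev\/disk/ {
            if (dev != "") print dev, "recovery=" (found ? "yes" : "no")
            dev = $1; found = 0; next
        }
        # Partition rows look like "N: TYPE NAME SIZE UNIT IDENTIFIER".
        $1 ~ /^[0-9]+:$/ && $2 == "Apple_Boot" && /Recovery HD/ { found = 1 }
        END { if (dev != "") print dev, "recovery=" (found ? "yes" : "no") }
    '
}

# Succeeds only if the named disk (e.g. /dev/disk0) has a Recovery HD.
has_recovery() { recovery_status | grep -q "^$1 recovery=yes\$"; }

# Constructed sample: the disk as laid out by the Lion installer.
sample_installed() { cat <<'EOF'
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            499.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
EOF
}

# Constructed sample: the same disk after a restore of the boot volume only.
sample_restored() { cat <<'EOF'
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            499.8 GB   disk0s2
EOF
}

# On a Mac, report on the real disks; elsewhere this step is skipped.
if command -v diskutil >/dev/null 2>&1; then
    diskutil list | recovery_status
fi
```

A `recovery=no` result for the boot disk corresponds to the restored state described above, where the volume boots but there is no recovery partition.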

The solution? Reinstall Lion over the top of itself. This recreates the missing partition and will allow you to use encryption again. However it also messes up some of your apps. It broke Mercurial, seemed to uninstall git and totaled my LaTeX install. I’m not entirely sure why as the initial upgrade from Snow Leopard (apart from Mercurial due to the Python changes) worked fine…

So, if you use a tool like SuperDuper, and want to use disk encryption, you’re going to need to find a way to back up the whole disk rather than just the content. I will be looking for solutions and it’s quite possible that SuperDuper will add the ability to make one of those partitions too. I’m not sure though because it’s kinda out of scope from what SuperDuper is meant to do.

Again, SuperDuper works great and continues to work great - just this little gotcha (which exists with all similar tools) is going to kick quite a few people in the ass.

