
Lion’s FileVault 2 and disk restore: caveat encryptor

There are some subtle incompatibilities between Lion's FileVault 2 full disk …

When Mac OS X 10.7 Lion introduced full disk encryption, called FileVault 2, it was a huge improvement over the original FileVault, which only encrypts a user's home folder. And because of the "creative" way FileVault was implemented, there were numerous incompatibilities, gotchas, and caveats to its use. FileVault 2, on the other hand, encrypts individual disk blocks, so the encryption is invisible to the file system and really doesn't get in the way of normal use. Adding to this is another new feature in Lion: the recovery partition and the network recovery system introduced in last year's hardware.

In almost all cases, these new features will work together without trouble. Still, there are a few things you should know, especially if you use encrypted Time Machine backups and if you can't depend on fast Internet connectivity to be available should your boot drive fail.

My tale of woe

But first, let me tell you the sad story of how I repaired some disk errors on my MacBook Air's SSD. After reading the section called "What's wrong with HFS+" in John Siracusa's Lion review, I'm surprised that the Mac's file system actually works most of the time. But invariably, after several months of use, some errors manage to accumulate, and it's necessary to use Disk Utility to repair them. I reached that state a few days ago when emptying the trash would hang for no apparent reason.

Disk Utility told me to boot from another drive and run itself in repair mode. This is where the recovery partition came in handy—and it's not like I have a Lion DVD lying around—so I rebooted my Air while holding the option key in order to be presented with the list of possible boot drives. But the recovery option wasn't listed. There was a list of wireless networks, which I used to start my Lion Internet recovery in August. But selecting my WiFi network didn't give the option to recover over the network, either.

Fortunately, I had written a recovery partition to my Time Machine drive for just such an eventuality with the Lion Disk Recovery Assistant. This one did show up in the list of boot drives, so I started Disk Utility—only to find out that my Air's boot drive was grayed out so I couldn't repair it. To add insult to injury, it was also impossible to restore from my encrypted Time Machine backup!

Look for the small but important difference.

I was able to resolve this situation by booting up my computer normally and then using the security settings in the System Preferences to decrypt my hard drive. (It's also possible to do this using the command line, of course.) After this, the recovery partition magically showed up as a boot option and I was able to repair the drive, which was just suffering from a minor case of miscounted free blocks. It could have been much, much worse.

Lessons learned

I later found out that I could have avoided all of these issues by just using command+R to get into the recovery system, as Apple tells us to. (In my defense, all these cryptic startup keyboard shortcuts are impossible to remember.) Despite the fact that it doesn't show up as a boot option when FileVault 2 is enabled, the recovery partition still works if you invoke it using command+R. Even more surprising, the Disk Utility that I started that way does know how to unlock FileVault 2 drives so you can repair an encrypted drive or restore from an encrypted Time Machine backup. (You simply type the password for one of the accounts that is allowed to boot the system.)

It seems the Internet recovery option is hidden if the recovery partition is present, but Ars reader @Sacrilicious told us via Twitter that command+option+R will force the Internet recovery.

But what's the deal with the different behavior of the two recovery partitions? Although the GUI completely hides these partitions, you can mount them with the diskutil command and then peruse them using the command line. It turns out that my two partitions held different versions of the BaseSystem.dmg file. At some point—probably the 10.7.2 update—there must have been a change which made it possible for the recovery system to unlock encrypted drives. These modifications were of course written to the recovery partition on the internal drive, but not to a USB drive that is only connected once in a while.

The previously mentioned Lion Disk Recovery Assistant will happily write a new copy of the recovery partition to a drive that already has it—and without messing with other partitions on that drive. Which leads me to the next surprise. If you run the Lion Disk Recovery Assistant with FileVault 2 enabled, it creates recovery partitions that don't work. This makes some sense because FileVault 2 uses the recovery partition during its boot process. Once again, a decrypt > run the utility > re-encrypt cycle fixes the problem.

So where does this leave us?

If you're a FileVault 2 user, remember two things: use command+R when booting to go into recovery mode, and you can always decrypt your drive if FileVault 2 gets in the way of fixing a file system issue. Of course, decryption won't do anything for physical drive problems, so always back up first and make sure you don't overwrite backups from before the disk trouble started.

If, like me, you are the owner of a post-Lion Mac, you probably won't have any reinstall media like an original Lion DVD. So, if your internal drive gets wiped or replaced, there are only two options to reinstall Lion: over the Internet or from a Time Machine backup. If you find yourself in a situation where downloading half a gigabyte for the recovery image or even four gigabytes for Lion could be problematic, then it all comes down to that Time Machine backup. And if that backup is encrypted—as it really should be—you really want to have a copy of the new version of the recovery partition on that Time Machine drive, or on a separate flash drive. So, for your own sanity, make sure you create this recovery partition on a system that doesn't have FileVault 2 enabled.
