Re: [Fed-Talk] some observations on Lion Server and whole-disk encryption
- Subject: Re: [Fed-Talk] some observations on Lion Server and whole-disk encryption
- From: David Emery <email@hidden>
- Date: Wed, 04 Jan 2012 12:00:35 -0500
Given my situation, existing un-encrypted drives that I wanted to convert to encryption, I didn't see any way to do this besides copy-off/encrypt/copy-back. The only option to converting a drive (partition) to encrypted that I saw is 'destructive', i.e. it's an option on erasing the drive. And this makes sense to me, since the encryption approach adds a bunch of stuff to the partition (and that's why the usable data capacity is reduced when you encrypt the drive.)
One reason I wanted to share this was to allow someone to tell me how I should have done it :-), i.e. is there a better way to take an existing drive with data and convert it to encrypted?
Oh, and the other function that 'inside server' has is to run "Radio Free Davebert" - that's iTunes set for album shuffle/repeat all, where the speaker output is connected via an Airport Express & AirTunes to an FM transmitter centrally located to broadcast throughout the house. That takes up about 10% of the CPU on my Mini (relatively unchanged between SL Server and Lion Server.)
Underneath at least Carbon Copy Cloner and Super Flexible File Synchronizer is the Unix rsync application. Mr Bombich (CCC) has done a good job maintaining a Mac aware rsync application that, if you're willing to work with the command line, you can use at /applications/Carbon Copy Cloner.app/Contents/MacOS/CCC helper.app/Contents/MacOS/rsync. (Hint: if you want to use this, set up a symbolic link in /usr/local/bin.) I understand why Carbon Copy Cloner has the restrictions it does on TimeMachine data sets, although it's substantially reduced CCC's utility for me. Super Flexible File Synchronizer provides pretty much the full capability of rsync with a (kinda clunky at times) GUI, and that's what I use to do 2nd tier backups to get redundancy across my network. (My important data lives in at least 3 places on the network plus an offsite backup drive.)
dave
On Jan 4, 2012, at 11:46 AM, William Cerniuk wrote:
> I probably am not reading this right but it appeared that you might have been copying data off drive, encrypting drive and then copying data back? At least copying the entire thing post encryption?
>
> AFAIK encryption will encrypt the 0's as much as it will encrypt the 1's <grin> so it takes considerably less time to set the target drive up as you want it and then trigger the encryption. Otherwise you essentially encrypt the same amount of data twice.
>
> Using SuperDuper was a good move. CCC not as robust. Could also (I think) use Disk Copy to do a restore but binary under the bridge now.
>
> Doesn't TimeMachine offer to encrypt under Lion? Each disk image as an encrypted disk image on a TimeCapsule. Not sure about OSXS and such an option but now I have to check ;-)
>
> I will confess, rather enamored with my MiniMac server (not dual HD but latest mini). It is proving to be a more "iTunes" quality product although I do miss some of the features from SL (like wikis in virtual domains and oh, I don't know compatibility with old govt versions of IE maybe?!!??)
>
> Best,
> Wm.
>
>
> On Jan 4, 2012, at 11:32, David Emery <email@hidden> wrote:
>
>> I moved my 'inside server*' to Lion Server before Christmas, and over the holidays started applying whole-disk encryption (which is my must-have Lion feature). This is running on a 2GHz Core 2 Duo Mini (conventional Mini, not Mini Server.) The primary role for this machine is file and backup server (it also provides LDAP) and the disk drives are interfaced via FW800.
>>
>> Converting my disks to encrypted was surprisingly painful.
>>
>> My TimeMachine drive (I started with that one) is a 2TB drive that was about 80% full. I used Carbon Copy Cloner and its block level copy to dupe that disk to an external 2TB "working copy" drive, and that step took the better part of 18 hours. Then I formatted the TimeMachine drive to the new whole-disk encryption format. But when I tried to use CCC to restore the drive, I hit some real problems. (a) The TimeMachine drive capacity is now slightly smaller than before, so CCC won't do a block-level copy from a larger to smaller drive. And CCC will not copy TimeMachine backups any other way. So I switched to SuperDuper, which will do a file-based copy of a TimeMachine dataset. That step took another 12 hours. When I re-enabled TimeMachine, it announced that I had switched backup drives and did I really want to use that drive. That caused TimeMachine to basically crunch through the full backup set. And when TimeMachine was done, the Metadata Service (MDS) application had to rebuild the TimeMachine drive indexes.
>>
>> Next I wanted to encrypt the drive (partition on an OWC Qx2 4 drive RAID enclosure) that holds my server's client home directories. I disabled file sharing, and used SuperDuper to copy that 1TB drive to my 2TB working copy drive, about 8 hours. I enabled encryption, and copied back from the 2TB to 1TB drive using SuperDuper. Once again, when that was done, TimeMachine and Metadata Service needed to spend a lot of time re-establishing backups and indexes.
>>
>> Then I ran Disk Utility Repair and DiskWarrior on both the TimeMachine and home directories drives. That went OK, but -yet again- TimeMachine and MDS decided they needed to reindex the drives. I don't recall seeing this with Snow Leopard/Snow Leopard Server.
>>
>> And I've noticed the load average, particularly the system/kernel (vs application) load average has substantially increased. On this machine, with MDS or TimeMachine running, system time is running 30% (and 45% when both are running, as is happening as I write this note...) It's not a surprise that the kernel does a lot of the work for encrypting/decrypting, but I didn't expect that to run 30% or more. Before, under SL Server, the overall load average was less than 5%.
>>
>> I'm still hoping for a Thunderbolt to eSATA adapter, so I can move the external drives from FW800. When that happens, I'll probably replace the Core 2 Duo Mini with a Thunderbolt equipped Mini (but since my 'real disks' are external RAID enclosures, paying the extra $ for the Apple dual-drive Mini server doesn't make sense.)
>>
>> dave
>>
>> * I have 2 Minis running server. The other Mini is still on Snow Leopard Server and sits as a DMZ machine, running a couple of websites, etc. I am not running email.
>> -----
>> David Emery, 703 298 3473 (c) 703 272 7496 (fax)
>> Supporting PdM Software Integration
>>
>>
>>
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Fed-talk mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
-----
David Emery, 703 298 3473 (c) 703 272 7496 (fax)
Supporting PdM Software Integration