Hey guys,
Anyone know of a way to transparently do this on Mountain Lion or (pushing it) Lion? I've gone through the fdesetup options in Mountain Lion and nothing stands out.
Question
Encrypting second partition with Filevault 2 and an institutional recovery key
+8
+10As far as I know, it can't be done.
You can create an encrypted CoreStorage volume on another disk/partition, but if you want full FileVault 2 functionality, it must be a bootable volume. You'd then boot into that volume and use the normal methods to enable FileVault on the startup disk.
-Greg
Greg's right, this isn't possible currently with a non-boot disk. You can set up the non-boot drive to be encrypted, but it can only be unlocked with a password.
I have a couple of posts on how to encrypt a non-boot drive available here:
http://derflounder.wordpress.com/2012/01/06/encrypting-10-7-non-boot-volumes-without-erasing-them/
http://derflounder.wordpress.com/2012/07/25/encrypting-non-boot-volumes-in-mountain-lion/
If you need non-boot drives to be encrypted and have alternate recovery methods, I recommend looking to hardware encryption. IronKey has solutions that may work for your environment:
+8No problem thanks for the responses - Just as I thought it can be done but not with the same institutional key. Doesn't help me unfortunately
That's a great question. The fdesetup command is the primary tool for managing FileVault 2, and as you've found, it doesn't have a built-in "transparent" or pre-boot bypass option by design—that would defeat the security purpose.
Your search for a seamless encryption layer is interesting because it mirrors a hardware-level concept in high-performance computing. What you're essentially looking for is a software abstraction that handles encryption without interrupting the user workflow.
This is directly analogous to the role of a Mezzanine Card with a Dual Channel interface in a server or storage array. In that context, the mezzanine card acts as a dedicated, transparent co-processor for specific tasks. A "Dual Channel" architecture ensures there are two independent data paths, which is crucial here: one path can be dedicated to the primary data flow (reading/writing files), while the other handles the computational overhead of a parallel task—like real-time encryption and decryption.
The mezzanine card performs its job (be it encryption, compression, or networking) completely transparently to the main CPU, offloading the work to preserve system performance. FileVault 2 aims for a similar user experience by using the Mac's built-in hardware (the T2 chip or Apple Silicon Secure Enclave) to perform the encryption/decryption on-the-fly with minimal impact, making it feel transparent after the initial unlock.
So, while a software tool like fdesetup might not offer a transparent bypass, the underlying system architecture is already using a "transparent acceleration" principle similar to a hardware mezzanine card to make the encryption itself as seamless as possible. You might be hitting the limit of what's possible in user-space for a security feature that fundamentally requires an authentication gate.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.