If any of you are using OS X's File Vault right now, my semi-professional recommendation has changed from "use it only if necessary" to "turn it off and never look back". When I administered Xserves at CENIC, I never even considered setting it up, since 10.3 had known, major problems with File Vault (the most relevant being the difficulty of backing such a volume up). On Leopard, a lot of those issues were ironed out, and I had a drive full of sensitive human-subject data that I needed to protect ASAP (this was around the UCLA ID theft scare), so I turned on File Vault and thought that would be that.
File Vault does have the benefit of being fast and erring on the side of more secure vs. more usable. However, it goes too far. The particular situation that pushed me over the edge is the behavior of File Vault when you fill up your primary hard disk.
I have 97.2G of space on my 10.4 system. By the time that Matlab noticed that it could no longer write temp files out, the sparse disk image from File Vault was eating 63G of this space. Normally, when I delete files, I can log off and File Vault will automatically put up a dialogue asking if I want to "reclaim extra disk space" from the sparse image. It turns out that this does not happen reliably. My working hypothesis is that the disk reclamation is triggered by fragmentation in the sparse image rather than the number or size of the files deleted. The one time I actually got it to trigger later on in an afternoon of experimenting was after I took the computer down hard and then logged in and logged off, without doing anything else. So, I couldn't free up enough space to save my work. I couldn't free up enough space to start an ssh connection. I couldn't free up enough space to mount a CD to dump onto. All this time, what's left of my running programs is going haywire because there is no application virtual memory to be had anywhere. I'm starting to get a little angry. I finally find something willing to mount (a ghetto thumb drive), take down the machine in hopes of freeing space, and start looking at turning off File Vault.
To turn off File Vault, it first told me that I needed 1kb (more) of free disk space. I was suspicious, since even though I'd deleted all of my music and movies, I shouldn't have enough space to double my home directory. However, I spent a couple minutes deleting small files and playing the "how can I get it to give me my space back" game. I won once, and got 3G back. 3G >> 1K, so ... I tried again. No go. Now, apparently I needed 2048G of free disk space. There is just no satisfying the damn program. It turns out that there is a known issue with File Vault not being able to estimate how much space it uses or needs. Also, it was not releasing the disk space from the movies or music, so I still only had 3G free. I would have needed 63+G of free space to hold the decrypted image if I tried to decrypt manually, which was clearly not an option, so the time came for drastic measures.
The only way to recover from a corrupt File Vault image, or a soon-to-be-violated one, is to back up all of your data while you are logged in (if you are logged out, all you can back up is the image), delete the image, and re-construct your system. As I write this, my computer is in the process of the reconstruction. File Vault got one last stab at me last night, though. When I deleted the sparse image, it refused to let me log in to my account again (deleting the sparse image should just put you into a default new-user configuration). After a bit of on-line searching, I found a report about someone who "used Net Info to disable File Vault". Looking at the tree for my user in Net Info, P noticed that the HOME_LOC variable was set in my account but not in his (virgin acct). Deleting that variable, which pointed to a directory that had never existed afaik, made it so that I could log in and begin the file transfer that will hopefully get me back to normalcy soon.
There are all sorts of better ways to encrypt only the data you want encrypted, such as creating a separate volume of secure data and encrypting it. Once my computer is restored, I intend to use GnuPG on only my thesis directory tree.