I usually carry a USB flash drive with me attached to my keyring. I use it for things that I might need in an emergency, such as my SSH private keys and a backup of my password database and other potentially sensitive items. In such an emergency I need to be in a position to use the keychain with someone else's Mac or PC.
(That's not actually mine – I don't drive a teutonic richmobile! Google found the picture on Amazon.)
In the past I used FAT32 on the unpartitioned flash drive and a password protected ZIP file. I was never comfortable with the security of encrypted ZIP files but it was better than the thought of getting stuck away from base without my computer and needing to deal with a server failure.
By now, most Macs and PCs that I might want to borrow in an emergency can read an encrypted volume. Core Storage in OS X has offered encrypted volumes since 10.7 Lion and Windows 7 and 8 both support BitLocker Disk Encryption (BDE).
So the problem is: Partition a USB flash drive (or other removable storage device) in two and prepare it so that Windows will recognize and use the BDE volume in one partition and OS X will use the encrypted HFS+ volume in the other.
Windows is consistent that any removable storage device can have only one volume on it. If a device has a partition table, either MBR, GPT or a hybrid, it will recognize only the first. OS X has no such limitation. So the task is to use OS X to partition the removable storage device (USB thumb drive, SD card or USB-attached hard disk or SSD, etc.) so that Windows will recognize its first partition and OS X can use the other(s).
OS X Disk Utility will partition a removable device and format each partition with HSF+, FAT32 or exFAT, so the solution would seem simple: partition it in two with exFAT in the first partition (exFAT is better for flash devices than either FAT32 or NTFS) and HFS+ in the second, then encrypt each on its respective OS. But it's not that easy.
Core Storage requires a GUID partition table (GPT) so to be able to encrypt the HFS+ volume you need to choose that option in Disk Utility while partitioning. But then Disk Utility actually creates, as shown below, three partitions: the first is 200 MB "EFI System Partition" hidden in any normal OS X user interface, the second has the exFAT FS, and the third has the HFS+ FS. Windows sees only the 200 MB partition and asks to format it.
$ sudo gpt show -l /dev/disk8
gpt show: /dev/disk8: Suspicious MBR at sector 0
start size index contents
0 1 MBR
1 1 Pri GPT header
2 32 Pri GPT table
34 6
40 409600 1 GPT part - "EFI System Partition"
409640 2008
411648 4218880 2 GPT part - "exFAT-2G"
4630528 3020760 3 GPT part - "HSF+2G"
7651288 262151
7913439 32 Sec GPT table
7913471 1 Sec GPT header
(I think it's amusing that even the gpt utility considers this "suspicious"!)
Perhaps we can rectify this problem by deleting the EFI System Partition before attaching the device to Windows. Without getting into the details, there's a lot of ways to set about doing this that don't work. I tried many. But I found a procedure that seems to work reliably.
-
GPT fdisk. For me it was as simple as
brew install gptfdisk
. If you don't already use Homebrew, now might be a good time to start. -
OS X 10.9 or later. I expect you can get this to work back to 10.7 but haven't confirmed it and I expect there would be differences in the details.
-
Windows 7 or 8, which must be "Professional" or "Enterprise" edition in either case. The other SKUs, such as "Home" edition, or Windows RT or Windows Phone, have disabled the feature to turn on BDE. They can use BDE just fine, they just can't initiate the procedure to encrypt a volume.
Start in Disk Utility by partitioning the device in OS X as already described:
- Partition Layout: 2 Partitions
- 1st partition: exFAT
- 2nd partition: Mac OS Extended (Journaled), i.e. HFS+
- Options... GUID Partition Table
Still in Disk Utility, with the device selected, not one of the volumes in it, ⌘-I shows a list of information about the device. One item is its Disk Identifier, probably in the form "diskN" where "N" is a digit, e.g. in my case it is "disk8".
Still in Disk Utility:
- Select the HFS+ volume on the device in the column on the left and choose the "Erase" tab.
- Choose "Format: Mac OS Extended (Journaled, Encrypted)"
- Click "Erase..."
- Enter a password and confirm. (Use a long random password if you can, otherwise follow Bruce Schneier's password advice. The same will apply when you enter a BitLocker password for Windows.)
- Wait for Disk Utility to finish the tasks
Don't leave it open. Doing so appears to interfere with the next tasks as OS X detects events and fixes the device in ways we don't want.
Now you need the OS X Disk Identifier. In my case it is "disk8" so the storage block device is /dev/disk8
.
After encryption the partition table is even more weird:
$ sudo gpt show -l /dev/disk8
gpt show: /dev/disk8: Suspicious MBR at sector 0
start size index contents
0 1 MBR
1 1 Pri GPT header
2 32 Pri GPT table
34 6
40 409600 1 GPT part - "EFI System Partition"
409640 2008
411648 4218880 2 GPT part - "exFAT-2G"
4630528 3020760 3 GPT part - "HSF+2G"
7651288 262144 4 GPT part - "Booter"
7913432 7
7913439 32 Sec GPT table
7913471 1 Sec GPT header
The following procedure with gdisk straightens out all of this mess for me. Refer to the man pages of the relevant utilities.
First, unmount all volumes from the device:
$ sudo diskutil unmountDisk /dev/disk8
Unmount of all volumes on disk8 was successful
Second, start gdisk (noting the hybrid MBR, which is what gpt considers suspicious) and overwrite the hybrid MBR with a new protective MBR derived from the GPT (see Wikipedia and gdisk man pages) as follows:
$ sudo gdisk /dev/disk8
GPT fdisk (gdisk) version 0.8.10
Warning: Devices opened with shared lock will not have their
partition table automatically reloaded!
Partition table scan:
MBR: hybrid
BSD: not present
APM: not present
GPT: present
Found valid GPT with hybrid MBR; using GPT.
Command (? for help): x
Expert command (? for help): n
Expert command (? for help): w
In the above, the commands are:
x
opens the expert command menun
in the expert menu creates a new protective MBR from the GPTw
writes the edited partition table and exits gdisk.
Third, restart gdisk to confirm the device now has a real GPT, not a nasty hybrid MBR/GPT, and delete Partition 1:
$ sudo gdisk /dev/disk8
GPT fdisk (gdisk) version 0.8.10
Warning: Devices opened with shared lock will not have their
partition table automatically reloaded!
Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present
Found valid GPT with protective MBR; using GPT.
Command (? for help): p
Disk /dev/disk8: 7913472 sectors, 3.8 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): 0FE0AD24-B8AF-4BDF-BA45-5A60BCDFBC37
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 7913438
Partitions will be aligned on 8-sector boundaries
Total free space is 2021 sectors (1010.5 KiB)
Number Start (sector) End (sector) Size Code Name
1 40 409639 200.0 MiB EF00 EFI System Partition
2 411648 4630527 2.0 GiB 0700 exFAT-2G
3 4630528 7651287 1.4 GiB AF05 HSF+2G
4 7651288 7913431 128.0 MiB AB00 Booter
Command (? for help): d
Partition number (1-4): 1
Command (? for help): w
In which:
p
displays the current partition tabled
deletes a partitionw
means write the edited partition table and exit.
Finally, confirm the partition table independently with the gpt utility:
$ sudo gpt show -l /dev/disk8
start size index contents
0 1 PMBR
1 1 Pri GPT header
2 32 Pri GPT table
34 411614
411648 4218880 2 GPT part - "exFAT-2G"
4630528 3020760 3 GPT part - "HSF+2G"
7651288 262144 4 GPT part - "Booter"
7913432 7
7913439 32 Sec GPT table
7913471 1 Sec GPT header
It no longer complains about the "Suspicious MBR at sector 0" and the 200 MB "EFI System Partition" is gone leaving the exFAT partition as the first partition. It seems irrelevant that it has index 2 rather than 1.
(I never bothered to find out exactly what Disk Utility put in the "EFI System Partition" and "Booter" partitions, if anything.)
Finally, remove the device from OS X and attach it to Windows 7 or 8 Pro or Enterprise. The command to turn on BitLocker Disk Encryption on the device is in the device's context menu in Windows Explorer.
My main workstation runs OS X so it's easy to update files on the encrypted HFS+ when I need to. But I generally want to make the same changes to the files on the BDE exFAT volume. And I want the process to be as convenient as I can make it. The problem is analogous if Windows is your main machine, as are the solution options, of which I tried:
- Copying the files unencrypted from OS X to Windows and within Windows to the BDE volume was kinda clunky.
- Running Samba on OS X and mounting a share on Windows certainly works, once it's all set up, but making Samba on OS X talk nice to Windows 8 and visa versa in the first place is a royal PITA. (Take care using SMB/CIFS with sensitive data, e.g. turn off the server when it's not in use.)
- For me the most convenient option was to run Windows in a VirtualBox VM and, from within the Windows guest, copy the files from OS X via Vbox's shared folders.