
Encrypting a bootable clone

Created: 07 Feb 2011 | 7 comments
Tom Mc's picture

I am about to test out WDE for the first time.  I want to make a bootable clone on an external firewire drive using Carbon Copy Cloner, that will be bootable and encrypted.  I am reading everything here about the process and still find myself a little confused.  

This thread touches on the subject, but still leaves me with questions

So far I know that I must NOT copy the PGPWDE01 and PGPWDE02 when cloning.  And I should clone to the FW drive BEFORE encrypting the drive.   So, after I do that, since I have PGP installed on the source machine, PGP is also on the clone, but the drive isn't encrypted, right?  So, to encrypt the cloned drive, should I boot into the clone and encrypt from there?  Or can I encrypt the clone while booted on the source machine and encrypt the FW drive like I am encrypting any external drive?  After the clone drive is encrypted, I must use incremental backup only, right?  Since I don't copy the PGPWDE01 and PGPWDE02 files when cloning, does PGP just create these files either the first time I boot the drive or when I encrypt it?  

I have also read that PGP needs to be installed on the machine that is going to boot the clone.  So I won't be able to boot my bootable clone on a system that doesn't have PGP installed?  For an emergency backup solution (assuming I would be on a new computer or another person's computer), I would basically just need to keep a disc with a copy of PGP and install that on the machine before attempting to boot with my drive?  That creates an issue for me.  One license is only good for one computer, right?  So if I want to boot my clone of my work computer on my home computer, am I going to have to buy another license for my home computer?  Or can I just install PGP without a license to boot the clone?


Per Duane in post 33 in the thread you referenced, you should clone *after* you encrypt the external drive:
"I think the more appropriate way to do this would be to WDE the backup disk first, then CCC the disk over, skipping the PGPWDE01 and 02 files."

This procedure was confirmed by forum super contributor lhotka:
"Duane - per your last, I can confirm that WDEing the external first and then cloning without /PGPWDE01,02 works just fine.  I can successfully boot the external, and it's only after OSX starts that I'm prompted for the internal password.  Using a FW800 external 500GB disk (same size as internal), CCC 3, incremental mode, preserve root items on target."

PGPWDE01/02 are bound to the encrypted disk and created when you encrypt, as you surmised.

Any encrypted disk requires PGP to read it, and WDE is licensed per machine. Thus, to be legal, you need a license for each machine you will use with the disk. Note that you will not have to install it again if it is on the disk that you cloned (the clone should contain everything from the original machine, which would include the PGP software).

7 Comments

desertrat's picture

Hey Tom,

If the key purpose is to make a bootable clone like this, what are the recommendations as far as using a keypair or passphrase to encrypt the drive?  Is there any reason to use one over the other?

paulhen's picture

Because of limits of pre-boot authentication, using a keypair requires an external device such as a smart card or USB drive. This then raises the possibility of losing the external device (drop it, run over it with the car, flush it down the commode...) and therefore losing all access to the encrypted data. We do have customers that go that route (using a key pair on an external device). I personally prefer to select secure passphrases. Given equal quality passphrases, two-factor authentication is more secure.

Which way you want to go is what I term a "vanilla or chocolate" question. I know what my preference is, but I can't tell you what yours is.

Governments keep a lot of secrets from their people . . . Why aren't the people in return allowed to keep secrets from the government? --Philip Zimmermann, Der Spiegel

mallardduck's picture

I didn't think the Mac version supported two-factor authentication for bootable disks.

desertrat's picture

I didn't realize I could do both.  I encrypted a drive with a keypair and I couldn't boot from it.  So, I added a passphrase user to it.  Now I can mount it with my keypair on my computer and boot from it with the passphrase user.  So, it seems to work either way just fine with the same drive. 

desertrat's picture

Now, in regards to the same issue, how do we restore from said clone?  I tried searching the old forum for the subject, but had a hard time finding any results.  Would I just need to do a standard restore, omitting PGPWDE01 and PGPWDE02, then boot the system and perform the encryption?  It seems simple enough, but since it is recommended to do the exact opposite for encrypting an external bootable clone, I have to ask.

mallardduck's picture

If you want an unencrypted restore, repartition (not erase) the target before proceeding (you'll have to do that from a non-PGP installed system like the install DVD; PGP blocks Disk Utility on encrypted volumes). If the target is already encrypted, you can just clone back without touching those two files (in Carbon Copy Cloner choose 'preserve root-level items' and do an incremental restore) and have an encrypted target.
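The recipe that runs through this thread, for both directions, is the same: the target volume must already be WDE'd, and the clone must skip the two root-level files PGPWDE01 and PGPWDE02 because they are bound to the disk they were created on (the accepted answer above for the initial clone, mallardduck's comment just above for the restore). Carbon Copy Cloner is a GUI application, so the following is not a script from the thread, from PGP or from CCC; it is an added pre-flight check, written by the editor, that you would run before starting the CCC job. It assumes (my assumption, not stated in the thread) that PGP WDE keeps PGPWDE01 and PGPWDE02 at the root of the encrypted volume, so their presence on the target root means "the target has already been encrypted"; the mount points (for example / and /Volumes/Clone) are hypothetical arguments you supply.

```shell
#!/bin/sh
# Added example (editor's, not from the thread, PGP or CCC): pre-flight check
# for "WDE the target first, then clone/restore skipping PGPWDE01 and PGPWDE02".
# It does not drive Carbon Copy Cloner; it inspects the two mounted volumes and
# prints the root-level exclusions to apply in CCC (together with "preserve
# root-level items" and incremental mode).
#
# Assumption (mine): WDE places the marker files at the volume root, so both
# markers present on the target root == target has already been WDE'd.
#
# usage: wde_preflight clone   /               /Volumes/Clone    # internal -> backup
#        wde_preflight restore /Volumes/Clone  /Volumes/Internal # backup -> internal

WDE_MARKERS="PGPWDE01 PGPWDE02"

# wde_marker_count DIR -> prints how many of the marker files exist at DIR's root
wde_marker_count() {
    _n=0
    for _f in $WDE_MARKERS; do
        [ -e "$1/$_f" ] && _n=$((_n + 1))
    done
    printf '%s\n' "$_n"
}

# wde_preflight MODE SRC DST
#   MODE is "clone" (internal -> external backup) or "restore" (backup -> internal).
#   Returns 0 when DST is ready for an encrypted clone/restore (both markers on
#   DST), 2 when DST is not (or only partly) encrypted, 3 on bad arguments.
wde_preflight() {
    _mode=$1; _src=$2; _dst=$3
    [ -d "$_src" ] && [ -d "$_dst" ] || { echo "source and target must be mounted directories" >&2; return 3; }
    case $_mode in
        clone|restore) ;;
        *) echo "mode must be clone or restore" >&2; return 3 ;;
    esac

    _dst_n=$(wde_marker_count "$_dst")
    _src_n=$(wde_marker_count "$_src")

    if [ "$_dst_n" -eq 2 ]; then
        echo "target $_dst is WDE'd; run the $_mode with these root-level exclusions:"
        for _f in $WDE_MARKERS; do echo "  exclude /$_f"; done
        [ "$_src_n" -gt 0 ] && echo "  (the markers on $_src belong to that disk; never copy them over the target's)"
        return 0
    fi

    if [ "$_dst_n" -eq 0 ]; then
        if [ "$_mode" = clone ]; then
            echo "target $_dst is not encrypted: WDE it first, then clone" >&2
        else
            echo "target $_dst is not encrypted: for an unencrypted restore, repartition (not erase) it from a non-PGP system first" >&2
        fi
        return 2
    fi

    # One marker but not the other: the target is in an inconsistent state.
    echo "target $_dst has only $_dst_n of 2 WDE marker files; inspect it before proceeding" >&2
    return 2
}
```

The exit codes are deliberate: 0 means "go ahead in CCC with the printed exclusions", 2 means "stop, the target is not in the state the thread's recipe requires", and the script never touches either volume itself.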

desertrat's picture

Aaaaahhhhhh, thanks for reminding me about repartitioning instead of erasing.  I forgot about the boot partition!  That's exactly what I needed to know.  I feel confident that I know what I'm doing now.  Thanks!