Encrypting a bootable clone
I am about to test out WDE for the first time. I want to make a bootable clone on an external FireWire drive using Carbon Copy Cloner, that will be bootable and encrypted. I am reading everything here about the process and still find myself a little confused.
This thread touches on the subject, but still leaves me with questions.
So far I know that I must NOT copy the PGPWDE01 and PGPWDE02 when cloning. And I should clone to the FW drive BEFORE encrypting the drive. So, after I do that, since I have PGP installed on the source machine, PGP is also on the clone, but the drive isn't encrypted, right? So, to encrypt the cloned drive, should I boot into the clone and encrypt from there? Or can I encrypt the clone while booted on the source machine and encrypt the FW drive like I am encrypting any external drive? After the clone drive is encrypted, I must use incremental backup only, right? Since I don't copy the PGPWDE01 and PGPWDE02 files when cloning, does PGP just create these files either the first time I boot the drive or when I encrypt it?
I have also read that PGP needs to be installed on the machine that is going to boot the clone. So I won't be able to boot my bootable clone on a system that doesn't have PGP installed? For an emergency backup solution (assuming I would be on a new computer or another person's computer), I would basically just need to keep a disc with a copy of PGP and install that on the machine before attempting to boot with my drive? That creates an issue for me. One license is only good for one computer, right? So if I want to boot my clone of my work computer on my home computer, am I going to have to buy another license for my home computer? Or can I just install PGP without a license to boot the clone?
Per Duane in post 33 in the thread you referenced, you should clone *after* you encrypt the external drive:
"I think the more appropriate way to do this would be to WDE the backup disk first, then CCC the disk over, skipping the PGPWDE01 and 02 files."
This procedure was confirmed by forum super contributor lhotka:
"Duane - per your last, I can confirm that WDEing the external first and then cloning without /PGPWDE01,02 works just fine. I can successfully boot the external, and it's only after OSX starts that I'm prompted for the internal password. Using a FW800 external 500GB disk (same size as internal), CCC 3, incremental mode, preserve root items on target."
PGPWDE01/02 are bound to the encrypted disk and created when you encrypt, as you surmised.
Any encrypted disk requires PGP to read it, and WDE is licensed per machine. Thus, to be legal, you need a license for each machine you will use with the disk. Note that you will not have to install it again if it is on the disk that you cloned (the clone should contain everything from the original machine, which would include the PGP software).
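The copy rules from the procedure quoted above (external already encrypted, incremental clone, root-level PGPWDE01/PGPWDE02 skipped, root items on the target preserved), modelled on ordinary directories as an added example. This is not Carbon Copy Cloner's or PGP's code; `clone_incremental`, `demo` and the sample file contents are constructed for illustration.

```python
import filecmp
import os
import shutil

# Root-level files that PGP WDE binds to one encrypted disk (names from the thread).
WDE_ROOT_FILES = frozenset({"PGPWDE01", "PGPWDE02"})


def clone_incremental(src, dst, skip_root=WDE_ROOT_FILES):
    """Mirror src into dst; return (copied, deleted) relative paths.
    Names in skip_root are never copied from the root of src, and items that
    exist only at the root of dst are kept ("preserve root items on target").
    """
    copied, deleted = [], []
    for cur, dirs, files in os.walk(src):
        rel = os.path.relpath(cur, src)
        at_root = rel == os.curdir
        if at_root:  # the exclusion applies at the volume root only
            dirs[:] = [d for d in dirs if d not in skip_root]
            files = [f for f in files if f not in skip_root]
        out = os.path.normpath(os.path.join(dst, rel))
        os.makedirs(out, exist_ok=True)
        for name in files:
            s, d = os.path.join(cur, name), os.path.join(out, name)
            if not os.path.isfile(d) or not filecmp.cmp(s, d, shallow=False):
                shutil.copy2(s, d)  # incremental: only new or changed files
                copied.append(os.path.normpath(os.path.join(rel, name)))
        if at_root:
            continue  # nothing is deleted at the target root, so its WDE files survive
        for name in set(os.listdir(out)) - set(dirs) - set(files):
            stale = os.path.join(out, name)
            is_dir = os.path.isdir(stale) and not os.path.islink(stale)
            (shutil.rmtree if is_dir else os.remove)(stale)
            deleted.append(os.path.normpath(os.path.join(rel, name)))
    return sorted(copied), sorted(deleted)


def demo(tmp):
    """Constructed volumes: an internal disk and an already-encrypted external."""
    src, dst = os.path.join(tmp, "internal"), os.path.join(tmp, "external")
    for root, tag in ((src, "internal"), (dst, "external")):
        os.makedirs(os.path.join(root, "Users"))
        for name in WDE_ROOT_FILES:
            with open(os.path.join(root, name), "w") as fh:
                fh.write(tag + " disk WDE data")
    with open(os.path.join(src, "Users", "notes.txt"), "w") as fh:
        fh.write("work")
    return clone_incremental(src, dst), dst
```

After the run, the external still carries its own PGPWDE01/02 rather than the internal disk's copies, which is the condition the quoted procedure depends on.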