How To Use TrueCrypt for Raw Device Virtual Pass-Thru (using VMWare Fusion) on Mac OSX

Before reading below, please read this post-mortem summary.

I tested several configurations. One of which was the procedure below, using TrueCrypt on the host OS to encrypt the raw block device before handing the block device to the guest OS. I also used Disk Utility to encrypt a filesystem on the second hard drive, and let the guest OS reside inside that encrypted filesystem. I also did a non-encrypted block device, passed through to the guest OS. And here is what I have to say about it all: It’s absolutely confirmed that if the guest OS resides inside a Mac filesystem, then the host OS uses memory to cache it. For most situations, that’s a bad thing (because the host is double-caching the same stuff that the guest is also caching), but if you constantly reboot your guest OS, then it’s a good thing (because the host is able to cache stuff while your guest OS has its caching systems offline or cold.) However… If passing the raw block device to the guest OS (with or without TrueCrypt), despite improved memory usage, the guest OS seems to simply become jittery. For the best combination of performance and security, I recommend using Disk Utility to encrypt the second hard drive, and then letting the guest OS reside inside the encrypted Mac filesystem.

In the past, I’ve run Fusion or Parallels in the mac, and I let the guest hard drive sit as a local file within the Mac filesystem. You know. The way they expect you to use it. But I don’t like this for several reasons, the first of which is that the Mac uses its memory to cache & buffer the guest OS hard disk, which the guest OS is already doing itself, so it’s a big fat waste of memory. There is filesystem overhead, which logically must reduce performance. You have to exclude the guest from Time Machine, and Spotlight, etc. So the conclusion I’ve reached is that I would much rather use a raw second hard drive (or partition) passed directly to the guest OS. No Mac filesystem in between.

I am currently using Mac OSX 10.9 Mavericks, VMWare Fusion 6, to run a Windows VM using a raw partition of a second hard drive. My host OS uses FileVault, but without any Mac filesystem on the second hard drive, it’s naturally left unencrypted. So naturally I want to add encryption, and make it automatically mount. Below is a description of how to do what I do. The only thing about it that I don’t love is the prompt, every time you launch the guest OS, “VMware Fusion requires administrative privileges for accessing Boot Camp disks. Type your password to allow this.” I am not using a boot camp disk, but apparently that’s just how they identify it internally. I would prefer for the guest OS to simply work, without needing me to type in the password.

  1. Using Disk Utility, I partition my second hard drive (because I want to, but don’t have to; I could have just as well used the whole second hard drive.) Even though I will not be using a Mac Filesystem, I make all the partitions temporarily “Mac OS Extended (Journaled)” and I give at least one an easily identifiable name, so I can later easily identify the right device.
  2. Don’t Quit Disk Utility yet.
  3. Install TrueCrypt
  4. Launch TrueCrypt, and click Create Volume
  5. Create a volume within a partition/drive
  6. While selecting the device, it’s important to both identify the correct device, and dismount it from Disk Utility, before starting encryption. Also, make a note of which device it is (for example, rdisk0s3); you will need to know later. After dismounting the volume, close Disk Utility, and continue with TrueCrypt.
  7. The rest of the TrueCrypt selections are self explanatory, except: When prompted about 4G files, it doesn’t matter what you choose. That’s just a convenience thing to guide people on what filesystem to choose. It doesn’t matter for us, because we choose “none” for the filesystem. At this point, you’ll have to wait a while for TrueCrypt to do its work.
  8. After it’s done, launch a terminal, create a file such as /bin/MountTrueCryptVolume.sh (the name used in the rest of these steps) and make it owned by root, readable and executable only by root:

    sudo chmod 700 /bin/MountTrueCryptVolume.sh
    sudo chown root:staff /bin/MountTrueCryptVolume.sh

  9. Fill that file with something like this: (I repeat, I only consider this safe because the host OS is using whole disk FileVault, and the file is locked down accessible only by root.)

    #!/bin/bash
    # Mount the TrueCrypt volume on the raw partition noted in step 6.
    # --filesystem=none: don't mount a filesystem on the host; the guest OS owns it.
    # The password is in cleartext here, hence the root-only permissions above.
    /Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt --filesystem=none --password=TrUeCrYpTvOlUmEpAsSwOrD /dev/rdisk0s3

  10. Edit the sudoers file (hopefully you know a little vi)
    sudo visudo

    Find this line:
    %admin ALL=(ALL) ALL

    And append to it, as follows:
    %admin ALL=(ALL) ALL, NOPASSWD: /bin/MountTrueCryptVolume.sh

  11. Wait till TrueCrypt is done, then ensure the volume is dismounted, and quit TrueCrypt.

  12. Simultaneously validate that your mount script works without password, and identify the name of the decrypted volume, as follows:

    echo "before" ; ls /dev/disk* ; sudo /bin/MountTrueCryptVolume.sh ; echo "after" ; ls /dev/disk*

    In my case, my new volume created by TrueCrypt is /dev/disk3

  13. Now to add this disk to VMWare:

    Open a command Terminal, and cd to where you want to create your new vmdk virtual disk.

    Notes about the following command: If you want help, you can run vmware-rawdiskCreator -h. Please notice that above I used the raw disk “rdisk” and now I’m using the non-raw disk “disk” … There is no choice about this. VMWare refuses to work with rdisk3; I am required to specify disk3.

    Since there is no partition map inside the TrueCrypt volume, I specify “fullDevice” but if you wanted to, you could partition the encrypted drive in Disk Utility (the disk is called “volume.dmg” for some silly reason.) And then you would run vmware-rawdiskCreator print /dev/disk3 to identify the correct partition number, and specify the partition number instead of “fullDevice.”

    In your present working directory, a small file will be created that describes the disk to VMware, and references the raw disk (or partition) as the backing store. You must give this file a name. The “.vmdk” extension will be added automatically. So I specified the name “TrueCrypt_disk3_wrapper” and this created the file “TrueCrypt_disk3_wrapper.vmdk”

    And finally, it took me a lot of looking around to figure out that in VMWare, if you use the GUI to create a disk, your choices are IDE, SCSI, or SATA, but on the command line, your choices are “ide,” “buslogic,” or “lsilogic,” where lsilogic seems to be SCSI and preferred for most guest OSes. If you want to know which is preferred for your OS, just try adding a disk with the GUI, to see what it selects by default.

    sudo /Applications/VMware\ Fusion.app/Contents/Library/vmware-rawdiskCreator create /dev/disk3 fullDevice TrueCrypt_disk3_wrapper lsilogic

    You must chown that file to yourself.
    sudo chown eharvey TrueCrypt_disk3_wrapper.vmdk

    And annoyingly, you cannot add this vmdk to the guest machine with the GUI. You must hand-edit the .vmx file. (Shut down the guest OS, and quit VMWare first.) Copy the existing lines, and modify them, similar to these:

    scsi0:1.present = "TRUE"
    scsi0:1.fileName = "TrueCrypt_disk3_wrapper.vmdk"

  14. And finally, finally. If you want the TrueCrypt volume to mount automatically at boot: You can edit your crontab with the command crontab -e and insert a line like this:

    @reboot /usr/bin/sudo /bin/MountTrueCryptVolume.sh
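Two checks from the procedure above, written out as an added example (not code from the original post): the step-12 “which device appeared?” comparison as a function, and a permission check worth running on the mount script before it is trusted under a NOPASSWD sudoers rule. The device listings are constructed; the script path and device names are the post's own examples.

```shell
#!/bin/bash
# Added example, not from the original post.

# Step 12: given the device list before and after running the mount script,
# print only the entries that appeared (the decrypted TrueCrypt volume, plus
# its partitions if you partitioned it). Inputs are whitespace-separated.
new_devices() {
    before="$1"; after="$2"
    for dev in $after; do
        case " $before " in
            *" $dev "*) ;;                 # already present before the mount
            *) printf '%s\n' "$dev" ;;
        esac
    done
}

# Steps 8 and 10: a NOPASSWD target that a non-root user can modify lets that
# user run anything as root, so before adding the sudoers line confirm the
# script is owned by root (or the owner you pass) and is not group- or
# world-writable. Uses ls -ld rather than stat so it works on macOS and Linux.
check_root_only() {
    path="$1"; want_owner="${2:-root}"
    [ -f "$path" ] || return 1
    set -- $(ls -ld "$path")               # perms links owner group ...
    perms="$1"; owner="$3"
    [ "$owner" = "$want_owner" ] || return 1
    case "$perms" in
        ?????w*|????????w*) return 1 ;;    # group write or other write bit set
    esac
    return 0
}

# Constructed before/after listings: in the post, /dev/disk3 was the volume
# that appeared after the mount script ran.
BEFORE="/dev/disk0 /dev/disk0s1 /dev/disk0s2 /dev/disk0s3 /dev/disk1 /dev/disk2"
AFTER="$BEFORE /dev/disk3"

# Usage on the real host (script path from step 8):
#   check_root_only /bin/MountTrueCryptVolume.sh && sudo -n /bin/MountTrueCryptVolume.sh
# sudo -n fails instead of prompting, which makes a missing NOPASSWD rule obvious.
new_devices "$BEFORE" "$AFTER"             # prints /dev/disk3
```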
