Turning on FileVault on your Hackintosh

Hackintosh Feb 12, 2019

Enabling FileVault is a smart move, especially if your device is portable. It ensures that if your computer and/or hard drive ever gets in the wrong hands, your (work) files will, at least, remain safe.

When I set out to create my Hackintosh, I had opted not to start with FileVault enabled as I wasn't sure how far I would get with the hardware I have at hand, and how much more complicated things might get with FileVault enabled. In my first tests (with this Hackintosh, anyway), I started with a basic HFS+ partition as I experimented with which parts work, and which don't. For the "final" installation I switched to using APFS, which so far has been working perfectly other than that Steam and Adobe still to this day not supporting case-sensitive file systems. It's 2019, but here we are. Regardless, that has nothing to do with APFS.

The FileVault Preferences pane, showing FileVault is not yet enabled.

After recently updating to the latest-most version of macOS, I thought it was high time I try FileVault out. For those of you who missed my other article, I have a backup drive that would, in case this all fails, would allow me to restore a working, non-encrypted setup straight back to my main drive, so at worst I would only lose a few hours.

Preparing

To start, I made sure I had fully up-to-date bootable backup, so I ran SuperDuper! and let it do its thing. This took a while longer than usual as I forgot to purge my Final Cut Pro cache, which added ~150GB of content at least, among a few other things like a Downloads folder I hadn't cleaned in a while.

After the backup completed I used DaisyDisk to look around my main drive to see where the big chunks of data were, and was able to purge a lot. I wanted to do this before switching on FileVault as I suspected it would help reduce time for the initial encryption process, so it would probably be smart for you to do the same. You don't have to rely on an app like I did, just look for common suspects; Apps you no longer use, certain apps' preference to cache the entire internet (Spotify, Chrome with its cache of previous versions, iTunes if you back up your iPhone onto your Mac for some reason, etc.)

DaisyDisk showing how much data is stored and where.

Ensuring the right driver is installed

Now we must ensure we have the right keyboard and mouse driver installed, or you will not be able to type in your account's password at the FileVault login screen.

To do this, open Clover Configurator (or equivalent), mount your EFI partition, and then open EFI/Clover/config.plist. Then, head to the Install Drivers section and look through the list and find AptioInputFix-64 if you are using a Bluetooth keyboard/mouse or with one of those dongle thingamajigs.

In case you use a PS/2 keyboard you'll likely have to install AppleKeyAggregator-64 instead, so make sure you check and use the one that is right for your specific setup. It's best not to install what you don't really need, so try to only install the one you really need.

Tip for the extra cautious: If you are really unsure which you need or simply want to make absolutely certain you won't lose access to your Hack, you can create a bootable USB stick with an exact copy of your Clover setup (including the step mentioned below on un-hiding your Preboot volume!) but with the alternative keyboard/mouse driver, so that if your first choice ends up being wrong, you can boot off of your USB stick and after booting fix your main drive that way.
Clover Configurator showing the driver you should install.

Ensure the Preboot volume is not hidden

While we're in Clover Configurator, head on over to the Gui sidebar option and on the right-hand side check the Hide Volume list. If Preboot is listed there, select and delete it from the list (press the minus button). Once FileVault is enabled, you'll need to boot from the Preboot volume instead of the volume you used to use.

Clover Configurator showing that the Preboot volume is set to be hidden, which should be removed.

Once you've checked this, don't forget to save (cmd+s) your config file, then go ahead and quit Clover Configurator.

Enabling FileVault

You should now have done everything you need to prepare for FileVault support, so go ahead and head on over to System Preferences » Security » FileVault. Click the lock icon in the bottom-left to unlock the settings, and then proceed to click Turn On FileVault. You will be asked where you'd like to store your recovery key (either in your iCloud account, or by you providing it yourself), after which the encryption process will start.

If you are using APFS you will not actually have to reboot first, the encryption will start right away and even after finishing you don't have to reboot, which is pretty cool. For those of you still using HFS+, I believe you have to restart first, after which the encryption process starts.

I didn't stick around my computer so don't have an exact number, but I think the 2 hour estimate it gave me was roughly accurate. Your mileage may vary though, and it of course also depends on how many files you have, and the speed of your drive. Also note that the process may slow down your system (or drive, technically, but tha affects many things) quite a bit at times, so it might be best to leave your computer alone so it can work through this at its own pace.

FileVault encrypting my main SSD.

After this you should be all set and done. To ensure everything worked, I recommend you reboot now to ensure you can boot fine.

Reboot your Hack and at the Clover screen, make sure you select the FileVault Prebooter option of your main drive. Once you have selected this, a moment later you'll most likely be presented with a (usually low resolution) login prompt. If you have selected the right driver as mentioned earlier, your keyboard (and mouse) will work fine here, and you can enter your password and proceed to using your Hack as before, just more securely. Joy!

Updating your backup drive

The final step now would be to clone your now FileVault-protected drive over to your Backup drive, as it currently will still contain non-encrypted versions of your files. So you might want to go ahead and, after making sure everything works as it should of course, clone things over using your favorite drive cloning solution so that both drives are fully FileVault-protected

A small note on Time Machine

If you use Time Machine, after enabling FileVault you might find it wants to backup a whole lot of files. In my case it needed to back up 50GB worth of content. As far as I can tell this is normal and just an artifact of sorts of the encryption process, so just letting it do its thing will not cause any issues. I just felt like mentioning it here in case you were wondering what might be going on with your Time Machine.