Lately I’ve needed Windows to work on some projects, but my usual method of running a Windows VM inside OS X wasn’t cutting it performance-wise. I could use Boot Camp but then I can’t encrypt the Windows partition. In today’s age and especially since this is related to work, I needed to have BitLocker enabled.
Since Macs don’t allow you to encrypt Windows and OS X at the same time natively, I had to come up with a solution. So without further ado, here is how to encrypt both Windows and OS X on the same MacBook Pro Retina.
In this tutorial I’m using the following hardware and software, so the instructions are based on these devices, disk sizes, and versions:
- MacBook Pro Retina 15” 2013 model with 512GB SSD
- 8GB flash drive for use as Windows install media
- External drive for backing up my current OS X install
- Carbon Copy Cloner for performing OS X backup/restore
- Windows 8.1 Professional ISO image from Microsoft
- OS X 10.10 Yosemite (Using the MacBook Pro’s built in Internet Recovery feature)
Step 1: Backing up your existing OS X installation
This process will wipe OS X off your computer because Windows needs to be installed at the beginning of the disk for this to work.
- You can either use Carbon Copy Cloner (which is what I used) or the built in Time Machine function to backup your OS X install to an external drive.
Step 2: Creating the Windows install media
You will need an 8GB flash drive and a copy of Windows 8.1 (or the shiny new Windows 10) as an ISO file.
- Run Boot Camp Assistant.
- Uncheck the last checkbox (we will partition manually in Step 3).
- Let Boot Camp Assistant create the Windows installer flash drive.
Step 3: Install Windows (THIS WILL ERASE YOUR COMPUTER)
We need Windows to be installed as the first OS on the disk for BitLocker to work. Here is how to do this properly:
- Restart your Mac with the installer flash drive connected and hold the Option key.
- Select the orange drive that says “EFI Boot”. [1]
- As soon as the first window appears press Shift+F10 to open the Command Prompt.
- Now we will repartition the disk to allow BitLocker to function. Enter the command diskpart
- Select the internal disk with the command select disk 0
- Erase the disk with the command clean
- Create a new GPT partition table with the command convert gpt
- Re-create the EFI partition [2] with the command create partition efi size=200
- Format the EFI partition with the command format fs=fat32
- Create the Microsoft Reserved Partition [3] with the command create partition msr size=128
- Create the 100GB partition Windows will be installed on with the command create partition primary size=102400
- Format the Windows partition with NTFS using the command format fs=ntfs quick label=Windows
- Close out of the Command Prompt.
- Install Windows to the Windows partition.
- Install the Boot Camp drivers from the flash drive.
Step 4: Encrypting Windows
We need to encrypt Windows before we reinstall OS X, otherwise the BitLocker process may overwrite OS X.
- First we need to enable BitLocker support without a TPM. [4] Press Windows Key+R to open Run, enter gpedit.msc, and hit the Enter key.
- Browse to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
- Double click on Require additional authentication at startup
- Set the policy to Enabled and make sure the checkbox to allow use without a TPM is checked!
- Click the OK button.
- Now you can Enable BitLocker. I recommend using the password option.
- Make sure that the BitLocker window shows “Shrinking drive C:”! If you don’t see that, BitLocker used the free space we saved for OS X instead of shrinking C:.
- Reboot and test BitLocker.
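As an added check that is not part of the original post, here is a PowerShell script for the Windows side of this procedure. It verifies the three things Steps 3 and 4 depend on before you move on to Step 5: that the Group Policy setting really did write the no-TPM values (the “Require additional authentication at startup” policy stores them as the UseAdvancedStartup and EnableBDEWithNoTPM DWORDs under the FVE policy key), that the EFI, MSR and Windows partitions from Step 3 are still there, and that the unallocated space reserved for OS X survived BitLocker’s “Shrinking drive C:” step. It assumes disk 0 and C: as in the post, the BitLocker PowerShell module that ships with Windows 8 and later, an elevated prompt, and a 100 GB minimum free-space threshold that is my assumption rather than the post’s.

```powershell
# Added verification script; not part of the original post.
# Assumptions (as in the post): the internal SSD is disk 0, Windows lives on C:,
# the BitLocker PowerShell module is present (Windows 8 and later), and the
# console is running as Administrator.

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Friendly names for the GPT partition type GUIDs that diskpart created in Step 3.
$GptTypeNames = @{
    '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}' = 'EFI System'
    '{e3c9e316-0b5c-4db8-817d-f92df00215ae}' = 'Microsoft Reserved'
    '{ebd0a0a2-b9e5-4433-87c0-68b6b72699c7}' = 'Basic data'
}

function Test-NoTpmPolicy {
    # "Require additional authentication at startup" set to Enabled with the
    # "allow without a compatible TPM" box ticked writes these two DWORDs.
    if (-not (Test-Path $FvePolicyKey)) { return $false }
    $p = Get-ItemProperty -Path $FvePolicyKey
    return ($p.UseAdvancedStartup -eq 1) -and ($p.EnableBDEWithNoTPM -eq 1)
}

function Show-DiskLayout {
    param([int]$DiskNumber = 0)
    # Expected after Step 3: EFI (200 MB), MSR (128 MB), Windows (100 GB),
    # plus whatever BitLocker's "Shrinking drive C:" step carved out of C:.
    Get-Partition -DiskNumber $DiskNumber | Sort-Object PartitionNumber | ForEach-Object {
        $type = $_.GptType
        if ($GptTypeNames.ContainsKey($type)) { $type = $GptTypeNames[$type] }
        [pscustomobject]@{
            Number = $_.PartitionNumber
            Type   = $type
            SizeMB = [math]::Round($_.Size / 1MB)
            Drive  = $_.DriveLetter
        }
    }
}

function Get-UnallocatedGB {
    param([int]$DiskNumber = 0)
    # Largest run of unallocated space; this is what OS X will be installed into.
    $disk = Get-Disk -Number $DiskNumber
    return [math]::Round($disk.LargestFreeExtent / 1GB, 1)
}

function Test-ReadyForOsX {
    param(
        [int]$DiskNumber = 0,
        [string]$MountPoint = 'C:',
        [int]$MinFreeGB = 100   # assumed threshold; well below what you left free means BitLocker used it
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $passwordProtectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Password' })
    $freeGB = Get-UnallocatedGB -DiskNumber $DiskNumber

    [pscustomobject]@{
        NoTpmPolicySet     = Test-NoTpmPolicy
        PasswordProtector  = ($passwordProtectors.Count -gt 0)
        VolumeStatus       = $vol.VolumeStatus
        ProtectionOn       = ($vol.ProtectionStatus -eq 'On')
        UnallocatedGB      = $freeGB
        FreeSpacePreserved = ($freeGB -ge $MinFreeGB)
    }
}

Show-DiskLayout | Format-Table -AutoSize
Test-ReadyForOsX | Format-List
```

Run it after the reboot at the end of Step 4. If FreeSpacePreserved comes back False while ProtectionOn is True, BitLocker consumed the space set aside for OS X, which is exactly the condition the “Shrinking drive C:” check above is meant to catch; VolumeStatus should read FullyEncrypted once the background encryption has finished.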
Step 5: Installing OS X
Now it’s time to get OS X back on your Mac. After all, who wants a Mac without the Mac OS?
- In Windows open the Disk Management tool.
- Create an NTFS partition [5] out of the free space on the disk.
- Now reboot your Mac and hold Command+R to start Internet Recovery.
- Open Disk Utility and Format that new NTFS partition as Mac OS Extended (Journaled)
- Exit Disk Utility and install OS X to that new partition.
- Use the Mac App Store to update to Yosemite if need be.
- After Yosemite is installed go back to the Mac App Store and download the Yosemite installer again but do not install it!
- We will use an AppleScript written by Christopher Silvertooth [6] to recreate the OS X recovery partition. [7] You can download the script here!
- Follow that script’s instructions to recreate the OS X Recovery Partition.
- Enable FileVault.
- Test BitLocker again to make sure nothing broke it. Then test FileVault again to make sure it works as expected.
If you backed up your OS X install with Carbon Copy Cloner or Time Machine, now is the time to recover it using that function.
That’s it! You now have Windows 8.1 and OS X Yosemite side-by-side both with their native encryption turned on. I haven’t tested OS upgrades such as Windows 8.1 to Windows 10, or OS X Yosemite to OS X El Capitan but in theory those upgrades wouldn’t mess with the partition table. After all, that would kill normal Boot Camp.
[1] Don’t select “Windows”, or we won’t be able to install Windows as an EFI-bootable OS. The Mac EFI system has trouble booting manually installed copies of Windows if Windows isn’t installed with EFI support. EFI mode also lets us use a GPT disk, which we need for the number of partitions we are creating.
[2] Macs rely on a 200MB EFI partition at the beginning of the drive to store firmware settings. This partition is also part of the GPT standard and is not Mac specific.
[3] Windows relies on a Microsoft Reserved Partition that is exactly 128MB in size. No meaningful data is stored in it yet as of this article’s publish date, but BitLocker doesn’t seem to enable correctly without it.
[4] BitLocker normally stores encryption keys in a built-in TPM chip, but Macs don’t have one. We will use Group Policy to allow the use of an encryption password instead.
[5] Disk Utility seems to choke on creating new partitions from free space when Windows is installed at the beginning of the disk. It has no problem reformatting, though, so we will do this as a workaround.
[7] OS X uses its Recovery Partition to authenticate FileVault-encrypted systems, so this is a necessary step. Unlike the Windows BitLocker partition, we are fortunate that Apple chose the end of the drive instead of the beginning, so Windows will remain untouched.