FMP 11 Server on Mac mini Server (lion) and Filevault 2

[Woodnote]

I have a mac mini server (2011) that came pre-installed with Mac OS X 7 (Lion) Server. I want to run FMP 11 Server on it. I'm not running/serving any of the server options so they shouldn't be conflicting with the FMP 11 server install. I have Filevault 2 (FDE) enabled because I want the server to be safe even if someone stole it (powered down of course). I'm updated to the latest release of FMP 11 Server and I know that only local sharing works with Lion (and I've gotten it working fine with lion client).

Here's the thing... it appears to all work ok at first, but the admin console is unusablly sluggish even when working and inevitably freezes completely (with the spinning ball) within a few clicks and I'll have to force the admin console to quit.

Given that I've been able to get it working with the client version of lion (without filevault 2 enabled), It's either b/c I'm running Server or because of filevault 2.

I can't see how it could be filevault 2 since that should be completely transparent to the program and I'm running it on a new mac mini server w/ an intel i7 processor. The benchparks put the performance hit associated with it at barely perceptible, and all other aspects of the computer are super fast.

I think it's somehow the fact that I'm running it on the server version of Lion, but I'm not sure why that could be an issue...any thoughts would be greatly appreciated!

[Woodnote]

UPDATE: So i disabled filevault 2 and low-and-behold, everything started working fine. Somehow, Java/FMP 11 server admin console and filevault 2 in Lion do not play well together.

Does anyone have any thoughts about this? I find it very strange since according to apple, filevault 2 is completely transparent.

UPDATE: since I want the contents of the databases safe even if the mac mini itself gets stolen, I decided to encrypt the second internal HD with filevault 2 and then serve the actual database files from the encrypted drive. I also have the backups going to the encrypted drive. seems to be working pretty well so far. We'll see.

[Steven H. Blackwell]

Yes. FileMaker Server is not intended to be run with services such as File Vault or other disk type encryption programs. I hope you files were not damaged by this process.

Steven

[Woodnote]

No I haven't destroyed them yet

I've been experimenting with separate copies of my databases on a development machine. Do you think there are any problems with running the databases as I have it configured currently (with the server running from a non-encrypted disk but with the hosted databases themselves on an encrypted disk)?

thanks

[Steven H. Blackwell]

Yes, I do think that could cause problems.

Steven

[Woodnote]

Can you elaborate on that? (Or point towards some technical articles/ discussions that go into to it in depth?) If the filevault 2 (or any other full disk encryption) is "transparent" to the user, what would the problem be? I know the standard advice, but I'm curious as to why it's such an issue.

FileVault: FileVault is a feature that performs on the fly encryption and decryption of data in a user’s home directory. However, this added level of security requires additional processing power. Because of this, it is recommended that FileVault not be used in conjunction with FileMaker Server and your FileMaker databases.

This bit about FileVault 1 makes it seem like the only issue is one of processing power, but I know that the standard advice given is that using any kind of disk encryption will destroy your solution eventually when applied to served files. The fact that Filemaker Inc. doesn't appear to make any strong comments to the effect of "Don't even think about it" is strange to me.

What about physically based FDE drives like the ones currently offered by Seagate with Opal certification? Those drives are apparently truly transparent with no speed loss at all. Where (at what stage) does the breakdown/corruption of the database occur?

thanks, I'm sure you've forgotten more than I will ever know about this stuff :)

[Woodnote]

Does anyone have any thoughts?

Can anyone at least point me in the right direction?

thanks

[Vaughan]

FileVault is a feature that performs on the fly encryption and decryption of data in a user’s home directory.

So what happens if no users are logged-in?

[Woodnote]

Sorry I didn't make that clear, that quote applies only to "FIlevault 1" which is used in OSX 10.6, in OSX 10.7 (Lion) Filevault 2 (which I'm using here) is different (see below).

From an article by Topher Kessler on CNET:

With FileVault 2, Apple has done away with the standalone encrypted disk images in OS X, and replaced it with a full disk encryption option that uses XTS-AES 128-bit encryption on all files on the system. This means that all files on the disk (system files, user files, applications, and anything else) will be encrypted and unlocked at boot, so if your system is stolen then without your password, not even your applications or system configuration files can be accessed and used by a thief or unwanted third party.

The way FileVault 2 works is that the OS sets up a recovery partition that is used to store the encrypted keys used to unlock the encryption. The hidden recovery partition will hold the keys needed to unlock and decrypt FileVault-enabled systems. The recovery partition is created for all Lion installations and is used for maintenance of the system, but will be a requirement to have if you wish to enable full disk encryption on the boot drive.

When the system boots, it accesses the recovery drive and loads the login screen to present to you. When you then supply your password it unlocks the boot drive and continues to load the OS and your user account before dropping you to your desktop. As a result of this, the preboot login screen may show much quicker on systems with FileVault 2 enabled than on those that do not.

If you enable FileVault 2, the system will only allow authorized accounts to unlock and boot the system. Therefore, any existing accounts will need to be specifically authorized to handle disk encryption by going to the Security system preferences and choosing specific users after clicking the Turn on FileVault button.... If an account is not added to FileVault 2, then you will first need to unlock the system with an authorized account and then log out to allow unauthorized accounts to log in and use the system.

Because the entire disk is encrypted and unlocked when logged in, Time Machine backups will now work as you use the system, instead of requiring you to log out so the sparsebundle could be copied in its unmounted state. This is a major convenience to people who have encrypted their systems.

[Woodnote]

Just thought I'd give an update.

After installing the FileMaker Server 11.0v4 update and activating file vault 2 again, everything has been working fine for the past several weeks on my server with 3-5 local network users simultaneously accessing/creating/modifying/deleting dozens of records daily. My database currently has the following "stats" 71 distinct entities (tables), 1257 attributes (fields), 83 scripts, 41 functions, 1544 calculations, and displays data using 90 separate layouts (pages).

NOTE: just to be clear, given that running FMP server on an encrypted disk is generally considered to be a big no-no, I can't recommend this to anyone. I just thought I'd pass on the knowledge that I (maybe foolhardily) decided to take the risk and so far it's worked great. I'll post another update if it gets corrupted.