First make the volume use a keyfile and an empty password in Volume Tools > Change Volume Password. Then save a property list like this as ~/Library/LaunchAgents/truecrypt.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>truecrypt</string>
  <key>ProgramArguments</key>
  <array>
    <string>bash</string>
    <string>-c</string>
    <!-- The script is XML text, so && must be written as &amp;&amp; -->
    <string>diskutil list | grep -Fq ' *1.1 GB ' &amp;&amp; exit # an asterisk indicates that the volume is mounted
disk=$(diskutil list | awk '/ 1.1 GB /{print $NF}')
[[ $disk ]] || exit
/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt --mount /dev/$disk -k ~/path/to/keyfile -p ''</string>
  </array>
  <key>StartOnMount</key>
  <true/>
</dict>
</plist>
Change 1.1 GB to the size of the volume shown by diskutil list. There might be some better way to identify the volume, but for example diskutil info /dev/disk1s4 didn't show a UUID for the volume I tested with.
Then enable the agent by running launchctl load ~/Library/LaunchAgents/truecrypt.plist or by logging out and back in. You have to unload and load the plist to apply changes to it.
Caveats:
- When the truecrypt command is run for the first time after you log in, it asks for the password of an administrator account, even if it is run as root. That could get annoying after a while if you log out or restart frequently.
- The launchd job gets triggered when any volume is mounted, so if you unmount the TrueCrypt volume (but keep the external drive connected) and mount some other volume, the TrueCrypt volume gets mounted again.
Or could you just encrypt the volume with FileVault? If you check "Remember this password in my keychain", the volume is mounted automatically as long as the login keychain is unlocked.
That also means that if the login keychain is unlocked, other people who have access to your computer can see the password with, for example, security find-generic-password -l "My FileVault volume" -w.
Edit: there was no special reason why I used a keyfile and an empty password in the example above. To use a password and no keyfile, replace TrueCrypt --mount /dev/$disk -k ~/path/to/keyfile -p '' with for example TrueCrypt --mount /dev/$disk -p pa55word. Or replace pa55word with "$(security find-generic-password -l "My TrueCrypt volume" -w)" and use Keychain Access to add a keychain item for the password: