
I would like to do the following:

I. After logging into my account I would like OSX to automatically mount 2 of my volumes (located on the same external HDD connected via FW800) using a password or keyfile. I don't want to see any prompts for admin passwords or volume passwords as I already have my account password in place.

Question 1: How can I achieve this? Are there any scripts I can download or copy?

Question 2: Do I have to use keyfiles or can I use a password for OSX to automatically mount the volumes?

Bonus question: What would be the pros and cons of using a password vs keyfiles in this scenario?

For reference:

Currently I'm on OSX 10.8.3 and my OSX will be encrypted via FileVault2.

I'm not too worried that any keyfiles or passwords are stored on my OSX as it will be encrypted. I'll be using two-factor authentication when logging into my account, using a password I remember and having a Yubikey do the rest of the password. So it will be a VERY secure password.

I'm not a techie so I would need easy to understand instructions and more or less copy&paste scripts :)

Thanks!

  • It's not someone breaking into your account that you need to worry about, it's you letting someone in. If you don't have to type in a password, then neither does a virus/malware. Commented May 3, 2013 at 19:39
  • Maybe I need to clarify a bit: Only the encrypted ext. HDD should NOT prompt me for a password. The account password should remain in place. Commented May 3, 2013 at 20:41

1 Answer


First make the volume use a keyfile and an empty password in Volume Tools > Change Volume Password. Then save a property list like this as ~/Library/LaunchAgents/truecrypt.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>truecrypt</string>
    <key>ProgramArguments</key>
    <array>
        <string>bash</string>
        <string>-c</string>
        <string>diskutil list | grep -Fq ' *1.1 GB ' &amp;&amp; exit # an asterisk indicates that the volume is mounted
disk=$(diskutil list | awk '/ 1.1 GB /{print $NF}') # identifier of the (unmounted) partition of that size
[[ $disk ]] || exit # drive not attached: nothing to do
/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt --mount /dev/$disk -k ~/path/to/keyfile -p ''</string>
    </array>
    <key>StartOnMount</key>
    <true/>
</dict>
</plist>

Change 1.1 GB to the size of the volume shown by diskutil list. There might be some better way to identify the volume, but for example diskutil info /dev/disk1s4 didn't show a UUID for the volume I tested with.

Then enable the agent by running launchctl load ~/Library/LaunchAgents/truecrypt.plist or by logging out and back in. You have to unload and load the plist to apply changes to it.

Caveats:

  • When the truecrypt command is run for the first time after you log in, it asks for the password of an administrator account, even if it is run as root. That could get annoying after a while if you log out or restart frequently.
  • The launchd job gets triggered when any volume is mounted, so if you unmount the TrueCrypt volume (but keep the external drive connected) and mount some other volume, the TrueCrypt volume gets mounted again.

Or could you just encrypt the volume with FileVault? If you check "Remember this password in my keychain", the volume is mounted automatically as long as the login keychain is unlocked.

That also means that if the login keychain is unlocked, other people who have access to your computer can see the password with for example security find-generic-password -l "My FileVault volume" -w.


Edit: there was no special reason why I used a keyfile and an empty password in the example above. To use a password and no keyfile, replace TrueCrypt --mount /dev/$disk -k ~/path/to/keyfile -p '' with for example TrueCrypt --mount /dev/$disk -p pa55word. Or replace pa55word with "$(security find-generic-password -l "My TrueCrypt volume" -w)" and use Keychain Access to add a keychain item for the password:
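The following is an added example, not the answer's own script, that restructures the "mount only if not already mounted" logic from the launch agent above into small functions. They read the `diskutil list` output from stdin, so the decision logic can be checked against a constructed sample listing without an external drive attached. The keychain item label "My TrueCrypt volume", the TrueCrypt binary path and the sample listing are assumptions/constructed values, not from the original page.

```shell
#!/bin/bash
# Added example (not the answer's own script): the agent's mount-if-needed
# decision, split into testable functions. Placeholders: KEYCHAIN_LABEL and
# the sample diskutil listing below are constructed, not taken from the page.

TC_BIN="/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt"  # path used in the answer
KEYCHAIN_LABEL="My TrueCrypt volume"                            # assumed keychain item label

# Is a partition with this exact SIZE column already mounted? Convention from
# the answer: an asterisk directly before the size marks a mounted volume.
# Reads `diskutil list` output from stdin.
is_mounted() {
    grep -Fq " *$1 "
}

# Print the identifier (e.g. disk1s4) of the first unmounted partition whose
# SIZE column equals $1; print nothing when no such partition is present.
find_unmounted_device() {
    awk -v size=" $1 " 'index($0, size) { print $NF; exit }'
}

# Decide what to do for a volume of the given size, given a diskutil listing.
# Prints exactly one of: "skip: already mounted", "skip: not attached",
# "mount /dev/diskNsM".
plan_mount() {
    local size=$1 listing=$2 disk
    if printf '%s\n' "$listing" | is_mounted "$size"; then
        echo "skip: already mounted"
        return 0
    fi
    disk=$(printf '%s\n' "$listing" | find_unmounted_device "$size")
    if [ -z "$disk" ]; then
        echo "skip: not attached"
        return 0
    fi
    echo "mount /dev/$disk"
}

# Carry the plan out on a real Mac: fetch the passphrase from the login keychain
# (the form suggested in the answer's edit) and hand it to TrueCrypt.
# Practitioner note: a passphrase given with -p is visible to other local users
# in `ps` output while TrueCrypt runs; the keyfile (-k) variant avoids that.
run_mount() {
    local size=$1 action dev
    action=$(plan_mount "$size" "$(diskutil list)")
    case $action in
        "mount "*)
            dev=${action#mount }
            "$TC_BIN" --mount "$dev" -p "$(security find-generic-password -l "$KEYCHAIN_LABEL" -w)"
            ;;
        *)
            echo "$action" >&2
            ;;
    esac
}

# Constructed sample in the style of `diskutil list` on 10.8: disk1s2 is
# mounted (asterisk), disk1s4 is the 1.1 GB partition that is not.
SAMPLE_LISTING='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            *499.2 GB   disk0s2
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *1.0 TB     disk1
   1:                        EFI                         209.7 MB   disk1s1
   2:                  Apple_HFS Backup                 *998.5 GB   disk1s2
   3:                 Linux_Swap                          1.1 GB    disk1s4'

# Only touch real devices when explicitly asked: ./mount-tc.sh --run '1.1 GB'
if [ "$1" = "--run" ]; then
    run_mount "$2"
fi
```

The size string still has to match the SIZE column exactly, as in the answer; `plan_mount` makes the three possible outcomes explicit so a wrong size shows up as "skip: not attached" rather than a silent exit.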

  • Lauri, thanks for the excellent answer! Just what I was looking for. Can you clarify this for me: "The truecrypt command asks for the password of an administrator account the first time it is run after logging in (even if it is run as root)." Does that mean that I have to key in my admin password every time I start up my machine and TC is run? Or just the first time the script or app is run? If the former is the case then I would have to key in 2 passwords every time I start up the Mac. Commented May 4, 2013 at 15:40
  • Every time after you restart. It doesn't seem to be required after logging out and back in or waking up from sleep though.
    – Lri
    Commented May 4, 2013 at 15:51
  • FileVault2 does seem tempting. Do you see any pros & cons using FV vs TC or any security risks assuming that I always log out of my computer and let nobody access it? The TC app script would still have mounted if I log out. Commented May 4, 2013 at 16:13
  • This is a great start, but what if I want to secure my encrypted volume with a passphrase only? Is there a way to store the passphrase in my OS X login Keychain, and configure truecrypt to use that? You can do this, for instance, if instead of true crypt you use encrypted .dmg volumes, since hdiutil attach command is keychain aware. But then the problem with encrypted .dmg files is they cannot be opened on Linux, I believe.
    – algal
    Commented Sep 6, 2013 at 5:02
  • @algal I edited the answer.
    – Lri
    Commented Sep 6, 2013 at 12:12
