
Sep 07, '11 07:30:00AM • Contributed by: rakmod
This hint describes how to place a user home directory on a FileVault2 encrypted partition on a second hard drive and have that partition load automatically on boot.
The primary issue is that when the user home directory is on a secondary encrypted drive it will not automatically unlock when the user logs on, thus resulting in a logon error for that user. Once unlocked the partition with the user home directory will automatically mount.
Note: Once these operations have been performed, Disk Utility cannot be used to modify the second disk. Terminal and diskutil need to be used instead.
Prerequisites
- An OS X Lion installation with a FileVault2 encrypted system disk (System Preferences » Security & Privacy » FileVault).
- A second hard drive using a GUID Partition Table and a Mac OS Extended partition. We will assume in the examples that the partition is named 'Data HD.'
- An admin user in the /Users folder on the system drive.
- A standard user with their home directory in the /Volumes/Data HD/Users directory and advanced user properties specifying that location as their home folder. There are hints about how to do that; search if you need to find them.
- Log off all users.
- Log in as the admin user.
- Start Terminal.
- Use diskutil to determine the IDENTIFIER of the Data HD partition:
diskutil list
- Using diskutil and the following command, convert Data HD to an encrypted volume. Ensure you keep a copy of the passphrase in a safe place. If you lose it you will not be able to get your data from the partition.
diskutil coreStorage convert [IDENTIFIER] -passphrase [passphrase]
- Reboot.
- Try to log on as the normal user. You should see an error that you cannot log on. Note: I only tested after the disk fully encrypted, so the behaviour on a partially encrypted drive is not tested. I am assuming it has the same behaviour as an encrypted drive.
- Log on as the admin user.
- When asked for the password to unlock Data HD enter your password and save it to your Keychain.
- Open the admin user's Keychain using /Applications/Utilities/Keychain Access.
- Unlock the System Keychain.
- Copy the Keychain password from the admin user Keychain to the System Keychain.
- Create a plist to automatically unlock Data HD (see below).
- Using diskutil, note the UUID of the encrypted partition:
diskutil coreStorage list
- Create the file /Library/LaunchDaemons/filevault2.unlock.plist using the contents below. Replace [UUID] and [passphrase] with your values. Saving the [passphrase] in the plist is the reason the system disk must also be encrypted. If it were not, a malicious user could simply read your passphrase from the system disk.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>filevault2.unlock</string>
    <key>ProgramArguments</key>
    <array>
        <string>diskutil</string>
        <string>cs</string>
        <string>unlockVolume</string>
        <string>[UUID]</string>
        <string>-passphrase</string>
        <string>[passphrase]</string>
    </array>
    <key>QueueDirectories</key>
    <array/>
    <key>RunAtLoad</key>
    <true/>
    <key>WatchPaths</key>
    <array/>
</dict>
</plist>
- Reboot and log on as the normal user. Logon should now work.
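The plist above is hand-edited, which is where two things tend to go wrong: a passphrase containing an XML special character such as & or < silently corrupts the file, and the file ends up world-readable on a disk that is only protected while FileVault is locked. The following POSIX shell script is an added example, not part of the hint, that writes the same LaunchDaemon from a UUID and passphrase while checking both. The function names (write_unlock_plist, xml_escape, is_uuid) are this example's own; the UUID it expects is the Logical Volume UUID that diskutil coreStorage list prints, which is what diskutil cs unlockVolume takes. It only writes the file; unlocking still happens at the next reboot as in step 16.

```shell
#!/bin/sh
# Added example (not from the original hint): generate the FileVault2 unlock
# LaunchDaemon with the passphrase XML-escaped and the file mode restricted.
# Function and variable names are this example's own assumptions.

# Escape the five XML special characters so a passphrase containing
# '&', '<', '>', '"' or "'" cannot break or be misparsed by the plist.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Accept only an 8-4-4-4-12 hex UUID, the form diskutil coreStorage list
# prints for the Logical Volume.
is_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# write_unlock_plist UUID PASSPHRASE OUTFILE
# Writes the LaunchDaemon plist readable by its owner only; returns 1 on bad input.
write_unlock_plist() {
    uuid=$1; passphrase=$2; out=$3
    is_uuid "$uuid" || { echo "write_unlock_plist: bad UUID '$uuid'" >&2; return 1; }
    [ -n "$passphrase" ] || { echo "write_unlock_plist: empty passphrase" >&2; return 1; }
    escaped=$(xml_escape "$passphrase")
    # The subshell limits umask 077 to this write, so the file is never
    # created with a permissive mode even for an instant.
    (
        umask 077
        cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>filevault2.unlock</string>
    <key>ProgramArguments</key>
    <array>
        <string>diskutil</string>
        <string>cs</string>
        <string>unlockVolume</string>
        <string>$uuid</string>
        <string>-passphrase</string>
        <string>$escaped</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
    ) || return 1
    chmod 600 "$out"
}

# Usage on the Mac, as root, with the real values (constructed placeholders here):
#   write_unlock_plist "$LV_UUID" "$PASSPHRASE" /Library/LaunchDaemons/filevault2.unlock.plist
#   chown root:wheel /Library/LaunchDaemons/filevault2.unlock.plist
```

launchd refuses LaunchDaemons that are not owned by root or that are group/world writable, so the chown in the usage comment is required as well as the chmod; root-only read access also means an ordinary user on the running, unlocked system cannot simply cat the passphrase out of the plist.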
[crarko adds: I haven't tested this one. I'd suggest trying this one with a test system and user to get comfortable with the process before trying it on a production machine. At minimum, have a known good backup of everything.]