How to create an encrypted APFS volume from the command-line

apfsdiskutil

I'm trying to automate creating an encrypted APFS image with files in it. What I have so far:

>>> hdiutil create -megabytes 1 -layout GPTSPUD -fs apfs -volname encryption encryption.dmg
    created: .../encryption.dmg

>>> hdiutil attach -stdinpass encryption.dmg
    /dev/disk2              GUID_partition_scheme           
    /dev/disk2s1            Apple_APFS                      
    /dev/disk3              EF57347C-0000-11AA-AA11-0030654 
    /dev/disk3s1            41504653-0000-11AA-AA11-0030654 /Volumes/encryption

>>> diskutil apfs deleteVolume disk3s1
    Started APFS operation
    Deleting APFS Volume from its APFS Container
    Unmounting disk3s1
    Deleting Volume
    Finished APFS operation

>>> diskutil apfs addVolume disk3 APFS encryption -nomount -stdinpassphrase
    Exporting new encrypted APFS Volume "encryption" from APFS Container Reference disk3
    Started APFS operation on disk3
    Preparing to add APFS Volume to APFS Container disk3
    Creating APFS Volume
    Created new APFS Volume disk3s1
    Disk from APFS operation: disk3s1
    Finished APFS operation on disk3

>>> hdiutil detach -quiet /dev/disk3


>>> hdiutil detach -quiet /dev/disk2


>>> hdiutil attach -stdinpass encryption.dmg

    hdiutil: attach failed - no mountable file systems

But the final attach command failed.

If I try to open the resulting DMG in Finder, it too tells me that there are no mountable file systems, so clearly I failed to add the volume, even though the addVolume command succeeded and said it successfully created the volume.

Maybe it didn't though, so does anyone know how to do this?

Best Answer

It seems that the volume was created correctly, but hdiutil attach just provides misleading output when you try to mount a disk with an encrypted volume on it. If you use -nomount and then proceed with diskutil commands instead, everything seems to work.

Here's the flow (there may be shortcuts but this is running from a script, so sometimes it detaches and reattaches because that's how the script is organised):

>>> hdiutil create -megabytes 1 -layout GPTSPUD -fs apfs -volname encrypted encrypted.dmg
    created: .../encrypted.dmg

>>> hdiutil attach -nomount encrypted.dmg
    /dev/disk2              GUID_partition_scheme           
    /dev/disk2s1            Apple_APFS                      
    /dev/disk3              EF57347C-0000-11AA-AA11-0030654 
    /dev/disk3s1            41504653-0000-11AA-AA11-0030654 

>>> diskutil mount disk3s1
    Volume encrypted on disk3s1 mounted

>>> diskutil apfs deleteVolume disk3s1
    Started APFS operation
    Deleting APFS Volume from its APFS Container
    Unmounting disk3s1
    Deleting Volume
    Finished APFS operation

>>> diskutil apfs addVolume disk3 APFS encrypted -nomount -stdinpassphrase
    Exporting new encrypted APFS Volume "encrypted" from APFS Container Reference disk3
    Started APFS operation on disk3
    Preparing to add APFS Volume to APFS Container disk3
    Creating APFS Volume
    Created new APFS Volume disk3s1
    Disk from APFS operation: disk3s1
    Finished APFS operation on disk3

>>> hdiutil detach /dev/disk3
    "disk3" unmounted.
    "disk3" ejected.

>>> hdiutil detach /dev/disk2
    "disk2" unmounted.
    "disk2" ejected.

>>> hdiutil attach -nomount encrypted.dmg
    /dev/disk2              GUID_partition_scheme           
    /dev/disk2s1            Apple_APFS                      
    /dev/disk3              EF57347C-0000-11AA-AA11-0030654 
    /dev/disk3s1            41504653-0000-11AA-AA11-0030654 

>>> diskutil apfs unlockVolume disk3s1 -stdinpassphrase
    Unlocking any cryptographic user on APFS Volume disk3s1
    Unlocked and mounted APFS Volume

>>> diskutil mount disk3s1
    Volume encrypted on disk3s1 mounted

>>> hdiutil detach /dev/disk3
    "disk3" unmounted.
    "disk3" ejected.

>>> hdiutil detach /dev/disk2
    "disk2" unmounted.
    "disk2" ejected.

>>> hdiutil attach -nomount encrypted.dmg
    /dev/disk2              GUID_partition_scheme           
    /dev/disk2s1            Apple_APFS                      
    /dev/disk3              EF57347C-0000-11AA-AA11-0030654 
    /dev/disk3s1            41504653-0000-11AA-AA11-0030654 

>>> dd if=/dev/disk3 of=encrypted.img

    1968+0 records in
    1968+0 records out
    1007616 bytes transferred in 0.049776 secs (20242977 bytes/sec)

>>> hdiutil detach /dev/disk3
    "disk3" unmounted.
    "disk3" ejected.

>>> hdiutil detach /dev/disk2
    "disk2" unmounted.
    "disk2" ejected.

Create login script

Putting it in home folder for simplicity

nano ~/unmountDisk.sh

put the following in it (replace Macintosh\ HD with the disk name you want to unmount, if needed)

#!/bin/bash
sleep 20  # don't do it immediately, wait until it is mounted
diskutil unmount Macintosh\ HD

save (ctrl-x then y, enter). Then make executable

chmod a+x ~/unmountDisk.sh

Create launchd agent

nano ~/Library/LaunchAgents/my.username.unmountDisk.plist

put the following in it (note: replace username with your username, especially after /Users/)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>my.username.unmountDisk</string>
    <key>ProgramArguments</key>
    <array><string>/Users/username/unmountDisk.sh</string></array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

Finally, enable it

launchctl load ~/Library/LaunchAgents/my.username.unmountDisk.plist

This should get the disk auto-unmounted shortly after login. If it doesn't work, maybe increase the delay (it was 20 seconds in the example). You can check if it works by opening Finder immediately after logging in; you should see the disk unmounting itself after a few seconds.

Make disk-read only

I also noticed that fstab can make the disk read only (could be done as well, for safety).

sudo vifs

then press G o and paste

LABEL=Macintosh\040HD none apfs ro

APFS encrypted volume no longer accepts password

mount_apfs: mount: Input/output error

The enclosure, cable, or drive are (or are going) bad.

Best Answer

Related Solutions

How to prevent an encrypted APFS volume from automatically mounting

Create login script

Create launchd agent

Make disk-read only

APFS encrypted volume no longer accepts password

Related Question