How to prevent an encrypted APFS volume from automatically mounting

apfsdisk-volumehigh sierramount

I tried adding the following line to /etc/fstab, but it doesn't work:

UUID=FF9DBDC4-F77F-3F72-A6C2-26676F39B7CE none apfs rw,noauto

I confirmed that it does work with unencrypted APFS volumes.

For encrypted HFS+ volumes you have to add the password to the keychain, but this workaround doesn't seem to work with encrypted APFS.

Best Answer

Indeed that is the case, even in Mojave (Beta 2).

I have a solution which is quite a hack, but it works. It consists in creating a login script that unmounts the disk using diskutil after a delay.

Create login script

Putting it in home folder for simplicity

nano ~/unmountDisk.sh

put the following in it (replace Macintosh\ HD with the disk name you want to unmount, if needed)

#!/bin/bash
sleep 20  # don't do it immediately, wait until it is mounted
diskutil unmount Macintosh\ HD

save (ctrl-x then y, enter). Then make executable

chmod a+x ~/unmountDisk.sh

Create launchd agent

nano ~/Library/LaunchAgents/my.username.unmountDisk.plist

put the following in it (note: replace username with your username, especially after /Users/)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>my.username.unmountDisk</string>
    <key>ProgramArguments</key>
    <array><string>/Users/username/unmountDisk.sh</string></array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

Finally, enable it

launchctl load ~/Library/LaunchAgents/my.username.unmountDisk.plist

This should get the disk auto-unmounted shortly after login. If it doesn't work, maybe increase the delay (it was 20 seconds in the example). You can check if it works by opening Finder immediately after logging in; you should see the disk unmounting itself after a few seconds.

Make disk-read only

I also noticed that fstab can make the disk read only (could be done as well, for safety).

sudo vifs

then press G o and paste

LABEL=Macintosh\040HD none apfs ro

Related Solutions

Prevent BootCamp partition from automatically mounting

I found this forum post which has a couple options:

The straightforward way is to create a login applescript, replacing /Volumes/Windows with your path:

tell application "Finder"
    if (exists the disk "Windows XP") then
        do shell script ("hdiutil unmount /Volumes/Windows\\ XP -force")
    end if
end tell

Another way is to modify /private/etc/rc.local to add:

disktool -u disk0s3

If you have more than one disk, or have formatted it into more than just a MacOS and Windows volume, you will have to use Disk Utility or something to determine the Disk Number (in this case 0) and Partition Number (in this case 3) of your Windows volume.

How to write fstab rules for an NTFS volume if the volume has no LABEL or UUID

On my "MY Passport" Western Digital I needed to use \040 at the space LABEL=My\040Passport none ntfs rw,auto,nobrowse