I have an encrypted APFS volume that I do not wish to be unlocked automatically; however, every time a user logs in on my system they are prompted to enter a passphrase for the volume, every single time.
What I want to know is: is there a way to prevent macOS from trying to unlock specific APFS volumes when a user logs in, or even better, to only do so if a password is found in that user's keychain (so I can have it auto-mount for some users but be ignored for others)?
I've already tried adding the volume to /etc/fstab with the noauto option, but while all other settings are respected when the volume is mounted, this one is ignored, presumably because unlocking of APFS volumes occurs before the volume is mounted.
Best Answer
It's possible to prevent the unlock prompt by changing the role of the encrypted volume!
Get the device identifier (and the UUID which is required later) of the encrypted volume:
Change the volume role:
APFS can use flags to determine a special role of a volume: S=System volume/B=Preboot etc. A simple encrypted volume (no boot/system volume group) usually has no specific role. For an unknown reason the D (=Data) role prevents the unlock prompt and the volume won't be mounted automatically.
To mount and unlock the volume for a user (here: the user currently logged in) create a launch agent:
Create a launch agent:
and add the following content:
Example with the UUID 4E253DC9-5B87-49CB-96F3-DE4737C16464 and the password test:
Save the file in nano
Load the launch agent:
This won't unload and lock the encrypted volume if you log out as user1 (unlock enabled) and log in as user2 (unlock disabled) without a reboot!
Checking your other questions, I realized that you might have specific mount points for encrypted volumes (e.g. mounted to user folders/subfolders). The simple approach in the launch agent won't work then.
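An added example, not part of the accepted answer, for the second half of the question: a script the per-user launch agent can run instead of holding the passphrase in the plist. It looks the passphrase up in the logged-in user's keychain and unlocks the volume only if an item exists, so users without one get neither a prompt nor a mount. It assumes macOS `diskutil apfs unlockVolume` with `-stdinpassphrase` and `security find-generic-password`; the script file name, the keychain service name "apfs-unlock", and the sample `diskutil apfs list` text embedded at the end (used only to exercise the parser) are my own conventions and constructed data, not from the original page.

```shell
#!/bin/sh
# unlock-apfs-from-keychain.sh  (hypothetical file name)
#
# Unlock an encrypted APFS volume, identified by UUID, only if the current
# user's login keychain holds a passphrase for it. Users without such an item
# get no prompt and the volume stays locked. Intended to be run from a per-user
# launch agent. Added example; not code from the original answer.
#
# Assumptions: macOS `diskutil` and `security` are available; the passphrase is
# stored as a generic keychain item whose service name is "apfs-unlock" and
# whose account name is the volume UUID (a convention chosen for this script).

SERVICE="apfs-unlock"

# Return 0 if $1 has the 8-4-4-4-12 hex shape of an APFS volume UUID.
is_uuid() {
    printf '%s\n' "$1" \
        | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Read `diskutil apfs list` text on stdin and print the state of volume $1:
# "locked", "unlocked", "unencrypted" or "absent". Keys on the volume header
# line ("+-> Volume diskXsY <UUID>") and that volume's "FileVault:" line.
volume_state() {
    awk -v uuid="$1" '
        /[+]-> Volume / { inside = (toupper($NF) == toupper(uuid)) }
        inside && /FileVault:/ {
            if      (index($0, "(Unlocked)")) print "unlocked"
            else if (index($0, "(Locked)"))   print "locked"
            else                              print "unencrypted"
            seen = 1; exit
        }
        END { if (!seen) print "absent" }
    '
}

# Print the passphrase for volume $1 from the login keychain; non-zero exit
# (and no output) if no item exists for this user.
keychain_passphrase() {
    security find-generic-password -s "$SERVICE" -a "$1" -w 2>/dev/null
}

main() {
    uuid="$1"
    is_uuid "$uuid" || { echo "usage: $0 <volume-uuid>" >&2; return 2; }

    state=$(diskutil apfs list | volume_state "$uuid")
    case "$state" in
        locked)   ;;
        unlocked) echo "$uuid is already unlocked"; return 0 ;;
        *)        echo "$uuid: $state" >&2; return 1 ;;
    esac

    # No keychain item for this user: stay silent and leave the volume locked.
    pw=$(keychain_passphrase "$uuid") || return 0

    # -stdinpassphrase keeps the secret out of the argument list, where
    # `ps` and process-accounting logs would otherwise show it.
    printf '%s' "$pw" | diskutil apfs unlockVolume "$uuid" -stdinpassphrase
}

# Constructed sample of `diskutil apfs list` output (not captured from a real
# machine), used to exercise volume_state without touching any disk.
SAMPLE_LIST='+-- Container disk3 0A1B2C3D-0000-0000-0000-000000000001
    |
    +-> Volume disk3s1 11111111-2222-3333-4444-555555555555
    |   APFS Volume Disk (Role):   disk3s1 (No specific role)
    |   Name:                      Scratch (Case-insensitive)
    |   Mount Point:               /Volumes/Scratch
    |   FileVault:                 No
    |
    +-> Volume disk3s2 4E253DC9-5B87-49CB-96F3-DE4737C16464
        APFS Volume Disk (Role):   disk3s2 (Data)
        Name:                      Vault (Case-insensitive)
        Mount Point:               Not Mounted
        FileVault:                 Yes (Locked)'

# Run only when executed directly; when sourced, the functions are just defined.
if [ "${0##*/}" = "unlock-apfs-from-keychain.sh" ]; then
    main "$@"
fi
```

To enable unlocking for one user, store the passphrase in that user's login keychain with `security add-generic-password -s apfs-unlock -a <UUID> -w` (with no value after -w it prompts, so the secret stays out of the shell history), and point the launch agent's ProgramArguments at the script with the UUID as its only argument. Users who never add the item are simply skipped, which gives the per-user behaviour asked for without writing the passphrase into a plist in plain text.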