MacOS – Preventing Volume Unlock Prompt

Tags: apfs, catalina, encryption, macos, unlock

I have an encrypted APFS volume that I do not wish to be unlocked automatically; however, every time a user logs in on my system they are prompted to enter a passphrase for the volume, every single time.

What I want to know is, is there a way to prevent macOS from trying to unlock specific APFS volumes when a user logs in, or even better, to only do so if a password is found in that user's keychain (so I can have it auto-mount for some users but be ignored for others)?

I've already tried adding the volume to /etc/fstab with the `noauto` option, but while all other settings are respected when the volume is mounted, this one is ignored, presumably because unlocking of APFS volumes occurs before the volume is mounted.

Best Answer

It's possible to prevent the unlock prompt by changing the role of the encrypted volume!

  1. Get the device identifier (and the UUID which is required later) of the encrypted volume:

    diskutil ap list
    
  2. Change the volume role:

    diskutil ap changeVolumeRole diskXsY D
    

    APFS can use flags to determine a special role of a volume: S = System volume, B = Preboot, etc. A simple encrypted volume (no boot/system volume group) usually has no specific role. For an unknown reason, the D (= Data) role prevents the unlock prompt, and the volume won't be mounted automatically.

To mount and unlock the volume for a user (here: the user currently logged in), create a launch agent:

  1. Create a launch agent:

    nano ~/Library/LaunchAgents/usr.automount.plist
    

    and add the following content:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Disabled</key>
        <false/>
        <key>Label</key>
        <string>usr.automount</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/sbin/diskutil</string>
            <string>ap</string>
            <string>unlock</string>
            <string><UUID_of_encrypted_APFS_volume></string>
            <string>-passphrase</string>
            <string><password></string>
        </array>
        <key>RunAtLoad</key>
        <true/>
    </dict>
    </plist>
    

    Example with the UUID 4E253DC9-5B87-49CB-96F3-DE4737C16464 and the password test:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Disabled</key>
        <false/>
        <key>Label</key>
        <string>usr.automount</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/sbin/diskutil</string>
            <string>ap</string>
            <string>unlock</string>
            <string>4E253DC9-5B87-49CB-96F3-DE4737C16464</string>
            <string>-passphrase</string>
            <string>test</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
    </dict>
    </plist>
    

    Save the file in nano.

  2. Load the launch agent:

    launchctl load ~/Library/LaunchAgents/usr.automount.plist
    

This won't unload and lock the encrypted volume if you log out as user1 (unlock enabled) and log in as user2 (unlock disabled) without a reboot!


Checking your other questions, I realized that you might have specific mount points for encrypted volumes (e.g. mounted to user folders/subfolders). The simple approach in the launch agent won't work then.
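As an added example (not part of the question or of the answer above), the following script keeps the passphrase out of the launch agent entirely: it looks the passphrase up in the logged-in user's login keychain with `security find-generic-password` and feeds it to `diskutil apfs unlockVolume` through `-stdinpassphrase`, so it never appears in `ProgramArguments`, where `ps` would show it to every local user, and is never written in plaintext to a plist. A user who has no keychain item is simply skipped, which is the per-user behaviour the question asked for. The script name, the keychain service name `apfs-unlock-<UUID>`, the exit codes and the overridable tool paths are this example's own conventions, not anything diskutil or the answer defines.

```shell
#!/bin/sh
# apfs-keychain-unlock.sh (added example, not from the answer above)
#
# Unlock an encrypted APFS volume with a passphrase taken from the current
# user's login keychain, so nothing secret is written into the launch agent
# plist and nothing secret is passed on the command line (arguments given
# with -passphrase are visible to every local user in `ps` output).
# A user with no keychain item is skipped, which gives the per-user
# behaviour the question asked for.
#
# One-time setup, run interactively by each user who should auto-unlock
# (the service name "apfs-unlock-<UUID>" is this script's own convention;
# -w with no value prompts for the passphrase without echoing it):
#   security add-generic-password -a "$USER" -s "apfs-unlock-<UUID>" -w
#
# The tool paths are overridable so the logic can be exercised without real
# volumes; that is a testing convenience of this example, not a diskutil feature.
DISKUTIL="${DISKUTIL:-/usr/sbin/diskutil}"
SECURITY="${SECURITY:-/usr/bin/security}"

# Name of the keychain item that holds the passphrase for one volume.
keychain_service() {
    printf 'apfs-unlock-%s\n' "$1"
}

# Accept only a canonical volume UUID, never a device path or a stray option.
is_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Print the passphrase for the volume, or print nothing and fail when the
# current user has no matching keychain item.
passphrase_for() {
    account="${USER:-$(id -un)}"
    "$SECURITY" find-generic-password -a "$account" \
        -s "$(keychain_service "$1")" -w 2>/dev/null
}

# Exit codes: 0 unlocked, 2 rejected volume id, 3 no keychain item for this
# user, otherwise whatever diskutil returned.
unlock_volume() {
    uuid="$1"
    if ! is_uuid "$uuid"; then
        echo "refusing volume id that is not a UUID: $uuid" >&2
        return 2
    fi
    pw="$(passphrase_for "$uuid")" || pw=""
    if [ -z "$pw" ]; then
        echo "no keychain passphrase for $uuid for this user; skipping" >&2
        return 3
    fi
    # -stdinpassphrase keeps the secret off the command line; diskutil mounts
    # the volume after unlocking it unless -nomount is given.
    printf '%s' "$pw" | "$DISKUTIL" apfs unlockVolume "$uuid" -stdinpassphrase
}

# Invoked by the launch agent as: /bin/sh <path to this script> <volume UUID>
if [ $# -gt 0 ]; then
    unlock_volume "$1"
fi
```

Save the script somewhere in the user's home directory and have the launch agent run `/bin/sh`, the script path and the volume UUID as its three `ProgramArguments` in place of the `diskutil ap unlock ... -passphrase ...` line. Because the login keychain is unlocked with the user's login password, the volume is now protected by that password rather than by whoever can read the plist. The answer's caveat still applies: nothing here locks the volume again when the user logs out, so a second user logging in without a reboot finds it already unlocked.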