OSX Automatic Unlock and Mount Encrypted User Account on Separate Partition

0

I am using a bootable flash drive with OSX Yosemite, a single admin account, and multiple user accounts (for testing purposes, will migrate to MacBook when I get this to work). I am trying to find a way to guarantee privacy/security for each individual account from each other and the outside. I have enabled filevault2 so there is a password to mount the drive.

As it turns out, anyone able to mount the drive (with the FileVault unlock) is able to take the flash drive to another computer with admin access and disable permissions. Since it is not practical for me to only have a single account able to unlock the drive, I needed to find a way to secure every account from each other (including from the admin, non-root, account).

Reading over guides, I found a way to put each users home directory on a separate partition. I thought I could use this to create additional access control points using encrypted partitions.

For example: http://lnx2mac.blogspot.com/2010/09/moving-os-x-users-to-separate-partition.html

However, encrypting these partitions left me with some unwanted side effects. I set it up using the above guide to edit /etc/fstab to put a user's home directory on a separate encrypted partition on the flash drive. Unfortunately there is a minor problem when logging in to these accounts. Since the drive is not decrypted and mounted until prompted after the desktop GUI loads, the proper desktop is not loaded (the /Applications folder contents appear) until after I unlock, mount, log out and log back in.


Is there a way to fix this so I do not have to hard code a password anywhere? I was reading about trying to use launchd to accomplish "similar" tasks but I am not sure how to use the login password with all of my accounts on separate partitions. I am pretty new to using launch daemons so if this is part of the solution please provide as much detail as possible. (I tried checking the "save password to keychain" option but it did not work, probably because the home is encrypted on the partition to be mounted.)

Caveats: I am trying to accomplish this without non-native tools or software if possible. All the encryption so far has been done with filevault and diskutil.

In short: Unlock and mount an encrypted partition containing an individual user's home directory, granting a view of the proper desktop without needing to log out and back in. Additionally, is it safe to use a keychain if you cannot assume an admin (non-root) account will not try to exploit it to gain access?

Dan

Posted 2015-07-08T15:39:44.373

Reputation: 111

I did some additional research and found that Launch Daemons may be the way to go. I'm still trying to figure out how to use them. I'll post up whatever I find in case anyone actually runs into this in the future. – Dan – 2015-07-10T14:36:12.037
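The launchd approach the question is circling around can be sketched with a per-user LaunchAgent. The script below is an added example, not code from the question, the answer or the linked guide: it writes a LaunchAgent that runs as the logged-in user and unlocks a Disk Utility (CoreStorage) encrypted volume with a passphrase read from that user's login keychain, so no password is hard-coded in a file. The logical volume UUID is a placeholder, and the keychain service name, agent label and script path are names chosen for this example, not anything macOS defines.

```sh
#!/bin/sh
# Added example: LaunchAgent that unlocks a CoreStorage encrypted volume at
# login using the user's login keychain.  Not the question's or guide's code.
# Placeholders / assumed names: LV_UUID (replace with the LV UUID shown by
# `diskutil coreStorage list`), the keychain service name, the agent label
# and the script path.

LV_UUID="${LV_UUID:-00000000-0000-0000-0000-000000000000}"  # placeholder
PLACEHOLDER_UUID="00000000-0000-0000-0000-000000000000"
KEYCHAIN_SERVICE="home-volume-unlock"                        # assumed name
AGENT_LABEL="local.unlock-home"                              # assumed label
UNLOCK_SCRIPT="$HOME/Library/Scripts/unlock-home.sh"         # assumed path

# Reject anything that is not an 8-4-4-4-12 hex UUID before it reaches diskutil.
valid_uuid() {
    printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Emit the LaunchAgent property list.  RunAtLoad starts the job once when the
# user's session begins; the job runs as that user, so it can read that
# user's keychain and nobody else's.  $1 = label, $2 = script path.
agent_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$1</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>$2</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# Emit the script the agent runs.  The passphrase is piped on stdin
# (-stdinpassphrase), never placed on the command line, so it is not visible
# in `ps` output to other users on the machine.
unlock_script() {
    cat <<EOF
#!/bin/sh
set -e
# Read the passphrase from the login keychain (unlocked by the login password)
# and hand it to diskutil over stdin.
security find-generic-password -s "$KEYCHAIN_SERVICE" -w \\
    | diskutil coreStorage unlockVolume "$LV_UUID" -stdinpassphrase
EOF
}

# Write both files into the user's own directories and load the agent.
install_agent() {
    if ! valid_uuid "$LV_UUID" || [ "$LV_UUID" = "$PLACEHOLDER_UUID" ]; then
        echo "set LV_UUID to the logical volume UUID from 'diskutil coreStorage list'" >&2
        return 1
    fi
    mkdir -p "$HOME/Library/LaunchAgents" "$(dirname "$UNLOCK_SCRIPT")"
    unlock_script > "$UNLOCK_SCRIPT"
    chmod 700 "$UNLOCK_SCRIPT"        # only the owner may read or run it
    agent_plist "$AGENT_LABEL" "$UNLOCK_SCRIPT" \
        > "$HOME/Library/LaunchAgents/$AGENT_LABEL.plist"
    launchctl load "$HOME/Library/LaunchAgents/$AGENT_LABEL.plist"
}

case "${1:-}" in
    install) install_agent ;;
esac
```

Before installing, store the passphrase once as the user with `security add-generic-password -a "$USER" -s home-volume-unlock -w` (putting `-w` last makes `security` prompt instead of taking the value from the command line), then run the script with `install`. The keychain item is protected by the login keychain, which is encrypted with the user's login password; an admin who resets that password does not get the old keychain unlocked. What this snippet does not settle is ordering: launchd starts agents as the session comes up, so it does not by itself guarantee the volume is mounted before Finder reads the home directory.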

Answers

0

You might be able to accomplish what you want with Legacy FileVault (aka FileVault 1). This was based on storing a user's home folder in an encrypted disk image (encrypted with the user's login password), and automatically mounting it at login. Each user set up in this mode gets their own encrypted container, with their own password.

But as the name suggests, it's not fully supported anymore; since FileVault 2 debuted in OS X v10.7, accounts encrypted with FV1 can still be used, but setting up new FV1 accounts is not supported. But you may be able to fake it. I found a set of instructions at lab.maiux.com describing how to manually fake up FV1 encryption for an account. They were written for OS X Lion (10.7), but from the comments they at least mostly work in later versions as well. I have not tested them, so I can't make any promises at all. I can give you a couple of warnings, though:

  • Back up anything important first! And keep backing up after setting up FV1 (and make sure you are actually backing up what you need). It's entirely possible this will work perfectly when you test it on your flash drive, then fail catastrophically when you try it for real. The encrypted disk images are also subject to corruption due to system crashes, etc; a corrupted image could make your entire home folder unrecoverable.

  • As I said, this is pretty unsupported at this point, and Apple might decide to stop even allowing login to FV1 accounts at some point. I haven't heard (or tested) whether it's still supported in the 10.11 betas.

Gordon Davisson

Posted 2015-07-08T15:39:44.373

Reputation: 28 538

This is in the right direction but not quite what I am looking for since FileVault 1 is no longer native to OSX. That is why I am trying to use encryption provided by Disk Utility. – Dan – 2015-07-10T14:34:57.807