How to automatically mount a TrueCrypt volume on OSX after login with password/keyfile


I would like to do the following:

I. After logging into my account I would like OSX to automatically mount 2 of my volumes (located on the same external HDD connected via FW800) using a password or keyfile. I don't want to see any prompts for admin passwords or volume passwords as I already have my account password in place.

Question 1: How can I achieve this? Are there any scripts I can download or copy?

Question 2: Do I have to use keyfiles or can I use a password for OSX to automatically mount the volumes?

Bonus question: What would be the pros and cons of using a password vs keyfiles in this scenario?

For reference:

Currently I'm on OSX 10.8.3 and my OSX will be encrypted via FileVault2.

I'm not too worried that any keyfiles or passwords are stored on my OSX as it will be encrypted. I'll be using two-factor authentication when logging into my account, using a password I remember and having a Yubikey do the rest of the password. So it will be a VERY secure password.

I'm not a techie so I would need easy to understand instructions and more or less copy&paste scripts :)

Thanks!

VforVendetta

Posted 2013-05-03T17:52:32.153

Reputation: 81

It's not someone breaking into your account that you need to worry about, it's you letting someone in. If you don't have to type in a password, then neither does a virus/malware. – Darth Android – 2013-05-03T19:39:53.617

Maybe I need to clarify a bit: Only the encrypted ext. HDD should NOT prompt me for a password. The account password should remain in place. – VforVendetta – 2013-05-03T20:41:23.880

Answers


First make the volume use a keyfile and an empty password in Volume Tools > Change Volume Password. Then save a property list like this as ~/Library/LaunchAgents/truecrypt.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>truecrypt</string>
    <key>ProgramArguments</key>
    <array>
        <string>bash</string>
        <string>-c</string>
        <string>diskutil list | grep -Fq ' *1.1 GB ' &amp;&amp; exit # an asterisk indicates that the volume is mounted
disk=$(diskutil list | awk '/ 1.1 GB /{print $NF}')
[[ $disk ]] || exit
/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt --mount /dev/$disk -k ~/path/to/keyfile -p ''</string>
    </array>
    <!-- Added key: also run the job once when the agent is loaded at login, so a drive
         that is already attached gets mounted without waiting for a mount event -->
    <key>RunAtLoad</key>
    <true/>
    <key>StartOnMount</key>
    <true/>
</dict>
</plist>

Change 1.1 GB to the size of the volume shown by diskutil list. There might be some better way to identify the volume, but for example diskutil info /dev/disk1s4 didn't show a UUID for the volume I tested with.

Then enable the agent by running launchctl load ~/Library/LaunchAgents/truecrypt.plist or by logging out and back in. You have to unload and load the plist to apply changes to it.

Caveats:

  • When the truecrypt command is run for the first time after you log in, it asks for the password of an administrator account, even if it is run as root. That could get annoying after a while if you log out or restart frequently.
  • The launchd job gets triggered when any volume is mounted, so if you unmount the TrueCrypt volume (but keep the external drive connected) and mount some other volume, the TrueCrypt volume gets mounted again.

Or could you just encrypt the volume with FileVault? If you check "Remember this password in my keychain", the volume is mounted automatically as long as the login keychain is unlocked.

That also means that if the login keychain is unlocked, other people who have access to your computer can see the password with for example security find-generic-password -l "My FileVault volume" -w.


Edit: there was no special reason why I used a keyfile and an empty password in the example above. To use a password and no keyfile, replace TrueCrypt --mount /dev/$disk -k ~/path/to/keyfile -p '' with for example TrueCrypt --mount /dev/$disk -p pa55word. Or replace pa55word with "$(security find-generic-password -l "My TrueCrypt volume" -w)" and use Keychain Access to add a keychain item for the password.

Lri

Posted 2013-05-03T17:52:32.153

Reputation: 34 501
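The answer's bash one-liner identifies the volume by matching its size in the output of diskutil list, and the edit pulls the password from the login keychain. The script below is an added example, not Lri's code and not part of TrueCrypt, that factors those two lookups into functions you can test without a Mac: both read the partition table on standard input, so they are exercised here against a constructed diskutil list listing embedded in the script. tc_find refuses to pick a device when more than one partition has the requested size (the ambiguity the answer notes when it wishes for a UUID), and tc_mounted treats the TrueCrypt virtual disk's whole-disk line (the size that diskutil prints with a leading asterisk) as the sign that the container is already attached. The TrueCrypt path and the keychain item name "My TrueCrypt volume" come from the answer; the function that touches real devices only runs on a Mac and only when you pass the size on the command line. It passes the password with -p exactly as the answer does, so it is visible to ps while TrueCrypt starts; this example does not improve on that part.

```shell
#!/bin/bash
# Added example (not from the answer above): locate a TrueCrypt volume by the
# size column of `diskutil list`, detect whether it is already mounted, and
# mount it with a password stored in the login keychain.

# Constructed `diskutil list` output in the 10.8 layout: whole-disk lines carry
# an asterisk before the size, partition lines do not. The 1.1 GB partition on
# the external drive (disk1s3) is the TrueCrypt volume; 209.7 MB occurs twice.
SAMPLE_UNMOUNTED='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            499.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *1.0 TB     disk1
   1:                        EFI                         209.7 MB   disk1s1
   2:                  Apple_HFS Backup                  998.0 GB   disk1s2
   3:                  Apple_HFS                         1.1 GB     disk1s3'

# Same drive after TrueCrypt has mounted the volume: the container shows up as
# its own whole disk (disk2), whose size line is the container size with an
# asterisk. Also constructed.
SAMPLE_MOUNTED="$SAMPLE_UNMOUNTED
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                                                   *1.1 GB     disk2"

# tc_find SIZE: read `diskutil list` on stdin and print the identifier of the
# one partition whose size column equals SIZE (for example "1.1 GB").
# Returns 1 if no partition matches and 2 if several do, so a size collision
# never leads to mounting the wrong device.
tc_find() {
  want=$1
  # size is the two fields before the identifier; "*1.0 TB" on a whole-disk
  # line does not equal "1.0 TB", so whole disks are skipped automatically
  matches=$(awk -v want="$want" '
    NF >= 3 && ($(NF-2) " " $(NF-1)) == want { print $NF }')
  set -- $matches
  case $# in
    0) return 1 ;;
    1) printf '%s\n' "$1" ;;
    *) return 2 ;;
  esac
}

# tc_mounted SIZE: succeed if a whole-disk line of size "*SIZE" exists, i.e.
# TrueCrypt has already attached the container as a virtual disk.
tc_mounted() {
  awk -v want="$1" '
    NF >= 3 && ($(NF-2) " " $(NF-1)) == ("*" want) { found = 1 }
    END { exit !found }'
}

# tc_mount_by_size SIZE [KEYCHAIN_ITEM]: the macOS-only part. Runs the real
# diskutil, security and TrueCrypt commands; paths and the default item name
# follow the answer. The password is passed with -p as in the answer, so it is
# visible in `ps` while TrueCrypt is starting.
tc_mount_by_size() {
  size=$1
  item=${2:-"My TrueCrypt volume"}
  tc=/Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt
  diskutil list | tc_mounted "$size" && return 0
  dev=$(diskutil list | tc_find "$size") || return $?
  password=$(security find-generic-password -l "$item" -w) || return 3
  "$tc" --mount "/dev/$dev" -p "$password"
}

# Only touch real devices when run on a Mac with a size argument, e.g.
#   ./tc-mount.sh "1.1 GB" "My TrueCrypt volume"
if [ $# -ge 1 ] && [ "$(uname)" = Darwin ]; then
  tc_mount_by_size "$@"
fi
```

Because tc_find and tc_mounted read their input from stdin, the same script can be dropped into the answer's plist as the program launchd runs, and checked offline by feeding it a saved copy of diskutil list from the machine in question.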

Lauri, thanks for the excellent answer! Just what I was looking for. Can you clarify this for me:

"The truecrypt command asks for the password of an administrator account the first time it is run after logging in (even if it is run as root)."

Does that mean that I have to key in my admin password every time I start up my machine and TC is run? Or just the first time the script or app is run? If the former is the case then I would have to key in 2 passwords every time I start up the Mac. – VforVendetta – 2013-05-04T15:40:48.133

Every time after you restart. It doesn't seem to be required after logging out and back in or waking up from sleep though. – Lri – 2013-05-04T15:51:14.803

FileVault2 does seem tempting. Do you see any pros & cons of using FV vs TC, or any security risks, assuming that I always log out of my computer and let nobody access it? The TC app script would still have mounted if I log out. – VforVendetta – 2013-05-04T16:13:07.790

You could also add a logout hook for /Applications/TrueCrypt.app/Contents/MacOS/TrueCrypt -d. FileVault can also be used with Time Machine volumes and I think it has a lower performance impact, but you could ask another question about the pros and cons. – Lri – 2013-05-05T08:22:44.877

This is a great start, but what if I want to secure my encrypted volume with a passphrase only? Is there a way to store the passphrase in my OS X login Keychain, and configure truecrypt to use that?

You can do this, for instance, if instead of TrueCrypt you use encrypted .dmg volumes, since the hdiutil attach command is keychain aware.

But then the problem with encrypted .dmg files is they cannot be opened on Linux, I believe. – algal – 2013-09-06T05:02:27.497

@algal I edited the answer. – Lri – 2013-09-06T12:12:30.447