Encrypted volume automounting in Mac OS X
I've had a need to create an encrypted volume on my mac for the company source code. The requirements are not terribly stringent: If someone can log into the machine as me, they win, but otherwise, they should lose. With that set of requirements, you can make it so that the disk is automatically mounted at login.
Answer
Follow these steps:
- Open the Disk Utility and click the 'new image' button. You want to make a new GUID partition map based, case insensitive, journaled HFS sparse image with 128 bit AES encryption. Tell it you want a 10 GB image (should be plenty). Give it a name and save it in your home directory. Give it whatever password you want and tell it to store that password in the keychain.
- Open up the system preferences, accounts, then select login items and add an entry to open the disk image at login: just drag the disk image to the login items list. Since you saved the disk image's password in the keychain, it won't ask you before it mounts it. That is by design.
No one else can open the keychain without your login credentials (by default the login keychain has the same password as your account). No one else can mount the volume without breaking either your account, keychain or the password on the volume.
If someone steals your machine and changes the password using a Mac OS X install DVD you are still protected since the keychain password will not be changed and the disk will no longer auto-mount.
This technique doesn't make your account any more secure, but protects the contents of the encrypted volume from techniques that bypass account credentials to get at the disk - such as removing the disk (or booting in target mode) and mounting it as an external drive on some other machine, or booting single-user, or what not.