Auto-mount encrypted drive for multiple user accounts

I’m using macOS 15.2 on a M4 Pro Mac mini with an external SSD formatted as APFS (Case-sensitive, Encrypted). When I encrypted it, I stored the encryption password on the Keychain for the user account (“originalUser”) that I was using at the time. When I log in as originalUser, the external SSD is automatically mounted.

I can see the Keychain item where the encryption password is stored by using Keychain Access (‘/System/Library/CoreServices/Applications/Keychain Access.app’) while logged in as originalUser: It is in the ‘login’ Keychain; the ‘Name’ field is the name of the external SSD and the ‘Kind’ field is ‘encrypted volume password’:

How can I automatically mount this external SSD when anotherUser logs in? In other words, how do I copy (or reenter) this Keychain item into the Keychain for anotherUser?

Thank you.

I haven’t tried this…but copy it to the System keychain maybe? Will need an admin password to unlock the latter but either copy/paste or recreate it there seems like it should work.

Yes, I have the password to originalUser, which is an administrator account.

It seems like the Keychain app interface has changed in macOS 15 and I can’t figure out how to either (a) copy all the fields of a Keychain Item or (b) create a new Item with all the fields/metadata.

Does anyone have experience with a CLI/Terminal interface to macOS Keychains?

I opened up Keychain Access and it let me copy an entry and then paste it into the System keychain. I didn’t save System afterwards but it appeared to have worked as expected.

1 Like

I wouldn’t try copying the keychain entry. You should be able to plug the drive in when logged in as the other user. MacOS will pop up a dialogue asking you to enter the password for the drive with a tickbox to save the password. Tick that box and MacOS will sort out the keychain entry and should automatically mount the drive in the future.

2 Likes

After several failed attempts, I finally figured out how to use Keychain Access’ Edit → copy/paste while logged into originalUser:



Here is the encryption password for the external SSD, Sidecar, in originalUser’s login Keychain:



I copied it from there and pasted it into the System Keychain as you can see here:



After quitting Keychain Access, I launched it again while logged into originalUser and verified that these Sidecar items were still there in both Keychains. Moreover, I used Keychain Access’ File → Get Info to retrieve the password in each item and these passwords were both the same and correct.

I logged out of both originalUser and newUser and rebooted the computer.

Unfortunately, I still wasn’t able to log into newUser (before logging into originalUser, which mounts Sidecar). The newUser login hangs, endlessly spinning the circular progress symbol (and does not time out and revert to a fresh, empty login prompt).

This hang occurs despite the fact that while logged into newUser, I launched Keychain Access and verified that the item for the encryption password for Sidecar is visible in the System Keychain, as you can see here:



I should have pointed out earlier why I think that newUser needs to mount Sidecar before it can log in: newUser’s account is on the internal drive but its Home is on Sidecar (whereas both originalUser’s account and Home are on the internal drive).

Just to make sure that the copy/paste had worked correctly, while logged into newUser I used Get Info to look at the actual value of the encryption password from its view and verified that all 36 randomly generated characters of the password were still there.

Since originalUser was mounting the external drive from its login Keychain, I decided to copy the Sidecar item to newUser’s login Keychain, as you can see here in Keychain Access while logged into newUser:



(No, I did not remove Sidecar from the System Keychain.)

As before, I logged out of both originalUser as well as newUser and shut down the computer and then started it.

Unfortunately, again I wasn’t able to log into newUser before logging into originalUser, which mounts Sidecar. But this time, after hanging for less than a minute, the login terminates with this message:



At this point, the only thing I can think of is deleting the Sidecar item in the System Keychain so that’s what I do using right-click on the Sidecar item and selecting Delete “Sidecar”:


And after entering newUser’s password to confirm the deletion, the Sidecar item is gone.

Once again, log out of both originalUser and newUser, shut down, and start.

Again, when logging in first with newUser, the login times out within a minute and displays the same error message as before.

What’s left to try @neil1 ?

Maybe the login process does not support logging in before the drive containing the user’s Home is mounted? :man_shrugging:t2:

1 Like

Yes.

I should have disclosed earlier that I can’t be already logged into the external drive because the newUser’s Home is on this external drive (so the external drive must be mounted at the time of login).

1 Like

This post discusses the same problem and has a workaround, which looks rather clunky.


Thank you very much for referring me to this MacRumors Forums post, which describes the workaround:

A workaround is to have another account on the Mac mini, log into that which would mount the external SSD and then fast user switch into the account with the Home folder on the external drive.


Yes, this is exactly what I’m doing and I was hoping to eliminate this extra login. But this extra login is not that big of a deal because I generally leave my computer on and logged in 24/7 (running BOINC projects when I’m not using it).


Also from this article:

For external SSDs, the encryption keys are held in the user account not at the OS level. So the user account has to load then the drive will mount.

I was hoping that putting the encryption password into the System Keychain would make it possible to mount the external drive before any references to Home files being made. But apparently, this isn’t how the login process works.

That’s always been problematic with macOS if the home is moved so I’ve never actually tried to move it. Dunno what else to recommend.

1 Like

Is it necessary to put the user’s home directory on the drive? Can you put the home directory on the internal drive and then create a folder on the external drive owned by that user, which can hold all of its documents and databases?

Moving a home directory is never recommended, because there are too many possibilities for apps to store paths to files that are not relative to the $HOME environment variable.

But if you create a new account with a home directory on external storage, you wouldn’t run afoul of this. But you would, of course, still encounter @nello’s issue with the drive needing to be mounted before a login will work.

Unfortunately, it appears that you can’t get the advanced user options (see below) when creating a new user. You can only get that screen when modifying an existing user. You could create a new user and immediately change its home directory (and then move it to the new location), but I’m still not comfortable with that.

It would appear that you can create users with custom advanced properties from the command line.

  • sysadminctl --addUser includes a --home option to specify the home directory for the account.
    • Type sysadminctl without any options for what appears to be its only documentation. It doesn’t have a man page.
  • createhomedir (there is a man page) to create a home directory with all the normal default contents.
  • dseditgroup to add the new user to various groups, as required. All accounts that users log-on to should belong to the staff group and administrative accounts should also belong to the admin group.
  • Various calls to dscl (it has a man page for documentation) to create the necessary entries in the system’s directory services.

Needless to say, if any of the above makes you uncomfortable, then don’t do it. Mistakes with these tools can make a mess of your system. Maybe practice using a copy of macOS installed in a VM, so you can just throw away the VM when you’re done and not break your real system while you’re learning.

h/t to Stack Exchange:

1 Like
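Putting the four tools in that list together in order, here is an added shell script (written for this thread, not from any poster or from Apple’s documentation) that validates the short name and the home path, prints the command sequence, and executes it only on macOS when DRY_RUN is unset. The single-dash spellings (-addUser, -fullName, -home, and "-password -" to be prompted for the password) are what sysadminctl’s own usage text shows on the versions I know, which is exactly what typing sysadminctl with no arguments prints, so confirm them on your system before running. The short name newuser and the path /Volumes/Sidecar/newUser are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: plan (and on macOS, run) the creation of a
# local account whose home directory lives on an external volume, using
# sysadminctl, createhomedir, dseditgroup and dscl. Flag spellings are the
# single-dash forms from sysadminctl's own usage text; check them on your system.

# A short name the directory service will accept: starts with a letter, then
# lowercase letters, digits, underscore or hyphen, at most 31 characters.
valid_username() {
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 31 ]
}

# The home must be an absolute path under /Users or under a volume in /Volumes.
# On macOS the volume directory must exist, i.e. the drive must be mounted now,
# because the account is useless while its home is unreachable.
valid_home() {
    case "$1" in
        /Users/?*|/Volumes/?*/?*) ;;
        *) return 1 ;;
    esac
    if [ "$(uname -s)" = Darwin ]; then
        case "$1" in
            /Volumes/*) [ -d "$(printf '%s' "$1" | cut -d/ -f1-3)" ] || return 1 ;;
        esac
    fi
    return 0
}

# plan_user SHORTNAME "Full Name" /path/to/home yes|no  -> one command per line.
# "-password -" asks sysadminctl to prompt for the password instead of taking
# it on the command line, where it would be visible in the process list.
plan_user() {
    u=$1; full=$2; home=$3; admin=$4
    valid_username "$u" || { echo "bad short name: $u" >&2; return 1; }
    valid_home "$home" || { echo "bad home path: $home" >&2; return 1; }
    printf 'sysadminctl -addUser %s -fullName "%s" -home %s -password -\n' "$u" "$full" "$home"
    printf 'createhomedir -c -u %s\n' "$u"
    # staff is normally already the primary group; adding it explicitly is harmless
    printf 'dseditgroup -o edit -a %s -t user staff\n' "$u"
    if [ "$admin" = yes ]; then
        printf 'dseditgroup -o edit -a %s -t user admin\n' "$u"
    fi
    # read the record back to confirm the home path was stored as given
    printf 'dscl . -read /Users/%s NFSHomeDirectory\n' "$u"
}

# run_plan: same arguments. Prints the plan on non-macOS hosts or when DRY_RUN
# is set; otherwise executes each step with sudo, stopping at the first failure.
# The plan is read from fd 3 so the password prompt still gets the terminal.
run_plan() {
    if [ "$(uname -s)" != Darwin ] || [ -n "${DRY_RUN:-}" ]; then
        plan_user "$@"
        return
    fi
    tmp=$(mktemp) || return 1
    plan_user "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    while IFS= read -r cmd <&3; do
        echo "+ $cmd"
        sudo sh -c "$cmd" || { rm -f "$tmp"; return 1; }
    done 3< "$tmp"
    rm -f "$tmp"
}

# Usage with placeholders: DRY_RUN=1 sh thisscript.sh prints the plan only.
if [ -n "${DRY_RUN:-}" ]; then
    run_plan newuser "New User" /Volumes/Sidecar/newUser no
fi
```

The mount check in valid_home is the part that matters for this thread: creating the account while the external volume is unplugged would let sysadminctl record a home path that points into the internal drive’s empty /Volumes mount point, and the login problems described above would follow.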

Responding to the issue of external Home directories:

After a catastrophic macOS update completely destroyed my external Home directory, recovery was painful to say the least. My macOS beta testing had been using an internal Home directory. So it was a complete shock (like iBooks migration which destroyed years of carefully curated metadata) when my production system update broke the system in myriad ways, including the assumption that ~/ expansion should ignore the $HOME definition set in System Preferences.

My practical solution was to revert to an internal Home directory but continue to offload Movies, Music, and Pictures to soft-linked directories on external volumes. In addition, I am slowly migrating away from Books which insists on storing in ~/Library folders. Tools include iMazing.app to manage iPhone content and Task Groups in Carbon Copy Cloner to manage pushbutton backups of -DATA, Media, and VM volumes to multi-volume backup drives.

Fortuitously, the MMP soft link solution had been in place for years before the Home catastrophe. So my external Media volume was untouched through all the perturbations.

The bottom line: Removing the bulk of mostly static content to external volumes has allowed an internal 2 TB drive to suffice without putting my local data on iCloud.

1 Like

Yes, putting Home on the internal is fine as long as navigating to the data is transparent, i.e., clicking on the folders within Home automatically maps to the data on the external drive.

Ideally, I’d like to change all these standard folders at the root of Home into symlinks to a corresponding folder on the external drive:

  1. Desktop
  2. Documents
  3. Library
  4. Movies
  5. Music
  6. Pictures
  7. Public

(The part of ~/Library that concerns me is ~/Library/CloudStorage.)

Is this possible?

  1. Does macOS require them to be UNIX directories?
  2. Are symlinks limited to the same drive?

Last questions first:

I don’t think macOS (at least not most parts of it) requires these to be actual directories.

Symlinks are not limited to the same drive. They point to a path. Which means, however, that if you rename the external drive so that it will mount with a different name, all those symlinks will break.

As for specific folders you mentioned:…

  1. Desktop
    I would worry about moving this. For most applications, it is just a folder like any other, but the Finder (obviously) treats it as special. I’d want to run some tests with a throw-away account to make sure it works as expected.

    I’d also be concerned that you may encounter failures (or at least weird Finder behavior) if you try to log-on when the external volume isn’t mounted.

  2. Documents
    I don’t see why this shouldn’t work. I don’t think there’s anything special about this, aside from it being the default location for lots of apps to save files.

  3. Library
    I wouldn’t want to move this one. The system does a lot of interesting things with the folders in Library and I would be very nervous about moving it.

    And like Desktop, I’d be concerned about something going very wrong if you try to log on to the account when the volume isn’t mounted.

  4. Movies
    Go for it. There shouldn’t be anything special in here. It is the default location for certain apps (like iMovie) to save their libraries, but you should be able to move those libraries or tell the apps to create new libraries in another location.

  5. Music
    Likewise. There’s nothing special here. Some apps like Music store their libraries here by default, but there’s no reason why you can’t move those libraries or tell the apps to create new libraries elsewhere.

  6. Pictures
    Again, shouldn’t be a problem. Photos and Photo Booth (and maybe a few other apps) put their libraries here by default, but moving the libraries shouldn’t be a problem.

    One thing to consider, however. If you have an old iPhoto library that was later migrated to Photos, the two libraries share the same images via hard-links between the libraries. If you move them to another volume, those links will be broken, causing all the linked files to be duplicated (so each library will have its own unique copy). This may cause the space consumed to balloon up.

    On the other hand, it’s unlikely that you’re using both apps. So perhaps it would be best to back-up and delete the iPhoto library if this might be a concern for you.

  7. Public
    Again, not a problem. This is an ordinary folder, but with special permissions on it. If you move the Public folder and replace it with a symlink, I would expect it to work, because the permissions should survive the move.

    Of course, if the external volume isn’t mounted, other users won’t be able to access it. This may or may not be a problem for you.

3 Likes

This is a little digression from the original topic, but several others have variant questions about external drives as all or part of the Home directory tree.

After an Apple update shredded my external Home directory – many applications ignored the configured Home directory – I concluded the following would be safe from untrained Apple programmers.

drwx------+ 108 xz4gb8  staff     3456 Jan  1 15:57 Library
lrwxr-xr-x    1 root    staff       35 Mar 28  2023 Movies -> /Volumes/MaxiJimMedia/xz4gb8/Movies
lrwxr-xr-x    1 root    staff       34 Mar 28  2023 Music -> /Volumes/MaxiJimMedia/xz4gb8/Music
lrwxr-xr-x    1 root    staff       37 Mar 28  2023 Pictures -> /Volumes/MaxiJimMedia/xz4gb8/Pictures

CCC Task lists include -DATA and all external volumes of interest.

This has survived macOS updates for many years. I cannot personally recommend messing with other Apple Special directories. Differing with Shamino, I would avoid both the Desktop and Documents folders to limit effects of gratuitous optimization change (Off->On) during OS updates.
I minimize my ~/Library size by not using Books for my large audiobook library which is stored on the external Media drive. Virtual Machine files are directly accessed on an external Volume. I minimize Dropbox disk usage by forcing online only and use Maestral to sync an external Volume included in the CCC Task lists. Between Time Machine and CCC all my personal data stays in my own domain.

This is the defensive posture I have assumed in light of some apparently capricious behaviors including migration to iBooks without warning. My iTunes data had been on an external volume for years before it was broken.

4 Likes

Thank you for your extraordinarily complete reply and consideration of infrequent cases.

Let me follow up on a few of your comments.


I’ll just leave it on the internal drive; it’s not that big.


I’m mostly concerned with files downloaded from cloud services eating up space on the internal drive. And yes, I want to force downloads so that I can back them up locally and restore them as needed.

As I understand from this TidBITS article, Apple is “encouraging” cloud storage providers to put downloaded files in ~/Library/CloudStorage:


What if I made only ~/Library/CloudStorage a symlink that points to the external drive?

Does this seem reasonable?


I converted all my iPhoto Libraries to Photos Libraries and deleted the iPhoto Libraries so this is not a concern. Nevertheless, thank you for being so complete as to consider this possibility.

Normally, I wouldn’t concern myself with it, because all cloud storage services have a system for offloading local copies of remote files. So there’s no danger of filling the volume. But you explicitly said that you want local copies of everything for a backup, so that’s not going to help.

I would be nervous about moving cloud storage in this fashion, because I don’t know what Apple (and other storage providers) do behind the covers.

Ordinarily, I’d suggest trying it out using a sacrificial login, but I’d still be concerned about corrupting the cloud copies of the files. So see if you can create a throwaway cloud account for testing (Maybe a free trial? Or maybe your provider lets you have multiple logins on one account that won’t interfere with each other?). Or failing that, start by making a full backup - perhaps by doing a manual drag/drop to another device. So if content gets corrupted, you can put it all back again.

Another comment. Depending on the backup software you’re using, you might not need to take any special actions for cloud files.

CCC, for example, has a feature for backing up cloud storage volumes. When activated, it will download each non-local cloud file, back it up, and then “evict” the file again.

They recommend making a separate backup task to back up cloud volumes to a separate destination (that is, not as a part of a whole system backup), but this might still satisfy your requirements. Then you can leave your CloudStorage folder in place and use a tool like this to make a backup of those files.

See also CCC: Backing up the content of cloud-storage volumes.

1 Like

I deleted the old users other than a single admin user. Then I created a regular user, ‘nello’.

As you can see, all the standard user directories other than Movies have either a plus sign (+) or at sign (@) at the end of their permissions, meaning that these directories have ACLs or extended attributes, respectively.

nello@miniMe ~ % ls -l /Users/nello  
total 0
drwx------@  3 nello  staff    96 Jan 11 14:24 Desktop
drwx------@  3 nello  staff    96 Jan 11 14:24 Documents
drwx------+  3 nello  staff    96 Jan 11 14:24 Downloads
drwx------+ 84 nello  staff  2688 Jan 11 15:29 Library
drwx------   4 nello  staff   128 Jan 11 15:00 Movies
drwx------+  3 nello  staff    96 Jan 11 14:24 Music
drwx------+  5 nello  staff   160 Jan 11 15:29 Pictures
drwxr-xr-x+  4 nello  staff   128 Jan 11 14:24 Public
nello@miniMe ~ %

I have no idea how to create a symlink to take the place of such directories, e.g., Documents, and preserve the effect of ACLs or extended attributes that are currently on the existing directory.

Thank you for your help.

Is there a way to do so or do I have to abandon the idea of replacing directories with symlinks?

If you move the folder, the ACLs/EAs should move with it.

You can view the extended attributes with the ls -@ option. You can use the -e option to view the ACLs. For example, an excerpt of my home directory:

$ ls -l@e
total 136
drwxr-xr-x@  11 username  staff    352 Jan 10 15:44 Desktop/
	com.apple.macl	  288 
drwxr-xr-x@  63 username  staff   2016 Oct 14 19:01 Documents/
	com.apple.FinderInfo	   32 
	com.apple.macl	   72 
	com.apple.metadata:_kMDItemUserTags	   53 
drwx------@   5 username  staff    160 Dec 31 01:25 Downloads/
	com.apple.macl	   72 
drwxr-xr-x  128 username  staff   4096 Mar 19  2024 Library/
drwx------   20 username  staff    640 Apr 10  2024 Movies/
drwxr-xr-x   19 username  staff    608 Feb 10  2023 Music/
drwx------   35 username  staff   1120 Apr 26  2024 Pictures/
drwxr-xr-x    5 username  staff    160 Jan  2  2024 Public/

You can do some web searching for the particular ACLs/attributes you’re using. In my case, I have no ACLs. The EAs I have are:

  • com.apple.macl is related to the security model on modern versions of macOS. It is what allows (for example) sandboxed apps to open files they create even if they don’t have permission to access the directory containing that file. It is SIP-protected and therefore can’t be modified or deleted except by certain system services. I would ignore it.
  • com.apple.FinderInfo contains data that MFS, HFS and HFS+ used to store as “Finder Info”, including things like the old file type and creator strings.
  • com.apple.metadata:_kMDItemUserTags contains the Finder tags you’ve assigned to a file.

See also:

1 Like