Auto-mount encrypted drive for multiple user accounts

So, what I hear you saying is that for each of the directories that I’m going to put on the external drive, there are two steps:

  1. Move the directory from the internal drive to the external drive; and
  2. Create a symlink in exactly the same place on the internal drive with exactly the same name and permissions and point it to the moved directory on the external drive.


If this is correct, can I do step one with a Finder move or must it be done in Terminal?

Or perhaps I should make the first step a copy instead of a move and then compare the two directories with a ls -l@e to make sure that they are exactly the same before deleting the directory from the internal drive. :thinking:

And I suppose that I should upgrade my User to have Administrative privileges before making any of these changes. (I noticed earlier tonight that I wasn’t able to delete the Documents directory when my User was just a regular account.)

Thank you.



UPDATE Sunday, January 12, 2025 5:37 PM

This 2019 source says there is no way to copy a directory that includes ACLs and Extended Attributes in Terminal and that you can see what’s different between the original and the copy with ls -leah@O; a complete copy can be done only with a Finder copy followed by a Finder paste while holding SHIFT+Option+Command, Paste Item Exactly:


Coincidentally, I’ve seen YouTube videos, i.e., those by Mac Sound Solutions, that show how to move an entire Home directory with just a normal Finder copy/paste, including this one starting at 8:15:


At 4:03 he demonstrates using Terminal to faithfully duplicate a directory and its content with the command:

sudo sync -avh --progress ~/


By the way, during early 2022 Howard Oakley recommends Tinker Tool for showing and setting ACLs with a demonstration of using it in a Home directory. Unfortunately, toward the end of 2022 he concludes that repairing home folder permissions is a mystery.

Correct. Symbolic links don’t have any permissions (or more to the point, you shouldn’t care about the permissions of the link). The permissions of the file/directory to which the link refers will be what controls access to the content.

Step 1 can be in the Finder. I would actually recommend that.

Creating the symlink, however, must be done from a terminal, unless someone here knows of a GUI utility for doing it.

I would suggest experimenting with a temporary account that you can play with and discard when you’re done experimenting. I wouldn’t want to try it the first time using an account containing real data.

I can’t say about that. My system (which has directories originally created in 2002 and migrated through many different Macs and macOS releases over the years) doesn’t have any ACLs on these folders. But yours does.

I suspect one or more of the ACLs is what is preventing you from deleting the directory. An administrator login should work. Or you could consider reviewing the specific ACLs and see about removing them. Maybe re-creating them after the move, if you think they are important.

Again, these are things I’d want to experiment with using a throw-away account.

We’re talking about things I haven’t done before and I wouldn’t want to accidentally trash something important on your system.

Note that it’s a 2019 source and was tagged “high-sierra”. Apple has improved the capabilities of the various command-line tools since then. So it might not work exactly the same today.

But yes, I’d agree that using the Finder to make the copy is probably going to be the most reliable method of preserving all attributes.

2 Likes

I found this summary table of what can and cannot be moved to an external drive and whether a symbolic link (or other method is used to do so):

Specific instructions including Terminal commands and troubleshooting in this PDF:

Cheatsheet for YouTube video How to Safely Move Mac Folders to an External SSD.pdf (138.4 KB)

Source:
Dated November 11, 2024

3 Likes

I couldn’t figure out a way to use the Finder to copy/move the directories with their ACLs and Extended Attributes intact. A regular Finder Drag-and-Drop as well as a regular copy/paste creates the directory with the same name, ownership, and permissions but the ACLs and Extended Attributes are NOT included on the destination. Even Finder paste while holding Shift+Option+Command, Paste Item Exactly results in this error:


Furthermore, I also wasn’t able to find a flag for cp or mv that would keep ACLs and Extended Attributes intact at the destination.

Exasperated, I went back to this video and studied the three methods that he says can be used to move a Home directory to an external drive.

  1. Drag-and-Drop while logged into another Administrator’s account doesn’t work because it changes ownership;
  2. Syncing the Home directory to the external drive might have worked but I didn’t try it because (a) I wasn’t comfortable with the flags, and (b) he mentioned glitches that he ran into; and
  3. Dragging-and-Dropping a Time Machine back up of the Home directory to the external drive worked perfectly:

Internal Drive

nello@miniMe ~ % pwd
/Users/nello
nello@miniMe ~ % ls -l@e
total 0
drwx------@  5 nello  staff   160 Jan 16 15:18 Desktop
	com.apple.macl	  72 
 0: group:everyone deny delete
drwx------@  3 nello  staff    96 Jan 16 14:15 Documents
	com.apple.macl	  72 
 0: group:everyone deny delete
drwx------+  3 nello  staff    96 Jan 16 14:15 Downloads
 0: group:everyone deny delete
drwx------+ 84 nello  staff  2688 Jan 16 14:35 Library
 0: group:everyone deny delete
drwx------   3 nello  staff    96 Jan 16 14:15 Movies
drwx------+  3 nello  staff    96 Jan 16 14:15 Music
 0: group:everyone deny delete
drwx------+  5 nello  staff   160 Jan 16 14:38 Pictures
 0: group:everyone deny delete
drwxr-xr-x+  4 nello  staff   128 Jan 16 14:15 Public
 0: group:everyone deny delete
nello@miniMe ~ %


External Drive

nello@miniMe nello % pwd
/Volumes/Sidecar/Users/nello
nello@miniMe nello % ls -l@e
total 0
drwx------@ 3 nello  staff   96 Jan 16 14:15 Documents
	com.apple.macl	 72 
 0: group:everyone deny delete
drwx------+ 3 nello  staff   96 Jan 16 14:15 Downloads
 0: group:everyone deny delete
drwx------  3 nello  staff   96 Jan 16 14:15 Movies
drwx------+ 3 nello  staff   96 Jan 16 14:15 Music
 0: group:everyone deny delete
drwx------+ 5 nello  staff  160 Jan 16 14:38 Pictures
 0: group:everyone deny delete
drwxr-xr-x+ 4 nello  staff  128 Jan 16 14:15 Public
 0: group:everyone deny delete
nello@miniMe nello %


The next step was to delete the following directories on the internal drive and replace each of them with a symlink that points to the corresponding directory on the external drive:

  1. ~/Documents
  2. ~/Downloads
  3. ~/Movies
  4. ~/Music
  5. ~/Pictures
  6. ~/Public


For each of these six directories, I:

  1. Removed the ACLs with chmod -RN, and
  2. Deleted the contents and the directory itself with rm -iR.


Unfortunately, macOS recreates these directories if they are missing so the only way that I could ultimately replace the directory with a symbolic link was with a stacked conditional command in the form:

rmdir directoryName && ln -s /Volumes/Sidecar/Users/nello/directoryName ~/directoryName

This worked for ~/Documents and ~/Downloads but resulted in the error, rmdir: directoryName: Operation not permitted for ~/Movies, ~/Music, and ~/Pictures, leaving me with:

nello@miniMe ~ % pwd 
/Users/nello
nello@miniMe ~ % ls -l@e
total 0
drwx------@  5 nello  staff   160 Jan 16 15:18 Desktop
	com.apple.macl	  72 
 0: group:everyone deny delete
lrwxr-xr-x   1 nello  staff    38 Jan 16 19:17 Documents -> /Volumes/Sidecar/Users/nello/Documents
lrwxr-xr-x   1 nello  staff    38 Jan 16 19:21 Downloads -> /Volumes/Sidecar/Users/nello/Downloads
drwx------+ 84 nello  staff  2688 Jan 16 14:35 Library
 0: group:everyone deny delete
drwx------   2 nello  staff    64 Jan 16 19:23 Movies
drwx------   2 nello  staff    64 Jan 16 19:24 Music
drwx------   2 nello  staff    64 Jan 16 19:32 Pictures
lrwxr-xr-x   1 nello  staff    35 Jan 16 19:26 Public -> /Volumes/Sidecar/Users/nello/Public



Interestingly, each of these directories corresponds to an application that controls placement of files.

  1. Movie
    In the application TV > Settings > Files, change /Internal/Users/nello/Movies/TV/Media to /Sidecar/Users/nello/Movies/TV/Media

  2. Music
    In the application Music > Settings > Files, change /Internal/Users/nello/Music/Music/Media to /Sidecar/Users/nello/Music/Music/Media

  3. Pictures
    In the application Photos create new library in /Sidecar/Users/nello/Pictures



What else can I try to make ~/Movies, ~/Music, and ~/Pictures into symbolic links?

Thank you for your help.

Interesting. I usually only see this if the media is formatted with something that doesn’t respect file ownership. If the destination is formatted as APFS and is not configured with the “Ignore ownership on this volume” option (see below), you shouldn’t see this.

Make sure this option isn’t checked. It may be the default for newly-formatted external media (since ownership can make it difficult to use the volume on other Macs, which may not have the same users/groups configured).

But if you’re using this volume to store per-user content (like home directory contents) then you absolutely do not want to be ignoring ownership, since it would allow every user to access everything on the volume, when you only want a user to be able to access his own content.

Also interesting. I wonder why Apple cares.

But you can still ignore that and just move the content elsewhere. Your libraries for the Music and Photos apps (and I assume TV and Books as well) can all be moved. If the app doesn’t auto-find it after the move, you can hold Option when launching and then select the library. Or you can double-click the library to launch the app. On the next launch, the app should auto-load the last-used library.

1 Like

Yes, the TV app > Settings > File puts a TV library in ~/Movies by default and allows you to change this location.

However, I can’t find a way to change the location of the Books library, which apparently is (or used to be) in ~/Library/Containers/com.apple.BKAgentService/Data/Documents/iBook/Books

Perhaps @james.cutler knows the Books library default location and how to change it in macOS 15.2.

James, how did you manage to create symlinks for ~/Movies, ~/Music, and ~/Pictures?

Did you do it from macOS Recovery? Turn off System Integrity Protection (SIP)?



UPDATE January 17, 2025

I restarted in macOS Recovery—no need to turn off SIP—and was able to use Terminal to delete ~/Movies, ~/Music, and ~/Pictures.

Then I restarted and logged into my user and created the symbolic links successfully:

nello@miniMe ~ % pwd
/Users/nello
nello@miniMe ~ % ls -l@e
total 0
drwx------@  4 nello  staff   128 Jan 16 20:40 Desktop
	com.apple.macl	  72 
 0: group:everyone deny delete
lrwxr-xr-x   1 nello  staff    38 Jan 16 19:17 Documents -> /Volumes/Sidecar/Users/nello/Documents
lrwxr-xr-x   1 nello  staff    38 Jan 16 19:21 Downloads -> /Volumes/Sidecar/Users/nello/Downloads
drwx------+ 85 nello  staff  2720 Jan 16 21:30 Library
 0: group:everyone deny delete
lrwxr-xr-x   1 nello  staff    35 Jan 17 13:13 Movies -> /Volumes/Sidecar/Users/nello/Movies
lrwxr-xr-x   1 nello  staff    34 Jan 17 13:13 Music -> /Volumes/Sidecar/Users/nello/Music
lrwxr-xr-x   1 nello  staff    37 Jan 17 13:14 Pictures -> /Volumes/Sidecar/Users/nello/Pictures
lrwxr-xr-x   1 nello  staff    35 Jan 16 19:26 Public -> /Volumes/Sidecar/Users/nello/Public


And, yes, I can do a cold boot, log into my user (on the internal drive), and the encrypted external drive is automatically mounted. (Yes, the first time a dialog popped up asking for the external drive’s encryption key; I was able to log into my password manager, copy the key from there, and paste it into the dialog box and check the box to store it on my Keychain. Since then, the external drive mounts without any interaction on my part, presumably using the encryption key from my Keychain. More precisely, there is a brief pause in the login progress bar and then it seems to start all over, perhaps after the external drive is mounted.)

Yippee! It all seems to work!

Books.app stores media in obfuscated files in ~/library. I can not depend on Apple to keep it in any particular place. I am migrating away from Books as fast as I can to limit the size of my Home directory, ~/.

As to how to create softlinks, you have done well. Yippee, indeed.

But, just for completeness, here is the latest version of my CreateMediaSoftLinksTemplate.command file. I did use Carbon Copy Cloner to copy the Source folders to the external drive. As usual, I was using the latest macOS release when I used this. I have not lost any links through macOS updates.

#!/bin/sh
# 2018-11-01	jrc CreateMediaSoftLinks.command
# 2019-10-17	jrc Updated with edits from Ric Ford
# 2019-10-17	jrc Updated to use variables for shell command customization
# 2019-10-17	jrc Updated to increase verbosity of comments

# CreateMediaSoftLinks for ThisUser on ThisMac

#   "ThisMacMedia" is a placeholder for the external volume to hold the media files.
#   "ThisUser" is a placeholder for the short username of the file owner affected.
#    Replace these placeholders with the desired values when creating and copying in Finder.

#    Edit the next two shell commands to automatically replace these placeholders 
#		with the desired values for the shell script actions.

ThisMacMedia="Put your external media volume name here";
ThisUser="Put your short username here";

#   Knowledge of disk management is assumed, including erasing, partitioning, and setting ownership and access.

#==================================================================
# PREPARATION STEPS:
#
#   Make your backups -- failure to do so is on your head!
#
#   These steps use Finder so that you don’t have to even think about permissions. 
#   Logged on as ThisUser, do the following Finder creates and copies:
#
#   Create folder /Volumes/ThisMacMedia/ThisUser
#   —  The use of ThisUser folder on ThisMacMedia isolates user permissions from volume permissions
#		and keeps the user account files separate from other volume contents. 
#   Create folder /Volumes/ThisMacMedia/ThisUser/Movies
#   Create folder /Volumes/ThisMacMedia/ThisUser/Music
#   Create folder /Volumes/ThisMacMedia/ThisUser/Pictures
#
#   Copy contents of /Users/ThisUser/Movies to /Volumes/ThisMacMedia/ThisUser/Movies
#   Copy contents of /Users/ThisUser/Music to /Volumes/$ThisMacMedia/ThisUser/Music
#   Copy contents of /Users/ThisUser/Pictures to /Volumes/$ThisMacMedia/ThisUser/Pictures
#
#   Make at least a cursory check of the copied files.
#
#==================================================================

# The following steps should be done from administrative account other than ThisUser
# and may require booting from another volume if Mojave security rules interfere with rm commands.

# Remove existing directories in boot drive ThisUser account folder.
# Paths are quoted so a volume or user name containing spaces stays one argument.
sudo rm -rf "/Users/$ThisUser/Movies";
sudo rm -rf "/Users/$ThisUser/Music";
sudo rm -rf "/Users/$ThisUser/Pictures";

# Create Soft Links
sudo ln -s  "/Volumes/$ThisMacMedia/$ThisUser/Movies"    "/Users/$ThisUser/Movies";
sudo ln -s  "/Volumes/$ThisMacMedia/$ThisUser/Music"     "/Users/$ThisUser/Music";
sudo ln -s  "/Volumes/$ThisMacMedia/$ThisUser/Pictures"  "/Users/$ThisUser/Pictures";

exit;

2 Likes
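
A guarded form of the `rmdir directoryName && ln -s …` step used in this thread, as an added example that is not code from any poster. It refuses to link unless the copy exists with the same mode and numeric owner, it never deletes a non-empty folder, and it detects the case where the folder is recreated before the link is made. The function names `mode_owner` and `link_checked` are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Paths are supplied by the caller.

# Print "mode uid" for a path without following symlinks, e.g. "drwx------ 501".
# substr() drops the trailing "@" / "+" flag that ls appends to the mode.
mode_owner() {
    ls -ldn "$1" | awk '{ print substr($1, 1, 10), $3 }'
}

# link_checked SRC DEST
#   SRC:  folder inside the home directory, e.g. "$HOME/Movies"
#   DEST: the copy already made on the external volume
# Exit status: 0 linked (or already linked), 2-6 refused; see messages.
link_checked() {
    src=$1
    dest=$2
    if [ -L "$src" ]; then
        # Already a symlink: fine only if it points at DEST.
        if [ "$(readlink "$src")" = "$dest" ]; then return 0; fi
        echo "refusing: $src already links elsewhere" >&2; return 2
    fi
    [ -d "$dest" ] || { echo "refusing: $dest not found (volume mounted?)" >&2; return 3; }
    [ -d "$src" ]  || { echo "refusing: $src is not a directory" >&2; return 3; }
    # The copy must carry the same mode and numeric owner as the original;
    # a copy made from another account can change the owner.
    if [ "$(mode_owner "$src")" != "$(mode_owner "$dest")" ]; then
        echo "refusing: mode/owner differ: $src vs $dest" >&2; return 4
    fi
    # rmdir only removes an empty directory, so data still in SRC survives.
    rmdir "$src" 2>/dev/null || {
        echo "refusing: cannot rmdir $src (not empty or protected)" >&2; return 5; }
    ln -s "$dest" "$src" || return 6
    # If SRC was recreated between rmdir and ln, the link lands inside it.
    if [ ! -L "$src" ]; then
        stray="$src/$(basename "$dest")"
        if [ -L "$stray" ]; then rm -f "$stray"; fi
        echo "failed: $src was recreated before the link was made" >&2; return 6
    fi
}

# Usage (paths from the thread):
#   link_checked "$HOME/Movies" /Volumes/Sidecar/Users/nello/Movies
```

The mode and owner comparison does not cover ACLs or extended attributes; compare those separately with `ls -l@e` as done earlier in the thread.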