unlock's Issues

My external disk is opened read-only

I had to re-install OSX and now UNLOCK is not working properly in my view.

Previously I added disk encryption on an existing disk. What happened was that at boot time I was first asked for the Disk Password. Then it would unlock and show me a list of accounts. I think that at the same time, the boot process was continuing and unlocked my data drive. So by the time I entered the password for my user, its disk was unlocked.

But now I set up OSX into an encrypted volume. The behavior is different now. When I boot I immediately get a list of accounts. For me this means that the system is not booting yet, because the disk is still unlocked. This is the small boot program that is running and which is aware of the accounts on the system. When I now enter the password of my user with its home on an external disk, I think the system immediately starts booting AND logs in my user.

The result is that the Data drive with the user folder is mounted read-only.

I also have a 2nd administrator with a home directory on the boot drive. When I log in with that user first, then log off and log in with the user with the home folder on the external drive, things run fine.

To me this kind of looks like a race condition that goes on? Do you know of this issue? Can it be resolved?

I also noticed that when installing UNLOCK, the data disk with the home folder of my user is the last of 4 drives for which the program is asking the passphrase. And in the console I can see it is the last one being unlocked. Is this a race condition and would it help if my Data drive was the first one to be unlocked?

2nd Drive is being unlocked without knowing password

It's quite strange to me - I've encrypted my 2nd Drive where my User-Data is located and ran your script. Curiously it didn't ask me for the password of the encrypted volume - only for my User-Password. After that I received "Installed 100%" (or something).

I've booted and logged in with another User (whose Data is stored on the 1st Drive) - it didn't mount or decrypt my 2nd Drive (but asked me for the password) which is quite like expected. Logging in with my main User, it decrypts the Volume without knowing my password? The password isn't stored in the keychain either.

I've tried it several times and it always works like described. How is that possible?

Implement in Objective-C

The current script relies on security, which can be used by any user on the system (and be used to return the passphrase...). This script should be programmed in Objective-C, so the passphrase can be requested and used without a middleman program (and never returned).

macOS Sierra support?

Hi, I just tried install this on the Beta for Sierra. I get:

$ curl -L https://raw.github.com/jridgewell/Unlock/master/install.sh | bash
Installing...
mv: rename name.ridgewell.unlock to /Library/PrivilegedHelperTools/: No such file or directory
chown: /Library/PrivilegedHelperTools/name.ridgewell.unlock: No such file or directory
chmod: /Library/PrivilegedHelperTools/name.ridgewell.unlock: No such file or directory
Do you want to unlock Users at boot? (y/N)

Not compatible?

Proper location for the binary

It seems to be fairly unconventional to store the unlock binary in /Library/LaunchDaemons/. Given that homebrew sets crazy permissions on many /usr/local/ directories, and all of /System and /sbin are locked down by SIP, perhaps /Library/PrivilegedHelperTools/ would be a reasonable place to put the binary?

My Harddrive is locked!!!

Hi everyone,
I recently have installed Ubuntu onto my Laptop that already has Windows 10 on it as well.
And now my hard drive is locked (bitlocker2)
Any help would be much appreciated.
Thanks Heaps
Will


Unlock help

Unlock appears to be exactly the solution I need - have run it twice but still locked out of my FileVault 2 disk.
Would love any advice on why this unlock would be failing.

Anticipatory thanks...

Dave

Curl link broken and plist not downloading

I have noticed a couple of recent changes (problems) with the links for unlock.

  1. The curl 'unlock' command no longer works. This started a couple of weeks ago.
  2. If I download and run the script the plist file fails to download. This started a day or so ago.

Regards

Johnathan Redman

Split install script up

I think it might be interesting/useful to split install.sh into at least two scripts, an installer, and a separate script that adds a volume (or all volumes except /) to the keychain, so users can add additional volumes later (or in my case, I wanted to build the tool myself rather than download it). The separate helper script could be called unlock and could potentially grow features like listing/removing volume entries, if that's reasonably possible with the underlying keychain tools.

about "I'm user A. What if user B logs in? Will my home drive be mounted?"

Let me start by saying that I'm nowhere near knowledgeable about how this works, so my apologies if this is a dumb idea, but regarding this:

The program is not aware of who is logging in and I don't know of a way to make it aware other than making it a User LaunchDaemon, which won't work. A pull request implementing this would be greatly appreciated.

What about a LoginHook? If the user logging in != the user whose $HOME is encrypted, then unmount the encrypted $HOME. Would that gain you anything?

(ISTM that the FileVault 2 must know which user has requested the unlock/login, because it's going to auto-login to that user's account, right? But I have no idea if that information is available programmatically.)

When is the actual unlock happening?

Thanks for sharing.

I tried it, and it works, but only if the external drive is plugged in when the computer is rebooting. Is this expected?

My use case is that I have 2 macs and my home dir is on an external drive. It does not seem to allow to plug the drive in at the login window and then log-in. Is that the case?

Thanks!

Specifying Mount Point

Is there a way to specify a mount point when using "Unlock"? I looked at the code and all it does is unlock an encrypted partition: I don't see anything which actually mounts it. So, I'm assuming after it is unlocked, the OS mounts it to "/Volumes". However, I'd like to mount the partition to a different location (in my case I want to mount an encrypted partition to "/Users").

I can probably modify the code myself, but am not sure whether it's possible to specify a mount point when unlocking a CoreStorage volume using "diskutil", or if there is a way to tell OS X to mount it to a specific directory (like through "fstab").

Thanks!

security problem: copy system keychain

Hey there!

Your tool is really cool, but I tested something and I think this is a little security problem.

1st partition is NOT encrypted (Macintosh HD)
2nd partition is encrypted (Users)

So when I boot in target mode, go into the Macintosh HD, copy the system keychain to another machine, install unlock on this machine and boot, I can mount the Users partition without a password.
I tested this on two Macs (10.9 and 10.8)

best regards
Steve

Mountain Lion (10.8) Support?

I have a dual hard drive MBP (SSD & non-SSD) of which, today, I unlock my home directory by logging in as a temporary user and then logging into my main account. I'm curious - I'll be rebuilding my system in the next week with Mountain Lion and am wondering if you've tested this at all in the new system?

Awesome work BTW - I'm not sure why Apple hasn't done something similar as an option for enterprise customers.

Thanks!

Unlock stopped working after cs conversion

I created the HFS partition on the external hard drive and converted it with diskutil cs convert /Volumes/EXT_SSD -passphrase.
After installation, the program worked very well as long as the core storage conversion was running. I have my home directory on the encrypted partition, and was able to log in. After the conversion was complete, the program stopped working. Is there something wrong with the CS partition?

osx 10.15.7

% diskutil list
...
/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk2
   1:                        EFI EFI                     209.7 MB   disk2s1
   2:          Apple_CoreStorage EXT_SSD                 499.8 GB   disk2s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk2s3

/dev/disk3 (external, virtual):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS                        +499.4 GB   disk3
                                 Logical Volume EXT_SSD on disk2s2
                                 B50387F8-59FE-492C-B90F-70C5B63A148C
                                 Locked Encrypted

Offline
                                 Logical Volume EXT_SSD on disk2s2
                                 B50387F8-59FE-492C-B90F-70C5B63A148C
                                 Locked Encrypted

system.log

Feb  7 12:46:14 Mac-mini-Sasa com.apple.xpc.launchd[1] (name.ridgewell.unlock): Unknown key for string: ServiceDescription
Feb  7 12:46:14 Mac-mini-Sasa com.apple.xpc.launchd[1] (name.ridgewell.unlock): Please switch away from OnDemand to KeepAlive.
Feb  7 12:46:14 Mac-mini-Sasa name.ridgewell.unlock[553]: Unlocking volume B50387F8-59FE-492C-B90F-70C5B63A148C
Feb  7 12:46:14 Mac-mini-Sasa name.ridgewell.unlock[553]: Unlocking volume B50387F8-59FE-492C-B90F-70C5B63A148C

StandardOut:

Started CoreStorage operation
Logical Volume successfully unlocked
Logical Volume successfully attached as disk3
Core Storage disk: disk3
Finished CoreStorage operation

StandardError

2021-02-07 12:48:19.044 name.ridgewell.unlock[112:783] Unlocking volume B50387F8-59FE-492C-B90F-70C5B63A148C
2021-02-07 12:48:20.240 name.ridgewell.unlock[112:783] Unlocking volume B50387F8-59FE-492C-B90F-70C5B63A148C
B50387F8-59FE-492C-B90F-70C5B63A148C is already unlocked and is attached as disk3

When I start LaunchDaemon manually, the volume will be unlocked, but not mounted.

sudo launchctl load -w /Library/LaunchDaemons/name.ridgewell.unlock.plist

/dev/disk3 (external, virtual):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS                        +499.4 GB   disk3
                                 Logical Volume on disk2s2
                                 B50387F8-59FE-492C-B90F-70C5B63A148C
                                 Unlocked Encrypted
diskutil cs list
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group A090EE46-67C5-4D9C-BF35-3C2265120557
    =========================================================
    Name:         EXT_SSD
    Status:       Online
    Size:         499763888128 B (499.8 GB)
    Free Space:   18989056 B (19.0 MB)
    |
    +-< Physical Volume 69138B48-D7B3-486A-8402-97CC2BCD5595
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk2s2
    |   Status:   Online
    |   Size:     499763888128 B (499.8 GB)
    |
    +-> Logical Volume Family 191ADAFE-5526-44F8-91D3-945C454C5A80
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Encryption Status:       Unlocked
        Conversion Status:       Complete
        High Level Queries:      Fully Secure
        |                        Passphrase Required
        |                        Accepts New Users
        |                        Has Visible Users
        |                        Has Volume Key
        |
        +-> Logical Volume B50387F8-59FE-492C-B90F-70C5B63A148C
            ---------------------------------------------------
            Disk:                  disk3
            Status:                Online
            Size (Total):          499392577536 B (499.4 GB)
            Revertible:            Yes (unlock and decryption required)
            LV Name:               EXT_SSD
            Content Hint:          Apple_HFSX
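As an added example (not code from the Unlock project), a small Python parser for the `diskutil cs list` output quoted in this issue, reporting per logical volume whether its family is still locked. It also serves the "User aware unlock" request on this page, where a daemon would need to decide which volumes still need a passphrase before login. The sample input is this issue's own output, abridged.

```python
import re

# Constructed sample: the `diskutil cs list` output quoted in the issue above, abridged.
SAMPLE = """\
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group A090EE46-67C5-4D9C-BF35-3C2265120557
    =========================================================
    Name:         EXT_SSD
    |
    +-< Physical Volume 69138B48-D7B3-486A-8402-97CC2BCD5595
    |   Disk:     disk2s2
    |
    +-> Logical Volume Family 191ADAFE-5526-44F8-91D3-945C454C5A80
        Encryption Status:       Unlocked
        High Level Queries:      Fully Secure
        |                        Passphrase Required
        |
        +-> Logical Volume B50387F8-59FE-492C-B90F-70C5B63A148C
            Disk:                  disk3
            LV Name:               EXT_SSD
"""

# Headers carry a 36-char UUID; longer kinds are listed first so that a
# "Logical Volume Group/Family" is not mistaken for a plain "Logical Volume".
HEADER = re.compile(r"(Logical Volume Group|Logical Volume Family|Physical Volume"
                    r"|Logical Volume)\s+([0-9A-Fa-f-]{36})")
KEYVAL = re.compile(r"^([A-Za-z][A-Za-z ()]*?):\s*(.*)$")


def parse_cs_list(text: str) -> list:
    """Flatten the tree into nodes: kind, uuid, owning group/family, attributes."""
    nodes, group, family, current = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("|+-<> ").strip()  # drop the tree art
        m = HEADER.search(line)
        if m:
            kind, uuid = m.group(1), m.group(2).upper()
            if kind == "Logical Volume Group":
                group, family = uuid, None
            elif kind == "Logical Volume Family":
                family = uuid
            current = {"kind": kind, "uuid": uuid, "group": group, "family": family}
            nodes.append(current)
            continue
        m = KEYVAL.match(line)  # separator and continuation lines do not match
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return nodes


def volume_report(text: str) -> list:
    """One entry per logical volume with its family's encryption status."""
    nodes = parse_cs_list(text)
    families = {n["uuid"]: n for n in nodes if n["kind"] == "Logical Volume Family"}
    report = []
    for n in nodes:
        if n["kind"] != "Logical Volume":
            continue
        status = families.get(n["family"], {}).get("Encryption Status", "None")
        report.append({"uuid": n["uuid"], "name": n.get("LV Name", ""),
                       "disk": n.get("Disk", "-none-"), "encryption": status,
                       "locked": status == "Locked"})  # still needs a passphrase
    return report
```

On a real machine feed it the output of `diskutil cs list` instead of SAMPLE; a volume whose family reports "Unlocked" but whose disk is still not mounted is the situation this issue describes.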

request: please add support for encrypted sparsebundles

There are several ways (loginhook, launchdaemon etc.) to automount a sparsebundle before logging in, but there's none without writing down the password in plaintext to automount an encrypted sparsebundle.

Reading out the password from the keychain requires unlocking it first, therefore it's not possible to automate the process without user action.

#!/bin/bash
# SOURCE: http://risponderetag.wpdev8.com/p/35966.html
set -euo pipefail

SPARSEBUNDLE_PATH="/Users/Shared/username.sparsebundle"
SPARSEBUNDLE_MOUNT_PATH="/Users/username/"
KEYCHAIN_PATH="/Users/username/Library/Keychains/login.keychain"

# Check existing state: skip if the mount point is already present
if [ -e "$SPARSEBUNDLE_MOUNT_PATH" ]; then
    echo "Already mounted."
    exit 0
fi

# Read the image password from the keychain store with
# security find-generic-password (-w prints only the password)
MOUNT_PASSWORD=$(security find-generic-password -w -D "disk image password" -l username.sparsebundle "$KEYCHAIN_PATH")

# Feed the password to hdiutil on stdin; printf '%s' keeps % and \ in it literal
printf '%s' "$MOUNT_PASSWORD" | hdiutil attach -stdinpass -mountpoint "$SPARSEBUNDLE_MOUNT_PATH" "$SPARSEBUNDLE_PATH"

Please add support for sparseimages: specifying the $SPARSEBUNDLE_PATH and the $SPARSEBUNDLE_MOUNT_PATH.

For further information see:
http://apple.stackexchange.com/questions/104770/can-i-mount-an-encrypted-image-before-finder-loads
http://techanic.net/2012/10/14/programmatically_mounting_encrypted_disk_images_in_os_x.html

Works up to Catalina 10.15.3

Works perfectly up to latest Catalina 10.15.3

Stopped working on new Catalina 10.15.4 Beta (19E224g) and returns this error:

2020-02-09 18:32:48.593 name.ridgewell.unlock[1461:11677] Error: SecItemCopyMatching returned -25300!

compatibility with 10.8.5 Mountain Lion and 10.9.4/10.9.5 Mavericks?

Hi there,

your tool sounds like exactly what I am searching for. But because you always talk about 10.7 Lion only in your descriptions, I would like to know if you ever tested it on OS X 10.8.5 Mountain Lion or 10.9.4/10.9.5 Mavericks?

Maybe Apple implemented this option into 10.8 or 10.9?

Or is it still needed?

Would be nice to get some information about it.

All the best,
Marcel

bash: line 1: 400:: command not found

Very interested to use Unlock but:
Impossible to install on two different MacBook Pro, both running same El Capitan plus as root.
MacBookPro5,1: installation ok but doesn't work after 9 times reinstall
MacBookPro9,1: error during install: bash: line 1: 400:: command not found

I really need this running, because I have always used separate partitions for users.
Now I have them encrypted because I saw the possibility of Unlock.

Other question: Why is it also impossible to install from the downloaded Unlock master?
I find it strange to have to connect to the internet to install Unlock while in root. ;)

APFS encrypted volumes support

The script works fine for internal disks, but it does not offer to auto-mount my external drive.
Please add support for that.
EDIT: Ok, after reading the script, I understand it does not find them because they are not CS volumes, but encrypted APFS volumes.
Can you add support for APFS volumes ?

Tried to install on Mountain Lion

The first time I tried it appeared to work but the second time it reported an error. Here is my log:

Vinces-MacBook-Pro-II:~ vince$
Last login: Thu Oct 4 00:56:57 on console
Vinces-MacBook-Pro:vince vince$ curl https://raw.github.com/jridgewell/Unlock/master/install.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2853 100 2853 0 0 233 0 0:00:12 0:00:12 --:--:-- 313
Attempting to re-run as root...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2853 100 2853 0 0 266 0 0:00:10 0:00:10 --:--:-- 348

WARNING: Improper use of the sudo command could lead to data loss
or the deletion of important system files. Please double-check your
typing when using sudo. Type "man sudo" for more information.

To proceed, enter your password, or type Ctrl-C to abort.

Password:

Downloading...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 509 100 509 0 0 46 0 0:00:11 0:00:10 0:00:01 57
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 139 100 139 0 0 9 0 0:00:15 0:00:14 0:00:01 15

100 27900 100 27900 0 0 1023 0 0:00:27 0:00:27 --:--:-- 6339

Installing...

Installed!
Vinces-MacBook-Pro:vince vince$ curl https://raw.github.com/jridgewell/Unlock/master/install.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2853 100 2853 0 0 837 0 0:00:03 0:00:03 --:--:-- 1362
Attempting to re-run as root...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:01:19 --:--:-- 0curl: (7) couldn't connect to host
chmod: install.sh: No such file or directory
Password:
bash: ./install.sh: No such file or directory
rm: install.sh: No such file or directory
Vinces-MacBook-Pro:vince vince$ curl https://raw.github.com/jridgewell/Unlock/master/install.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2853 100 2853 0 0 576 0 0:00:04 0:00:04 --:--:-- 950
Attempting to re-run as root...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

100 2853 100 2853 0 0 1040 0 0:00:02 0:00:02 --:--:-- 1417

Downloading...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:01:19 --:--:-- 0curl: (7) couldn't connect to host
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- 0:01:21 --:--:-- 0curl: (7) couldn't connect to host

Installing...

mv: rename ./* to /Library/LaunchDaemons/*: No such file or directory

Installed!
Vinces-MacBook-Pro:vince vince$ curl https://raw.github.com/jridgewell/Unlock/master/install.sh | bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2853 100 2853 0 0 725 0 0:00:03 0:00:03 --:--:-- 1288
Attempting to re-run as root...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2853 100 2853 0 0 917 0 0:00:03 0:00:03 --:--:-- 1153

Password:

Downloading...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 509 100 509 0 0 109 0 0:00:04 0:00:04 --:--:-- 138
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 139 100 139 0 0 1 0 0:02:19 0:01:29 0:00:50 15

100 27900 100 27900 0 0 289 0 0:01:36 0:01:36 --:--:-- 6573

Installing...

Installed!
Vinces-MacBook-Pro:vince vince$ diskutil CoreStorage list
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 35B00C2F-C182-42A7-8A59-E559A9260F28
=========================================================
Name: Data HD
Size: 499113885696 B (499.1 GB)
Free Space: -none-
|
+-< Physical Volume 16D4C683-4A13-4747-B8A0-AB4E3F85BF90
----------------------------------------------------
Index: 0
Disk: disk0s2
Status: Checking
Size: 499113885696 B (499.1 GB)
Vinces-MacBook-Pro:vince vince$

User aware unlock

The program will unlock all the volumes it can, even if the user's home directory is not on that volume. The program should determine which volumes are necessary for login, and only unlock those.

This might be possible with a user created keychain that is not in the user directory?

Wrong -T path

It seems that you missed a path on the last commit.

line 40
-w "${password}" -T "" -T "/Library/LaunchDaemons/name.ridgewell.unlock" -U "/Library/Keychains/System.keychain"

Should be
-w "${password}" -T "" -T "/Library/PrivilegedHelperTools/name.ridgewell.unlock" -U "/Library/Keychains/System.keychain"

right?

regards
