jridgewell / Unlock

Unlock multiple Core Storage encrypted volumes at boot.
MIT License

User aware unlock #2

Open jridgewell opened 13 years ago

jridgewell commented 13 years ago

The program will unlock all the volumes it can, even if the user's home directory is not on that volume. The program should determine which volumes are necessary for login, and only unlock those.

This might be possible with a user-created keychain that is not in the user directory?

jridgewell commented 13 years ago

The problem with using a per-user keychain is that there is no way to get the password used by the user to log in (thankfully), so there's no way to unlock a keychain holding the passphrase. The program would have to use a single password for all keychains it managed, defeating the point of having multiple keychains per user. The only way I can think of making this work is by saving the keychain on removable media that would be required to be inserted before login. So, if user A wants to log in, user A must insert his flash drive into the machine before he logs in.

Doable, but not really the solution I wanted. It turns this program into more of a login enabler instead of a volume unlocker.

danielpunkass commented 10 years ago

Hi - thanks for this tool - it's been a blessing ever since I found it several years ago. I am perennially annoyed by the fact that it has to be enabled for all users on the system, though in practice that's not a huge deal for me because I don't have any insecure accounts on my Mac.

Thinking out loud a bit here: the root of the challenge as you describe it seems to be the chicken-egg problem that user-specific credentials for unlocking the second volume are likely to be stored on the second volume, in the user's private keychain.

This sounds very skanky to me, and probably is, but I wonder if something clever could be arranged such that the user's home folder is technically configured to be in the "typical" location on the boot volume, but as a part of logging in, credentials from that typical location were used to unlock the external drive and then programmatically change the user's home folder path to the external volume? Then at logout time the path would be set back to the typical boot-volume location.

Along similar lines, I wonder if there is any way to mount the locked volume in such a way that it non-destructively supersedes an existing mounted path? I.e. can I mount a volume such that it appears at /Volumes/Users/daniel without damaging the content of the boot volume that also has a folder at that path? If so then the "bare bones" standard home folder could contain a keychain sufficient for mounting the secure volume, which would then appear at the expected logical path configured for the user's home folder. (I'm not sure if this would prevent any weird keychain conflicts.)

Food for thought, possibly. Thanks again for the tool.