macOS Ventura

[jgeusebroek]

After upgrading to Ventura it doesn't seem to work anymore. I tried reinstalling to no avail. Is there a way I can debug this issue?

[galaxy4public]

Somehow I missed that Ventura is out :). I just installed it, then installed BootUnlock, specified my Home encrypted volume, rebooted, verified that the volume has been automatically mounted, created a user and pointed its home directory to the mounted Home volume, then I shutdown the system. When I started it up again I was presented with two users (the admin one and the standard user I created) and I was able to login as my standard user with its home residing on the encrypted Home volume.

Systemss-MBP:~ galaxy$ uname -a
Darwin Systemss-MBP.intranet 22.1.0 Darwin Kernel Version 22.1.0: Sun Oct  9 20:14:54 PDT 2022; root:xnu-8792.41.9~2/RELEASE_X86_64 x86_64
Systemss-MBP:~ galaxy$ mount | grep /Home
/dev/disk1s1 on /Volumes/Home (apfs, local, journaled)
Systemss-MBP:~ galaxy$ grep -A2 Home /var/log/BootUnlock.log | tail -3
Trying to unlock volume "Home" with UUID 19244E26-BB84-4335-AAC1-517B5DC6339F ...
Unlocking any cryptographic user on APFS Volume disk1s1
Unlocked and mounted APFS Volume
Systemss-MBP:~ galaxy$ 

So, I would say that I cannot reproduce the issue. I am running an Intel-based Mac, so I cannot verify this on M1 or M2, but for Intel-based Macs there is no issue, as far as I can tell. Please check /var/log/BootUnlock.log for any error messages. It may give a hint.

P.S. I will keep the issue open for a couple of days to give you an opportunity to respond, but even if I close it, feel free to re-open it with additional information.

[jgeusebroek]

Thanks for the reply!

Darwin MBP-15 22.1.0 Darwin Kernel Version 22.1.0: Sun Oct  9 20:14:54 PDT 2022; root:xnu-8792.41.9~2/RELEASE_X86_64 x86_64 i386 Darwin
/dev/disk1s2 on /Volumes/Data (apfs, local, journaled)

grep -A2 Data /var/log/BootUnlock.log | tail -3
Adding password for volume "Data" with UUID 6D1D854A-B6C9-4180-8784-D4D8DB3B7D29 to the System keychain...
=== Wed Oct 26 20:27:03 CEST 2022 ===
=== Wed Oct 26 20:27:13 CEST 2022 ===

I upgraded from Monterey and when I log on after a boot it has failed to unlock. When I log out en login again it has been unlocked successfully.

I tried again, this is the log:

===[ update.sh: Sun Oct 30 09:35:33 CET 2022 ]===
Verifying the specific cryptographic user 6D1D854A-B6C9-4180-8784-D4D8DB3B7D29 on APFS Volume disk1s2
Passphrase valid
Adding password for volume "Data" with UUID 6D1D854A-B6C9-4180-8784-D4D8DB3B7D29 to the System keychain...
=== Sun Oct 30 09:37:32 CET 2022 ===
Trying to unlock volume "Data" with UUID 6D1D854A-B6C9-4180-8784-D4D8DB3B7D29 ...
The APFS Volume disk1s2 is already unlocked (mounted)
ERROR: could not unlock volume 'Data', skipping the volume.
=== Sun Oct 30 09:38:02 CET 2022 ===
=== Sun Oct 30 09:39:14 CET 2022 ===

One thing to note, I have just one user installed and I have symlinked some directories to the Data volume (part of the home dir).

[galaxy4public]

I tried again, this is the log:

===[ update.sh: Sun Oct 30 09:35:33 CET 2022 ]===
Verifying the specific cryptographic user 6D1D854A-B6C9-4180-8784-D4D8DB3B7D29 on APFS Volume disk1s2
Passphrase valid
Adding password for volume "Data" with UUID 6D1D854A-B6C9-4180-8784-D4D8DB3B7D29 to the System keychain...

Something is not right here. The "Data" volume is the system macOS sub-volume of the primary system volume (where the OS lives). It is unencrypted aand mounted automatically with the primary system volume (no need for BootUnlock to do this).

=== Sun Oct 30 09:37:32 CET 2022 ===
Trying to unlock volume "Data" with UUID 6D1D854A-B6C9-4180-8784-D4D8DB3B7D29 ...
The APFS Volume disk1s2 is already unlocked (mounted)
ERROR: could not unlock volume 'Data', skipping the volume.

The last two lines just confirm what I said above, the Data volume has been automatically unlocked by macOS itself as part of the normal boot up procedure.

I think, you are just cooking it a bit wrong :). The goal of the BootUnlock is to unlock additional volumes at the boot time. The way how you are supposed to work with the system is as follows (I am assuming that you have a running system and want to upgrade to a new version of the OS):

• you launch the Disk Utility app and add a new APFS volume (this is cheap to do since APFS shares the disk blocks across all volumes, unless told otherwise). let's say you added APFS volume called "Ventura". This is where your OS is going to live.
• while in the Disk Utility app, add another APFS volume and call it, say, "Home". This volume is where your home directory will live. You need to choose APFS encrypted volume for this one and specify the passphrase right away.
• you install macOS to the "Ventura" volume, your Mac restarts and you log in as the user you created during the installation phase. I usually name that user "Systems Administrator" and give it login name sysadm. This is an administrative account and is supposed to be used for the system management things (usually via a prompt to authenticate as an administrative user)
• you install BootUnlock and when it prompts for a volume you want it to work with you select "Home" (and provide the passphrase)
• reboot the system now and when you log back in as sysadm you should see the Home volume unlocked and mounted -- this would confirm that BootUnlock did its job properly
• now, the fun part: you go to "System Preferences" (well, on Ventura they renamed it to "System Settings") and search for "User & Groups", there you create a new, standard user (not an admin). This will provision a standard user with its home in /Home (which is the default location, symlinked to /System/Volumes/Data/home)
• if this is the first time you setting things up, open Finder and drag the /Home/your_standard_user folder (where, obviously, "your_standard_user" is the user name you gave to the new user) to /Volumes/Home/ . You will be prompted by the system to provide the administrator password for that, do that.
• now, you need to right click on the newly created user, then choose "Advanced Options..." and change the home directory to the new location (which resides on the Home volume)
• that's it, reboot and you should be able to login as your standard user.

The benefits of this approach are numerous, starting with a much safer upgrade path: you can even run multiple versions of macOS in parallel, all of which can share the same Home volume. This is what I do when a new beta or a new major release comes out. I test it first with a safe, instant rollback to my previous system if needed (just by rebooting to a different volume). Additionally, working under a standard user instead of the administrator has its own benefits, especially if you are launching applications of questionable origin from time to time.

Hope this was helpful.