Quick Fix: Mount Encrypted APFS Drive with AppleScript

To supplement last week’s post on automatically mounting an external drive to create a clone, here is a quick tip for doing the same thing with an encrypted APFS volume. Ideally, you should be encrypting your backups. If you’re running macOS 10.13 High Sierra, or the impending macOS Mojave, then you will be cloning your system to an APFS volume. If that’s the case, you’ll need to no how to automatically unlock APFS volume with AppleScript.

Automatically unlock APFS volume with AppleScript

There is a little more work involved here, but none of it difficult. The file system might be new, but diskutil is still the command line program doing all the work managing volumes. There is simply a couple more commands involved. This assumes you have already encrypted the drive with Disk Utility.

To mount, or rather unlock an encrypted APFS volume with AppleScript, we need the following information:

  • APFS volume ID
  • Cryptographic user ID
  • The encryption password

The password is the same one you used when you formatted the drive. Here is how to get the other two pieces of the puzzle.

  1. Find the APFS volume ID for your clone drive. You can see this information clearly in Disk Utility. For every volume listed there is a table of information, the device field has what you are looking for. It is some variation of disk1s1. Or if you prefer, with the drive already mounted you can run a terminal command to have the information of all your drives listed, like so:

diskutil apfs list

That command will take a moment, then print a whole lot of information to screen like below. Look for volume you intend to clone your system to and note down the APFS Volume Disk.

Automatically Unlock Apfs Volume With Applescript
You can find the APFS volume ID in a couple of places, if you know where to look
  1. Once you have the volume ID.  In the terminal run the following command (replace ‘apfs_volume_id’ with your disk)

diskutil apfs listcryptousers /dev/apfs_volume_id

You will get something that looks like this:

+-- B4BA200D-B0B7-4AB2-A48C-BDE9FFA7E3BA
	Type: Disk User
	Hint: 1pw

That long alphanumeric code is the Cryptographic user. Copy that code and you have everything you need to make your AppleScript work.

  1. Create the AppleScript to automatically mount your encrypted APFS volume. The script looks like this:
do shell script "diskutil apfs unlockVolume [name_of_your_drive] -user B4BA200D-B0B7-4AB2-A48C-BDE9FFA7E3BA -passphrase [enter your passphrase here]" 

Naturally, you will enter the name of your drive, and replace the user code with the one you copied above. Make sure you remove the square brackets.

  1. Find a way to launch the script when you need it. There are a bunch of options in my previous post. My preferred option is currently Keyboard Maestro, but an Automator Calendar Alarm, or Lingon X work just as well.

Congratulations, you can automatically unlock an APFS volume with AppleScript.

 

Photo by Patrick Lindenberg on Unsplash