AFPS Support

[paviro]

Any plans for AFPS support? :)

[jridgewell]

It's been a few years since I upgraded my mac, and don't use this anymore. I don't know what's required to support AFPS.

I'd be happy to accept a PR.

[BrianAker]

What do you use? Or have you found a method that allows you to bypass the need for this? I have an alternative method where by I boot into one account and from there mount drives before launching into my own account, but that is a bit cumbersome.

…

On Aug 23, 2017, at 00:10, Justin Ridgewell ***@***.***> wrote: It's been a few years since I upgraded my mac, and don't use this anymore. I don't know what's required to support AFPS. I'd be happy to accept a PR. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[paviro]

I switched to using a fusion drive got now :)

…

Am 23.08.2017 um 13:36 schrieb Brian Aker ***@***.***>: What do you use? Or have you found a method that allows you to bypass the need for this? I have an alternative method where by I boot into one account and from there mount drives before launching into my own account, but that is a bit cumbersome. > On Aug 23, 2017, at 00:10, Justin Ridgewell ***@***.***> wrote: > > It's been a few years since I upgraded my mac, and don't use this anymore. I don't know what's required to support AFPS. > > I'd be happy to accept a PR. > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub, or mute the thread. > — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

[jridgewell]

I upgraded to a new macbook without a cd drive, so I don't have a second hard drive anymore. Are you using AFPS?

[paviro]

Yes that’s the main reason the old script does no longer work.

…

Am 23.08.2017 um 19:25 schrieb Justin Ridgewell ***@***.***>: I upgraded to a new macbook without a cd drive, so I don't have a second hard drive anymore. Are you using AFPS? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

[jridgewell]

Do you mean the install script? Or is it the unlock commands?

[paviro]

I think both. It does not find any drives anymore on install and I think you no longer use core storage commands for mounting and unlocking but haven’t checked in detail.

…

Am 23.08.2017 um 19:25 schrieb Justin Ridgewell ***@***.***>: I upgraded to a new macbook without a cd drive, so I don't have a second hard drive anymore. Are you using AFPS? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

[jridgewell]

That's probably because of my horrible bash scripting. Can you give the output of

diskutil cs info `mount | grep " / " | cut -d " " -f 1`

[paviro]

Will do when I am at home. If it is the command from the installer without changes I can already give you the output: nothing :)

…

Am 23.08.2017 um 19:58 schrieb Justin Ridgewell ***@***.***>: That's probably because of my horrible bash scripting. Can you give the output of diskutil cs info `mount | grep " / " | cut -d " " -f 1` — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

[jridgewell]

This is just one of the commands the installer runs, I'm trying to figure out what changed in the text we try to parse.

[paviro]

Will do tonight :)

…

Am 23.08.2017 um 19:58 schrieb Justin Ridgewell ***@***.***>: That's probably because of my horrible bash scripting. Can you give the output of diskutil cs info `mount | grep " / " | cut -d " " -f 1` — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

[ressl]

Apfs has changed a lot.

diskutil cs info `mount | grep " / " | cut -d " " -f 1`
/dev/disk1s1 is not a CoreStorage disk

diskutil apfs
Usage:  diskutil [quiet] ap[fs] <verb> <options>
        where <verb> is as follows:

     list                (Show status of all current APFS Containers)
     convert             (Nondestructively convert from HFS to APFS)
     create              (Create a new APFS Container with one APFS Volume)
     createContainer     (Create a new empty APFS Container)
     deleteContainer     (Delete an APFS Container and reformat disks to HFS)
     resizeContainer     (Resize an APFS Container and its disk space usage)
     addVolume           (Export a new APFS Volume from an APFS Container)
     deleteVolume        (Remove an APFS Volume from its APFS Container)
     eraseVolume         (Erase contents of, but keep, an APFS Volume)
     changeVolumeRole    (Change the Role metadata bits of an APFS Volume)
     unlockVolume        (Unlock an encrypted APFS Volume which is locked)
     lockVolume          (Lock an encrypted APFS Volume (diskutil unmount))
     listCryptoUsers     (List cryptographic users of encrypted APFS Volume)
     changePassphrase    (Change the passphrase of a cryptographic user)
     setPassphraseHint   (Set or clear passphrase hint of a cryptographic user)
     encryptVolume       (Start async encryption of an unencrypted APFS Volume)
     decryptVolume       (Start async decryption of an encrypted APFS Volume)
     updatePreboot       (Update the APFS Volume's related APFS Preboot Volume)

diskutil apfs <verb> with no options will provide help on that verb

diskutil apfs list
APFS Container (1 found)
|
+-- Container disk1 DCD081F1-B6B7-4EE8-B750-F69252F2F822
    ====================================================
    APFS Container Reference:     disk1
    Capacity Ceiling (Size):      999590961152 B (999.6 GB)
    Capacity In Use By Volumes:   431271096320 B (431.3 GB) (43.1% used)
    Capacity Available:           568319864832 B (568.3 GB) (56.9% free)
    |
    +-< Physical Store disk0s2 9CE096C6-D65F-4FBC-8FEE-9E987D76284E
    |   -----------------------------------------------------------
    |   APFS Physical Store Disk:   disk0s2
    |   Size:                       999590961152 B (999.6 GB)
    |
    +-> Volume disk1s1 8D4E430C-8810-37E7-9625-94DC5F634411
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s1 (No specific role)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   Mount Point:               /
    |   Capacity Consumed:         428373557248 B (428.4 GB)
    |   Encrypted:                 Yes (Unlocked)
    |
    +-> Volume disk1s2 9FC6CF2D-ACD7-4362-A8E6-76208117CA83
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s2 (Preboot)
    |   Name:                      Preboot (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   Capacity Consumed:         22331392 B (22.3 MB)
    |   Encrypted:                 No
    |
    +-> Volume disk1s3 F8C3B80B-59E3-48B1-8197-C6E7C106E252
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk1s3 (Recovery)
    |   Name:                      Recovery (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   Capacity Consumed:         519995392 B (520.0 MB)
    |   Encrypted:                 No
    |
    +-> Volume disk1s4 B24BC1A6-BE7D-447C-859D-50690FFA60B4
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk1s4 (VM)
        Name:                      VM (Case-insensitive)
        Mount Point:               /private/var/vm
        Capacity Consumed:         2147504128 B (2.1 GB)
        Encrypted:                 No

[Taffjones]

Hi,

I've made some modifications to the code that should allow this to work with APFS. It works when I run from terminal EXCEPT I'm asked to re-authorize halfway through execution and it doesn't work at all during startup (password is not found). I think it's an Apple issue in the SecItem calls as discussed here ...

https://forums.developer.apple.com/thread/88888
https://forums.developer.apple.com/thread/87095

So, it seems to be blocked until Apple fix this. I'm on 10.13.2 Beta (17C60c) btw, and can't validate against other versions.

Simon

[ressl]

@Taffjones That sounds very good. :-) Can you publish your changes?

[Taffjones]

Ok, but the install script isn’t updated yet (I modified the keychain entry manually) and the Apple bug is a blocker... I’ll have some time to work a bit more on Monday.

Simon

tldr;

For the record, the unlock command is the same for both file systems except one has apfs and the other has cs in the middle. My logic is to store the fs type in the comment field of the keychain entry so the couple of lines of code I’ve added to the executable can plug it into the right part of the command.

[Taffjones]

Looks like I don't have push access (probably a good thing to be honest)!

I've attached the files I've changed in this zip - @jridgewell maybe you can incorporate them for me.

NOTE - This still needs the Apple keychain bug fix before it'll work

Archive.zip

[juanjonol]

In case this helps anyone, my fork of Unlock supports APFS. Keep in mind that I haven't tested it yet as well as I would like and that you need to install Python 3.

[galaxy4public]

I don't mean to hijack the thread, but for APFS I created a pure bash-based solution to unlock encrypted volumes at startup, see https://github.com/openwall-com-au/BootUnlock (the project can create a package even without any development tools installed, or you can use the released package over there) :)

[dmedina2015]

Absolutely great job @jridgewell for CS and @galaxy4public for APFS. Just moved my home folder to an SD Card and was struggling with this lack of MacOS feature. Just thank you!