Mac OS X 10.10.5 - How can I encrypt only my home folder without Apple FileVault
I do this on my own Mac at home with scripts that run at boot and mount a Core Storage volume. I'm on 10.11.6, but the same principles should apply.
To be clear, FileVault is much simpler, but it is possible to do what you ask. I went down a rabbit hole to get an encrypted $HOME working, and so I still use it, but FileVault is superior in just about every way.
I wrote up an article detailing how I did this. I'd post the vital steps here, but it is a fairly long and involved process.
Here's the gist of it. You need to do the following:
- Format a USB drive
- Add a keyfile (max 1023 chars) to that drive
- Create a core storage volume somewhere
- Encrypt that core storage volume with your keyfile
- Migrate files to your new encrypted home
- Create a Launchd task that runs a mount script on boot
- Create that mount script.
- The mount script will read the keyfile from your USB drive
- The mount script will attempt to unlock your core storage volume using the contents of the keyfile
- The mount script must unmount the core storage volume from /Volumes
- The mount script must mount the core storage volume to /Users
- Unmount the USB drive so the keyfile isn't just sitting there
It took me a lot of trial and error.
There are probably ways to improve my steps, like using an exported keychain rather than a plain text keyfile. You could probably also re-define the location of $HOME for your user in System Preferences, but I opted to mount the encrypted home over the normal home so that the path would be standard.
I tried changing $HOME to /Volumes/THE_ENCRYPTED_DRIVE, but I immediately noticed things like my iTunes library were messed up. All the library file references were stale and needed to be updated. That's an example of how screwing with $HOME can get messy.
Really, FileVault would be way easier if you can get it going. If FileVault is not an option, you should check out VeraCrypt, which is a fork of TrueCrypt that was recently audited and seems legit.
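
The mount-script steps listed in the answer above, sketched as an added example (this is not the answerer's own script). The UUID, volume name, keyfile path and home path are placeholders, and it assumes a single-line keyfile whose contents, minus the trailing newline, are the volume passphrase.

```shell
#!/bin/sh
# Added example, not the answerer's script. All four values are placeholders.
LV_UUID="${LV_UUID:-00000000-0000-0000-0000-000000000000}"  # placeholder logical volume UUID
USB_VOLUME="${USB_VOLUME:-/Volumes/KEYS}"                   # hypothetical USB volume
KEYFILE="${KEYFILE:-$USB_VOLUME/home.key}"                  # hypothetical keyfile path
HOME_MOUNT="${HOME_MOUNT:-/Users/me}"                       # hypothetical home path

# Reject a keyfile that is missing, empty, or over the answer's 1023-character
# maximum (wc -c counts bytes, which equals characters for an ASCII keyfile).
check_keyfile() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    len=$(( $(tr -d '\n' < "$1" | wc -c) ))
    [ "$len" -le 1023 ]
}

mount_encrypted_home() {
    (
        check_keyfile "$KEYFILE" || exit 1
        # Feed the passphrase on stdin so it never appears in the process list.
        tr -d '\n' < "$KEYFILE" |
            diskutil coreStorage unlockVolume "$LV_UUID" -stdinpassphrase || exit 2
        # Unlocking auto-mounts under /Volumes; move the mount to the home path.
        diskutil unmount "$LV_UUID" || exit 3
        diskutil mount -mountPoint "$HOME_MOUNT" "$LV_UUID" || exit 4
    )
    status=$?
    # Always detach the USB drive, even after a failure, so the keyfile
    # is not left mounted and readable.
    diskutil unmount "$USB_VOLUME" || true
    return "$status"
}

# Does nothing unless called with --run (for example from the launchd job).
if [ "${1:-}" = "--run" ]; then
    mount_encrypted_home
fi
```

The exit status identifies the step that failed (1 keyfile check, 2 unlock, 3 unmount from /Volumes, 4 mount at the home path), which makes boot-time failures easier to diagnose from the launchd log.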