Monthly Archives: August 2014

bash shell script to unlock encrypted disk in OS X 10.9

I finally buckled down and wrote my first bash shell script today.

I have been backing up my machines to two WD My Book 3 TB USB 3.0 Hard Drives.

I back up my hard drive to my server once a week. I also back up my hard drive to the WD USB drive every week.

I am swapping them out every week. I keep one drive at work at all times. This is in keeping with the philosophy that at any one time I have

  • one backup on-site
  • one backup off-site

My only concern is that OS X leaves external hard drives unencrypted by default. That means anyone who gets hold of the drive, the off-site copy in particular, can plug it into any Mac and read my files; nothing protects them but physical possession of the disk.

The solution: encryption.

On OS X, it is as easy as right-clicking on the hard drive in Finder and selecting ‘Encrypt’. Under the hood this converts the volume into an encrypted CoreStorage logical volume, which is why the script below talks to diskutil cs rather than to plain diskutil. This is a good thing.

However, once I reconnect my USB drive I have to unlock the disk before I can make my backups. Complicating everything further, I divided the 3TB disk into four partitions: one for Cay’s computer, one for my boot drive, one for my /Users partition, and one that is on stand-by. So, every time I connect this drive I have to enter four different UUIDs to unlock the encrypted partitions.

Shell scripts to the rescue.

This weekend I spent some time learning to program UNIX shell scripts. I created a shell script to automate the unlocking of the USB drive upon connection. It was really fun investigating solutions for this. In the end I used many tools from the basic programming toolbox:

  • variables
  • redirects
  • pipes
  • regular expressions
  • arrays
  • and some more stuff

It was tons of fun and I learned a lot.

Here’s the code for the nerds out there.

#!/bin/bash

# =================================================================
# Copyright 2014 Eduardo Sanchez
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# ==================================================================

# This script is used to unlock encrypted hdds in OS X 10.9.
# Finder's "Encrypt" turns a volume into a CoreStorage logical volume,
# which is why everything below goes through `diskutil cs`.

# First open Disk Utility.app to see which hdd are available;
# 'locked' hdd will appear greyed-out

open -g /Applications/Utilities/Disk\ Utility.app

# collect the UUIDs of all of the attached hdd.
# Only "Logical Volume <UUID>" lines match the regex; the
# "Logical Volume Family" and "Logical Volume Group" lines do not.
# IFS is set to newline so the array splits on lines, not on spaces.

clear
echo "These are the attached hard drives:"
echo

tempIFS=$IFS
IFS=$'\n'
diskutil cs list | grep -E "(Logical Volume) [A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}" | cut -c 28-63 > hdd_UUIDs
uuid=($(cat hdd_UUIDs))
IFS=$tempIFS

# collect the names of the Logical Volumes (disk names).
# NOTE: cut -c depends on the fixed column layout of `diskutil cs list`

tempIFS=$IFS
IFS=$'\n'
diskutil cs list | grep "LV Name" | cut -c 36-70 > hdd_LV_Names
dname=($(cat hdd_LV_Names))
IFS=$tempIFS

# present the user with a listing of UUIDs and associated Logical Volume
# names, one line per volume actually found (instead of a fixed five)

for i in "${!uuid[@]}"; do
    echo "$i. ${uuid[$i]} ${dname[$i]}"
done
echo

# ask the user which disk to unlock and make sure the answer is a valid
# index, so we never call unlockVolume with an empty UUID

read -p "Select the hdd to unlock: " DISK

if ! [[ "$DISK" =~ ^[0-9]+$ ]] || [ -z "${uuid[$DISK]}" ]; then
    echo "No such entry: $DISK" >&2
    exit 1
fi

# DO NOT store the password as a variable, and never pass it with
# -passphrase on the command line (it would be visible in `ps` output)!
# Keep passwords in a protected vault such as LastPass, KeePass, or 1Password

open -g /Applications/1Password\ 4.app

# unlock the disk selected by the user.
# -stdinpass reads the passphrase from stdin; since stdin is the terminal
# here, whatever is pasted is echoed on screen (and into the scrollback).
# Drop -stdinpass to let diskutil prompt for the passphrase without echo.

diskutil cs unlockVolume "${uuid[$DISK]}" -stdinpass

# User then pastes the password to complete the unlocking of the hdd

# TO DO List
#
# Figure out how to process the UUID and LV Name without creating
# an intermediate file
#
# Incorporate logic that will only present 'Locked' volumes
#
# this will do away with needing the Disk\ Utility.app open
#
# incorporate some crazy Keyboard Maestro kung-foo to auto run this
# script upon attaching an encrypted hdd
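The first two items on that TO DO list (no intermediate files, and listing only the locked volumes) can both be done with one awk pass over `diskutil cs list`. What follows is an added example written for this page, not the author's script: the `diskutil cs list` sample embedded as input is constructed, with its tree layout and the "Status:" / "LV Name:" fields reconstructed from OS X 10.9 output, and all UUIDs in it are made up. `unlock_locked` accepts the diskutil command name as an optional first argument purely so it can be exercised against a stub; it also omits -stdinpass so that diskutil itself prompts for each passphrase without echoing it.

```bash
#!/bin/bash
# Added example: unlock only the LOCKED CoreStorage logical volumes, with no
# intermediate files. Not part of the original script.
# Assumption: the `diskutil cs list` layout (tree prefixes, "Status:" and
# "LV Name:" fields) follows the reconstructed OS X 10.9 sample below.

# Constructed sample of `diskutil cs list` output: two groups, one volume
# still locked (Backup) and one already unlocked and mounted (Users).
SAMPLE_CS_LIST='CoreStorage logical volume groups (2 found)
|
+-- Logical Volume Group 0B1C2D3E-0000-1111-2222-333344445555
    =========================================================
    Name:         Backup
    Status:       Online
    |
    +-< Physical Volume 1A2B3C4D-0000-1111-2222-333344445555
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk2s2
    |   Status:   Online
    |
    +-> Logical Volume Family 2B3C4D5E-0000-1111-2222-333344445555
        ----------------------------------------------------------
        Encryption Status:       Locked
        Encryption Type:         AES-XTS
        |
        +-> Logical Volume 3C4D5E6F-0000-1111-2222-333344445555
            ---------------------------------------------------
            Disk:                  -none-
            Status:                Locked
            LV Name:               Backup
            Content Hint:          Apple_HFS
|
+-- Logical Volume Group 4D5E6F70-0000-1111-2222-333344445555
    =========================================================
    Name:         Users
    Status:       Online
    |
    +-> Logical Volume Family 5E6F7081-0000-1111-2222-333344445555
        ----------------------------------------------------------
        Encryption Status:       Unlocked
        |
        +-> Logical Volume 6F708192-0000-1111-2222-333344445555
            ---------------------------------------------------
            Disk:                  disk3
            Status:                Online
            LV Name:               Users'

# Read `diskutil cs list` on stdin; print "UUID<TAB>LV Name" for every
# Logical Volume whose Status is Locked. One awk pass, no temp files.
locked_volumes() {
    awk '
        function flush() {
            if (uuid != "" && status == "Locked") printf "%s\t%s\n", uuid, name
            uuid = ""; name = ""; status = ""
        }
        # "Logical Volume <UUID>" starts a record; the UUID is the last field.
        # "Logical Volume Family/Group" do not match: no "-" after the hex run.
        /Logical Volume [0-9A-F]+-[0-9A-F]+-/ { flush(); uuid = $NF; next }
        # Any other tree node ends the current record.
        /Logical Volume Group|Physical Volume|Logical Volume Family/ { flush(); next }
        # Fields are only taken while inside a Logical Volume record.
        uuid != "" && /^[ |]*Status:/  { sub(/^[ |]*Status:[ \t]*/, "");  status = $0 }
        uuid != "" && /^[ |]*LV Name:/ { sub(/^[ |]*LV Name:[ \t]*/, ""); name = $0 }
        END { flush() }
    '
}

# Unlock every locked volume. With neither -passphrase nor -stdinpass given,
# diskutil prompts on the terminal without echo, so the passphrase never
# lands in a shell variable, in `ps` output, or in the scrollback.
# $1: command to run as diskutil (default "diskutil"; a stub may be passed).
# Prints the number of volumes it tried to unlock.
unlock_locked() {
    local du=${1:-diskutil} line uuid name n=0 oldIFS=$IFS
    IFS=$'\n'; set -f                       # split on lines only, no globbing of names
    local entries=( $("$du" cs list | locked_volumes) )
    IFS=$oldIFS; set +f
    for line in "${entries[@]}"; do         # stdin is still the terminal here
        uuid=${line%%$'\t'*}
        name=${line#*$'\t'}
        echo "Unlocking $name ($uuid)" >&2
        "$du" cs unlockVolume "$uuid" || echo "Failed to unlock $uuid" >&2
        n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone: show which of the sample volumes would be unlocked;
# pass --unlock to run against the real diskutil on this Mac.
printf '%s\n' "$SAMPLE_CS_LIST" | locked_volumes
if [ "${1:-}" = "--unlock" ]; then
    unlock_locked
fi
```

Run against the sample, `locked_volumes` reports only the Backup volume; `Users`, whose Status is Online, is skipped, so Disk Utility no longer needs to be open just to see which disks are greyed out. Because the list is collected into an array before the loop starts, each `diskutil cs unlockVolume` call still has the terminal as its stdin and can prompt normally.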

This could be a better way…

I’ve decided to change the tag lines of one of the post categories here. My original intent with the ‘You’re doing it wrong:’ tag line was to share my ideas about alternative ways of doing things.

My original choice of words sounded too judgy. I would rather it be taken as a possible alternative rather than the ‘best’ way of doing something. After all, I do not claim that my way is the best way. It is just a good way …for me …right now.

I can’t wait to hear about your better ways.