launchd and hdiutils
Hi everybody,

I want to use launchd to mount an encrypted dmg image which contains my home directory (AES 256 - enterprise encryption guidelines) and other directories I want to encrypt like /tmp, etc ...

Therefore I created a launchd.plist which starts hdiutils to attach the image. To be able to enter the password, I directed stdin, stderr and stdout to /dev/console. Furthermore I modified com.apple.loginwindow.plist to wait until the image is mounted.

Everything seems to work, but after I logged in, the image isn't mounted anymore. Does anyone have an idea how to solve this problem?

By the way, which key derivation algorithm is used to derive the encryption key from the password?

Kind regards
Thomas Fritz
On Dec 11, 2009, at 5:10 AM, Thomas Fritz wrote:
> Hi everybody
>
> I want to use launchd to mount an encrypted dmg image which contains my home directory (AES 256 - enterprise encryption guidelines) and other directories I want to encrypt like /tmp, etc ...
>
> Therefore I created a launchd.plist which starts hdiutils to attach the image. To be able to enter the password, I directed stdin, stderr and stdout to /dev/console.
>
> Furthermore I modified com.apple.loginwindow.plist to wait until the image is mounted.

Why not just use FileVault?

> Everything seems to work, but after I logged in, the image isn't mounted anymore.

It sounds like you mounted the image from a daemon, which runs in a different environment from your user environment. Though I honestly don't know much about how the disk images subsystem works.

> Does anyone have an idea how to solve this problem?
>
> By the way, which key derivation algorithm is used to derive the encryption key from the password?

Try apple-cdsa.

--
Damien Sorresso
BSD Engineering
Apple Inc.
At 14:10 +0100 11/12/09, Thomas Fritz wrote:

> I want to use launchd to mount an encrypted dmg image which contains my home directory (AES 256 - enterprise encryption guidelines) and other directories I want to encrypt like /tmp, etc ...

You're not going to be able to do this reliably via launchd. The problem, regardless of the hdiutil issues, is that system startup is asynchronous, with implicit dependency tracking via service provision. Thus, if you put your hdiutil stuff in a launchd daemon, there's no guarantee that daemon will run /before/ the user has logged in, because the login process does not use any of the services provided by your daemon.

The best solution to this problem IMO would be to structure your code as a login agent. This has a couple of benefits:

o It runs synchronously with respect to login.
o You can access the password that the user provided for login.
o You can access the GUI, if necessary, to request a password.

For more details on this, see TN2228 "Running At Login".

<http://developer.apple.com/mac/library/technotes/tn2008/tn2228.html>

S+E
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
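The per-user agent approach Quinn points at, as an added example that is not part of this thread and not Apple's own code: a launchd agent installed under ~/Library/LaunchAgents with RunAtLoad, so the attach step runs inside the user's login session rather than from a system daemon. The image path, mount point, agent label, keychain service name and the sample `hdiutil info` output below are assumptions. Instead of prompting on /dev/console, the script takes the passphrase from a login-keychain item created beforehand with `security add-generic-password` (my choice, not something the thread proposes); the login keychain is unlocked once the user is logged in, so no console interaction is needed. Note that because such an agent runs after the login session already exists, it can serve the extra directories the original post mentions but cannot provide the home directory itself.

```shell
#!/bin/sh
# Added example (not from the thread): attach an encrypted disk image from a
# per-user launchd agent. Paths, label and keychain service are assumptions.

IMAGE="${IMAGE:-$HOME/Private.dmg}"                 # assumed image path
MOUNTPOINT="${MOUNTPOINT:-$HOME/Private}"           # assumed mount point
KEYCHAIN_SERVICE="${KEYCHAIN_SERVICE:-private-dmg}" # assumed keychain item
LABEL="com.example.attach-private"                  # assumed agent label

# Constructed sample of "hdiutil info" output (not captured from a machine),
# used to exercise image_attached() offline. Real output lists every attached
# image in a block that starts with an "image-path : <path>" line.
SAMPLE_HDIUTIL_INFO='images          : 1
================================================
image-path      : /Users/thomas/Private.dmg
image-alias     : /Users/thomas/Private.dmg
image-encrypted : true
/dev/disk2      GUID_partition_scheme
/dev/disk2s1    Apple_HFS   /Users/thomas/Private'

# Print "yes" if image $1 is listed in the hdiutil info text $2, else "no".
# Assumes the image path contains no spaces (awk splits on whitespace).
image_attached() {
    img=$1
    info=$2
    printf '%s\n' "$info" |
        awk -v want="$img" '$1 == "image-path" && $3 == want { found = 1 }
                            END { print (found ? "yes" : "no") }'
}

# Attach the encrypted image. The passphrase comes from the login keychain;
# command substitution drops the trailing newline so it is not fed to hdiutil.
attach_image() {
    pass=$(security find-generic-password -s "$KEYCHAIN_SERVICE" -w) || return 1
    printf '%s' "$pass" |
        hdiutil attach "$IMAGE" -stdinpass -mountpoint "$MOUNTPOINT" \
            -nobrowse -owners on
}

# Emit a LaunchAgent plist that runs script $2 with the "attach" verb at login.
make_agent_plist() {
    label=$1
    script=$2
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$label</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>$script</string>
        <string>attach</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

case "${1:-}" in
    attach)
        # Idempotent: launchd may run the agent more than once per session.
        if [ "$(image_attached "$IMAGE" "$(hdiutil info)")" = yes ]; then
            echo "$IMAGE already attached"
        else
            attach_image
        fi
        ;;
    install)
        # Write the agent for this user and load it; it also runs at next login.
        self="$(cd "$(dirname "$0")" && pwd)/$(basename "$0")"
        mkdir -p "$HOME/Library/LaunchAgents"
        make_agent_plist "$LABEL" "$self" > "$HOME/Library/LaunchAgents/$LABEL.plist"
        launchctl load "$HOME/Library/LaunchAgents/$LABEL.plist"
        ;;
    "") ;;  # no verb: only define the functions (e.g. when sourced)
    *) echo "usage: $0 attach|install" >&2; exit 2 ;;
esac
```

Run `sh attach-private.sh install` once as the user; from then on the `attach` verb runs at every login, checks `hdiutil info` so a second invocation is harmless, and mounts the image at the configured mount point without touching /dev/console.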
participants (3)
- Damien Sorresso
- Quinn
- Thomas Fritz