Jamf Nation Community

yeah i have multiple partitions so i can participate in see programs and easily get back to a useful OS and not have to copy my data every time I rebuild.

If I may ask, what was the reasoning behind putting Users on a separate partition? Also, did you name that partition "Users"? I've setup Mac Pro's with mixed HDD and SDDs. I had named a drive "Users" to store home folders and I had several problems with it not mounting properly, or I would end up with 2 mounts, "Users" and a "Users 1" shadow volume. This was without encryption. Those problems went away when I renamed the volume to something else. I don't know if this affects you, but it's something to be careful about.

@arielper My methodology is based around the fact that if i can restore an OS to a good known working state in about 10 minutes what would be the point in trying to figure out why something stopped working properly. And when it comes time to upgrade an OS for the users i can pre-stage the OS on the other partition and then reboot to the new OS when we are ready to change. And as I said personally i belong to the Seed program so I am always running the latest and newest updates or OS, and sometimes they are not all that fun to run so i fall back to a stable OS.
we name the partition UserData and we mount at /Users has been working for 4 years.
Now that many of our users are going to laptops we need to start encrypting, but turning on FV only encrypts the OS partition, other whole disk encryption tools will encrypt all 3 partitions and they mount properly, but you cannot change the boot device so there is not much point in having an alternate boot device. Seems that this is not a simple thing to do.

You could probably script a startup item/launch daemon that consults an encrypted keychain stored on the boot partition that automatically decrypts and mounts your Users partition upon booting into the encrypted boot partition. By making this keychain, and the script, readable/executable by root only and storing them on the encrypted boot partition, you'll minimize your security risk. You'll likely need to work with the "security" and "diskutil cs" commands.

@Josh_S that is likely what I will do, just add the item to the system keychain, and write a launchdeamon and script to mount, but i was really hoping that fstab had an undocumented mount option i could use and not have to get that deep. Thanks for verifying that as an idea though.

I'm not in the Seed program, but this sounds like a testing problem best solved with a virtual machine setup.

i used to test not on my primary machine but never found problems.
Using what i have to live off of points out problems right away.
i have 6 machines on my desk, and rebuild most of them in week except the server.

https://github.com/jridgewell/unlock

or Chris, need to do some finger yoga before starting to type for the day I see

Has anyone tried this? I like the look of it, but I don't see how the password gets updated. Especially AD users whose password gets changed using an external process. Just hoping I don't have to go back to PGP.

I don't think that would be a problem as the password is stored in the System Keychain