Posted on 05-21-2014 09:38 AM
Thought I'd share this for anyone who might find it useful.
We have users whose FileVault2-encrypted Macs are backed up with Time Machine to unencrypted external hard drives. This kind of destroys the point of securing the data on the internal drive, so we're changing our policies to require the external drives to be encrypted. As such, I've been working on a way to encrypt the drive and add the password to the user's keychain so that they are not prompted to unlock the drive when it is connected. Eventually I'll work this into Self Service and prompt the user to provide a password. Here's what I have for now:
#!/bin/bash
# Encrypt Time Machine drive
# PASSWORD is assumed to be supplied to the script (e.g. as a script
# parameter or environment variable); it is intentionally not hard-coded.
if [ -z "$PASSWORD" ]; then
    # No passphrase supplied
    exit 1
fi
mountPath=$(tmutil destinationinfo | grep "Mount Point" | awk -F ": " '{print $2}')
if [ "$mountPath" = "" ]; then
    # Drive not mounted
    exit 1
fi
diskutil cs convert "$mountPath" -passphrase "$PASSWORD"
# Add password to user keychain
uuid=$(diskutil cs info "$mountPath" | grep UUID | awk '{print $2}' | head -n 1)
volumeName=$(tmutil destinationinfo | grep "Name" | awk -F ": " '{print $2}')
currentUser=$(ls -l /dev/console | awk '{ print $3 }')
# Path to Disk Utility contains a space, so it must be quoted
security add-generic-password -a "$uuid" -D "Encrypted Volume Password" -s "$volumeName" -w "$PASSWORD" -T "/Applications/Utilities/Disk Utility.app/" -T /System/Library/CoreServices/CSUserAgent "/Users/$currentUser/Library/Keychains/login.keychain"
Feedback is appreciated.
Thanks,
Eric
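A companion check, added here and not part of Eric's script: an audit that reports whether the current Time Machine destination is actually encrypted, so the new policy can be verified (for instance as a Jamf extension attribute). It assumes `diskutil cs info` prints an `Encryption Type:` line (AES-XTS or None), parses `tmutil destinationinfo` the same way the script above does, and the sample command output embedded in it is constructed.

```shell
#!/bin/bash
# Added example, not the original poster's script: report whether the
# Time Machine destination is encrypted (usable as a Jamf extension
# attribute). Parsers read command output from stdin for testability.

# Mount point of the first destination in `tmutil destinationinfo` output.
tm_mount_point() {
  awk -F ': *' '/^Mount Point/ { print $2; exit }'
}

# Encryption type from `diskutil cs info <mount>` output. Assumes the
# "Encryption Type:" line (AES-XTS or None); prints "none" if absent,
# which also covers a plain HFS+ volume where the command fails.
cs_encryption_type() {
  awk -F ': *' '/^ *Encryption Type:/ { found = 1; print tolower($2); exit }
                END { if (!found) print "none" }'
}

# $1 = destinationinfo text, $2 = cs info text (may be empty).
# Prints encrypted, unencrypted or no-destination.
classify() {
  mount=$(printf '%s\n' "$1" | tm_mount_point)
  [ -n "$mount" ] || { echo "no-destination"; return 0; }
  case $(printf '%s\n' "$2" | cs_encryption_type) in
    none) echo "unencrypted" ;;
    *)    echo "encrypted" ;;
  esac
}

# Live check, in extension-attribute format; needs a Mac with tmutil.
report_live() {
  destinfo=$(tmutil destinationinfo 2>/dev/null || true)
  mount=$(printf '%s\n' "$destinfo" | tm_mount_point)
  csinfo=$([ -n "$mount" ] && diskutil cs info "$mount" 2>/dev/null || true)
  echo "<result>$(classify "$destinfo" "$csinfo")</result>"
}

# Constructed sample output (not from a real machine; UUID is a
# placeholder) used to exercise the parsers.
SAMPLE_DESTINFO='Name          : Backup
Kind          : Local
Mount Point   : /Volumes/Backup
ID            : 00000000-0000-0000-0000-000000000000'
SAMPLE_CSINFO='Core Storage Properties:
   Role:                       Logical Volume (LV)
   Volume Name:                Backup
   Encryption Type:            AES-XTS
   Encryption Status:          Unlocked'
if command -v tmutil >/dev/null 2>&1; then report_live
else echo "sample: $(classify "$SAMPLE_DESTINFO" "$SAMPLE_CSINFO")"; fi
```

Run on a Mac it prints the live result; an unencrypted or non-Core Storage backup volume reports "unencrypted", and a missing destination "no-destination".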
Posted on 05-21-2014 12:31 PM
@bentoms: Thanks, that's an interesting app he's written and I may have a use for it yet. Turns out my issue was much simpler than I thought: a variable that wasn't set. D'oh! Posting here helped me get away from it for a minute and realize my error. I've updated my original post to include the final script for anyone who may find it useful.
Posted on 05-21-2014 10:26 AM