Using Mac OS X FileVault 2 Whole-Disk Encryption with Long Passwords

I’ve been using KeePass for years to store my passwords for all the various sites, servers, etc. that I need to access. As such, I have liberated myself from having to remember any of them and can therefore choose entirely unguessable, randomly-generated passwords for highly-secure things like, for instance, accessing my online bank accounts.

I tried to use such a password on an external disk I recently attached to my Mac running OS X 10.8. I generated a 128-character password and let the corestorage framework get started on the multi-day effort of encrypting a 3TiB drive. Then I disconnected the drive to relocate it and when I plugged it back into my Mac, I was asked for the password in a dialog. No problem: drag-and-drop from KeePass into the password-entry dialog.

That didn’t work: the password-entry dialog isn’t a text-drop-target.

Okay, no problem: copy from KeePass and paste into the password-entry dialog.

That didn’t work, either: the password-entry dialog doesn’t allow text-paste actions.

Boo.

So I hand-entered the enormous password. Three times. All three times I must have screwed up something. Maybe I thought an I was an l or a 1 or whatever. It doesn’t matter. It’s not going to work long-term: I’m simply not going to hand-enter a huge password whenever I want to access that disk.

Fortunately, a bit of Googling found this excellent post by Rich Trouton: http://derflounder.wordpress.com/2011/11/23/using-the-command-line-to-unlock-or-decrypt-your-filevault-2-encrypted-boot-drive/. His post describes all the things you can do from the command-line with corestorage including mounting encrypted volumes with a password entered through a Terminal window instead of a password-entry dialog.

Both drag-and-drop and copy/paste work with the command-line.

Sure, I have to go through the extra step of going to the CLI to mount that external disk (after dismissing the password-entry dialog when first attaching the device) but a) I’ve got the CLI open all the time anyway and b) I get to use my super-secure password without having to hand-type it.
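The command-line route described above, as an added sketch (not code from this post or from Rich Trouton's): it finds CoreStorage logical volumes that are still locked and unlocks each with `diskutil coreStorage unlockVolume ... -stdinpassphrase`, so the passphrase is pasted at the prompt and never appears in the command's arguments or shell history. The function names and the sample listing are constructed for illustration, and the listing layout is an assumption about what `diskutil coreStorage list` prints.

```shell
# Constructed sample of `diskutil coreStorage list` output (UUIDs are made up).
SAMPLE_CS_LIST=$(cat <<'EOF'
CoreStorage logical volume groups (2 found)
|
+-- Logical Volume Group AAAAAAAA-0000-4000-8000-000000000001
|   +-> Logical Volume Family AAAAAAAA-0000-4000-8000-000000000002
|       Encryption Status:       Unlocked
|       +-> Logical Volume AAAAAAAA-0000-4000-8000-000000000003
|           Disk:                  disk1
|           Status:                Online
|
+-- Logical Volume Group BBBBBBBB-0000-4000-8000-000000000001
    +-< Physical Volume BBBBBBBB-0000-4000-8000-000000000002
    |   Status:   Online
    +-> Logical Volume Family BBBBBBBB-0000-4000-8000-000000000003
        Encryption Status:       Locked
        +-> Logical Volume BBBBBBBB-0000-4000-8000-000000000004
            Status:                Locked
EOF
)

# Read a coreStorage listing on stdin; print the UUID of every Logical Volume
# whose own Status is Locked (group, family and physical-volume blocks are skipped).
locked_lv_uuids() {
  awk '
    { sub(/^[| ]+/, "") }                      # drop tree-drawing prefix
    /Logical Volume (Group|Family)|Physical Volume/ { uuid = ""; next }
    /Logical Volume [0-9A-Fa-f-]+$/ { uuid = $NF; next }
    uuid != "" && $1 == "Status:" && $2 == "Locked" { print uuid; uuid = "" }
  '
}

# Unlock one logical volume. -stdinpassphrase makes diskutil read the
# passphrase from standard input instead of taking it as an argument.
unlock_lv() {
  diskutil coreStorage unlockVolume "$1" -stdinpassphrase
}

# Unlock every locked logical volume currently attached (macOS only).
unlock_locked_volumes() {
  for uuid in $(diskutil coreStorage list | locked_lv_uuids); do
    echo "Unlocking $uuid" >&2
    unlock_lv "$uuid" || return 1
  done
}
```

Source the file in Terminal on the Mac and run `unlock_locked_volumes` after dismissing the password-entry dialog.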
