- Version: 2.4.5
- Date: December 15, 2025
- Compatibility: macOS 15+ (Sequoia) and macOS 26+
- FIXED: Password hints can now have spaces when encrypting
- Fixed it twice. Should really work now. Default Managed Pref was blocking.
- FIXED: Passwords can now have spaces when encrypting
- Fixed a typo in the error dialog
- Fixed the highlighted text in the installer package install flow

KNOWN ISSUES:
- If an HFS-formatted volume has an MBR partition scheme, conversion to APFS will fail. You will need to erase the drive.

- CHANGED: Safer option. It does not offer to erase non-encryptable disks, only mount read-only or eject
- Instructions in dialog to erase disks after backing up data
- Rename script from "DiskEncrypter_Enhanced-NO-ERASE.sh" to "DiskEncrypter_Enhanced.sh" to use if installing manually

KNOWN ISSUES:
- If an HFS-formatted volume has an MBR partition scheme, conversion to APFS will fail. You will need to erase the drive.
- Password can't have spaces when encrypting.

- Changed: Auto-mount unencrypted disks as read-only before prompting user
- Use "DiskEncrypter_Enhanced.sh" v.2.3 if installing manually for the "EraseEncrypt" option
- Updated dialog options: "Keep Read-Only", "Eject", "Encrypt"
- Improved user workflow with safer default (read-only mount)
- Scans for Internal SD card slot volumes
- Fixed: Read-only mount re-prompt issue - volumes mounted as read-only or unmounted are now automatically skipped during scanning, preventing repeated prompts when new volumes appear

This package contains all files needed to deploy the DiskEncrypter solution:

```
DiskEncryption2.0/
├── DiskEncrypter_Enhanced.sh                      # Main encryption script
├── com.custom.diskencrypter.volumewatcher.plist   # LaunchDaemon configuration
├── com.custom.diskencrypter.plist                 # Settings/preferences (example)
├── install_launchdaemon.sh                        # Installation script
├── uninstall_launchdaemon.sh                      # Uninstallation script
└── README.md                                      # This file
```

```bash
sudo mkdir -p "/Library/Managed Preferences"
sudo cp com.custom.diskencrypter.plist "/Library/Managed Preferences/"
sudo chmod 644 "/Library/Managed Preferences/com.custom.diskencrypter.plist"
sudo chown root:wheel "/Library/Managed Preferences/com.custom.diskencrypter.plist"
```

```bash
sudo bash install_launchdaemon.sh
```

The installer will:
- Copy the script to `/Library/Application Support/Custom/`
- Install the LaunchDaemon plist to `/Library/LaunchDaemons/`
- Set correct permissions
- Create log files
- Load and start the daemon

```bash
sudo launchctl list | grep diskencrypter
```

You should see: `com.custom.diskencrypter.volumewatcher`

```bash
# View main log
tail -f /var/log/diskencrypter.log
# View error log
tail -f /var/log/diskencrypter_error.log
```

- In v.2.4.2 and above there is no erase option (NO_ERASE version of the script)
- Instructions for erasing after backups only
- Automatically detects unencrypted external drives and mounts as read-only (v.2.3)
- Prompts users to encrypt, eject or keep mounted as read-only (Encrypt and erase option only in v.2.3)
- Supports APFS, HFS+, ExFAT/FAT/NTFS volumes
- Skips read-only volumes - won't re-prompt for volumes already mounted read-only
- Skips unmounted volumes - ignores volumes that aren't currently mounted
- Prevents duplicate prompts - when new volumes appear, previously handled volumes are automatically skipped
- Encrypt - Convert and encrypt the volume with user-provided password (Note: in v2.3 exFAT, FAT and NTFS volumes will be erased. Make sure your data is backed up if you choose this option)
- Keep Read-Only - Keep the volume in read-only mode (all un-encrypted volumes are automatically re-mounted as read-only)
- Eject - Unmount and eject the volume
- Dry-run mode for testing
- Configurable log levels (0-3)
- AC power requirement for encryption
- SwiftDialog integration for user notifications
- Multi-volume summary
- Automatic log rotation

Edit `/Library/Managed Preferences/com.custom.diskencrypter.plist` to customize:

```xml
<!-- Enable dry-run mode (no actual operations) -->
<key>dryRun</key>
<string>no</string>
<!-- Log level: 0=minimal, 1=normal, 2=verbose, 3=debug -->
<key>logLevel</key>
<integer>1</integer>
<!-- Enable user notifications -->
<key>notifyUser</key>
<string>yes</string>
<!-- Password requirements -->
<key>passwordRegex</key>
<string>^[^\s]{4,}$</string>
```

The script can also be run manually with options:

```bash
# Test without making changes
sudo /Library/Application\ Support/Custom/DiskEncrypter_Enhanced.sh --dry-run
# Run with verbose logging
sudo /Library/Application\ Support/Custom/DiskEncrypter_Enhanced.sh --log-level 2
# Combine options
sudo /Library/Application\ Support/Custom/DiskEncrypter_Enhanced.sh --dry-run --log-level 3
```

- `-d, --dry-run` - Test mode (no actual disk operations)
- `-l, --log-level LEVEL` - Set log level (0-3)
- `-h, --help` - Show help message

```bash
sudo bash uninstall_launchdaemon.sh
```

This will:
- Unload the LaunchDaemon
- Remove installed files
- Optionally remove log files

```bash
sudo launchctl list | grep diskencrypter
```

```bash
# Stop
sudo launchctl unload /Library/LaunchDaemons/com.custom.diskencrypter.volumewatcher.plist
# Start
sudo launchctl load /Library/LaunchDaemons/com.custom.diskencrypter.volumewatcher.plist
```

```bash
# Main log
cat /var/log/diskencrypter.log
# Error log
cat /var/log/diskencrypter_error.log
# System log
log show --predicate 'process == "DiskEncrypter"' --last 1h
```

```bash
# Dry-run mode to test without changes
sudo /Library/Application\ Support/Custom/DiskEncrypter_Enhanced.sh --dry-run --log-level 3
```

| Component | Location |
|---|---|
| Script | /Library/Application Support/Custom/DiskEncrypter_Enhanced.sh |
| LaunchDaemon | /Library/LaunchDaemons/com.custom.diskencrypter.volumewatcher.plist |
| Settings | /Library/Managed Preferences/com.custom.diskencrypter.plist |
| Main Log | /var/log/diskencrypter.log |
| Error Log | /var/log/diskencrypter_error.log |
| Log Archives | /var/log/diskencrypter_archives/ |
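
The script, LaunchDaemon plist and settings file listed above are executed or read by a daemon running as root, so their ownership and write permissions are worth verifying after installation. The following audit is an added example, not part of DiskEncrypter; it uses the paths from the table, and the function names `audit_path` and `audit_all` are hypothetical.

```bash
#!/bin/bash
# Added example (not DiskEncrypter code): audit ownership and mode of the
# files a root LaunchDaemon depends on. Paths are taken from the table above.

# audit_path PATH [EXPECTED_UID]
# Returns 0 if PATH exists, is owned by EXPECTED_UID (default 0 = root) and
# is not writable by group or others; otherwise prints why and returns 1.
audit_path() {
    local path="$1" want_uid="${2:-0}" uid
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"; return 1
    fi
    # ls -ldn prints the numeric owner in column 3 on macOS and Linux alike.
    uid=$(ls -ldn "$path" | awk '{print $3}')
    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER    $path (uid $uid, expected $want_uid)"; return 1
    fi
    # -perm -020 / -002 match when the group-write or other-write bit is set.
    if [ -n "$(find "$path" -maxdepth 0 \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "WRITABLE $path (group or others can modify it)"; return 1
    fi
    echo "OK       $path"
}

# audit_all: check each installed component; returns the number of failures.
# The script's parent directory is included because a writable directory
# allows the script to be replaced even when the file itself is locked down.
audit_all() {
    local failures=0 p
    for p in \
        "/Library/Application Support/Custom" \
        "/Library/Application Support/Custom/DiskEncrypter_Enhanced.sh" \
        "/Library/LaunchDaemons/com.custom.diskencrypter.volumewatcher.plist" \
        "/Library/Managed Preferences/com.custom.diskencrypter.plist"; do
        audit_path "$p" || failures=$((failures + 1))
    done
    return "$failures"
}

audit_all || echo "$? item(s) need attention"
```
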
- macOS 15+ (Sequoia) or macOS 26+
- Full Disk Access permission
- Root/administrator privileges
- AC power for encryption operations
- SwiftDialog (auto-downloaded if not present)
- FIXED: Password hints can now have spaces when encrypting
- FIXED: Passwords can now have spaces when encrypting
- Fixed a typo in the error dialog
- Fixed the highlighted text in the installer package install flow
- Fixed duplicate dialog issue caused by LaunchDaemon re-triggering
- Added lock file mechanism to prevent concurrent runs
- Added processed volumes tracking to prevent re-processing
- Prevents feedback loop from disk unmount events
- Improved dialog layout with infobox for detailed instructions
- Reduced main message text to prevent scrolling
- Better user experience with cleaner dialog presentation
- CHANGED: Safer option. It does not offer to erase non-encryptable disks, only mount read-only or eject
- Instructions in dialog to erase disks after backing up data
- Rename script from "DiskEncrypter_Enhanced-NO-ERASE.sh" to "DiskEncrypter_Enhanced.sh" to use if installing manually
- Changed: Auto-mount unencrypted disks as read-only before prompting user
- Updated dialog options: "Keep Read-Only", "Eject", "Encrypt"
- Improved user workflow with safer default (read-only mount)
- Scans for Internal SD card slot volumes
- Fixed read-only mount re-prompt issue
- Volumes mounted as read-only are now skipped during scanning
- Unmounted volumes are also skipped
- Prevents duplicate prompts when new volumes appear
- Enhanced with comprehensive logging
- Added dry-run mode
- Added command-line arguments
- Improved macOS 15+ compatibility
- Multi-volume support
- Two-phase processing (scan then encrypt)
- Volume name display
- Encryption summary dialog

For issues or questions, check the logs first:

```bash
tail -100 /var/log/diskencrypter.log
tail -100 /var/log/diskencrypter_error.log
```

© 2022 Thijs Xhaflaire

Created by: Thijs Xhaflaire in 2022
Enhanced: December 2025