Howto und Script, Mac OS X: Open SafeStick Login automatically and much more! (Update 2)

Here I show you how the login-application of the hardware encrypted USB flashdrive, e.g. SafeStick from Blockmaster (you can buy it at can automatically be opened when you insert it. Furthermore it will be checked if it really is the USB flashdrive with the application you are expecting. After typing in the right passphrase, a script will be executed that uses data from the decrypted USB flashdrive, e.g. a command that copies keyfiles in a ramdisc (/dev/shm) of a remote computer, whose encrypted volumes will be thus decrypted (see the example below).


You need the attached AppleScript safestick. A few variables need to be adjusted to your needs:

set SAFESTICKLOGINAPP to '/Volumes/SafeStick Login/'
set DECRYPTEDDIRNAME to 'encStoepsel'
set READONLYDIRNAME to 'SafeStick Login'
set SHELLSCRIPT to 'scp /Volumes/encStoepsel/encrypted/server/keys/* root@server:/dev/shm/; ssh root@server /root/'
set SHA512SUMOFSAFESTICKAPP to '374fe0a9c15851bb395f07ac428ad1a5b1e22e94c81cd98fd841223d6c0aeaf53b299956e7895f0886ec4b604c43871d169b2dd3f65c5a43faa288450048880e'

SAFESTICKLOGINAPP doesn’t need to be adjusted in most cases (should already comply with your environment). DECRYPTEDDIRNAME represents — as the name says — the name of the decrypted partition.

Proof with a hash

SHA512SUMOFSAFESTICKAPP has to be the sha512 sum of the tared folder on the flashdrive. You can calculate it with tar cP /Volumes/SafeStick\ Login/ | shasum -a 512 | awk '{print $1}'. Every time you insert the SafeStick and start its Login Application automatically with this script the checksum is verified – an error is shown if it differs from the expected value.


SHELLSCRIPT will be executed after DECRYPTEDDIRNAME is added to /Volumes/, which means that you have entered the correct passphrase. In my case keys from the stick will be transfered to the server via SCP to the RAM (a tmpfs-directory), several encrypted partitions will be mounted and finally the keys will be deleted with wipe. Some extractions of the script:


# only stops everything if called with argument stop
if [[ '$1' == 'stop' ]]
 # stop server, or directories will be busy

 # unmount

 # losetup -d …

 # cryptsetup luksClose …

# not called with stop

 # do not try to mount something twice
 if grep -q '[[:space:]]/backup[[:space:]]' /proc/mounts; then
 echo 'already done'
 exit 1

 # stop programs

 # losetup … …

 # cryptsetup luksOpen

 # wipe keys

 # mount

 # start server

exit 0

What is still missing is the folder action responsible for loading the AppleScript when a new directory is added to /Volumes

Open in Finder the directory /System/Library/CoreServices/ with the shortcut ⌘⇧+G and then start the program Folder Actions Setup. Add the directory /Volumes (choose it using the shortcut ⌘⇧+G). The AppleScript has to be copied to ~/Library/Scripts/Folder Action Scripts/ (create the directory if not existent) in order to add it as an folder action. After that it should look like this:


The AppleScript: safestick.scpt


  • 4th February 2011: “try” deleted, otherwise needless errors will sometimes occur when something else than the flashdrive is inserted.
  • 30th January 2011: Short message is generated when the ssh-script was executed successfully.
    display dialog "Script executed successfully!" buttons {"OK"} default button "OK" giving up after 1
    • Steve
    • January 24th, 2011 10:16am

    Geil, darauf habe ich wirklich gewartet. Danke!

  1. No trackbacks yet.


Durch die weitere Nutzung der Seite stimmst du der Datenschutzerklärung,
dem Haftungsausschluss und der Verwendung von Cookies zu. Weitere Informationen

Die Cookie-Einstellungen auf dieser Website sind auf "Cookies zulassen" eingestellt, um das beste Surferlebnis zu ermöglichen. Wenn du diese Website ohne Änderung der Cookie-Einstellungen verwendest oder auf "Akzeptieren" klickst, erklärst du sich damit einverstanden.