How to move your Home directory to an APFS Encrypted external drive
I recently got a new Mac Mini M4 with the smallest internal SSD (512 GB), fully expecting to move my Home folder to a larger and cheaper external SSD by following [these instructions](https://appleinsider.com/inside/macos-ventura/tips/how-to-move-your-home-directory-in-macos-ventura). Like many others though, I ran into the issue that these steps don't work if your external drive is APFS encrypted. You'll need additional tweaking to overcome this. The trick is to create a LaunchDaemon that will take care of unlocking your external drive during boot, but before user login. Below is what I did. Needless to say, if you're going ahead, you're doing so at your own risk.

As a precaution, ensure you create a second user account on your Mac with Admin privileges that continues to have its home directory on the internal drive. This can be your life saver in case anything in the next steps goes wrong. The second account will still let you in.

If you haven't done so yet, prepare your external drive using Disk Utility. You'll format it as encrypted APFS.

Open Keychain Access. Click on the System keychain (hint: you might need to click away and click on it again to see its contents; some weird bug). Press CMD+N to create a new item. Enter an Item Name and Account Name. In this example, I'll call both of them 'bootdisk'. In the password field, enter the password that you use to encrypt/decrypt your external drive. Be precise – Keychain won't tell you if the password you type doesn't match the one for your external drive.

You'll now need to look up 'bootdisk' in the list to make an additional change. On my system, our newly created entry somehow doesn't show up until I exit and restart Keychain Access, so you might need to do that first. Then, double-click 'bootdisk'. In the window that appears, click Access Control (you might need to authenticate). Here, hit the + button in the lower left corner. A new window opens to locate a file. Press `CMD + Shift + g` and in the window that appears, type `/usr/bin`. You'll now need to find the file called `security`. Click it and press Add, then press Save Changes. (`security` is a command line tool that allows scripts to access the Keychain. By performing this step, you're telling Keychain that the `security` command is allowed to access the 'bootdisk' credentials.)

Now, we'll create the LaunchDaemon. That's a mechanism in macOS that allows you to run a script during boot. First, we'll create the LaunchDaemon itself, and then we'll write the script. Open Terminal, and run the following commands. When prompted, enter your password:

```sh
cd /Library/LaunchDaemons/
sudo touch com.bootstrap
sudo nano com.bootstrap
```

Nano is a simple text editor in Terminal. Copy-paste the following contents into the file:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnvironmentVariables</key>
    <dict>
        <key>PATH</key>
        <string>/bin:/usr/bin:/usr/local/bin:/usr/sbin</string>
    </dict>
    <key>Label</key>
    <string>com.bootstrap</string>
    <key>Program</key>
    <string>/usr/local/bootmount.sh</string>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <false/>
</dict>
</plist>
```

Press CTRL+X (so that's *not* CMD+X) and then Y to save the file and exit Nano. You've now created the LaunchDaemon; however, we must tell macOS we did so with the following command in Terminal:

```sh
sudo launchctl load /Library/LaunchDaemons/com.bootstrap
```

This command should return immediately without any error or feedback.

Now, it's time to write the script itself:

```sh
cd /usr/local
sudo touch bootmount.sh
sudo chmod +x bootmount.sh
sudo nano bootmount.sh
```

Yep, we're back in Nano. Enter the following:

```sh
#!/bin/sh
# Read the drive passphrase from the 'bootdisk' keychain item created above
passphrase=$(security find-generic-password -w -s 'bootdisk' -a 'bootdisk')
# Quote the variable so a passphrase containing spaces is passed as one argument
diskutil apfs unlockVolume disk7s1 -passphrase "$passphrase"
```

There's one thing to watch out for: you'll need to replace `disk7s1` with the identifier of the volume that you want to use. If you don't know it, then open Disk Utility, click on the Volume in the list on the left (under 'External'), and find the name next to Device in the table on the right. Once done, press CTRL+X and Y again to save.

Now, you should have everything in place for macOS to mount your drive during boot and grab the password from the keychain. You can test if the script works by going to Disk Utility to unmount the external drive. Then, in Terminal:

```sh
cd /usr/local
sudo ./bootmount.sh
```

This should mount your drive again.

You can now follow steps [like these](https://appleinsider.com/inside/macos-ventura/tips/how-to-move-your-home-directory-in-macos-ventura) to actually move your Home directory to the external drive. Provided you followed all other steps correctly, after a reboot, you should now be able to log in with your account normally. If not, come back in through your second account to troubleshoot.
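
A variant of the `bootmount.sh` script above, as an added example that is not part of the original post: it waits for the drive to appear, stops if the keychain lookup returns nothing, and pipes the passphrase to `diskutil` with `-stdinpassphrase` so it never appears as a command-line argument in the process list. `WAIT_TRIES` and the function names are assumptions of this example; `diskutil` also accepts the volume UUID in place of `disk7s1`, which does not change between boots.

```sh
#!/bin/sh
# Added example: variant of bootmount.sh, not the original post's script.
KEYCHAIN_ITEM="bootdisk"        # item and account name created in Keychain Access
VOLUME="disk7s1"                # the post's identifier; replace with yours or the volume UUID
WAIT_TRIES="${WAIT_TRIES:-30}"  # assumption: poll about 30 s for the drive at boot

# launchd discards stderr unless StandardErrorPath is set in the plist.
log() { echo "bootmount: $*" >&2; }

# Poll until diskutil can see the volume; external drives may enumerate late.
wait_for_volume() {
    tries=$WAIT_TRIES
    while [ "$tries" -gt 0 ]; do
        diskutil info "$1" >/dev/null 2>&1 && return 0
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

unlock_volume() {
    vol=$1
    if ! wait_for_volume "$vol"; then
        log "volume $vol not found"; return 1
    fi
    pass=$(security find-generic-password -w -s "$KEYCHAIN_ITEM" -a "$KEYCHAIN_ITEM" 2>/dev/null) || pass=""
    if [ -z "$pass" ]; then
        log "no passphrase returned for keychain item $KEYCHAIN_ITEM"; return 1
    fi
    # printf is a shell builtin, so the passphrase goes down the pipe and is
    # never an argument of any process.
    rc=0
    printf '%s' "$pass" | diskutil apfs unlockVolume "$vol" -stdinpassphrase || rc=$?
    unset pass
    [ "$rc" -eq 0 ] || log "diskutil unlockVolume failed with status $rc"
    return "$rc"
}

# Run only when executed under its own name, so the functions can be sourced.
case "${0##*/}" in
    bootmount.sh) unlock_volume "$VOLUME" ;;
esac
```
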