LaunchDaemon, LaunchAgent and script to run Crypt as root at login without using a loginhook. The user can click on the desktop and quit the app, but it does get around any networking issues that might happen when running before login is finished.

com.grahamgilbert.crypt.launcher.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.grahamgilbert.crypt.launcher</string>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/local/crypt/Crypt.app/Contents/MacOS/Crypt</string>
	</array>
	<key>WatchPaths</key>
	<array>
		<string>/usr/local/crypt/watch</string>
	</array>
</dict>
</plist>

com.grahamgilbert.crypt.login.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.grahamgilbert.crypt.firstrun</string>
	<key>LaunchOnlyOnce</key>
	<false/>
	<key>ProgramArguments</key>
	<array>
		<string>/Library/Scripts/filevault.sh</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
</dict>
</plist>

filevault.sh

#!/bin/bash

readonly DISKUTIL="/usr/sbin/diskutil"

log() {
  echo "${@}" >&2
  logger -t request_encryption "${@}"
}



check_encryption_state() {
  ${DISKUTIL} cs list | grep -q -e 'Conversion\ Status.*Pending'
  if [[ ${?} -eq 0 ]]; then
    log "Disk encryption pending, skipping."
    exit 0
  fi

  ${DISKUTIL} cs list | grep -q -e 'Conversion\ Status.*Complete'
  if [[ ${?} -eq 0 ]]; then
    log "Disk encryption complete, skipping."
    exit 0
  fi

  ${DISKUTIL} cs list | grep -q -e 'Conversion\ Status.*Converting'
  if [[ ${?} -eq 0 ]]; then
    log "Disk encrypting or decrypting, skipping."
    exit 0
  fi
}


main() {
  check_encryption_state

  
  touch /usr/local/crypt/watch/launch
  sleep 5
  rm /usr/local/crypt/watch/launch

}


main "${@}"