Password on encrypted volume not being "forgotten"

I've set up an encrypted disk image (sparsebundle) and written a short bash script to simulate the old-style FileVault (to protect just a single account.) It uses a folder within the encrypted volume as the home folder of an account that I use for sensitive information. While it took a little while to get the permissions/ownership right on the volume and image, it works fine. The other tricky part was that I have the script close the volume after it detects the account has been logged out -- I discovered I needed to wait a while for the logout to complete before closing the volume (otherwise it seemed like the system was trying to read or write from the volume even after "who" showed the account was logged out, and so it created a new home directory that confuses things.)

Now, the "problem" I have is this. The first time the script opens the encrypted volume the system of course asks for the password. Thereafter unless I reboot (logging in and out of the non-protected account I start the script from doesn't help) and possibly after a *long* time, the system seems to be remembering the password to the file -- on subsequent uses of the script the volume is opened without me being asked for the password. I have examined carefully what I do when entering the password to make sure it's not saved in the keychain -- and indeed it isn't (verified by looking at the keychain).

Does anyone have any idea where the system (presumably the Finder) is saving the password and how to get it to "forget" it? (I just realized I haven't checked to see if the password is "remembered" system-wide or just in the un-protected account.) I've looked in both the system and account set of caches and nothing is obvious (all the finder cached data is in a single database, presumably in some obscure format.)


Ted Lee

Minnetonka, MN

MacBook Pro (Retina, 13-inch, Late 2012), OS X Mountain Lion (10.8.3), also a desktop G4 and an early mini

Posted on May 23, 2013 8:58 AM

5 replies

May 23, 2013 11:01 AM in response to Eric Root

Yes. By the way, I just tried switching to another account (the one I use for admin purposes) and the password for the encrypted disk image was "remembered" there too (but not in any login chains there either). So it's something at a system, not account, level, and I suspect has nothing to do with the Finder per se. I should try connecting from another system as guest to see what happens, but I don't have the time right now to try that (not that it matters much since I'm on a very small home network firewalled away from the net.) Ah, I just checked with a terminal command (open) and the disk image opened without me supplying the password, so it's definitely something below the Finder.

May 23, 2013 11:26 AM in response to Theodore Lee

I just checked, and restarting does indeed cause the system to "forget" the password. What I found interesting is that if I attempted to open the encrypted image (a sparsebundle, if that matters) from a terminal window, after the password had been "forgotten", with a Unix "open" command, I got an OS X dialogue asking for the password -- not something in the terminal window (as when it asks for a sudo password.) So there isn't a pure layering of OS X and Unix.

May 23, 2013 6:10 PM in response to Theodore Lee

Some more experiments. Since I was using the encrypted image to simulate FileVault, I put the image in the /User directory (which is where the old FileVault put its image for an account.) This time I created another encrypted sparsebundle in a directory on my desktop -- the system did *not* remember the password for it (I had to enter it each time I opened it.) More interestingly, diskutil *knew* about and remembered the image I'd put in /Users, but not the one on my desktop. Diskutil even said that the volume inside it was an unmounted (encrypted) partition. So it appears the system is "remembering" images that are in the /User directory -- I have no idea if there are other directories (say, /Library) where it would be remembered too. But the "memory" has something to do with the live system -- since if I restart, the "memory" is lost. Whether it is kept in some non-obvious place in the file system that disappears on shutdown or restart or just in virtual memory I of course don't know.

May 23, 2013 7:40 PM in response to Theodore Lee

Eureka -- I figured it out. It was seeing disk utility sometimes showing "dismount" and sometimes "eject" that gave me the clue. I had been using "diskutil unmount force <myvolume>" to close the encrypted disk image. That just *unmounted* the image (partition) -- not ejecting it. Somewhere the system remembers where unmounted but still physically present disk partitions are -- including those in encrypted disk images. (I browsed through all the invisible system folders, but couldn't find any obvious one where the info is kept.) But if I used "diskutil eject <myvolume>" the system lost all knowledge of it. Now, directly using "eject" didn't work -- even though the account using the volume was logged out, the system still thinks somebody has it in use. So I had to first use "unmount force" option, then open the volume again in the script, then eject it. And that worked.
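An added example, not part of the original posts: a check for the state described in the last reply, an encrypted image that is still attached after its volume was only unmounted. It assumes the usual `hdiutil info` layout (a `====` line per image, `image-path` and `image-encrypted` fields, tab-separated `/dev/disk` lines ending in the mount point); the sample output and its paths are constructed.

```shell
#!/bin/sh
# Reads `hdiutil info` output on stdin and prints the path of every encrypted
# image that is still attached while none of its partitions is mounted.
stale_encrypted_images() {
    awk '
        function report() { if (path != "" && enc && !mounted) print path }
        /^=+$/ { report(); path = ""; enc = 0; mounted = 0; next }
        /^image-path[ \t]*:/ { sub(/^image-path[ \t]*:[ \t]*/, ""); path = $0; next }
        /^image-encrypted[ \t]*:[ \t]*(true|TRUE)/ { enc = 1; next }
        /^\/dev\/disk/ {
            # Device lines are tab-separated: node, content type, mount point.
            n = split($0, f, "\t")
            if (n >= 3 && f[3] != "") mounted = 1
        }
        END { report() }
    '
}

# Constructed sample (assumed layout, hypothetical paths): the first image was
# unmounted but not ejected, the second is attached and mounted.
sample_hdiutil_info() {
    printf '%s\n' '================================================'
    printf '%s\n' 'image-path      : /Users/Shared/secure.sparsebundle'
    printf '%s\n' 'image-type      : sparse bundle disk image'
    printf '%s\n' 'image-encrypted : true'
    printf '/dev/disk2\tGUID_partition_scheme\t\n'
    printf '/dev/disk2s2\tApple_HFS\t\n'
    printf '%s\n' '================================================'
    printf '%s\n' 'image-path      : /Users/Shared/Desktop test/other.sparsebundle'
    printf '%s\n' 'image-type      : sparse bundle disk image'
    printf '%s\n' 'image-encrypted : true'
    printf '/dev/disk3\tGUID_partition_scheme\t\n'
    printf '/dev/disk3s2\tApple_HFS\t/Volumes/Other\n'
}

# On a Mac, inspect the live system; elsewhere, run over the sample.
if command -v hdiutil >/dev/null 2>&1; then
    hdiutil info | stale_encrypted_images
else
    sample_hdiutil_info | stale_encrypted_images
fi
```

Any path it prints belongs to an image whose volume can be remounted without the password prompt until the image is ejected or the machine restarts.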
