How to Create a Secure, Encrypted File Container in OS X


Concerns regarding personal data security and privacy have been with us since the dawn of computing, when the Chinese introduced the abacus back in 2600 B.C. With increased connectivity, work collaboration, social networking and remote data storage, these concerns have increased many-fold. This is a good thing in that everyone's data security awareness is at a level never before seen. However, there is a fine line between security paranoia – which can be paralyzing, therefore counter-productive – and a level-headed awareness of the security of computing habits and data storage. There are many aspects of personal data security and privacy and just as many ways to ensure that your information is secure.

In this article, I talk about a free method for creating safe, password-protected and encrypted "containers" for your files. These containers are also called encrypted disk images or encrypted archives, but that can be misleading to the non-technical. While I will refer to these by their proper name – Disk Images – you can think of them as containers we're all familiar with: folders.

But first, what exactly is a Disk Image?

A Disk Image is a file that looks and functions like a disk. It contains other files and folders. When you open it, the Mac “mounts” it, appearing on your desktop or in a Finder window sidebar just as any storage device would. Disk images can be used to move files between Macs or send them to other users via email. The image can also be burned to a CD or DVD disc for safekeeping. Finally, and what we are going to learn here: the disk image can be used to store confidential files securely using industry-standard file encryption schemes.

Here on The Mac Observer, I have written several articles covering a few of the wonderful, and sometimes little-known, OS X applications that come gratis with every Mac. Today's gem is Disk Utility which is located inside a folder called Utilities residing in the Applications folder. You can get to it quickly in Finder via Go > Utilities.

The Disk Utility application icon.

The Disk Utility application is located inside your Applications folder; look for the Utilities folder.

Disk Utility is a vital application that lets you manage several aspects of your internal and attached storage drives and is also used for drive maintenance and troubleshooting. (Warning: issuing commands you are not familiar with in Disk Utility can lead to data loss! You have been warned.)

There are plenty of third-party apps that let you create these encrypted containers we're discussing. They all mostly just apply a simpler interface to the operation, but fundamentally the behind-the-scenes processes are the same as the ones Disk Utility uses.

So, let's jump right in.

1. Locate and launch Disk Utility.

2. Click on the "New Image" icon located in the toolbar at the top. This refers to a Disk Image – the container I referred to earlier.

The main Disk Utility Window highlighting the New Image icon in the toolbar at the top.

Get started by creating a New (Disk) Image.

3. A panel appears asking for some information. This is essentially a SAVE File Dialog Box. The file naming operation is basically a two-step operation. First, create a name for the secure disk image file you are about to create. Indicate where you wish to store it on your system. Eventually, this will show up as a single password-protected, encrypted file. As we'll see, when you double-click that file and you authenticate successfully, a newly mounted image of a disk will appear in Finder, containing your super-secret folders and files.

The SAVE panel in Disk Utility, highlighting the naming of the Disk Image file and the Disk Image.

It's important to understand the difference between naming the Disk Image file and the Disk Image that will mount.

4. The second naming operation is found in the center section of the SAVE panel. You have to assign a name to the actual disk image that will eventually mount in the Finder when double-clicking the disk image file and successfully inputting your password. This doesn't have to necessarily be the same name you assigned in the previous step to the secure disk image file, but it certainly can be if you wish, and is probably best to do so. In my illustration, my disk image file is called "MY SECRETS". That file will eventually decrypt and mount a disk image called "The Secret of Life."

5. Next in the SAVE panel, you need to indicate what the maximum Size of your disk image will be – just as any disk has a certain amount of capacity to it. Select the size via the pop-up menu. Be sure the size will at least accommodate all the files you wish to protect within it. You will see some typical sizes as presets. Note that you can also configure a custom size.

6. Set Format to the default Mac OS Extended (Journaled).

7. Set Encryption to 128-bit AES or 256-bit AES. The latter is the most secure but will be slower when securing the data. The password you will be assigning will be used as the key to encrypt (scramble) and decrypt (unscramble) your data.

8. For Partitions, select "Single partition - Apple Partition Map" for maximum compatibility with older Macs.

9. For Image Format, select "Sparse Bundle Disk Image."

10. Click CREATE.

11. Because you selected an encryption option in step 7, you will next be prompted to set a password, which goes hand-in-hand with data encryption. Be sure to create a strong password with upper and lower case letters, and one or more numbers and symbols. The Set Password panel will help you determine the strength of your password and even provide you with a little utility to help configure your secure password. You get to it by clicking on the little key icon next to the first password field.

The password assignment panel.

Be sure that your password is NOT stored in your keychain.

Caveats: For maximum privacy and security, DO NOT check the "Remember password in my keychain" checkbox. It's better to be always prompted for your password to better ensure that unauthorized users will stay out. Also, remember this: if you forget your password, you are SOL (so out of luck)!

Click OK. Your disk image file will be created at the location you specified. You can now QUIT Disk Utility.

The file with the name you set in step 3 will now appear in the Finder. Additionally, the disk image with the volume name from step 4 will mount as if it were an attached drive or a CD/DVD. This is your secure container, and behaves similarly to a folder or disk. Simply drag-copy the files and folders you wish to secure to the disk image, but remember that this is a COPY operation, not MOVE. This means that, if appropriate, you will need to delete the original folder/file otherwise it will still be on your system and vulnerable to unauthorized access.

The desktop icons representing the Disk Image file and the mounted Disk Image.

The Disk Image File (left) and the mounted Disk Image (right).

In step 5, you set a maximum size for your disk image, and in step 9 you set its format as Sparse Bundle Disk Image. (Not to be confused with Sparse Disk Image, an older format.) The Sparse Bundle Disk Image is the perfect choice as it allows you to continue adding files to the disk image any time you wish, while conserving space. That's because, under this scheme, the disk image is just large enough to hold the files in it and expands to its maximum size (from step 5) as you add files to it. For example, if you create a 500 MB sparse bundle disk image, its maximum size is 500 MB.

The portion of a Finder window's sidebar showing that a Disk Image is mounted.

This is the sidebar of any Finder Window. There is a Disk Image mounted.

When you are done using or copying files and are ready to re-encrypt and secure the disk image, simply UNMOUNT it as you would any other disk or disk image. The fastest way is to drag it to the trash can (which momentarily turns into an "eject" symbol). Oh, (or should I say, d'Oh!) be sure you are NOT moving your disk image file to the trash. Alternatively, right-click (or control-click) on the mounted disk image icon and select "Eject." The Mac re-encrypts the files and unmounts the disk image – as if ejecting a DVD.
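The same create, copy and eject sequence can be scripted with `hdiutil`, the command-line tool that ships with OS X. This is an added example, not part of the original article. The `HDIUTIL` override variable (for dry runs) and the `/Volumes/<volume name>` mount path are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the article): the Disk Utility steps via hdiutil.
# HDIUTIL is a hypothetical override so commands can be dry-run with "echo".

# Map the Encryption pop-up choice (128 or 256) to hdiutil's -encryption value.
encryption_flag() {
  case "$1" in
    128) echo "AES-128" ;;
    256) echo "AES-256" ;;
    *)   echo "unsupported key size: $1" >&2; return 1 ;;
  esac
}

# create_image FILE VOLNAME SIZE BITS
# No password option is passed, so hdiutil prompts for it and the password
# never appears in shell history or in the keychain.
create_image() {
  enc=$(encryption_flag "$4") || return 1
  ${HDIUTIL:-hdiutil} create -type SPARSEBUNDLE -fs HFS+J -layout SPUD \
    -encryption "$enc" -size "$3" -volname "$2" "$1"
}

# Reads `hdiutil isencrypted` output on stdin; succeeds only on "encrypted: YES".
is_encrypted() {
  grep -q '^encrypted: YES$'
}

# copy_and_verify SRC DEST_DIR: copy, then compare byte-for-byte, so the
# original is deleted only after the copy inside the image is known good.
copy_and_verify() {
  cp -Rp "$1" "$2"/ && diff -r "$1" "$2/$(basename "$1")" >/dev/null
}

# secure_files SRC IMAGE VOLNAME: create, confirm encryption, mount, copy, eject.
# hdiutil gives SPARSEBUNDLE images the .sparsebundle extension; pass it in IMAGE.
secure_files() {
  create_image "$2" "$3" 500m 256 || return 1
  ${HDIUTIL:-hdiutil} isencrypted "$2" 2>&1 | is_encrypted || return 1
  ${HDIUTIL:-hdiutil} attach "$2" || return 1      # prompts for the password
  copy_and_verify "$1" "/Volumes/$3"; status=$?    # assumed mount path
  ${HDIUTIL:-hdiutil} detach "/Volumes/$3"
  [ "$status" -eq 0 ] && echo "Copy verified; the original of $1 is still on disk."
  return "$status"
}

if [ "$#" -gt 0 ]; then secure_files "$@"; fi
```

Run it with three arguments (source folder, image file, volume name). It leaves the original in place, so deleting it remains a deliberate manual step after the copy has been verified.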

Your disk image file containing your precious data is now securely encrypted and is still located where you indicated you wanted to save your disk image file in step 3. As with any file, you can move or copy or alias it as you need to. In my example, I assigned the name MY SECRETS. The encrypted disk image file is called "MY SECRETS.sparseimage". NOTE: If you have disabled Show all filename extensions in Finder Preferences, you will not see the file extension (.sparseimage).

Any time you need to access your secured files, simply double-click your disk image file to open it. You will be prompted for your password which you established in step 11, then click OK. Your disk image will mount in the Finder as you'd expect any other disk, CD, DVD or disk image to. You are now free to access your sensitive folders and files. If you need to, you can add, move, edit or delete files. Because it's a sparse bundle formatted file, it will expand up to the limit you set in step.

If you are concerned about additional security for your data saved to services like Dropbox or CrashPlan, the encrypted disk file is one great solution.

In conclusion, continue to explore the possibilities that come with your Mac without added expenses. Go ahead – create as many disk images as you want with Disk Utility, but be sure to back up your disk image files along with all your other important data!

Comments

Tony

Sandro, very clear and helpful article. Can you mention a few things that this would be most useful for? I was thinking that my 1Password database would qualify, but I’m fairly sure that’s already encrypted. Perhaps my contacts database… though I guess when dealing with files other programs rely upon, if you don’t mount the image before triggering them you might have problems? Or are they smart enough to just issue a warning?

Jaguar

Just use TrueCrypt instead!

droid

Your 1Password database is encrypted, so that is fine Tony (so long as you picked a good password). The same is true of the Mac OS keychain that also saves passwords.

The contacts DB is another question; it isn’t very easy to encrypt it safely by using the disk image method mentioned.
If you are actually worried about it you can use FileVault. You enable full disk encryption in the Security section of System Preferences. Once the process completes everything will be encrypted, so the only way to get at the contacts is either via hacking you when you are using the system or if they have the password to FileVault or your user account.

TrueCrypt can also encrypt the entire disk if you don’t trust Apple to do the job.
