How to Strongly Encrypt a File (for free) in OS X

| How-To

There are many tools for encrypting files in OS X. GUI apps to do that have varying prices. Unfortunately, OS X itself doesn't have many built-in ways to encrypt a file. I'll show you the two native methods available in OS X.


Introduction. Encryption is a vast and complex subject. There are many nuances and gotchas. In this article, we'll keep it short and sweet for beginners so that it's easily understandable for a specific, simple task. For those who want to go further and expand their knowledge, I'll list some resources at the end of this How-to.

Method #1. Encrypted DMG. A "DMG" file, short for "disk image," can be used as a container to store one or more files if desired. It uses AES-256 encryption, which is considered fairly strong encryption.

You've likely seen DMG files before because they're handy ways to distribute software. In this case, we'll encrypt the contents of a DMG file and set a passcode to decrypt it.

The OS X utility you'll use is /Applications/Utilities/Disk The example here uses the version found in OS X 10.11 El Capitan.

1. Launch Disk

2. Go to the app's File Menu and select New Image > Blank Image.

The Disk Utility File menu.

3. You'll see and popup with fields to fill out. The first field, "Save As:" will be the name of the DMG file. The third field, "Name" is the name of the volume that will mount. They can be the same, but make them different to easily, visually differentiate them.

4. As soon as you select the encryption method, AES-256, you'll be prompted for the passcode. Make it at least 12 characters and don't forget it. After you select a volume size, you can leave the rest of the items as the default.

5. Click save. On your desktop you'll see your encrypted DMG file and also the mounted volume that you named above. You can drag the files you want encrypted into this volume, then unmount it. (Don't forget to delete the originals.) Now your data is (fairly) safe.

Your encrypted DMG file looks like this.

6. To access the now encrypted data, double click your DMG file. You'll be promoted for the passcode you entered in step #4 above. The decrypted volume will mount, and you can access the original files.

Do NOT check the box to save the password in the Keychain else anyone who has access to your Mac can easily decrypt your DMG with a double-click.

Now you have a secure container in which you can drag anything you like. Just remember that when you drag sensitive files, across volumes, into the container to delete the originals and select "Secure Empty Trash." However if you're using an SSD and/or El Capitan, read this article first. "How to replace El Capitan's missing Secure Empty Trash."

Next page: You knew it was coming. A command line technique.

Popular TMO Stories



Hey John, perhaps for a future article you could describe ways to transmit messages encrypted. OS X has S/MIME capability built-in to Mail, but it requires the acquisition and exchange of certificates. After that, it’s just a checkbox away. Apple has done a great job here in iMessage to keep the peer-to-peer encryption easy to use.

For a really geeky article you could then go into the use of PGP (or GnuPG) for the command line experts.

I’ve tried to educate people on the use of S/MIME (and PGP), but encryption is just really hard for most to wrap their heads around.

Oh, and don’t forget about FileVault! Your entire hard drive is encrypted and requires a password at boot.

John Martellaro

I can’t commit ahead of time, but I’m pondering a part II that covers some of the GUI apps to do the same thing.  Like Keka in the Mac App store for $2.00.

Your suggestions are all great.

Also, Jeff Gamet covered a lot of ground here, including File Vault.

I didn’t get into detailed forensics or methods here.  Baby steps.


Thank you for the article John.
FYI & FWIW: OpenSSL is deprecated and discouraged by Apple( see OPENSSL section on this page: <>“Use of the OS X OpenSSL libraries by apps is strongly discouraged”. Clearly this is aimed at developers and it’s likely most readers won’t use the command line approach.


@brilor Just because it is deprecated by Apple doesn’t mean it is by the rest of the world. And, for the use John describes, it is perfectly acceptable. If/when Apple decides to remove OpenSSL from OS X, one can always install a newer version using Homebrew or some other package manager.


jbruni wrote: “And, for the use John describes, it is perfectly acceptable.”

Agreed, which is why my comment is prefaced with FWIW.

Log in to comment (TMO, Twitter or Facebook) or Register for a TMO account