How to Strongly Encrypt a File (for free) in OS X

There are many tools for encrypting files in OS X. GUI apps to do that have varying prices. Unfortunately, OS X itself doesn't have many built-in ways to encrypt a file. I'll show you the two native methods available in OS X.

_____________________

Introduction. Encryption is a vast and complex subject. There are many nuances and gotchas. In this article, we'll keep it short and sweet for beginners so that it's easily understandable for a specific, simple task. For those who want to go further and expand their knowledge, I'll list some resources at the end of this How-to.

Method #1. Encrypted DMG. A "DMG" file, short for "disk image," can be used as a container to store one or more files if desired. It uses AES-256 encryption, which is considered fairly strong encryption.

You've likely seen DMG files before because they're handy ways to distribute software. In this case, we'll encrypt the contents of a DMG file and set a passcode to decrypt it.

The OS X utility you'll use is /Applications/Utilities/Disk Utility.app. The example here uses the version found in OS X 10.11 El Capitan.

1. Launch Disk Utility.app.

2. Go to the app's File Menu and select New Image > Blank Image.

The Disk Utility File menu.

3. You'll see a popup with fields to fill out. The first field, "Save As:", is the name of the DMG file. The third field, "Name", is the name of the volume that will mount. They can be the same, but making them different makes it easy to tell the two apart at a glance.

4. As soon as you select the encryption method, AES-256, you'll be prompted for the passcode. Make it at least 12 characters and don't forget it. After you select a volume size, you can leave the rest of the items as the default.

5. Click save. On your desktop you'll see your encrypted DMG file and also the mounted volume that you named above. You can drag the files you want encrypted into this volume, then unmount it. (Don't forget to delete the originals.) Now your data is (fairly) safe.

Your encrypted DMG file looks like this.

6. To access the now encrypted data, double click your DMG file. You'll be prompted for the passcode you entered in step #4 above. The decrypted volume will mount, and you can access the original files.

Do NOT check the box to save the password in the Keychain; otherwise anyone who has access to your Mac can decrypt your DMG with a double-click.

Now you have a secure container into which you can drag anything you like. Just remember, when you drag sensitive files into the container from another volume, to delete the originals and select "Secure Empty Trash." However, if you're using an SSD and/or El Capitan, read this article first: "How to replace El Capitan's missing Secure Empty Trash."


Method #2. OpenSSL encryption on the command line. OS X has within its UNIX core the facility to encrypt individual files. You can do this on the command line with the "openssl" command. For more details, including the nuance of the alternate method to encrypt for email transmission, see this tutorial on SSL. We're going to encrypt a text file. The method I show here also uses AES-256 encryption.

1. Encrypt. Open Terminal and navigate to the file to be encrypted. I'll assume you know how to use the UNIX "cd" command to get there. Let's call the file secret.txt. Enter this on the command line:

openssl enc -aes-256-cbc -salt -in secret.txt -out secret.enc

You'll be prompted to enter the passcode and then verify it. The original file will automatically be deleted and the output encrypted file is named "secret.enc". My encrypted text file looks like this:

2. Decrypt. Again, on the command line, navigate to the encrypted file and enter:

openssl enc -d -aes-256-cbc -in secret.enc > secret.txt

You'll be prompted for the passcode. The decrypted text file will be written to the file named after the ">" symbol, and the original encrypted file will be retained.

This second method is a bit geeky, but after some experimenting with dummy test data you should get the hang of it. Of course, if you wanted to get really geeky, you could wrap the above commands in a shell script that takes user input, but that's beyond the scope of this article.
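As an added example (not part of the original article), here are the two openssl commands above wrapped in POSIX shell functions that check the round trip before the plaintext is removed. It assumes openssl is on the PATH and reads the passphrase from an environment variable named FILE_PASSPHRASE (a name chosen for this example) instead of the interactive prompt; "-md sha256" is added to pin the key-derivation digest so a file encrypted under one OpenSSL version still decrypts under another.

```shell
#!/bin/sh
# Added example, not the article's own script. Assumes: openssl is on the
# PATH and the passphrase is exported as FILE_PASSPHRASE (a name chosen for
# this example) so it is never typed on the command line or saved in history.

# encrypt_file <plaintext> <ciphertext>: same as the article's step 1, with
# the digest pinned and the passphrase taken from the environment.
encrypt_file() {
    openssl enc -aes-256-cbc -salt -md sha256 \
        -pass env:FILE_PASSPHRASE -in "$1" -out "$2"
}

# decrypt_file <ciphertext> <plaintext>: the article's step 2, using -out
# instead of shell redirection.
decrypt_file() {
    openssl enc -d -aes-256-cbc -md sha256 \
        -pass env:FILE_PASSPHRASE -in "$1" -out "$2"
}

# A file produced with -salt starts with the 8-byte marker "Salted__",
# followed by the random salt; checking it catches an empty or unsalted file.
is_salted() {
    [ "$(dd if="$1" bs=8 count=1 2>/dev/null)" = "Salted__" ]
}

# encrypt_and_verify <plaintext> <ciphertext>: encrypt, decrypt into a
# scratch file, compare byte for byte, and only then remove the plaintext.
# Returns 0 on success and leaves the plaintext untouched on any failure.
encrypt_and_verify() {
    plain="$1"; enc="$2"; check="$2.check"
    encrypt_file "$plain" "$enc" || return 1
    is_salted "$enc" || return 1
    decrypt_file "$enc" "$check" || { rm -f "$check"; return 1; }
    if cmp -s "$plain" "$check"; then
        rm -f "$check" "$plain"   # round trip verified; drop the original
        return 0
    fi
    rm -f "$check"
    return 1
}
```

Run it as FILE_PASSPHRASE='...' sh script.sh after adding a call such as encrypt_and_verify secret.txt secret.enc at the bottom; on an SSD, plain rm does not guarantee the original's blocks are overwritten, which is the same caveat as the Secure Empty Trash note on page 1.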

Final Note: There is a similar technique that uses the zip command on the command line, and utilities like Cocoatech's Path Finder wrap a GUI around it. However, for backwards compatibility, as far as I know the OS X implementation of zip encryption remains very weak and should not be used. OpenSSL is your best and more secure option.

Further Reading

1. Why we use the -salt option above.

2. Details on the OpenSSL Command

3. AES Encryption Standard