Encrypt files for safety
True story: A friend of mine—a programmer I’ll call Annie—came home one day to find her new town house burglarized. Among the stolen items was the PowerBook she used for work. While she hoped that the thief would simply junk or erase the hard drive, there was no way for Annie or her employer to be sure that the many office and personal files she had on the PowerBook hadn’t been compromised.
Within days, Annie had a replacement MacBook Pro, and she asked me to help her set it up so she wouldn’t have to endure that anxiety again. My proposed solution: an encrypted folder, where she could store her most sensitive files.
Encrypted data is thoroughly scrambled and can be unscrambled only with the correct password. The best encryption methods—known as strong encryption —make it essentially impossible to decrypt data, no matter how much trickery or brute force the thieves use.
Encrypted folders are particularly good if you carry your data around on a laptop. In the office, you can often copy confidential files to a secure server, and you have other security tools (like locked doors and server-based backup systems) to protect your data. When you’re carting your livelihood around in a shoulder bag, you’re better off building the security into it.
Fortunately, Mac OS X has some powerful built-in encryption tools. It has included FileVault—which encrypts your entire Home folder—since version 10.3. But few Mac owners use FileVault, and security experts agree that it’s overkill, because it’s clunky and less than foolproof, and because it’s kind of silly to encrypt all your music, photo, and video files along with your truly confidential documents.
Your Mac also includes a less blunt instrument: Disk Utility. With it, you can create encrypted disk images that act (in most respects) like regular folders, except for one big difference—they won’t mount unless you supply the correct password; when unmounted, they’re digitally scrambled. You can even set up such an encrypted folder to open automatically (with a password) whenever you restart or log in to your Mac. You can then put only the files you really need to protect into that encrypted folder, while leaving your iTunes and iPhoto libraries, browser cache files, and less sensitive documents alone.
Here’s how to create such a folder and set it to open only with the proper password. (You must be running OS X 10.4.)
Create your disk image
First, launch Disk Utility (/Applications/Utilities). Choose File: New: Blank Disk Image. Choose a maximum size for your folder; I use 4.7GB, so even if I fill up the disk image, I can still burn it to a DVD-R. Under Encryption, choose AES-128 (the only encrypted option). From the Format pop-up menu (near the bottom of the New Blank Image dialog box), choose Sparse Disk Image. Give your encrypted disk image a name in the Save As field, and choose a storage location on the hard disk. I called mine Cryptobaby.sparseimage and saved it in my Documents folder. When you’re done with all of that, click on the Save button.
Now it’s password time. When the Authenticate dialog box appears, choose a password. Many of us choose bad passwords—we use obvious words or number sequences that anyone with a bit of patience, intelligence, and password-cracking software could figure out.
That’s why you should press the key button next to the Password text box. Doing so will summon Apple’s Password Assistant, which will help you generate a good, strong password. In the Type menu, select Memorable (it uses combinations of words, numbers, and punctuation that are relatively easy to remember). You can create shorter or longer passwords by adjusting the Length slider; longer passwords are, obviously, more secure. If you don’t like the password in the Suggestion box, click on the down-arrow button to see more. Password Assistant will rate each suggestion in its Quality bar. You can provide your own passwords; Password Assistant will tell you what’s wrong with them in the Tips box. If you absolutely must, write down the password and store the paper in a secure place away from your laptop; otherwise, commit it to memory. Remember that if you lose the password, you’ll lose the data in the folder.
Once you’ve picked a password, verify it in the Verify box, deselect the Remember Password option, and click on OK. Disk Utility will save your new disk image wherever you specified, with the name you supplied.
Test your new disk image by double-clicking on it and supplying the password. It should appear as a new disk in the Finder sidebar, just like any other drive or removable disk. The only difference is that when you eject it, the disk image file remains on your hard drive, though no one can read or mount it without the password.
Encryption in action
Now that you’ve created your folder, it’s time to put files in it. Since it’s a working folder, not an inactive archive, you’ll be adding files to it all the time. In Annie’s case, I suggested she just turn her Work and Personal subfolders in Documents into one encrypted disk image. Your case may be different. Perhaps you just need to protect certain project folders; in that case, those are the only ones you need to copy into your disk image. Subfolders are fine; you just want to make sure you have everything you want to protect, and nothing you don’t, in one place. Once you’ve figured out which files to include, just open your new disk image and copy them into it.
Check that everything works. Eject and try to remount the virtual disk. Log out and back in. Open the files you copied into the virtual disk, to make sure they work properly. Once you’ve confirmed that your data is safe yet accessible, you can erase the unencrypted originals (or keep backups somewhere else). Choose Finder: Secure Empty Trash to make sure they’re really gone.
For maximum convenience, you can add the encrypted disk image file to your login items. That way, it’ll open and be available whenever you launch OS X. To do so, choose System Preferences: Accounts and select the Login Items tab. Click on the plus-sign (+) button, select the disk image, and click on Add. (You could also just drag the file from the Finder into the Login Items tab.) Now, whenever you restart or log in to your account, your Mac will ask for your decryption password; once you supply it, the virtual disk will mount. If you choose not to enter the password, you can continue working without mounting the disk image. If you do mount it, you can protect your files by ejecting it at any time—such as when you put your computer to sleep or step away from your desk.
Finally, make sure that whatever backup system you have includes your encrypted disk image, and that those backups are stored off-site.
Annie now saves all work-related documents to her disk image. When she goes home, she ejects the virtual disk and puts the MacBook to sleep. Even if her laptop is stolen, or even if she leaves it running on her kitchen table, she knows that no one else can read her confidential files.
[ Derek K. Miller is a writer, an editor, a musician, and a podcaster who blogs at penmachine.com. ]A Better Password: OS X’s Password Assistant can suggest passwords that are both easy to remember and hard to crack.Drawing a Blank: Using OS X’s Disk Utility, you can create a blank disk image that’s encrypted and password-protected.