One of the more interesting—and less visible—new features in Mountain Lion is the ability to encrypt almost any disk. OS X has long offered the ability to encrypt your startup disk using Apple’s FileVault, but Mountain Lion extends this feature to other disks, even to simple USB flash drives. Here is an overview of how this feature works, how you can encrypt and decrypt a disk, and what options you have when doing so.
Encrypt a disk from the Finder
This new full-disk encryption feature is well hidden in Mountain Lion. Typically, you use Apple’s Disk Utility (in /Applications/Utilities) to work with hard disks or other types of removable media. Disk Utility can erase, partition, and repair hard disks, but curiously, it cannot encrypt a hard disk.
Control-click to encrypt
To encrypt a disk, instead right-click or Control-click the disk’s icon on the Desktop or in a Finder window sidebar. Choose Encrypt “Disk Name” (where Disk Name is the name of the disk) and enter a password. You’ll have to enter the password a second time, and you won’t be able to go any further unless you also enter a password hint. You need to choose a good, secure password, but it shouldn’t be something too complicated.
You’ll most likely use the encryption feature for a portable disk you carry around with you. When you connect the disk to your Mac, or to someone else’s Mac, you’ll need to remember the password to access the files. When you use the disk with your Mac, or, say, a Mac at work, you can store the password in the keychain.
Expect a wait
After you’ve entered your password and clicked on Encrypt Disk, you’ll have to wait. Depending on how big your disk is, your wait could be a few minutes or several hours. In my tests, I found even a 1GB flash drive took several minutes to encrypt. Unfortunately, there is no progress bar, so you have no way of knowing how long this process will take. The only way to be sure something is happening is if the disk has an LED that flashes as it is being read or written to. For this reason, if you are encrypting a large hard disk, you may want to let the process run overnight.
When the disk is finished encrypting (the blinking light on your drive will be your clue), eject it as you would any other disk. When you next connect it to your Mac, a dialog box will appear asking you to enter your password. You can select Remember This Password In My Keychain if you use this disk often and don’t want to enter the password every time. If you forget the password, click on Show Hint to see the hint that you recorded. Click on Unlock to allow OS X to decrypt the disk.
Don’t lose your password
Copy files to and from this disk, and they will be encrypted or decrypted on the fly. This feature uses full-disk XTS-AES 128 encryption, which is secure enough for most uses. But I cannot stress enough that if you lose this password, you will not have access to any of the files on the disk. Period. Unlike FileVault, which presents you with a “recovery key” that you can use if you’ve lost your password, there is no safety net here.
If you ever want to turn off encryption, right- or Control-click on the disk and choose Decrypt Disk Name. Enter your password, then click on Turn Off Encryption. As with the encryption process, there is no progress bar or other feedback.
While you can turn on or off encryption while your disk contains files, there is always the chance that something may go wrong. It’s best to make sure you have a copy of those files before encrypting or decrypting.
Use disk encryption from the command line
Can you encrypt your disks from the command line? Of course you can. If you’re not the geeky type, you may not want to read any further. But if you do know how to wield Terminal commands and want more feedback about the encryption process, the following will certainly interest you.
Prepare a disk by converting
You encrypt disks with the diskutil command, but first you have to convert them to a format called CoreStorage.
Start by running this command:

diskutil list

This returns a list of all the disks connected to your Mac. For example, on my Mac, I see this:

/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *251.0 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Mac OS X                250.1 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *2.0 TB     disk1
   1:                        EFI                         209.7 MB   disk1s1
   2:                  Apple_HFS Music Ext               2.0 TB     disk1s2
/dev/disk2
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *2.0 TB     disk2
   1:                        EFI                         209.7 MB   disk2s1
   2:                  Apple_HFS Boot Backup             150.0 GB   disk2s2
   3:                  Apple_HFS Backup                  1.6 TB     disk2s3
   4:                  Apple_HFS TM Backup               249.4 GB   disk2s4
/dev/disk3
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *750.2 GB   disk3
   1:                        EFI                         209.7 MB   disk3s1
   2:                  Apple_HFS Music                   749.8 GB   disk3s2
/dev/disk4
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *1.0 GB     disk4
   1:                  Apple_HFS Untitled                1.0 GB     disk4s1
The disk I want to encrypt is the last one, called Untitled. To the right of its name, you can see its identifier, disk4s1. With that information, I can convert the disk to the CoreStorage format with the following command:
sudo diskutil corestorage convert disk4s1
Terminal will request your administrator password, then begin the conversion process. Note that you’ll even see a progress bar on the last line in Terminal, as below.
Started CoreStorage operation on disk4s1 Untitled
Resizing disk to fit Core Storage headers
[ | 0%..10%.............................................. ]
When this process has completed, you’ll be shown information about the disk in Terminal:
Creating Core Storage Logical Volume Group
Attempting to unmount disk4s1
Switching disk4s1 to Core Storage
Waiting for Logical Volume to appear
Mounting Logical Volume
Core Storage LVG UUID: C33BF3C6-B808-4BE4-8D18-02DBC0151667
Core Storage PV UUID: 9D312FD5-33F1-4A53-8F49-1C64010710D1
Core Storage LV UUID: 2D74D3DA-95DF-4652-A48C-CDC86898B5EF
Core Storage disk: disk5
Finished CoreStorage operation on disk4s1 Untitled
Encrypt the disk
The important information above is the LV UUID, or logical volume universally unique identifier. Using that information, you can then run the command to encrypt the disk, as follows:
sudo diskutil corestorage encryptvolume 2D74D3DA-95DF-4652-A48C-CDC86898B5EF -passphrase password
Replace password with your password. And make sure you don’t forget it!
You’ll see the following when the process is finished; as with the Finder method described above, this may take a while:

Started CoreStorage operation on disk5 Untitled
Scheduling encryption of Core Storage Logical Volume
Core Storage LV UUID: 2D74D3DA-95DF-4652-A48C-CDC86898B5EF
Finished CoreStorage operation on disk5 Untitled
At this point, your disk is encrypted. You can eject it from the Finder, or, if you want to stay in Terminal, you can eject it with this command:

diskutil eject Untitled

Then use it as described above. The next time you connect it to a Mac, you’ll be asked for the password.
Decrypt the disk
Decrypting a disk from the command line is pretty simple. Here’s the command you can use, with the LV UUID we saw above. Replace password with your password.
diskutil cs decryptvolume 2D74D3DA-95DF-4652-A48C-CDC86898B5EF -passphrase password
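The command-line procedure above (convert, read off the LV UUID, encrypt, decrypt), as an added example that is not the article's own code: a POSIX shell script that parses the LV UUID out of diskutil's conversion output, checks that it is really a UUID, and feeds the passphrase to diskutil through a pipe rather than as a -passphrase argument, which would be saved in shell history and visible to other local users in a process listing. It assumes macOS diskutil; the -stdinpassphrase option is assumed from the diskutil man page, and the sample output is constructed from the article's run.

```shell
# Added example (not from the article). Assumes macOS diskutil; -stdinpassphrase is
# assumed from the diskutil man page. Only the parsing helpers run on other systems.

# Constructed sample of what "diskutil corestorage convert" prints (values from
# the article's run), so extract_lv_uuid can be exercised on any machine.
SAMPLE_CONVERT_OUTPUT='Started CoreStorage operation on disk4s1 Untitled
Creating Core Storage Logical Volume Group
Core Storage LVG UUID: C33BF3C6-B808-4BE4-8D18-02DBC0151667
Core Storage PV UUID: 9D312FD5-33F1-4A53-8F49-1C64010710D1
Core Storage LV UUID: 2D74D3DA-95DF-4652-A48C-CDC86898B5EF
Core Storage disk: disk5
Finished CoreStorage operation on disk4s1 Untitled'

# Print the LV UUID (the LV line only, not LVG or PV), or nothing if absent.
extract_lv_uuid() {
    printf '%s\n' "$1" |
        sed -n 's/^Core Storage LV UUID: *\([0-9A-Fa-f-]*\) *$/\1/p' | head -n 1
}

# Succeed only for a well-formed 8-4-4-4-12 hex UUID, so a changed output
# format can never hand a stray token to encryptvolume.
is_uuid() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Prompt with echo off and emit the passphrase on stdout for piping into diskutil.
read_passphrase() {
    printf 'Passphrase (not echoed): ' >&2
    stty -echo; read -r pass; stty echo; printf '\n' >&2
    printf '%s' "$pass"
}

# Convert the partition (e.g. disk4s1), then encrypt the resulting LV by UUID.
encrypt_partition() {
    out=$(sudo diskutil corestorage convert "$1") || return 1
    lv=$(extract_lv_uuid "$out")
    is_uuid "$lv" || { echo "no LV UUID in convert output" >&2; return 1; }
    read_passphrase | sudo diskutil corestorage encryptvolume "$lv" -stdinpassphrase
}

# Turn encryption back off for an LV UUID, again without the passphrase in argv.
decrypt_volume() {
    is_uuid "$1" || { echo "not an LV UUID: $1" >&2; return 1; }
    read_passphrase | sudo diskutil corestorage decryptvolume "$1" -stdinpassphrase
}

case "${1:-}" in
    encrypt) encrypt_partition "${2:-}" ;;   # usage: encrypt disk4s1
    decrypt) decrypt_volume "${2:-}" ;;      # usage: decrypt <LV UUID>
esac
```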
For most users, encrypting volumes in the Finder is the simplest option, but power users may enjoy the feedback and control they get with the command line. Either way, Mountain Lion’s new encryption feature is a great way to secure portable disks that carry sensitive files.