OS X’s FileVault is a popular—although often criticized—feature. Popular because it keeps all your data safe. Criticized because—since it stores your entire user folder as an encrypted disk image—it can adversely affect performance; can make backing up your computer more of a hassle; and, most seriously, can result in the loss of your entire account if something should ever go wrong with FileVault’s monolithic disk image.
As a result of these criticisms, many people have opted to instead use smaller encrypted disk images to store specific data—financial information, private documents, or even email. You can create these disk images using OS X’s Disk Utility. Just choose File: New: Blank Disk Image; choose the desired size; enable encryption; and click Create. (If you choose File: New: Disk Image from Folder, Disk Utility will automatically copy the contents of a particular folder to a new, appropriately sized disk image.) Whenever you need access to the data on such an image, just double-click it and provide your password; when you’re done, you unmount the disk—its contents will be inaccessible to anyone but the NSA.
The ability to create and use these images is a handy feature, but if you use them frequently, or have a bunch of them already, it can be a hassle to manage them. Marko Karppinen & Co.’s Knox 1.1.1 ($30) offers help by letting you quickly create new images, or open existing ones, from its Dock menu.
Choosing New Vault from the Knox Dock menu (or from the Vault menu from within Knox, or from Knox’s optional menu-bar menu) brings up the New Vault dialog. You give your new vault—Knox’s term for an AES-128-encrypted disk image—a name; provide a password; and choose whether or not to use the Keychain to store your password. The latter option lets you open any Knox vault without having to provide your password each time; this is a convenient feature, but it means that whenever you’re logged in to your account, the contents of your vault are accessible. For the best security, leave this option disabled.
Before clicking OK to create the new vault, I recommend taking a look at the advanced options at the bottom of the New Vault dialog. First, you can choose the maximum size of your new vault; although it might seem like a good idea to use a larger value here—so you never run out of space—the larger you set the maximum size, the larger the initial size of your vault. So if you know you’ll never need more than 1GB for a particular vault, choose that amount. You can also choose where to store your new vault and whether or not to allow Spotlight to index the contents of the vault. The latter feature lets you quickly find files in the vault via Spotlight searches; however, because of the way Spotlight works—each volume’s Spotlight index is stored on that volume—you’ll be able to find data in a vault only when that vault is actually open (mounted). Finally, you can drag files and folders into the list at the bottom of the dialog in order to have them copied to the new vault automatically; once the vault is created and the copy is complete, you can then use the Finder’s Secure Empty Trash function to wipe the original files off your hard drive.
Whenever you want to open a vault, you simply choose it from Knox’s Dock menu (or, if you’ve enabled it via Knox’s preferences, its menu-bar menu). If you’ve chosen to store the vault’s password in your Keychain, the vault will be opened—which means its disk image will be mounted in the Finder—immediately; if you didn’t choose that option, you’ll first be asked for the vault’s password. Choosing the vault from the menu again closes it (i.e., its disk image will be unmounted). Open vaults display a checkmark next to their names in the menu.
(The disk images created by Knox are standard OS X disk images, so you can also open them by double-clicking them in the Finder, and unmount them just as you would any other removable volume. This means that your data isn’t “locked into” Knox if you should ever choose to stop using it.)
The Vaults screen of Knox’s preferences dialog lets you manage your vaults: You can rename or move a vault, change its password, or compact it so that it uses less space on your hard drive; the latter is useful if you’ve recently deleted a bunch of files from the vault.
Knox also offers a useful backup system, accessible via the Backups screen of Knox’s preferences. Once you choose a backup location and schedule, Knox can automatically back up any or all vaults to a local hard drive, an iPod, an iDisk, or a network volume. (Each vault will be unmounted at its designated backup time, so you should choose a time when you’re unlikely to be using that vault.) Each vault can have its own backup schedule and settings, and you can also back up a vault manually via the Dock or menu-bar menu. Whenever a vault is backed up, a copy of that vault’s disk image is created in the backup location, with the date and time of the backup included in its filename.
If you ever need to restore a vault, choose Restore from Knox’s Dock or menu-bar menu; you’ll be presented with a list of backup disk images residing in the backup location. Select one and click Restore Selected Backup, and the current vault will be replaced by the backup version. The only problem with this feature is that if you choose a location for your Knox backups that also includes other disk images, those images will appear in the list, as well. (The “iTunesBackup” item in the list below is an example of this.)
This backup feature is notable, considering that if you’re encrypting data, it’s likely to be especially important to you. Not to mention that corruption on an encrypted image is more serious than corruption on an unencrypted volume, as it’s much more difficult to recover data from the former.
Overall, Knox is a nifty utility that gives you many of the benefits of FileVault without the overhead, along with many of the benefits of individual encrypted disk images via an easier-to-use interface. Its biggest drawback is that its $30 price may be a bit high for those who aren’t heavy users of encryption.
Knox works with Mac OS X 10.3.9 or later and is a Universal binary.
UPDATED 10/11/2006 to correct error with respect to Spotlight indexing of Knox vaults.