In last week’s column, I explained the use and benefit (and some of the drawbacks) of turning on full-disk encryption (FDE) with Apple’s built-in FileVault 2.
Readers had a few questions—I answered some in the article’s comments section, and I’ll expand here too. Then I’ll provide a longer explanation of encrypting individual files, not entire drives.
FileVault 2 clarifications
FileVault 2 encrypts data at the hard drive level. Programs that run on your Mac see the data as if it has no encryption. This lets you back up drives while you’re logged in, even if the system is locked. But the files copied to Dropbox, an online backup service, a local drive, or a Time Machine destination are unencrypted, although you can layer encryption on all of those options.
Time Machine and other local drives can be encrypted using the same technology as FileVault 2, as noted in the original article, by selecting the drive and choosing Encrypt Drive Name.
You can change your FileVault 2 recovery key if you’ve lost it, as one reader believes he did, so long as you still have the password for any account with the privilege to start up the computer. It’s tedious: You have to disable FileVault 2, which decrypts the entire drive, and then enable it again. Give yourself a couple of days and a steady supply of AC power.
Some readers believe that FileVault 2 dramatically slows down OS X. Benchmarks, my own experience, and other readers’ testimony would indicate otherwise. For newer computers (2012 or later for all models, and some released in 2010 and 2011), and with an SSD on most models, performance is only slightly impaired and only when you’re engaged in disk-heavy operations.
And now on to Disk Utility!
How to use Disk Utility to encrypt files
FileVault 2 affects your whole disk, and has some scary elements, chiefly that your files are completely unrecoverable if you ever forget your password and lose your disk Recovery Key. But you can choose, instead or in addition, to create a virtual disk that encrypts everything inside of it.
Not long ago, there were multiple options for encrypting files and folders on a Mac. TrueCrypt, a mostly anonymous free and open-source encryption tool, abruptly stopped development in May 2014. Years ago, PGP offered Mac tools for file encryption, but not for folder or virtual disk access. (GPGTools has a Mac version that primarily helps with managing encryption with email.)
That leaves Disk Utility, our hoary friend that handles repairing permissions on disks, but can also manage and create disk images. If you’re not a software developer, you may have never needed to make a disk image, which is just a flat file (or OS X package for one subtype) that preserves the file and folder placement and hierarchy, file permissions, and other data just as if the data were stored on a physical internal or removable disk. (DropDMG is a $24 utility that puts a sensible interface on top of OS X’s disk image commands, including encryption, while offering management options, too.)
Apple offers a full step-by-step set of instructions for creating an encrypted disk image. I’d suggest picking the higher level of encryption, 256-bit AES. You can use an encrypted disk image on top of FileVault 2; the two technologies don’t conflict.
I also suggest using the sparse bundle image format, which only occupies as much disk space as required for the actual files stored plus a little overhead, instead of the full size you specify for the image. That is, specify 10GB and use only 100MB, and the image is just a bit over 100MB. The “bundle” part means that the image is silently divided up into a number of files, which allows easier backup of just portions of the image when the disk is unmounted. Otherwise, an encrypted disk image can change considerably based on small changes, making incremental updates consume more archiving storage and bandwidth.
You set a password for the disk image’s encryption, which is required every time you want to mount and use it. Storing it in the keychain is an option at creation and any time you mount the disk, but it adds risk if you’re concerned about someone having access to your running, unlocked computer at any point. If you’re confident that your machine is always under your control or shut down when not, then keeping the password in the keychain removes a step—and makes it more likely you’ll pick a longer or stronger password, if we’re honest.
As with other forms of encryption, lose or forget the password (and it’s not stored in the keychain) and your files are lost forever.
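The same kind of image can be created from Terminal with hdiutil, the command-line tool behind OS X's disk image commands. This is an added example, not part of the original column; the function name, image path, size and volume name are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the column): create an AES-256 encrypted sparse
# bundle with hdiutil. Path, size and volume name below are assumptions.

# create_encrypted_image IMAGE SIZE VOLNAME
# Dry run is the default and only prints the command; set DRY_RUN=0 on a Mac
# to create the image for real.
create_encrypted_image() {
    image=$1 size=$2 volname=$3

    # Require the extension so the existence check below sees the real path.
    case $image in
        *.sparsebundle) ;;
        *) echo "image path must end in .sparsebundle" >&2; return 2 ;;
    esac

    # Stop early if something already exists at that path.
    if [ -e "$image" ]; then
        echo "refusing to overwrite $image" >&2
        return 3
    fi

    # -stdinpass reads the password from standard input (prompting when run
    # from a terminal), so it never appears in the process list or in shell
    # history as a command-line argument would.
    set -- hdiutil create -type SPARSEBUNDLE -encryption AES-256 -stdinpass \
        -fs HFS+J -size "$size" -volname "$volname" "$image"

    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
        return 0
    fi

    # Create the image, then have hdiutil report its encryption status.
    "$@" && hdiutil isencrypted "$image"
}

# Constructed sample values: a 10 GB ceiling, as in the text above.
create_encrypted_image "${TMPDIR:-/tmp}/Vault.sparsebundle" 10g Vault
```

Mount the result with `hdiutil attach` and the image path, and unmount it with `hdiutil detach` and the volume's mount point before backing it up.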