Encrypt any disk in Mountain Lion

Secure portable disks to carry sensitive files with this hidden feature

One of the more interesting--and less visible--new features in Mountain Lion is the ability to encrypt almost any disk. OS X has long offered the ability to encrypt your startup disk using Apple's FileVault, but Mountain Lion extends this feature to other disks, even to simple USB flash drives. Here is an overview of how this feature works, how you can encrypt and decrypt a disk, and what options you have when doing so.

Encrypt a disk from the Finder

This new full-disk encryption feature is well hidden in Mountain Lion. Typically, you use Apple's Disk Utility (in /Applications/Utilities) to work with hard disks or other types of removable media. Disk Utility can erase, partition, and repair hard disks, but curiously, it cannot encrypt a hard disk.

Control-click to encrypt

To encrypt a disk, instead right- or Control-click on a hard disk's icon on the Desktop, or in a Finder window sidebar. Choose Encrypt "Disk Name" (where Disk Name is the name of your disk) and enter a password. You'll have to enter the password a second time, and you won't be able to go any further unless you also enter a password hint. You need to choose a good, secure password, but it shouldn't be something too complicated.

You'll most likely use the encryption feature for a portable disk you carry around with you. When you connect the disk to your Mac, or to someone else's Mac, you'll need to remember the password to access the files. When you use the disk with your Mac, or, say, a Mac at work, you can store the password in the keychain.

Expect a wait

After you've entered your password and clicked on Encrypt Disk, you'll have to wait. Depending on how big your disk is, your wait could be a few minutes or several hours. In my tests, I found even a 1GB flash drive took several minutes to encrypt. Unfortunately, there is no progress bar, so you have no way of knowing how long this process will take. The only way to be sure something is happening is if the disk has an LED that flashes as it is being read or written to. For this reason, if you are encrypting a large hard disk, you may want to let the process go overnight.

When the disk is finished encrypting (the blinking light on your drive will be your clue), eject it as you would any other disk. When you next connect it to your Mac, a dialogue box will display asking you to enter your password. You can select Remember This Password In My Keychain if you wish to use this disk often and don't want to have to enter the password every time. If you forget the password, click on Show Hint to see the hint that you recorded. Click on Unlock to allow OS X to decrypt the disk.

Don't lose your password

Copy files to and from this disk, and they will be encrypted or decrypted on the fly. This feature uses full disk, XTS-AES 128 encryption, which is secure enough for most uses. But I cannot stress enough that if you lose this password, you will not have access to any of the files on the disk. Period. Unlike FileVault, which presents you with a "recovery key" that you can use if you've lost your password, there is no safety net here.

If you ever want to turn off encryption, right- or Control-click on the disk and choose Decrypt "Disk Name". Enter your password, then click on Turn Off Encryption. As with the encryption process, there is no progress bar or other feedback.

While you can turn on or off encryption while your disk contains files, there is always the chance that something may go wrong. It's best to make sure you have a copy of those files before encrypting or decrypting.

Use disk encryption from the command line

Can you encrypt your disks from the command line? Of course you can. If you're not the geeky type, you may not want to read any further. But if you do know how to wield Terminal commands and want more feedback about the encryption process, the following will certainly interest you.

Prepare a disk by converting

You encrypt disks with the diskutil command, but first, you have to convert them to a format called CoreStorage.

Start by running this command:

diskutil list

This returns a list of all the disks connected to your Mac. For example, on my Mac, I see this:

diskutil list

   0: GUID_partition_scheme                 *251.0 GB   disk0
   1: EFI                                    209.7 MB   disk0s1
   2: Apple_HFS              Mac OS X        250.1 GB   disk0s2
   3: Apple_Boot             Recovery HD     650.0 MB   disk0s3

   0: GUID_partition_scheme                 *2.0 TB     disk1
   1: EFI                                    209.7 MB   disk1s1
   2: Apple_HFS              Music Ext       2.0 TB     disk1s2

   0: GUID_partition_scheme                 *2.0 TB     disk2
   1: EFI                                    209.7 MB   disk2s1
   2: Apple_HFS              Boot Backup     150.0 GB   disk2s2
   3: Apple_HFS              Backup          1.6 TB     disk2s3
   4: Apple_HFS              TM Backup       249.4 GB   disk2s4

   0: GUID_partition_scheme                 *750.2 GB   disk3
   1: EFI                                    209.7 MB   disk3s1
   2: Apple_HFS              Music           749.8 GB   disk3s2

   0: GUID_partition_scheme                 *1.0 GB     disk4
   1: Apple_HFS              Untitled        1.0 GB     disk4s1

The disk I want to encrypt is the last one, called Untitled. To the right of its name, you can see its identifier, disk4s1. With that information, I can convert the disk to the CoreStorage format with the following command:

sudo diskutil corestorage convert disk4s1

Terminal will request your administrator's password, then will begin the conversion process. Note that you'll even see a progress bar on the last line in Terminal, as below.

Started CoreStorage operation on disk4s1 Untitled
Resizing disk to fit Core Storage headers
[ | 0%..10%.............................................. ]

When this process has completed, you'll be shown information about the disk in Terminal:

Creating Core Storage Logical Volume Group
Attempting to unmount disk4s1
Switching disk4s1 to Core Storage
Waiting for Logical Volume to appear
Mounting Logical Volume
Core Storage LVG UUID: C33BF3C6-B808-4BE4-8D18-02DBC0151667
Core Storage PV UUID: 9D312FD5-33F1-4A53-8F49-1C64010710D1
Core Storage LV UUID: 2D74D3DA-95DF-4652-A48C-CDC86898B5EF
Core Storage disk: disk5
Finished CoreStorage operation on disk4s1 Untitled

Encrypt the disk

The important information above is the LV UUID, or logical volume universally unique identifier. Using that information, you can then run the command to encrypt the disk, as follows:

sudo diskutil corestorage encryptvolume 2D74D3DA-95DF-4652-A48C-CDC86898B5EF -passphrase password

Replace password with your password. And make sure you don't forget it!

You'll see the following when the process is finished; as above, with the method of encrypting a disk from the Finder, this may take a while:

Started CoreStorage operation on disk5 Untitled
Scheduling encryption of Core Storage Logical Volume
Core Storage LV UUID: 2D74D3DA-95DF-4652-A48C-CDC86898B5EF
Finished CoreStorage operation on disk5 Untitled

At this point, your disk is now encrypted. You can eject it from the Finder (or, if you want to stay in Terminal, you can eject it with this command: diskutil eject Untitled), and use it as described above. The next time you connect it to a Mac, you'll be asked for the password.

Decrypt the disk

Decrypting a disk from the command line is pretty simple. Here's the command you can use, with the LV UUID we saw above. Replace password with your password.

diskutil cs decryptvolume 2D74D3DA-95DF-4652-A48C-CDC86898B5EF -passphrase password
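The identifier (disk4s1) and the LV UUID in the commands above are copied by hand from diskutil's output, which is where the wrong disk gets picked. As an added example that is not part of the original article, these shell functions extract and validate both values; the function names and the embedded sample text (constructed from the output quoted above) are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the article): pull the identifier and LV UUID out
# of diskutil's text output instead of retyping them by hand.

# Print the identifier of the volume named "$1", reading `diskutil list`
# output on stdin. Fails unless exactly one partition has that name, so a
# duplicate or mistyped name never selects the wrong disk.
find_identifier() {
    awk -v name="$1" '
        # Partition rows: "2: Apple_HFS Music Ext 2.0 TB disk1s2"
        $1 ~ /^[0-9]+:$/ && NF >= 5 {
            vol = ""
            for (i = 3; i <= NF - 3; i++) vol = (vol == "" ? $i : vol " " $i)
            if (vol == name) { id = $NF; hits++ }
        }
        END { if (hits != 1) exit 1; print id }'
}

# Print the logical volume UUID from `diskutil corestorage convert` output
# on stdin; fails if the value is missing or not an 8-4-4-4-12 hex UUID.
lv_uuid() {
    sed -n 's/.*Core Storage LV UUID: *//p' | head -n 1 |
        grep -E '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Sample input, constructed from the output quoted in the article.
sample_list() {
    cat <<'EOF'
   0: GUID_partition_scheme *750.2 GB disk3
   1: EFI 209.7 MB disk3s1
   2: Apple_HFS Music 749.8 GB disk3s2
   0: GUID_partition_scheme *2.0 TB disk1
   2: Apple_HFS Music Ext 2.0 TB disk1s2
   0: GUID_partition_scheme *1.0 GB disk4
   1: Apple_HFS Untitled 1.0 GB disk4s1
EOF
}
sample_convert() {
    cat <<'EOF'
Switching disk4s1 to Core Storage
Core Storage LVG UUID: C33BF3C6-B808-4BE4-8D18-02DBC0151667
Core Storage LV UUID: 2D74D3DA-95DF-4652-A48C-CDC86898B5EF
Core Storage disk: disk5
EOF
}

# On a Mac (not run here):
#   id=$(diskutil list | find_identifier Untitled) || exit 1
```

The encryptvolume and decryptvolume commands above put the passphrase on the command line, where it lands in shell history and is visible in the process list while diskutil runs; diskutil(1) documents -stdinpassphrase for passing it on standard input instead.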

For most users, encrypting volumes in the Finder is the simplest option, but power users may enjoy the feedback and control they get with the command line. Either way, Mountain Lion's new encryption feature is a great way to secure portable disks to carry sensitive files.

Senior contributor Kirk McElhearn writes about Macs, music and more on his blog Kirkville. Twitter: @mcelhearn Kirk is also the editor of Mac OS X Hints.
