FileVault 2 encrypts your whole Mac, and Disk Utility can encrypt parts

In last week's column, I explained the use and benefit (and some of the drawbacks) of turning on full-disk encryption (FDE) with Apple's built-in FileVault 2.

Readers had a few questions; I answered some in the article's comments section, and I'll expand on them here too. Then I'll provide a longer explanation of encrypting individual files, not entire drives.

FileVault 2 clarifications

FileVault 2 encrypts data at the hard drive level. Programs that run on your Mac see the data as if it has no encryption. This lets you back up drives while you're logged in, even if the system is locked. But the files copied to Dropbox, an online backup service, a local drive, or a Time Machine destination are unencrypted, although you can layer encryption on all of those options.

Time Machine and other local drives can be encrypted using the same technology as FileVault 2, as noted in the original article, by selecting the drive and choosing Encrypt Drive Name.

You can change your FileVault 2 recovery key if you've lost it, as one reader believes he did, so long as you still have the password for any account with the privilege to start up the computer. It's tedious: You have to disable FileVault 2, which decrypts the entire drive, and then enable it again. Give yourself a couple of days and a steady supply of AC power.

Some readers believe that FileVault 2 dramatically slows down OS X. Benchmarks, my own experience, and other readers' testimony would indicate otherwise. For newer computers (2012 or later for all models, and some released in 2010 and 2011), and with an SSD on most models, performance is only slightly impaired and only when you're engaged in disk-heavy operations.

And now on to Disk Utility!

How to use Disk Utility to encrypt files

FileVault 2 affects your whole disk, and has some scary elements, chiefly that your files are completely unrecoverable if you ever forget your password and lose your disk Recovery Key. But you can choose, instead or in addition, to create a virtual disk that encrypts everything inside of it.

Not long ago, there were multiple options for encrypting files and folders on a Mac. TrueCrypt, a mostly anonymous free and open-source encryption tool, abruptly stopped development in May 2014. Years ago, PGP offered Mac tools for file encryption, but not for folder or virtual disk access. (GPGTools has a Mac version that primarily helps with managing encryption with email.)

That leaves Disk Utility, our hoary friend that handles repairing permissions on disks but can also manage and create disk images. If you're not a software developer, you may have never needed to make a disk image, which is just a flat file (or OS X package for one subtype) that preserves the file and folder placement and hierarchy, file permissions, and other data just as if the data were stored on a physical internal or removable disk. (DropDMG is a $24 utility that puts a sensible interface on top of OS X's disk image commands, including encryption, while offering management options, too.)

Apple offers a full step-by-step set of instructions for creating an encrypted disk image. I'd suggest picking the higher level of encryption, 256-bit AES. You can use an encrypted disk image on top of FileVault 2; the two technologies don't conflict.

I also suggest using the sparse bundle image format, which only occupies as much disk space as required for the actual files stored plus a little overhead, instead of the full size you specify for the image. That is, specify 10GB and use only 100MB, and the image is just a bit over 100MB. The "bundle" part means that the image is silently divided up into a number of files, which allows easier backup of just portions of the image when the disk is unmounted. Otherwise, an encrypted disk image can change considerably based on small changes, making incremental updates consume more archiving storage and bandwidth.

You set a password for the disk image's encryption, which is required every time you want to mount and use it. Storing it in the keychain is an option at creation and any time you mount the disk, but it adds risk if you're concerned about someone having access to your running, unlocked computer at any point. If you're confident that your machine is always under your control or shut down when not, then keeping the password in the keychain removes a step, and makes it more likely you'll pick a longer or stronger password, if we're honest.

As with other forms of encryption, lose or forget the password (and it's not stored in the keychain) and your files are lost forever.
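To make those Disk Utility steps concrete from the command line, here is an added shell example (not from the article or from Apple's instructions) that creates the same kind of AES-256 encrypted sparse bundle with hdiutil, the tool Disk Utility and DropDMG wrap, then checks that it is encrypted, mounts it and ejects it. The image path, volume name and size are assumptions, and the live part expects an interactive Terminal on a Mac.

```shell
#!/bin/sh
# Added example, not from the article or Apple's instructions: create an
# AES-256 encrypted sparse bundle with hdiutil (the command-line engine
# behind Disk Utility), confirm it is encrypted, mount it, and eject it.
set -eu

IMAGE="${IMAGE:-$HOME/Secure.sparsebundle}"   # assumed image location
VOLNAME="${VOLNAME:-Secure}"                  # assumed volume name
SIZE="${SIZE:-10g}"                           # ceiling only; the bundle grows on demand

# The security-relevant choices: AES-256 (the stronger option), SPARSEBUNDLE
# (grows with content, split into band files) and -stdinpass (passphrase read
# from stdin, so it never appears in argv, ps output or shell history).
# Nothing here stores the passphrase in the keychain.
create_image() {                 # passphrase arrives on stdin
  hdiutil create -type SPARSEBUNDLE -encryption AES-256 -stdinpass \
    -fs 'HFS+J' -size "$SIZE" -volname "$VOLNAME" "$IMAGE" >/dev/null
}

# Count the band files the bundle is divided into. Backup tools copy only the
# bands that changed, which is why the sparse bundle format suits Time Machine
# and online backup better than a single monolithic encrypted image.
band_count() {
  bundle="$1"
  [ -d "$bundle/bands" ] || { echo 0; return; }
  find "$bundle/bands" -type f | wc -l | tr -d ' '
}

# Read the passphrase from the terminal without echoing it.
read_secret() {
  printf 'Passphrase for %s: ' "$IMAGE" >&2
  stty -echo; read -r secret; stty echo; printf '\n' >&2
  printf '%s' "$secret"
}

# Runs only on a Mac with an interactive terminal; elsewhere the functions
# above can still be sourced and exercised.
if command -v hdiutil >/dev/null 2>&1 && [ -t 0 ]; then
  pass=$(read_secret)
  printf '%s' "$pass" | create_image
  hdiutil isencrypted "$IMAGE"                    # expect "encrypted: YES"
  echo "band files in bundle: $(band_count "$IMAGE")"
  printf '%s' "$pass" | hdiutil attach -stdinpass "$IMAGE" >/dev/null
  echo "mounted at /Volumes/$VOLNAME; now ejecting"
  hdiutil detach "/Volumes/$VOLNAME" >/dev/null
  unset pass
fi
```

Because the passphrase is piped rather than passed as an argument, it is never visible to other users of the machine through the process list.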
