Napkin Diagrams

Engineering, Technology, and DIY

Protect Your Sensitive Bits: Mac File Encryption

There comes a time in every boy’s life when he starts to become a man. He’ll notice many changes physically and mentally, as well as in his filesystem. School reports and LOLCats take a back seat to adult life, with tax returns and business documents. With the increased importance and sensitivity comes the desire to protect the newfound information. On a Mac there are a few easy, built-in options, as well as a range of third-party apps.

FileVault, as it shipped in Mac OS X 10.3 through 10.6, encrypts a user’s entire home directory inside a sparse disk image (a sparse bundle from 10.5 on; both image types are explained below). Files are encrypted and decrypted on the fly, and after several revisions the performance hit is small. It uses AES, keyed from the user’s login password, to protect the files. A master password can also be set so that an account can be recovered if its login password is forgotten. Note that whoever holds the master password can decrypt every FileVault-protected home directory on the machine, so it deserves at least the same care as the login passwords it can override. Starting with 10.7, FileVault 2 encrypts the whole startup volume instead of the home directory; the sparse bundle approach described below works either way.

Location of FileVault preference pane


Accessible from System Preferences > Security, FileVault is extremely easy to use: it is simply a matter of turning it on. Once enabled, there are no additional passwords to enter and no change to the everyday experience. That said, FileVault has several drawbacks. Most notably, it protects only the home directory, and all of it; depending on how one organizes files, that may be too much or too little. Furthermore, once the user is logged in, the whole home directory is decrypted on the fly, so anyone who reaches the unlocked session (a walk-up at a coffee shop, or malware running as that user) sees everything. Encryption at rest protects a machine that is off or logged out, not one that is in use. On top of that, migrating a FileVault home directory to another machine can be troublesome, and Time Machine can only back up a FileVault home when the user logs out.

Sparse Bundle
Often the best solution is a sparse bundle, a variant of the sparse disk image. Either kind can be encrypted with 128-bit or 256-bit AES, or left unencrypted, in which case there is no password at all: Disk Utility’s password protection is the encryption itself, not a separate lock layered on top of it. Unlike a standard disk image, a sparse image takes up only as much space as the files it contains, up to a predefined maximum. That maximum can even be larger than the free space on the physical disk; when the disk fills up, the image will still report free space, but nothing more can be written until it is moved to a larger disk. As files are added, the size on disk grows. When files are deleted, however, the image does not automatically shrink; reclaiming the space requires a manual compact, using either Disk Utility or the hdiutil command-line tool.

Sparse bundles take this one step further, breaking the image up into a directory of 8 MB “bands” (the default band size), each stored as a separate file. Backups become significantly faster, because only the modified bands need to be copied instead of the entire image.

Additionally, unlike FileVault, a sparse bundle can live anywhere and hold whatever files one chooses, and its contents are readable only while the image is mounted. Eject it when finished and the files are ciphertext again, even though one remains logged in.

Creating A Sparse Bundle

Main window of Disk Utility

Step 1. Open Applications > Utilities > Disk Utility and click ‘New Image’. Note that ‘Resize’ is right next to it.

Saving a new sparse bundle

Step 2. Save the sparse bundle image. Choose ‘sparse bundle disk image’ as the image format, pick 128- or 256-bit AES encryption, and set the maximum size. The remaining settings are self-explanatory; leave Format and Partitions alone unless you know what you’re doing.

Disk Utility Set Sparse Bundle Password

Step 3. Set the password for the encrypted sparse bundle. Uncheck the option to remember the password in your keychain: if the passphrase sits in the login keychain, anyone using the unlocked account can mount the image without knowing it, which throws away the advantage over FileVault.

Managing A Sparse Bundle Size
A sparse bundle can be resized from within Disk Utility (the Resize icon is right next to New Image) or from the command line using hdiutil. In either case the image must be unmounted (ejected) first. The two hdiutil commands one is going to need are:

hdiutil resize -size 10g example.sparseimage

This raises (or lowers) the size limit of the image. Change ’10g’ to whatever the new limit should be and ‘example.sparseimage’ to the actual file name; the same command works on an example.sparsebundle.

hdiutil compact example.sparseimage

This shrinks the size on disk back down after files have been deleted, by discarding blocks (whole bands, for a bundle) that the filesystem no longer uses; the limit set with resize is unaffected. For an encrypted image, hdiutil will prompt for the passphrase. Again, change ‘example’ to the proper file name.
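As an added example that is not part of the original post, here is the Disk Utility procedure above and the resize/compact commands driven from a bash script, together with a check that reads a bundle’s Info.plist to show how many bands are actually on disk versus the logical limit. The hdiutil functions assume macOS; the passphrase is passed on stdin with -stdinpass so it never appears in the process list or shell history. The band-counting helper needs only the bundle directory and runs anywhere. The volume name, paths and the ‘demo’ argument are my own choices, not anything from the post.

```bash
#!/bin/bash
# Added example, not from the original post. Manage an encrypted sparse
# bundle with hdiutil and inspect how much of its logical size is backed by
# band files on disk. Assumes macOS for the hdiutil functions; the passphrase
# is read from stdin (-stdinpass) so it never shows up in `ps` or history.

# Create an AES-256 encrypted, journaled HFS+ sparse bundle.
#   $1 = path ending in .sparsebundle   $2 = logical size limit, e.g. 10g
# Passphrase is read from stdin.
create_vault() {
  hdiutil create -type SPARSEBUNDLE -fs HFS+J -encryption AES-256 -stdinpass \
    -size "$2" -volname "$(basename "$1" .sparsebundle)" "$1"
}

# Confirm the image really is encrypted before trusting it with anything.
# hdiutil isencrypted is expected to print an "encrypted: YES" line.
is_encrypted() {
  hdiutil isencrypted "$1" 2>/dev/null | grep -q 'encrypted: YES'
}

# Mount (hidden from the Finder sidebar); hdiutil picks /Volumes/<volname>.
attach_vault() {
  hdiutil attach -stdinpass -nobrowse "$1" >/dev/null
}

# Eject. Until this runs, everything in the image is plaintext to anyone
# using the logged-in session.
detach_vault() {
  hdiutil detach "$1"
}

# Resize and compact both need the image detached. compact asks for the
# passphrase on an encrypted image, so it is fed on stdin like the others.
resize_vault()  { hdiutil resize -size "$2" "$1"; }
compact_vault() { hdiutil compact -stdinpass "$1"; }

# Pull the <integer> that follows <key>$2</key> in a bundle's Info.plist.
plist_int() {
  sed -n "/<key>$2<\/key>/{n;s/.*<integer>\([0-9]*\)<\/integer>.*/\1/p;}" "$1"
}

# Print "<bands on disk> <maximum bands> <bytes those bands can hold>".
# This is the sparse property made visible: the second number is the limit
# set at creation or by resize; the first only grows as data is written and
# only shrinks when compact runs. Needs no hdiutil, just the bundle directory.
band_usage() {
  local plist="$1/Info.plist" band_size total_size bands
  band_size=$(plist_int "$plist" band-size)
  total_size=$(plist_int "$plist" size)
  bands=$(find "$1/bands" -type f | wc -l | tr -d ' ')
  echo "$bands $(( (total_size + band_size - 1) / band_size )) $(( bands * band_size ))"
}

# Usage on a Mac:  printf '%s' "$PASSPHRASE" | ./vault.sh demo ~/Vault.sparsebundle
# The passphrase is read once and piped to each hdiutil call separately,
# since each -stdinpass consumes stdin.
if [ "${1:-}" = "demo" ]; then
  bundle="$2"; mnt="/Volumes/$(basename "$bundle" .sparsebundle)"
  IFS= read -r pass || [ -n "$pass" ]
  printf '%s' "$pass" | create_vault "$bundle" 10g
  is_encrypted "$bundle" || { echo "refusing to use an unencrypted image" >&2; exit 1; }
  printf '%s' "$pass" | attach_vault "$bundle"
  echo "mounted at $mnt; band usage for the fresh image: $(band_usage "$bundle")"
  detach_vault "$mnt"
  printf '%s' "$pass" | compact_vault "$bundle"
fi
```

The is_encrypted check matters in scripts that attach images unattended: an image created by someone else, or a typo in the -encryption flag, would otherwise be treated as a vault when it is just a container. The band_usage numbers also explain the page’s warning about deleting files: the first figure does not drop until compact has run.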

These are just a few of the ways to secure files on Mac OS X using built-in functionality. There are a number of other applications out there that can handle file encryption and offer an array of functionality beyond the stock options, but for most users such apps are unnecessary.

If you’ve got another method of securing your files, I’d love to hear it!


One response to “Protect Your Sensitive Bits: Mac File Encryption”

  1. Dan Erlich September 23, 2012 at 11:41 pm


    My girlfriend made a .sparsebundle on her MacBook to store some videos we made… Unfortunately she’s forgotten the password she used. We’d really like to regain access to these files, since they’re not stored anywhere else…

    Do you know of any solution that can help us? Brute force would work fine, since the computer is hers, and even if it takes a while we’ve been locked out for so long that we just want the files back! Doesn’t matter if it takes all year!
