Protect Your Sensitive Bits: Mac File Encryption
There comes a time in every boy’s life where he starts to become a man. He’ll notice many changes physically and mentally, as well as in his filesystem. School reports and LOLCats take a back seat to adult life, with tax reports and business documents. With the increased importance and sensitivity comes the desire to protect the newfound information. On a Mac, there are a few easy, built-in options, as well as a range of third-party apps.
FileVault is a feature built into OS X v10.3 and newer which allows a user to encrypt their entire home directory in a sparse bundle image (this image type will be explained later). Files are encrypted and decrypted on the fly, and with recent improvements, the performance hit is minimal. It uses the 256-bit Advanced Encryption Standard, or AES, with a password-based key to protect files. Additionally, a master password can be set, allowing the recovery of the accounts on the machine should login passwords be forgotten.
Accessible from the System Preferences, FileVault is extremely easy to use. It’s simply a matter of turning it on. When enabled, one doesn’t have to worry about inputting any additional passwords or seeing any change in the usage experience. That said, FileVault does have several drawbacks. Most notably, it is limited to the home directory, and to the entirety of it. Depending on how one organizes files, this could be an issue. Furthermore, once logged in, everything is open and accessible, which leaves everything unprotected in a public environment. On top of that, problems can arise with the migration of home directories, and there are possible limitations related to Time Machine backups.
Often the best solution is a sparse bundle, which is a subset of the sparse image, both of which can be encrypted using 128- and 256-bit AES, or no encryption at all if simple password protection alone is desired. Unlike a standard disk image, a sparse image takes up only as much space as the files it contains, up to a predefined limit. This limit can actually be larger than the available space on the hard disk; when the disk is full, the sparse image will still show free space, but it will need to be moved to a larger disk in order to continue adding more content. As files are added, the size on disk grows. However, when files are deleted, it does not automatically shrink in size. Resizing can be done using either Disk Utility or the hdiutil command line interface.
Sparse bundles take this one step further, breaking the image up into an array of 8MB “bands”. This means that backups are significantly faster, only needing to update the modified bands instead of the entire image.
(Figure: a sparse bundle breaks the sparse image into 8MB bands.) Additionally, unlike FileVault, one is neither limited to a specific set of files or directories nor left with the encrypted files exposed whenever one is logged in.
Creating A Sparse Bundle
Managing A Sparse Bundle Size
A sparse bundle can be resized from within Disk Utility (the icon is right next to the New Image icon) or from the command line using hdiutil. In either case, the sparse image must be unmounted. The two hdiutil commands one is going to need are:
hdiutil resize -size 10g example.sparseimage
This changes the size limit set on the sparse image. Change ’10g’ to whatever size the new limit should be and ‘example’ to whatever the image file is named.
hdiutil compact example.sparseimage
This compacts the size on disk back down after removing files. Again, change ‘example’ to the proper file name.
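To tie the commands above together, here is a small wrapper script added for this post (it is not from the original, and not an Apple tool). It assumes macOS with hdiutil on the PATH; the paths, sizes and volume names are placeholders, and HDIUTIL_DRY_RUN=1 makes it print each command instead of running it. Two practical points it bakes in: the passphrase is read from stdin rather than passed on the command line, and resize and compact refuse to run while the image is still mounted.

```shell
#!/bin/sh
# Added example (not from the original post): a thin wrapper around the hdiutil
# verbs the post discusses, for an AES-256 encrypted sparse bundle.
# Assumptions: macOS with hdiutil on PATH; paths, sizes and volume names are
# placeholders. HDIUTIL_DRY_RUN=1 prints each command instead of running it.

hd() {
    # Run hdiutil, or echo the command line when dry-running.
    if [ "${HDIUTIL_DRY_RUN:-0}" = "1" ]; then
        printf 'hdiutil %s\n' "$*"
    else
        hdiutil "$@"
    fi
}

# Create an encrypted sparse bundle. -stdinpass reads the passphrase from
# stdin, so it never lands in argv (visible to `ps`) or in shell history.
create_bundle() { # create_bundle <path.sparsebundle> <size, e.g. 10g> <volname>
    hd create -size "$2" -type SPARSEBUNDLE -encryption AES-256 \
        -fs HFS+J -volname "$3" -stdinpass "$1"
}

# Mount the bundle; again the passphrase comes from stdin.
attach_bundle() { # attach_bundle <path.sparsebundle>
    hd attach -stdinpass "$1"
}

# resize and compact only work on an unmounted image, so check first.
# Assumes the path passed in is absolute, as hdiutil info reports image paths.
is_attached() { # is_attached <path.sparsebundle>  (exit 0 if mounted)
    [ "${HDIUTIL_DRY_RUN:-0}" = "1" ] && return 1
    hdiutil info | grep -qF -- "$1"
}

# Raise the size limit (hdiutil prompts for the passphrase on encrypted images).
resize_bundle() { # resize_bundle <path.sparsebundle> <new size, e.g. 20g>
    if is_attached "$1"; then echo "detach $1 before resizing" >&2; return 1; fi
    hd resize -size "$2" "$1"
}

# Reclaim on-disk space after deleting files inside the bundle.
compact_bundle() { # compact_bundle <path.sparsebundle>
    if is_attached "$1"; then echo "detach $1 before compacting" >&2; return 1; fi
    hd compact "$1"
}
```

A typical session is create_bundle, attach_bundle, work with the mounted volume, eject it from the Finder, then compact_bundle or resize_bundle as needed.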
These are just a few of the ways to secure files on Mac OS X using built-in functionality. There are a number of other applications out there that can handle file encryption and offer an array of functionality beyond the stock options, but for most users, such apps are unnecessary.
If you’ve got another method of securing your files, I’d love to hear it!