Data encryption is an important consideration if you keep sensitive or otherwise private documents on your Mac. Encryption is not always necessary, for example on servers that can be physically secured in a closet, but if a system can be stolen or opened so that its drives can be removed, encryption is perhaps the only way to ensure your data is secure.
OS X supports four built-in options for encrypting your data: FileVault, Disk Images, CoreStorage encryption, and your Keychain.
The primary option for encrypting data in OS X is FileVault, Apple’s full-disk encryption technology. It applies a 128-bit AES encryption routine to the boot drive, so the operating system, applications, and all data on the drive are encrypted. Because of this, if the drive is removed from your computer, the encryption should prevent any access to the data. To enable FileVault:
- Go to the Security System preferences
- Click the FileVault tab
- Click the lock to authenticate
- Click “Turn On FileVault”
At this point, select the users to enable for FileVault access, and continue with the on-screen prompts. It may take a while to fully encrypt your drive, but when FileVault is enabled you can continue to use your system while the encryption takes place. When finished, the files on disk will not be accessible by anyone without either the password of an enabled account, or the recovery key (which can be stored with you, or with Apple if you choose).
CoreStorage in OS X is an advanced disk-management technology that allows for the handling of physical drive partitions as virtual ones, so multiple storage locations can be combined into a single logical partition, and also be encrypted if desired. CoreStorage is the underlying technology behind Apple’s FileVault, but while FileVault is reserved for the boot drive, CoreStorage encryption can still be set up on secondary and external drives:
- Attach your desired drive
- Right-click the drive in the Finder
- Select “Encrypt DRIVENAME”
- Provide the password to use for the encryption
Keep in mind that this routine requires a disk formatted to Mac OS Extended, with a GUID partition scheme. These can be set up by formatting the drive in Disk Utility.
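To confirm from Terminal that encryption has actually finished, both for FileVault on the boot drive and for an encrypted secondary or external drive, you can check the output of `diskutil cs list`. The shell function below is an added example, not part of the original article; it assumes the `Conversion Status` and `Fully Secure` labels that `diskutil cs list` prints for each Logical Volume Family, and the sample listing and its UUIDs are constructed.

```shell
#!/bin/sh
# audit_cs: read `diskutil cs list` text on stdin and print "<family-UUID> <verdict>"
# for each Logical Volume Family. Verdicts: secure | converting | unencrypted.
# Returns 0 only when every family reports "Fully Secure: Yes".
audit_cs() {
    awk '
        BEGIN { bad = 0 }
        function emit() {
            if (uuid == "") return
            if (secure == "Yes")           verdict = "secure"
            else if (conv == "Converting") verdict = "converting"
            else                           verdict = "unencrypted"
            if (verdict != "secure") bad = 1
            print uuid, verdict
        }
        /Logical Volume Family/ { emit(); uuid = $NF; secure = ""; conv = "" }
        /Conversion Status:/    { conv = $NF }
        /Fully Secure:/         { secure = $NF }
        END { emit(); exit bad }
    '
}

# Constructed sample: a boot volume still converting and a finished external drive.
sample_cs_list() {
    cat <<'EOF'
CoreStorage logical volume groups (2 found)
+-- Logical Volume Group AAAAAAAA-0000-0000-0000-000000000001
|   Name:         Macintosh HD
|   +-> Logical Volume Family AAAAAAAA-0000-0000-0000-000000000002
|       Encryption Type:         AES-XTS
|       Conversion Status:       Converting
|       Fully Secure:            No
+-- Logical Volume Group BBBBBBBB-0000-0000-0000-000000000001
    Name:         Backup
    +-> Logical Volume Family BBBBBBBB-0000-0000-0000-000000000002
        Encryption Type:         AES-XTS
        Conversion Status:       Complete
        Fully Secure:            Yes
EOF
}

# On a Mac, audit the real disks; elsewhere, run against the constructed sample.
if command -v diskutil >/dev/null 2>&1; then
    diskutil cs list | audit_cs || echo "warning: not every volume is fully encrypted"
else
    sample_cs_list | audit_cs || echo "warning: not every volume is fully encrypted"
fi
```

A drive that reports `converting` still holds unencrypted data, so keep it physically secured until the verdict changes to `secure`.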
Another option in OS X is its support for disk images, which are container files that, when opened, mount on the system as if an external disk were attached. When you create a disk image, you can choose either 128-bit or 256-bit encryption:
- Open Disk Utility
- Choose “Blank Disk Image” from the File > New submenu (or click the “New Image” button in the toolbar).
- In the window that appears, choose either 128-bit or 256-bit encryption from the “Encryption” menu.
Choose the size of the disk and other options to most appropriately match your data, or better yet, choose a combination of a large size and “Compressed” or “Sparse” as the image format, along with “No Partition Map” for the partition type, to make the disk image dynamically resizable.
Now when you wish to secure files, you can open the image, drag files to the disk that mounts in the Finder, and then eject this disk. Disk images (especially compressed ones) are useful for any data that might be stored on potentially insecure external drives, cloud storage, e-mail accounts (as attachments), or other servers.
While Apple’s keychain technology is intended for storing passwords, certificates, and other authentication information, it does support a feature called “Secure Notes,” where you can store text as well as images. These can be useful for storing anything from a secret recipe, to credit card information:
- Open Keychain Access
- Select your keychain (or create a new one)
- Select the “Secure Notes” section
- Click the plus button to add a new note
- Type, copy, or drag text into the note
- Click Save Changes to save the note
When closed, the note and its contents are secured by the encryption of the keychain, and can be accessed at any time using the Keychain Access utility.