How to secure individual private files in OS X

SecurityIconXYour account in OS X should be relatively secure, and provided you store your files within the structure of your account (ie, the Documents, Music, Movies, and Photos folders in your home directory), then other users on your system will not be able to access your documents. However, this security has its limits, and may break down for several reasons, especially if you transfer documents from your Mac to other systems, or to online services which you access from other systems:

  1. Permissions modifications — The exclusive access to your account is set up by file and folder permissions; however, if some error (perhaps when restoring from a backup or otherwise modifying your system) has affected permissions, then folders you think are private may in fact be readable by others.
  2. Administrative access — If someone has administrative access to your Mac, then they can override any permissions settings and gain access to files and folders.
  3. Bypassing OS X — Your OS X installation is what implements and upholds file and folder security, but this can be bypassed by someone removing your drive and putting it another system, or by booting your Mac to an external boot drive.

To overcome these three security issues, you have two options: Filevault, and individual file security.

FileVault in OS X

Click this button in the Security & Privacy system preferences to enable FileVault.

FileVault is Apple’s built-in full-disk encryption routine for OS X, which ensures the entire drive (including installed applications, system files, and your documents) are scrambled data unless a proper unlocking password or encryption key is provided. This is a great routine to have, provided you keep all of your documents on your Mac; however, with sharing services like Dropbox, and other means of copying files (including to unencrypted backup drives), you can easily and inadvertently duplicate your FileVault-secured files to other unsecured computers. This is true even if the storage in a service like like Dropbox is secure, since you can simply use its Web interface to download a file from it to another Mac that is not encrypted.

As a result of this, even if you use FileVault, be sure to further secure any sensitive documents you have by using individual file security options. For this you essentially have two options:

File-specific security

These options are simply the security features that programs offer for the files they create. For instance, when you create a Pages or Numbers document you can set a file password (in the File menu) that will be required to open that document. The same goes for third-party programs like Word, TurboTax, and many others. The unfortunate issue here is that some programs will have these features, and others will not, so you will have to look into which ones support these security options, and then implement them accordingly.

Creating an encrypted disk image in Disk Utility

Click the toolbar option in Disk Utility to create a new disk image, and select the encryption you wish to use. Be sure to set the image to be a “sparse” image, with no partition map, in order to have it be dynamically resizable.

Encryption wrappers

If a program you use does not have an option for securing document content, then you can still secure files using a disk image as an encryption wrapper. To do this, you can use Disk Utility to create a dynamically resizable but encrypted disk image, that can be mounted with a password, and then will only be the size of the documents and data that are stored within it.

  1. Open Disk Utility
  2. Choose “Blank Disk Image” from the File > New submenu (or click the “New Image” button in the toolbar).
  3. In the window that appears, choose either 128-bit or 256-bit encryption from the “Encryption” menu.
  4. Choose the size of the disk and other options to most appropriately match your data, or better yet, choose a combination of a large size and “Compressed” or “Sparse” as the image format, along with “No Partition Map” for the partition type, to make the disk image dynamically resizable.

With the disk image created, you can open it and provide your password when prompted, and then copy files to it. When you unmount (“eject”) the image, the files on it will be secured by the image’s encryption, and you can then copy the whole image to any online service (or anywhere else) you want, and know the files on it will not be accessible without knowing the image’s password. This approach does require you copy the image itself, is a requirement for keeping files safe that do not support their own encryption options.

6 thoughts on “How to secure individual private files in OS X

  1. Chris Hart, Independent Mac Consultant, Connecticut

    Another alternative is to use a third-party utility that makes using encrypted files images easier. Such as Knox from Agile Bits, which I have recommended to a number of clients and use myself.

    1. Chris Hart, Independent Apple/Mac Consultant, Connecticut

      Sorry for the URL in the middle of my first sentence. That’s due to a TextExpander shortcut (and amazingly I didn’t notice that it had done its job). I can’t seem to edit the posting and remove it.

  2. Gustavo

    I recommend TrueCrypt too, the last valid version that is (7.1a, NOT 7.2). Works seamless on Macs.

  3. biletubes

    I tried the disk image approach and created the disk image Okay. It’s just that when I open it it opens in a thing called DiskImageMounter and it doesn’t behave like finder at all. In fact I can’t move or copy any files into it or use it from an app’s ‘save as’ operations.

    I didn’t quite set it up the same was as above: I opened Disk Utility and then did File -> New -> Disk Image from Folder and then selected an existing folder to turn into a disk image.

    Am I doing something wrong?

Comments are closed.