Everyone has some files that they don't want other people to see. They may be important business documents, tax returns, health information or anything else someone would want kept secret. While it's all well and good to have a password on your Mac, if someone gets past that password (and there are ways), or comes across your Mac while it is logged in, they have access to all your files.
For that reason, it is worth having a second line of defence: by keeping your most important files locked away securely except when they are actively in use, you can keep them as safe as possible. In this tutorial I will show you three methods for doing so: making your own solution with Apple's Disk Utility, using the open source TrueCrypt and using AgileBits' Knox.
How to Set Up and Use Password Protected Vaults on Your Mac
The Case for Password Protected Folders
Having additional layers of security is not just for whistleblowers, drug dealers and spies. Important documents such as passports, birth certificates or credit cards are worth having digital records of in case the originals get misplaced or stolen.
Similarly, digital copies of tax filings or wills are useful things to have, but are not something you want anyone who uses your computer to be able to access.
Storing these important files in a password protected vault means that you can access them when you want to, but that they are not available when you are just browsing the web, sending emails or watching movies.
While the chance of someone gaining access to your most important files may be low, the cost if it happens can be very high. If you are going to have sensitive files on your Mac, protecting them from unauthorised access is, as this tutorial shows, very simple. I believe the benefits are well worth the cost.
OS X's Disk Utility has the ability to create password protected, encrypted disk images. If you are just looking for a way to securely store a few files, this is the easiest. There are two different kinds of disk images: regular disk images and sparse disk images.
A regular disk image takes up a specific size regardless of the size of the contents, whereas a sparse disk image only takes up as much disk space as the contents need. I suggest you use a sparse disk image.
Setting Up an Encrypted Disk Image
- Open Disk Utility from the Applications folder.
- With no volume already selected, click New Image.
- What you enter in the Save As field is what the unmounted volume will be called and where it will be located. What you enter in the Name: field is what the mounted volume will be called. For Size: select the maximum size you would like to allow the volume to reach. Under Encryption: select 128-bit AES Encryption (Recommended). Finally, for Image Format: select sparse disk image. Click Create to continue.
- Enter the password you would like to use for the encrypted disk image. Uncheck Remember password in my keychain, otherwise there is no point to what we have done so far, and click OK.
- Your vault will now mount like any other external volume. Move any files you want to keep secure to it using Finder.
- To eject it, simply click the eject icon in the Finder sidebar. To mount it again, double-click on the sparse disk image file.
The Case for Disk Utility
If you only have a few files that you need to keep safe then using Disk Utility is the simplest option and requires no extra software. The two methods that I show further on in this tutorial, using TrueCrypt and Knox, both offer far more options but are more effort.
Unless you have a reason to use one of the others, you should view this method as the default. It takes five minutes to set up and is the perfect way to secure a photocopy of your important documents.
TrueCrypt is free, open source disk encryption software. It allows you to disguise a vault as any file on your hard drive. If someone tries to open the file without mounting it through TrueCrypt, it will appear to be corrupted. The vault otherwise acts like a normal file that can be moved, copied or deleted.
- Visit the TrueCrypt download page and download the Mac OS X .dmg package.
- Navigate to the Downloads folder and open the TrueCrypt .dmg file.
- Open the package file and follow the installer’s steps.
- Navigate to the Applications folder and open TrueCrypt.
Setting Up a TrueCrypt Volume
- With TrueCrypt open, click on the Create Volume button.
- In this tutorial I’m focussing on setting up an encrypted vault so select Create an encrypted file container and click Next.
- A hidden TrueCrypt volume is a TrueCrypt volume hidden inside another TrueCrypt volume. It is designed so that if you are being extorted or tortured you can give access to seemingly important files while not giving access to your most important files. Unless you are a spy, it's excessive. For this tutorial I’m just going to focus on Standard TrueCrypt Volumes so select that option and click Next.
- When creating a TrueCrypt volume you can either create a new file or overwrite an existing one. I am going to convert the file on my desktop, Selfie.jpg, into my vault. You can do the same or create a new file with an innocent sounding name. Click Select File and either enter a new file name or select one that already exists. Click Save and then Next.
- TrueCrypt offers a number of encryption options including stacking different algorithms together. This is far in excess of most people’s needs. I recommend you leave it at the defaults, AES and RIPEMD-160, and click Next.
- Empty space in a TrueCrypt vault is always filled with random data. From a security point of view, this means that no one can tell whether a TrueCrypt volume is packed full of sensitive documents or empty except for random 1s and 0s. This means that you need to specify the size of the volume when you create it. I recommend you create a small volume to start. You can always create a larger one later and transfer your files to it. You can also have more than one TrueCrypt volume. Enter the size you want to create into the input field and click Next.
- Enter a password for your volume. While TrueCrypt recommends a minimum length of 20 characters, you can create a shorter password. Depending on who you are trying to keep files safe from, I would recommend a password of around 10 or 12 characters. When you’ve done that, select Next.
- Next you have to select the format of the volume. If you are going to be moving the volume between different computers with different operating systems select FAT. Otherwise you can choose Mac OS Extended. Click Next to continue.
- Computers are bad at generating random numbers. To create pseudorandom encryption keys, TrueCrypt has you move your mouse cursor around and then uses an algorithm to turn that into a long key. Wave your mouse around for a few seconds in a random manner and then click Format.
- I’ve created the first TrueCrypt volume. If you want to create another, click Next, otherwise click Exit.
Using Your TrueCrypt Vault
- In TrueCrypt, click Select File, navigate to where you have your TrueCrypt vault, select it and click Open.
- Click Mount and enter the password you set for your vault.
- Presuming you’ve entered the right password, your TrueCrypt vault will mount just like any other external volume.
- Navigate to it in Finder and move any files you want to secure to it.
- To dismount your vault, click Dismount All in TrueCrypt or eject it in Finder.
The Case for TrueCrypt
TrueCrypt is the most secure of the three options I am showing you in this tutorial. Your vault is hidden as a corrupt file so unless someone knows what to look for, they won't even be able to find it. It's always a consistent size so that if they do find it, they don't know whether it's in use or not.
There are also extra security features that I didn't touch on in this tutorial such as hidden TrueCrypt volumes and keyfiles. If you are a spy, TrueCrypt is the way to go! For most people, however, TrueCrypt's options are excessive. Unless you have files you need to make sure no one can access or even know that you have, the Disk Utility method is simpler.
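As an added illustration (not part of the original tutorial and not TrueCrypt's own code), the sketch below shows what "knowing what to look for" means for a container disguised as Selfie.jpg: the file lacks the header its extension promises, its contents are statistically random, and its size is a whole number of 512-byte sectors. The entropy threshold, the function names and both sample files are assumptions constructed for this example.

```python
import math
import os
from collections import Counter

# Leading "magic" bytes of a few common formats (well-known values).
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
}
SECTOR = 512          # container sizes are whole sectors
ENTROPY_FLOOR = 7.9   # bits per byte; assumed threshold for "looks random"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 means uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess(name: str, data: bytes) -> dict:
    """Report how a file called `name` with contents `data` looks to a scanner."""
    ext = os.path.splitext(name)[1].lower()
    magic = MAGIC.get(ext)
    findings = {
        "header_matches_extension": magic is not None and data.startswith(magic),
        "entropy": round(shannon_entropy(data[:65536]), 3),
        "whole_sectors": len(data) > 0 and len(data) % SECTOR == 0,
    }
    findings["looks_like_container"] = (
        not findings["header_matches_extension"]
        and findings["entropy"] >= ENTROPY_FLOOR
        and findings["whole_sectors"]
    )
    return findings


# Constructed samples: random bytes stand in for an encrypted container, and
# a JPEG header followed by repetitive filler stands in for an ordinary photo.
fake_vault = os.urandom(64 * SECTOR)
fake_photo = b"\xff\xd8\xff\xe0" + b"JFIF\x00" * 5000

if __name__ == "__main__":
    print("Selfie.jpg (container):", assess("Selfie.jpg", fake_vault))
    print("Holiday.jpg (photo):   ", assess("Holiday.jpg", fake_photo))
```

The disguise therefore protects against casual browsing rather than a deliberate search; the confidentiality of the contents still rests on the password.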
Vaults created with Knox are essentially the same as those created with Disk Utility. Knox, however, adds a GUI that allows you to manage multiple vaults easily, mount and unmount them using a menubar app and automatically back them up.
It can also allow Spotlight to search the contents of vaults even when they're closed. This makes Knox more suitable for managing multiple vaults with lots of files; people like lawyers or accountants, for example, who handle a large number of sensitive documents can really benefit from using Knox.
- Download the trial version of Knox from AgileBits’ site. After a 30 day free trial it is $34.99, although if you decide not to buy you are still able to access your vaults, just as you would those created with Disk Utility.
- Navigate to the Downloads folder and open the .zip file.
- Drag the Knox application to the Applications folder and open it.
Setting Up a Knox Vault
- Click on Knox’s menubar icon and select New Vault….
- Enter a name for the vault and a password. As with the Disk Utility method, I recommend you don’t save it.
- Click on Show advanced options to change the location where the Knox vault will be saved. By default it is in a newly created Knox folder in the Documents folder. You can also change the maximum size or the level of encryption of the vault.
- Click Create to create the vault.
Using Your Knox Vault
- To mount a Knox vault, click on the menubar icon and select it from the list. This will prompt you to enter your password.
- Enter your password and click OK to mount it. Now it is mounted like any other external volume and can be treated as such.
- Mounted volumes have a tick beside them in the menubar application. To unmount a volume just click on it.
The Case for Knox
Knox is best when you have many sensitive files rather than secret ones.
A vault created with Disk Utility is perfect for storing a few important personal files, and a TrueCrypt volume is great for stolen state secrets. If you have important client documents, medical files, business plans or anything of that nature that you need to access regularly while still preventing unauthorised people from doing so, Knox is great.
In this tutorial I've explained the reasons why you should have a password protected vault. I've also shown you three ways to set one up, using OS X's built-in utilities, the open source TrueCrypt and Knox, along with their relative strengths and weaknesses.
Am I being too paranoid? Or not paranoid enough? Have I missed some great software? Let me know in the comments.