Creating an Encrypted Disk Image on MacOS X


Introduction

One of the hidden gems of MacOS X is the ability to create an encrypted volume for private information. You won't find a whole bunch of help on the subject in Mac Help, but it's a pretty simple process, so most anyone should be able to encrypt databases of credit card numbers, email, configuration settings, and so on.

The rest of this article describes using the DiskCopy.app application that comes bundled with MacOS X to encrypt a small section of your hard disk. We hope you find it useful. However, there are a few disclaimers before going any further...

There are no locksmiths in the realm of strong crypto. There's more about this at the end of the article. For now, just remember that you really, really, really want to remember the pass-phrase you use to encrypt your data.

Consider making a non-encrypted backup. This is a recommendation I make for home users sometimes. Consider making a non-encrypted backup and storing it in a safe place (like in a safe in your house or a safe-deposit box at the bank).

Don't be afraid to ask for help. There's simple help available in the Mac Help application. There are also forums at Mac-related websites, or you can even post a comment here.

This won't protect your data while the encrypted disk image is mounted. The encrypted disk image we're about to create is useful for securing data between sessions on a Mac. Once the encrypted disk image is unlocked and mounted, it is no more secure than any other part of the file system.

Creating The Image

  1. Locate the Disk Copy application. It's in the Utilities folder in the Applications folder. I found it by opening a new file browser, clicking on the "Applications" icon on the top of the window, scrolling down until I saw the "Utilities" folder, then opening the Utilities folder.
  2. Launch the Disk Copy Application by double-clicking on it.
  3. Create a new disk image using the "File -> New -> Blank Image" menu item. You can also use the "Command-N" keyboard accelerator to do the same thing.
  4. You're now going to be asked a couple of questions: where you want the encrypted drive image file to be stored, how big an encrypted drive image you want to create, what you want to name it, and what type of file system you want to use. Fortunately, the answers aren't really too hard.
    • Disk Image Location. The drive image can be located just about anywhere on your hard drive. If you want multiple people to be able to use the encrypted drive (I'm not sure I recommend this, though) you need to put it in a public location in the file system. I put my encrypted drive images in a folder called "Disk Images" off the root of the file system. You can put them just about anywhere, just remember where you put them.
    • Disk Image Name. For the purposes of this demonstration, I recommend the name "SimpleEncrypted". Resist the urge to name your new disk image "private". While this is a good description of the contents, there's also a directory on the Mac called "/private". You could confuse your poor Mac and yourself by having both the disk image and the directory named private. Note that you'll have to enter the name twice; once in the text field next to the "Save As" label at the top of the panel, and once in the text field next to the "Volume Name" label.
    • Disk Image Size. The default size is 10Mb. I recommend you use this to test out using the encrypted disk image features before moving on to larger drives. If you have reason to make the drive larger or smaller, please do so. You can modify the size of the disk image using this selection list.
    • Format. The default is "Mac OS Extended". Unless you know what you're doing, I recommend using the default.
    • Encryption. This is the key setting (so to speak.) By default the "none" setting will be selected. Click on this selection list and move the mouse down to the entry that says "AES-128 (recommended)". Unless you have a tricked out version of the OS, this should be the only other option on this list.
  5. Press "create". You should see an activity meter in a small dialog box as the disk image is created.
  6. Enter your pass phrase. You'll now see a dialog box asking for your pass phrase. Select a good password or pass phrase and enter it in twice in the text fields provided. You should see a checkbox titled "Remember password (add to Keychain)". Depending on your comfort level with the way the MacOS X operating system was coded, you may choose to keep this box checked. Unchecking the box requires you to enter the pass-phrase every time you try to mount the disk image. Keeping it checked allows MacOS X to store a copy of the pass-phrase in a list of passwords that are essentially encrypted by the pass-phrase you use to log in. If you're paranoid, you want to uncheck this box. I recommend unchecking the box. Yes, you have to remember yet another password, but if you're sophisticated enough to be reading this article, you're probably sophisticated enough to remember yet another pass-phrase. Besides, keeping the pass-phrase you use here separate from your MacOS X login pass-phrase provides an extra layer of defense against people trying to steal your data. Please note, however, that if you forget this pass-phrase, there's no way to recover it.

Using the Image

At this point in the procedure, you have an encrypted drive image, ready to store credit card numbers, banking account passwords, marketing plans, customer identifying information and other sensitive data. As a reminder, any user on your machine, including malicious crackers, can read the contents of this disk image while it is mounted. If you're ultra paranoid, you may want to unmount the disk image while you're not using it.

Another thing you might want to do is to modify the user permissions of the disk image. Advanced users can use the command line to issue the command "chmod 700 /Volumes/SimpleEncrypted".

Non-Unix types can change the permissions by going into the Finder, locating the "SimpleEncrypted" volume at the root of the filesystem, single-clicking on it, and pressing Command-I as a keyboard accelerator for the "File -> Get Info" menu item. This will put up a panel with Volume information. There's an expandable UI section titled "Ownership & Permissions". It's the second from the bottom. Expand this section by single-clicking on the triangle next to the "Ownership & Permissions" label. You should see a list of selection lists labeled: Owner, Access, Group, Access, and Others. The values of the "Access" selection lists will likely be "Read & Write". You want to change the values of the second "Access" list (that's the one under the "Group" selection list) and the Others selection list to read "No Access". When you're finished, the top "Access" selection list should still read "Read & Write", but the bottom one should read "No Access". The selection list labeled "Others" should also read "No Access".

You now have a relatively safe location for sensitive information. We would like to remind you, however, that it is still possible, though unlikely, that an attacker could access this drive image while it is mounted. When the drive image is unmounted, the protections of strong crypto are in effect making it extremely difficult to see the contents. Once the drive is mounted, however, you rely on the Unix filesystem permissions to prevent attackers from seeing the disk image's contents. At the time this document was written, there were no serious attacks against a properly patched MacOS X system. However, there have been exploitable vulnerabilities in the past, and there are likely to be vulnerabilities in the future. The thing to remember about the disk image created via this process is that it provides strong cryptographic protection while the disk image is unmounted. We think it's ideal for people that use laptops. Laptops get turned on and off all the time. They're also portable and easily stolen or lost. A nice feature about the disk image we've just created is that items you place in the "SimpleEncrypted" disk image are automatically encrypted on disk.

Mounting the Encrypted Drive Image. You now have an encrypted drive image. After you reboot your Mac, your computer will unmount the disk image and forget your pass-phrase. If you want to remount the image, all you need do is double-click the image and re-enter the pass-phrase. (Remember we mentioned earlier that it's a really good idea to remember where you stashed the disk image on your hard drive.)
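
A command-line counterpart to the steps above, as an added example that is not part of the original article. It assumes the macOS `hdiutil` tool in place of the Disk Copy window and reuses the article's volume name and settings; the function names (`create_image`, `lock_down`, `unmount_image`) are hypothetical helpers that create the image, apply and verify the `chmod 700` permissions, and unmount the volume.

```shell
#!/bin/sh
# Added example, not from the original article. "SimpleEncrypted" is the
# article's volume name; hdiutil is assumed to be the macOS command-line tool.

need_hdiutil() {
    command -v hdiutil >/dev/null 2>&1 || { echo "hdiutil not found" >&2; return 3; }
}

# Counterpart of the Disk Copy steps: 10 MB, Mac OS Extended, AES-128.
# hdiutil prompts for the pass-phrase itself, so it is never passed as an
# argument and stays out of the shell history and the process list.
create_image() {    # $1 = path of the .dmg to create
    need_hdiutil || return $?
    hdiutil create -size 10m -fs HFS+ -volname SimpleEncrypted \
        -encryption AES-128 "$1"
}

# Print the nine permission characters of a path, e.g. rwx------.
# ls -ld is parsed because stat's options differ between macOS and Linux.
perm_bits() {
    ls -ld "$1" 2>/dev/null | cut -c2-10
}

# 0 = group and others have no access, 1 = they do, 2 = not mounted.
is_owner_only() {
    [ -d "$1" ] || return 2
    case "$(perm_bits "$1")" in
        # S and T are setgid/sticky shown without an execute bit.
        ???--[-S]--[-T]) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply the article's chmod 700 and confirm that it took effect.
lock_down() {       # $1 = mount point, e.g. /Volumes/SimpleEncrypted
    rc=0
    is_owner_only "$1" || rc=$?
    [ "$rc" -eq 2 ] && { echo "not mounted: $1" >&2; return 2; }
    [ "$rc" -eq 0 ] || chmod 700 "$1" || return 1
    is_owner_only "$1"
}

# Detach the volume so only the encrypted image file remains on disk.
unmount_image() {   # $1 = mount point
    need_hdiutil || return $?
    hdiutil detach "$1"
}
```

Source the file, then run `lock_down /Volumes/SimpleEncrypted` after each mount and `unmount_image /Volumes/SimpleEncrypted` when you are finished with the data.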

A Few Words About Key Management

I mentioned earlier in the article that I would say a few words about key management for encrypted disk images. The key point here is that in the words of Jimmy Upton, former Treasurer of the International Association of Cryptologic Researchers, "there are no locksmiths in the digital realm." If you forget the pass-phrase used to protect your newly created disk image, all the information contained in it is effectively lost. If you get run over by a bus or otherwise incapacitated, the information will be lost.

Many corporate users who would otherwise be very interested in using encrypted disk images are a little leery of the fact that information could be protected so well it could be lost. There is a solution to this problem of password management, but it's not implemented with the "out of the box" tools available on the Mac. Third party tools such as PGP Disk from PGP, Inc. have a number of advanced "key management" and "key splitting" features that can be used to recover disk images or pass-phrases by a legitimate recovery party when the original user is incapacitated or has forgotten the pass-phrase. We strongly encourage corporate or governmental users to investigate products with such features.

Conclusion

As a final note, we didn't mention smart cards or "hardware tokens" in this article. MacOS X comes with support for the PC/SC and Cryptoki interfaces to Smart Cards and USB key dongles. There has been some adoption in the industry of these technologies, and we are looking forward to the time when the key to unlock an encrypted disk image can be placed on such a token.

We hope this article has been instructive. As we mentioned earlier, there is some help available in the "Mac Help" application. You can also post comments to this article asking questions and our staff will be happy to answer them as best they can.