Encrypted Disk Images without FileVault

When I upgraded my MacBook to Leopard last year, I was really quite surprised to discover that Time Machine and FileVault really don’t work well together. The thought of having my laptop stolen is traumatic enough, without also having to worry about someone sifting through my finances, bank statements and other personal files. Until Leopard, FileVault had been a real boon for keeping all of those sensitive files locked safely away in a password protected, encrypted container. Unfortunately, Time Machine then treats my whole home directory as a single giant file, and backs up a new revision of the entire thing every time I make even the tiniest of changes to any of the files inside it: another copy of my 60Gb of iTunes files and 10Gb of iPhoto files to fit on my overstuffed Time Machine drive!

All is not lost, however! The trick is to make a small mountable encrypted disk image of your own to securely store all your confidential files. Here’s how to make a 660MB image to do just that with the Disk Utility application, so that you can turn FileVault off entirely. As a bonus, as long as the files you need to store inside will fit into less than 660MB, you can also keep a password protected backup on an 80 minute CD-R:

  1. Select New -> Blank Disk Image from the File menu (or click New Image in the toolbar).
  2. Fill in the dialog box, to look something like this, making sure you select encryption (I always choose the strongest available, since I’ll only want to access the files inside a few times a week, and speed is less important than security):
  3. When prompted for a password, you’ll need to untick the option for saving to the keychain (otherwise, there’s no point encrypting the disk image in the first place, since your keychain is unlocked while you are logged in!). Make sure you choose a strong passphrase that you won’t forget — there’s no way to ever recover the files inside if you ever do forget it.
  4. Disk Utility will create the disk image and mount it for you. You can then copy any files that you want to keep inside by dragging them to the mounted disk icon in the Finder. Don’t delete the originals just yet…
  5. Unmount the image by dragging it to the Trash, and then remount it by double-clicking the Private.dmg file. Of course you’ll have to enter your passphrase every time you mount it from now on. This step is to check that the passphrase is what you expect (i.e. you didn’t mistype it twice and lock yourself out), and that all the files you dragged in are present.
  6. Optionally, put a blank CD-R in the drive and drag Private.dmg to it to burn a physical backup. If anyone tries to mount the resulting CD, they’ll also need to supply that same passphrase. You might like to make one of these from time to time and mail it to a friend, in case your computer and Time Machine backups are all washed away in a flash flood or something.
  7. Now you can delete the originals of any files you copied to the disk image, safe in the knowledge that you have copies safely tucked away in the encrypted image. Make sure that you drag those originals to the Trash, and then use the Empty Securely button to make it near impossible to recover the originals forensically from your hard drive.
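If you prefer Terminal, steps 1 to 5 can be done with `hdiutil`, the command-line tool behind Disk Utility. The script below is an added example, not part of the original walkthrough; the volume name `Private` and the two arguments (source folder and image path) are assumptions. It creates the image, copies a folder in, remounts it and checks every file byte for byte, leaving the originals for you to delete as in step 7.

```shell
#!/bin/sh
# Added example: command-line version of steps 1-5 using hdiutil (macOS only).
# Assumed names: volume "Private"; SRC_DIR and IMAGE are supplied by you.

# Step 5 check: every file under SRC exists, byte-identical, under DST.
# Files present only in DST (volume metadata such as .fseventsd) are ignored.
# File names containing newlines are not supported.
verify_copy() {
    src=${1%/}; dst=${2%/}
    [ -d "$src" ] || return 1
    bad=$(find "$src" -type f | while IFS= read -r f; do
        rel=${f#"$src"/}
        cmp -s "$f" "$dst/$rel" || printf '%s\n' "$rel"
    done)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/missing or different: /' >&2
        return 1
    fi
}

make_private_image() {
    src=$1; image=$2; status=0
    mnt=$(mktemp -d) || return 1
    # Steps 1-3: 660 MB image, AES-256 (hdiutil's stronger option).
    # hdiutil asks for the new passphrase itself, so it is never held in a
    # shell variable.
    hdiutil create -size 660m -fs HFS+ -volname Private \
        -encryption AES-256 "$image" || return 1
    hdiutil isencrypted "$image" 2>&1 | grep -q 'encrypted: YES' || return 1
    # Step 4: mount and copy the originals in (originals are left untouched).
    hdiutil attach "$image" -mountpoint "$mnt" -nobrowse || return 1
    cp -Rp "$src"/. "$mnt"/ || status=1
    hdiutil detach "$mnt" || return 1
    # Step 5: remount read-only, which asks for the passphrase again, and
    # compare. If a dialog offers to remember it in the keychain, decline.
    hdiutil attach "$image" -mountpoint "$mnt" -nobrowse -readonly || return 1
    verify_copy "$src" "$mnt" || status=1
    hdiutil detach "$mnt" && rmdir "$mnt"
    return $status
}

# Usage: sh private-image.sh SRC_DIR IMAGE.dmg
if [ $# -eq 2 ]; then
    make_private_image "$1" "$2"
fi
```

A non-zero exit status means the image was not created, could not be remounted, or is missing a file, so keep the originals until the script exits with 0.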

