Using Encrypted Disk Images


If you have downloaded software for Mac OS X from the Internet, you may have noticed that the file format of choice for storing installer packages ends with the suffix .dmg. This type of file is known as a disk image, a very powerful method of storing multifolder and multifile hierarchies in a single, Internet-friendly file.

Disk images appear to the Mac OS X file system as though they are mounted drives. If you've mounted one by double-clicking it, you notice that a disk-like image shows up on your desktop and in the Finder (and, for those who prefer the CLI, it gets mounted in the standard location /Volumes). A disk image may be read-only or read/write; it may be fixed in size or resizable as its contents grow; and it may be one of many file-system types: HFS+ (aka Mac OS Extended) and its journaled or case-sensitive varieties, UFS (UNIX File System), or the MS-DOS file system.

When you are done with a disk image, you "eject" it. The disk image will then be unmounted, and all contents are reconstituted back into the original .dmg file. In other words, with a read/write disk image, you can modify the contents of the mounted disk image as though it was a virtual drive. When you "eject" that disk image, all of your changes are folded back into the original .dmg file, so when it is reopened, it will be as though you mounted the disk again with your changes intact.

So how can you leverage these single-file-based virtual drives for security? Disk images can be password-protected (double-clicking the disk image to open it will require the user to enter a password) and encrypted (so if the disk image falls into the wrong hands, its contents cannot be easily obtained). You can create as many password-protected, encrypted disk images as you want, with different passwords for different users (whether they are meant to be shared or not), and you can populate each disk image as though it was its own very secure virtual drive (which, basically, it is).

Password-protected, encrypted disk images ensure that your highly sensitive data can be safely packaged up in an easy-to-use and very secure file, which you can then share with selected recipients or keep to yourself.

You can use Disk Utility to create encrypted disk images. Like any other disk image file, an encrypted disk image can be copied to or created on network volumes or removable media, including USB flash media and FireWire drives. You can also burn encrypted disk images onto a CD-R or DVD-R disk for archival purposes. Each encrypted disk image is protected by a password, which may be composed of 7-bit ASCII characters and can be 1 to 255 characters in length.

Creating Encrypted Disk Images

You can create disk images using either the GUI Disk Utility tool or the CLI hdiutil:

hdiutil create sizespec [options] imagepath


hdiutil provides much more power and granularity in creating disk images than Disk Utility does, including the ability to create MS-DOS file-system images and unformatted disk images.

More Info

For more information, see the man page for hdiutil.


To create an encrypted disk image, do the following:

1. Open Disk Utility (/Applications/Disk Utility).

2. Click New Image.

3. From the Encryption pop-up menu, choose AES-128 (recommended).

4. From the Size and Format pop-up menus, choose a size and format.

5. Click Create.

Note

Because Disk Utility uses 128-bit encryption, your data will be irretrievably lost if you forget the password.
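
The same procedure can be scripted with hdiutil. The following is an added example, not taken from the book: the function names and the sample image name are hypothetical, and the -encryption, -stdinpass, -fs, -volname and isencrypted options are taken from the hdiutil man page on current systems rather than from this text. It enforces the password rule stated above and checks that the finished image is encrypted.

```shell
#!/bin/sh
# Added example: CLI counterpart of the Disk Utility steps above.

# Password rule from the text: 1 to 255 characters of 7-bit ASCII.
# Assumption of this example: control characters are rejected as well,
# so only printable ASCII (space through ~) is accepted.
valid_passphrase() (
    LC_ALL=C                      # byte-wise ranges and lengths
    case $1 in
        *[!\ -~]*) exit 1 ;;      # contains a byte outside 0x20-0x7E
    esac
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 255 ]
)

# create_encrypted_image SIZE VOLNAME IMAGEPATH
# Reads the passphrase from stdin (without echo on a terminal) and passes
# it to hdiutil via -stdinpass, so it never appears in the process list.
create_encrypted_image() (
    size=$1 volname=$2 imagepath=$3
    if [ -t 0 ]; then
        printf 'Passphrase: ' >&2
        stty -echo; IFS= read -r passphrase; stty echo; echo >&2
    else
        IFS= read -r passphrase || true
    fi
    if ! valid_passphrase "$passphrase"; then
        echo "passphrase must be 1-255 printable ASCII characters" >&2
        exit 2
    fi
    # printf '%s' adds no newline; hdiutil would treat one as part of
    # the passphrase.
    printf '%s' "$passphrase" |
        hdiutil create -size "$size" -fs HFS+ -volname "$volname" \
            -encryption AES-128 -stdinpass "$imagepath" || exit 1
    # Confirm the result really is encrypted before storing data in it.
    hdiutil isencrypted "$imagepath" 2>&1 | grep -q 'encrypted: YES'
)

# Usage (constructed names): create_encrypted_image 100m Secrets Secrets.dmg
```

Run on a terminal, the function prompts for the passphrase; in a script, pipe the passphrase to it on standard input.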





Apple Training Series. Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
EAN: 2147483647
Year: 2005
Pages: 258
Authors: Schoun Regan
