You may have com across a time where you need to send or save a collection of stuff that needs to be kept secure, absolutely no one can access it unless you say so. Maybe you need to send some tax files to an accountant, maybe a collection of evidence on the crimes of a super villain, or maybe you share your Mac with someone and want to give yourself some extra privacy. Maybe you want the convenience of cloud storage for your files, want really want to protect some extra sensitive stuff in there. Mac provides you an easy way to do this with encrypted disk images. We’ve written before about how to encrypt PDF documents on your Mac, but this will work with any file type or folders and can provide even more security.
To get started you’ll need to open Disk Utility from your Utilities folder in the Applications folder, or by searching for it in Spotlight. Once it’s open, click “File” in the menubar, then hover over “New Image”. You’ll be presented with several options. We’ll be creating a new blank image, but not that you can created an encrypted based off a hard drive or pre-existing folder, which will leave the original drive or folder intact but create an encrypted image out of them.
Once you’ve select New Blank Image, a new window will pop up with a number of options. We’ll go over these step by step, but here’s a quick list of defaults in case you don’t want all the details:
- Your name, save as, and file size should be your own choice.
- Format: Leave as Mac OS Extended (Journaled) if you’re keeping this on Mac systems, ExFAT if you’re going to use this on other systems.
- Encryption: AES-256 bit
- Partition: GUID
- Image Format: Sparse bundle disk image
The Details of the Settings
Save As: This is the name of the encrypted image you’re creating. Note this will be different from the Name section you’ll see further down the window. Save As will be title of the encrypted disk image that you’ll see saved onto your machine and that will be passed around.
Tags: This makes it easier to search for and find in the Finder Menu. If you think you may have trouble finding it, you may want to tag it with a color and type, but it depends on how secretive you want to be with it.
Where: Here you’ll pick where you want to save the image when it’s created. It defaults to your document folder, but you can pick any other folder or location where you want it to go.
Name: When you unencrypt the file, it will mount like other installer images or flash drive. This name will what you see when it is unencrypted. This can be a clearer name since if someone has unencrypted this, they have the password and know the contents saved within it.
Size: Here you’ll set the size your disk image will take up and be able to hold. The default size Disk Utility sets disk images to is 100 megabytes, but you can edit this value to be whatever size you can hold on your machine, and change it from megabytes to gigabytes by replacing the “M” with a “G”. Note that depending on what Image Format you set this disk image to be may not be the final size of the file you see on your machine. We’ll explain that more in that section.
Format: Here is where you’ll set the format of the disk image, much in the same way you would with a flash drive. If you plan on just using this on a Mac (or multiple Mac systems), then you can leave it as either Mac OS Extended (Journaled) or APFS for newer Mac systems. If you’ll be using this with other Windows or Linux systems, then you’ll like want to set it to ExFAT.
Encryption: You’ll have 3 options for encrypting your file: None, 128-bit AES, or 256-bit AES. As Disk Utility describes, 128-bit is faster, but generally considered less secure while 256-bit is the exact opposite: more secure, but takes longer to encrypt and decrypt. Overall, you’re typically better off just selecting the 256-bit encryption. For most disk images, the decryption time isn’t that noticeable, and if it’s worth protecting with encryption, its worth giving the strongest you can.
If you select either 128-bit or 256-bit encryption, you’ll be prompted to create a password either on your own or with Mac’s built in password creation tool by hitting the little key icon in the password window. You can also use this tool to test the strength of your own password. This shouldn’t be the same password you use to unlock your Mac, Apple account, or any other service. Make sure to give it a good, long, complex password. Use Apple’s own password generator or another one like LastPass if you prefer. Once you create it and save it, it will set the encryption method once you’re ready to encrypt.
Partitions: Much like a flash drive, you will need to set a partition map for when the image is in a decrypted state so it can be processed. Typically this will be in a single partition, but you can create multiple partitions later with Disk Utility if you desire, though they’ll all be locked under the same encryption scheme and password. It’s best to leave it under the default GUID partition scheme unless you’re either going to burn this to a disk (in which case use the CD/DVD scheme) or share it with an older Windows/Linux machine (use the Master Boot Record scheme).
Image Format: Here you have 4 options, explained below.
- read/write disk image: This is the default one selected. When unlocked, any disk image will have the ability to have files added or removed from it. This essentially makes it like a little encrypted vault. However, whatever size you set it to at its creation is the size it will take up on the disk, regardless of what is actually in it, and it can not be resized after the fact.
- sparse disk image: This format functions as a somewhat resizeable image format. Similar to the other formats, you still set a size at creation, but unlike the read/write disk image, the size you set for a sparse disk image is the maximum size and may not be the size on your machine. If you set the size to be a 1 GB but only store a 100 MB file, then the size of the encrypted disk image on your machine will only be 100 MB. While the file can’t grow or store anything larger than the size you set automatically (at least not without some finagling), it does give you some flexibility in the future and prevent you from eating up the storage space on your machine.
- sparse bundle disk image: This is an updated version of the sparse disk image format and was introduced with OS 10.5 “Leopard” for use with the built-in Time Machine. It functions much the same, however it stores files in smaller blocks. Meaning that the entire file doesn’t have to be re-written, instead only that block does. This is more useful if you expect to be updating this disk image a lot, need it to be backed-up, and can potentially make data recovery easier. If there’s damage to the disk image, the damage may be limited to only some files within it while other files might still be recoverable, whereas in the sparse disk image they could all be gone. I would recommend using this disk image unless you know another one would be better for your needs
- DVD/CD master: This, as the name implies, is for use with DVD and CD. When you select this option (in 10.11 and newer) the max size is automatically reset to 177 MB, the max size for a standard 8 mm CD.
Creating the image
Once you’ve got everything set like you want, then you can hit the save button. The settings window will go away, and instead a new window will pop up with a loading bar and detail the creation of your encrypted disk image. If it completes without issue, your should get a green check mark on the disk icon and a message saying “Operation Successful”. Now if you go to your Documents folder or wherever you chose to save your file, you’ll see a .dmg or other image type with the “Save As” name you gave it earlier (in my case, “Nothing to See Here.dmg”.
After it’s initial creation, the disk image will already be decrypted and mounted onto your machine so you can add files and folders as you need. You can access it either from the Finder sidebar on the left, or you may see it mounted like a flash drive with the name you gave it (in my example, “Super Secret Spy Files”). Either way, you can click on it to open it, and drag stuff on and off of it like a flash drive. When you’re done using it and ready to lock it all up, you just need to “Eject” the disk image like you would a flash drive. You can right click on the disk either on the desktop or in the Finder sidebar and hit the “Eject” option. Once it’s ejected, the .dmg will still be on your computer, but any files in there are locked and encrypted. To unlock them and see or change the contents, you’ll need to double click on the disk image file and type in the password for the file.
You may be see the checkbox to “Remember password in my keychain”, referring to your Apple Keychain. If checked, it means the password for this encrypted file will be saved in your Apple Keychain, and you won’t be prompted for the password when opening the file. For security purposes, I don’t recommend enabling this. It just removes a layer of security in case some gets your Mac and into your user account.
And that’s it. Now you can share these with whomever you want or secretly store those files somewhere.
Was this guide helpful? Let us know in the comments below or on social.