HOW TO | encrypt your files
1 Encrypt a volume containing files
If you only need to move files between Macs, it doesn’t matter if the volume on which they’re stored already contains files. There’s a shortcut to encrypt everything in situ, though there there are some prerequisites. In Disk Utility, select the row of the drive that contains the volume. At the bottom of the window, Partition Map Scheme must say GUID Partition Table, otherwise the drive must be wiped. Select the row that shows the volume’s name. At the bottom again, Format must say Mac OS Extended. If either condition isn’t met, you can back up the drive’s contents and skip to 2 below, or see 3 for a less disruptive option.
Otherwise, open a Finder window, right-click the volume in the left pane, and choose the item that begins ‘Encrypt…’. You’re asked to set a password – twice for certainty – and a reminder, which is compulsory. Click Encrypt Disk.
It appears nothing is happening, but the menu item you chose now begins ‘Encrypting…’, and any activity light on the drive is busy. Ejecting and reconnecting the drive prompts for the password.
2 Encrypt a new or blank drive
On a new or empty drive, there’s a quicker method. First, eject and disconnect other external drives, so that Disk Utility’s shows only your Mac’s internal drive and the one to encrypt. In that app, select the row that lists the external drive’s capacity. If its partition map scheme doesn’t say GUID, select the Partition tab, set the number of partitions to create – usually one – then click Options and choose GUID, press OK, name the volume, and press Apply. Notice that you can’t choose an encrypted disk format from here.
Next, select the Erase tab, set Format to ‘Mac OS Extended (Journaled, Encrypted)’, name the volume and click the Erase button. In the panel that appears, set a password. Click Erase. In short time, the encrypted volume becomes available in the Finder. Anything copied to it is encrypted right away.
3 Encrypt only some files
An encrypted disk image lets you choose which files are encrypted. In Disk Utility, choose File > New > Blank Disk Image…. In the window, provide an image name and choose to save it to your external drive. Set Size to the maximum capacity you think you’ll need. Set Format to ‘Mac OS Extended (Journaled)’. Choose either 128-bit or 256-bit AES encryption. Leave Partitions on its default value of GUID. Using ’read/write disk image’ for the image format preallocates your chosen size. Instead, choose ‘sparse bundle disk image’. The image grows as you add things to it.
Click the Create button. Set a password, bearing in mind that a disk image can be copied elsewhere, without your knowledge, and subjected to a brute force attack that could easily crack a weak password. Click OK and the image is created and mounted in the Finder.
4 Encrypt for cross-platform use
To encrypt files in a format that can be used on OS X, Windows and Linux, use Disk Utility’s Erase tab to change the volume’s format to ‘MS-DOS (FAT)’, to which all can write.
Install GPG Suite (gpgtools.org, OS X 10.6 or later). On first run, GPG Keychain Access requests your name and email address to associate with the key you use to encrypt files. Leave the option to upload this unchecked. It’s intended for sending and receiving encrypted files among trusted contacts.
Leave the advanced options on their defaults (see bit.ly/ gpgopts) except for the expiry, which you should uncheck to use the key in the long term. Click ‘Generate key’ and set a strong passphrase. In the Finder, select files to encrypt, rightclick one of them and choose Services > OpenPGP: Encrypt File. In the new window, check the box next to the key you created, then click OK. The files are packaged into an encrypted .gpg file. A PGP tool with your key installed is required to decrypt this file.
In the GPG Keychain Access app, select your key, choose File > Export… and check ‘Allow secret key export’ in the save dialog. To get this onto other computers, save it to a portable drive that contains no files encrypted with it, and store that in isolation during transport. Files encrypted with this tool can be copied to a volume that’s readable and writeable by Macs and other PCs with a PGP tool installed. On Windows, the equivalent tool is Gpg4win (gpg4win.org).