Encrypted Disk Images - Mac OS X 10.7.4 (Lion)

Mac OS X provides a native method for creating and using encrypted disk images, which is described below.

Files can be stored in an encrypted disk image created with the Mac OS X command-line tool hdiutil as follows:

  1. First create the simplest possible certificate in Keychain Access using the procedure described here.

  2. Then, find the public key hash (the certificate's "hpky" attribute, 40 hex digits) for this certificate:
    % security find-certificate -c "FooDisk" | \
        grep hpky | awk '{print $1;}' | sed 's/^.*x//'
    
    The output of the command will look like the following (a 40-digit hex string):
    70CAF2CD1EC2F631294B32428B27FC16D12B9546
    
  3. Then, to create (for example) a 1GByte (max) AES-256 encrypted sparse image (a virtual disk image that can expand up to a pre-determined maximum size) using the newly created key, and also a keyboard-entered password, enter the following commands:
    % set NAME="FooDisk"
    % set SIZE="1g"
    % set PUBKEY="70CAF2CD1EC2F631294B32428B27FC16D12B9546" 
    
    % /usr/bin/hdiutil create \
      -type SPARSE \
      -size "${SIZE}" \
      -fs HFS+J \
      -layout GPTSPUD \
      -volname "${NAME}" \
      -nospotlight \
      -encryption AES-256 \
      -agentpass \
      -pubkey "${PUBKEY}" \
      "${NAME}"
    
    You will be prompted (twice) to enter a password to open the encrypted disk image. Consider this password a backup for the case where, for some reason, you cannot access the key from your Keychain. In normal use, you double-click the (locked) encrypted disk image icon, you are prompted to unlock your Keychain (with its own password), and the certificate you created above (stored in your Keychain) is then used by the Finder to open (decrypt) the encrypted disk image. Once opened (decrypted), you can access and copy/modify/delete files in the open disk image exactly as you would files on any other Mac OS volume.

    hdiutil options explained:
    -type SPARSE
      creates a sparse image, which is expandable, as needed, up to the size indicated by the -size option.
    -size ${SIZE}
      sets the maximum size of the sparse image.
      Note that the size can be specified as -size ??b|??k|??m|??g|??t|??p|??e, in the style of mkfile(8), with the addition of tera-, peta- and exabyte sizes (note that 'b' specifies a number of sectors, not bytes).
    -fs HFS+J
      makes the format of the Virtual Disk to be Mac OS Extended (Journaled).
    -layout GPTSPUD
      makes the partition map scheme GUID (the standard partition map for Macintosh computers with an Intel processor).
    -volname "${NAME}"
      sets the mounted volume name.
    -nospotlight
      disables Spotlight indexing of the mounted volume.
    -encryption
      causes the sparse image to be encrypted with the AES-128 cipher.
    -encryption AES-256
      causes the sparse image to be encrypted with the AES-256 cipher (the same encryption used for PGP Virtual Disks).
    -agentpass
      includes a password to open the encrypted disk image.
      You will be prompted to enter a password (twice) during the creation of the sparse image.
      This is a good backup in case the public key for the certificate (in the user's login keychain) isn't available.
    -pubkey "${PUBKEY}"
      uses the 40-digit hex public key hash to select the certificate whose public key encrypts the sparse image.
    "${NAME}"
      This will be the name of the sparse image file (with the extension .sparseimage added).

  4. Then, to check the newly created disk image and confirm that it is encrypted:
    % hdiutil imageinfo "${NAME}".sparseimage
    % hdiutil isencrypted "${NAME}".sparseimage
    
  5. Then, this new sparseimage can be mounted (by double-clicking on the name in Finder) and files can be stored in the mounted disk image.
    All files stored in the sparseimage are encrypted.
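
    As an added example (not part of the original page), the following POSIX shell wrapper for steps 2 and 3 refuses a missing, duplicated or truncated public key hash before it reaches hdiutil -pubkey; the page's commands above are in tcsh syntax, this script is for sh/bash, and the find-certificate output embedded in it is constructed, with a made-up hash.

```shell
#!/bin/sh
# Added example, not from the original page. The step 2 pipeline prints
# nothing, or several hashes, when the certificate name matches zero or
# several keychain items, and a hand-copied PUBKEY is easy to truncate.
# Neither value should reach hdiutil -pubkey, so check it first.

# Read `security find-certificate -c NAME` output on stdin and print the
# single 40-hex-digit public key hash (the "hpky" attribute); fail otherwise.
extract_pubkey_hash() {
    hashes=$(sed -n 's/^[[:space:]]*"hpky"<blob>=0x\([0-9A-Fa-f]*\).*$/\1/p')
    count=$(printf '%s\n' "$hashes" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one hpky attribute, found $count" >&2
        return 1
    fi
    if [ "${#hashes}" -ne 40 ]; then
        echo "hash has ${#hashes} hex digits, expected 40" >&2
        return 1
    fi
    printf '%s\n' "$hashes"
}

# Create and check the image with exactly the options used above
# (macOS only; prompts twice for the -agentpass backup password).
# Usage: create_encrypted_image NAME SIZE PUBKEY
create_encrypted_image() {
    name=$1; size=$2; pubkey=$3
    /usr/bin/hdiutil create -type SPARSE -size "$size" -fs HFS+J \
        -layout GPTSPUD -volname "$name" -nospotlight \
        -encryption AES-256 -agentpass -pubkey "$pubkey" "$name" &&
        hdiutil isencrypted "$name.sparseimage"
}

# Constructed sample of find-certificate output; the hash is made up.
SAMPLE_FIND_CERT='keychain: "/Users/me/Library/Keychains/login.keychain"
attributes:
    "alis"<blob>="FooDisk"
    "hpky"<blob>=0x0123456789ABCDEF0123456789ABCDEF01234567  "\001#Eg..."
    "subj"<blob>=0x300F310D300B06035504030C04466F6F'

# Demonstration on the sample. The real flow is:
#   security find-certificate -c "$NAME" | extract_pubkey_hash
# followed by create_encrypted_image "$NAME" 1g "$PUBKEY".
PUBKEY=$(printf '%s\n' "$SAMPLE_FIND_CERT" | extract_pubkey_hash) &&
    echo "public key hash: $PUBKEY"
```
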
This method of storing files in an encrypted disk image appears to have most (perhaps all) of the advantages of the PGP Virtual Disk, with the distinct advantage of not requiring any additional third-party software.
See the man page on hdiutil for more information on the various options.
Last Updated: 2012 July 25, Wednesday, 19:13:59 PDT (UTC-0700)