FileVault provides full-disk encryption to secure the contents of an entire hard drive. This ensures that all your files are safe from prying eyes, requiring your login password in order to decrypt and gain access. But sometimes this all-or-nothing encryption approach doesn't address all needs.
Encrypted disk images allow you to store files on smaller, virtual drives, with their own unique passwords. This gives you more granular control than the all-or-nothing encryption approach of FileVault. You might want an encrypted disk image to restrict access to passwords or store confidential project documents.
An encrypted disk image exists as a file on your hard drive. If you open the file, you are prompted to enter the password, then the image mounts in the file system akin to an external hard drive. It appears in Finder as a Device, along with your other hard drives, jump drives, and media. You can open, save, and move files to/from the mounted image just as if it were a physical disk. When you unmount or eject the image, the files are no longer accessible until the image is remounted.
Create Encrypted Disk Image
Encrypted disk images are created using Disk Utility. You can create an empty disk image and add data to it.
Launch Disk Utility. It lives in the Applications/Utilities folder.
From the File menu, select New Image > Blank Image...
In the next window, configure your disk image. You only need to make changes to the following fields:
- Save as: Enter a filename for the disk image, then choose where to save it.
- Tags: Add tags if necessary (optional).
- Name: This is the name that appears on your desktop and in the Finder sidebar after you open the disk image.
- Size: Enter a size for the disk image. Too small and all your files might not fit; too large and it takes up space on your physical hard drive.
- Encryption: Select 128-bit AES encryption.
  - Why not 256-bit?
    - "The key schedule for 256-bit keys is not as well designed as the key schedule for 128-bit keys."
    - Brute-forcing a 128-bit key would take 2,158,000,000,000 years on special-purpose hardware.
    - 128-bit is faster.
  - About AES encryption
  - You will be prompted to enter the password.
    - Use a password that is not easily guessed and that is not used on web sites or in other places where it could become known.
    - Do NOT save this password to your keychain, or else this disk may be mounted without re-entering the password.
    - If you accidentally add it to the Keychain, use the Keychain Assistant utility to remove the password.
The disk image is created. You can quit Disk Utility.
How To Mount an Encrypted Disk Image
Navigate to where you saved the disk image and double-click on it.
Enter your password and the image will mount.
To unmount the image, so that it is no longer accessible, eject it.
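The same create, mount and eject steps from the command line, as an added example that is not part of the original article: it uses hdiutil, macOS's built-in disk image tool, with the passphrase read from standard input rather than passed as an argument. The image path, volume name and size are example values.

```shell
# Added example (not the article's own): the Disk Utility steps done with
# hdiutil, macOS's command-line disk image tool. Path, volume name and size
# below are example values.

# Arguments for a blank AES-128 encrypted image: image path, volume name,
# size (e.g. 100m); no spaces in names. -stdinpass reads the passphrase from
# stdin, so it never shows up in the process list as an argument would.
dmg_create_args() {
    printf '%s' "create -encryption AES-128 -stdinpass -fs HFS+J -size $3 -volname $2 $1"
}

# hdiutil exists on macOS only; fail clearly elsewhere.
require_hdiutil() {
    command -v hdiutil >/dev/null 2>&1 && return 0
    echo "hdiutil not found: macOS only" >&2
    return 2
}

# Create the image. With a terminal on stdin, hdiutil prompts for the
# passphrase without echo; otherwise pipe it in with printf '%s' (no newline).
dmg_create() {
    require_hdiutil || return $?
    # shellcheck disable=SC2046  # word splitting of the argument list is intended
    hdiutil $(dmg_create_args "$1" "$2" "$3")
}

# Mount the image (passphrase read as above); it appears under
# /Volumes/<volume name>, as when double-clicked in Finder.
dmg_attach() {
    require_hdiutil || return $?
    hdiutil attach -stdinpass "$1"
}

# Eject the volume; its files are inaccessible until attached again.
dmg_detach() {
    require_hdiutil || return $?
    hdiutil detach "$1"
}

# Confirm an image is actually encrypted (hdiutil reports "encrypted: YES").
dmg_is_encrypted() {
    require_hdiutil || return $?
    hdiutil isencrypted "$1" 2>/dev/null | grep -q 'encrypted: *YES'
}
# Usage on macOS, run interactively so the passphrase is prompted for and
# never lands in the command line or shell history:
#   dmg_create ~/Confidential.dmg Confidential 100m
#   dmg_is_encrypted ~/Confidential.dmg && dmg_attach ~/Confidential.dmg
#   dmg_detach /Volumes/Confidential
```

Because hdiutil never offers to store the passphrase, this route also sidesteps the keychain checkbox warned about above.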