hoakley November 22, 2019 Macs, Technology

How to encrypt files and folders in APFS

Whole disk encryption is far superior in most respects to encrypting individual files and folders. If your Mac has a T2 chip, like it or not, your internal storage will be fully encrypted. But if your Mac has to perform encryption in software – as it will for any external storage even when it does have a T2 chip – you may not want the whole disk encrypted. As few of us have no documents with sensitive contents, you may still want some to be suitably protected.

Cast your mind back to when Apple first announced APFS and its wonderful new features. Do you remember it referring to both whole-disk and individual file and folder encryption? Look as hard as you like in the Finder, its Quick Actions, contextual menus, and so on, and it’s nowhere to be found. Has Apple not yet got round to implementing this?

It has, but perhaps not in the direct way that you expected. It’s all done with Disk Utility (hdiutil if you prefer), and once set up works rather well.

Setting up an encrypted harbour for your files is straightforward. I’ll do it here using a sparse bundle, although if you prefer you can use a disk image instead. Sparse bundles have the advantage that they store the encrypted contents in chunks or bands, which can minimise the amount of backup space they require as they are modified. They also only use the space they require.

In Disk Utility, make a Blank image using the New Image… command in the File menu. This produces quite a busy dialog, into which you should enter:

a suitable file name and location for the encrypted sparse bundle, and a name for the mounted volume;
the maximum size you want the sparse bundle to grow to. Because this is sparse storage, it only occupies the space it needs at the time, so ensure this is healthily large, in GB or even TB;
APFS as its format;
either of the encryption options, as you prefer. When you select one, you’ll be prompted for its password;
a single partition, GUID;
sparse bundle disk image (in this example).

Once you have set those up, go back and check its size, which Disk Utility has a habit of reverting to its default, so that it will be of little use. Then click on the Save button.

encryptedfiles01

You should then have a mounted disk image of around 33.5 MB in size, which will expand as required to accommodate up to the set maximum. Drag and drop your files and folders into it as you wish. You may then notice an old bug which was first reported in Mojave: the progress circles next to copied files persist in an incomplete state even though the copies have been made successfully. Don’t worry about that. Once your encrypted sparse bundle is complete, eject it.

encryptedfiles02

To mount and decrypt those files and folders, double-click the sparse bundle. You’ll then be prompted for its password. Once that has been entered, the bundle will be mounted, and you can add, remove and edit files within it just as for any read-write volume. Once you’re finished with it, close all files that are open in it and eject the volume.

One operation which you may find handy if the contents shrink noticeably is to compact the sparse bundle using the command
hdiutil compact mybundle.sparsebundle
where mybundle.sparsebundle is the path to and name of the bundle.

Encrypted sparse bundles work fine across both Catalina and Mojave, and perhaps with High Sierra too. They’re nowhere near as secure as whole disk encryption, but if you want to protect just a few items on a volume which would have to be encrypted in software, they may well prove ideal. They are a little fiddly to set up; for instance, if you leave their size set at the default, they can be infuriatingly obtuse.

25Comments

Add yours

1

Craig Maynard on November 22, 2019 at 10:13 am

In macOS 10.14.6, I had a problem compacting the sparse bundle:

~ $ hdiutil compact Protected.sparsebundle
Enter password to access “Protected.sparsebundle”:
hdiutil: compact failed – Function not implemented

LikeLiked by 1 person
- 2
  
  hoakley on November 22, 2019 at 12:16 pm
  
  Thank you. I will check this out in both 10.14 and 10.15 as soon as I can and correct the above as necessary.
  Howard.
  
  LikeLike
- 3
  
  hoakley on November 22, 2019 at 10:15 pm
  
  Thank you. I have now been able to check this on 10.14.6 and 10.15.1, and my sparse bundle compacted fine on both. So I’m not sure how you’re getting this error, I’m afraid.
  Howard.
  
  LikeLike
4

Sebastian on November 22, 2019 at 10:53 am

Do you remember it referring to both whole-disk and individual file and folder encryption? … Has Apple not yet got round to implementing this?

Indeed, it has not. The above feature of disk images and sparse bundles has been there for a very long time (I’ve been using it for about 10 years now, don’t know exactly when it was first introduced). It has nothing to do with APFS. Also, it is not actually encryption of arbitrary files or folders; it is encryption of a disk images/sparse bundles. You can put individual files or folders into those, but that’s a different thing. The purported ability of APFS itself to separately encrypt the individual contents of a volume is still missing.

That said, using disk images this way has one cool feature that gets it at least somewhat closer to resembling actual individual-file encryption. If you had a document from an encrypted image open but both the document and the image are closed now, the document will still be visible under your Recent Items (in the Apple menu, in the associated application’s menu and on that application’s Dock Icon, via a right-click). Trying to open the document from those places will not yield an error but present the password dialog for the underlying disk image. So apart from having to remember to close the image again after closing the file, that gets you pretty close to the document behaving as if it were individually encrypted. (Unfortunately, this does not work with aliases — which is unfortunate since then you wouldn’t be out of luck if the document had expired out of the recent items and could just store an alias to whatever “encrypted” file you regularly need access to, without having to locate and open the respective disk image first.)

On the other hand, that this is not actual file-system level encryption manifests itself in the fact that you have to choose a fixed (or at least maximum) size for your disk image when creating it, which will then be occupied even if the contents within are only a fraction of that size. Sparse bundles somewhat soften that impact since they grow only when files are actually added to them, but they too are bound by their initially designated maximum size, and they don’t automatically release free space again if you delete a file from the bundle. For that, you have to use the command line, as Craig Maynard has hinted at above. (And even that doesn’t always work, evidently.)

So, in a nutshell, that promised encryption capability would still be very helpful but is, by all appearances, still missing from APFS.

LikeLiked by 1 person
- 5
  
  Sebastian on November 22, 2019 at 11:05 am
  
  PS: Sorry, somehow overlooked the second-to-last paragraph. (Not that it changes much.)
  
  Also, the blockquote HTML tag seems to produce a quotation appearance that is somewhat out of proportion for the comments. Is there another tag I can use? Or should I just fall back to using simple quotation marks?
  
  LikeLiked by 1 person
  - 6
    
    hoakley on November 22, 2019 at 12:18 pm
    
    Thank you.
    I’m afraid that the blockquote style comes as part of the overall layout, and not something that I can change.
    Personally, given that the whole text is only a short scroll above, I’ve never been a fan of blockquotes in comments unless the article is a very long way above. Some comments made here consist of long quotes, followed by just a few words! I think that normal prose conventions on quotes are far better, and clearer.
    Howard.
    
    LikeLike
    - 7
      
      Sebastian on November 22, 2019 at 12:24 pm
      
      Yep, prose it is. I just thought I saw a much more compact quotation style here some time ago and was trying to replicate that, but I must have been mistaken.
      
      LikeLiked by 1 person
- 8
  
  hoakley on November 22, 2019 at 12:27 pm
  
  Thank you.
  Of course FileVault2 existed well before APFS as well, but that doesn’t stop it from being a feature of the new file system. Given its lamentable state of (un)documentation, it’s impossible to see there whether for APFS disk images and sparse bundles this encryption is implemented at the file system level, or somewhere else. So I’d be interest for any reference you might have which establishes whether this is file system or elsewhere, please.
  There are good reasons in APFS (and HFS+) for implementing file and volume encryption in a way that includes a local file system: extended attributes. As those are stored in the file system metadata, it’s not really possible to encrypt a whole file or a folder without including those metadata, which may well be why Apple has long preferred the system we now have. So I’m not sure whether any more direct encryption scheme would actually be worth using.
  That said, I think that my intro established that this is all small print in terms of the user’s needs: encrypted disks are increasingly common, but there are also many users who don’t want or need the penalties that they bring. These are very workable methods of protecting limited amounts of data.
  Howard.
  
  LikeLike
  - 9
    
    Jean-Daniel on November 24, 2019 at 6:31 am
    
    “it’s impossible to see there whether for APFS disk images and sparse bundles this encryption is implemented at the file system level, or somewhere else.”
    
    Isn’t “diskutil apfs list” supposed to tell you if the mounted image uses an encrypted APFS file system or not ?
    
    LikeLiked by 1 person
    - 10
      
      Sebastian on November 24, 2019 at 10:10 am
      
      Yes, and I just tested with three APFS disk images – one unencrypted, one encrypted with a 128-bit key and one with a 256-key – and all three show as “FileVault: No” with diskutil apfs list. Also, the Finder in its Get Info windows reports each volume’s “Format” as just “APFS”, while my encrypted APFS system volume shows as “APFS (Encrypted)”. This seems to be evidence APFS disk image encryption uses the same implementation as HFS+ disk image encryption, and not APFS’s native encryption capability.
      
      Also, it does seem rather telling that the creation dialog for all these disk images is exactly identical, including the choice between 128-bit and 256-bit key encryption. The file system can be chosen before or after encryption is selected and a password chosen, which strongly suggests encryption here is a feature of the disk image itself, not of the file system that is used to create useable volumes in it.
      
      Caveat: I tested this on 10.13.6. Maybe 10.14 or 10.15 are different. But Howard’s screenshot from the article above does look exactly like the interface I see in High Sierra.
      
      LikeLiked by 1 person
  - 11
    
    Sebastian on November 24, 2019 at 11:00 am
    
    Interestingly, if I mount an APFS disk image (encrypted or otherwise), I can use Disk Utility to erase the contained APFS volume (which is not encrypted) and replace it with an encrypted one. When Disk Utility is done, the new/erased volume does show as “Format: APFS (Encrypted)” in Finder. However, independently of whether the disk image itself is encrypted or not, if I eject the disk image and try to mount it again, I get an error saying “no mountable file system”. This does not happen when I choose unencrypted APFS or HFS+ while erasing. So apparently – at least as of 10.13.6 – there are bugs preventing disk images containing encrypted APFS volumes from even being mounted, although generally it is apparently quite possible to use encrypted APFS within unencrypted disk images. (If – apart from the mounting problem – that might bring some practical advantage over the encrypted disk images with unencrypted APFS volumes that Disk Utility produces, I do not know… Neither do I know whether Apple neglected to implement disk images with encryption via the APFS filesystem for lack of practical advantage or whether they just couldn’t be bothered to put in the work…)
    
    LikeLiked by 1 person
12

Sebastian on November 22, 2019 at 1:14 pm

“These are very workable methods of protecting limited amounts of data.”

Indeed they are. As I said, I’ve been using them myself for close to a decade.

I have no evidence one way or the other if encryption of APFS disk images is implemented via APFS’s intrinsic encryption capability. It may well be. (It’d better be! After all, a disk image is itself just another type of volume.) But there is an important difference between “being a feature of the new file system” and “being a new feature”. A general capability to encrypt individual files and folders was what Apple claimed for APFS. That would be a new feature. But that feature does not exist as of now. What exists is a feature that has already been there for half an eternity, possibly based on a newer (and possibly better) implementation. But from the user’s point of view, it still works in exactly the same way as it always did. It’s still cumbersome to set up and not exactly straightforward to use and maintain either. It might be faster now than it was for HFS+ disk images (don’t know, didn’t test), but for the typical use case of small files like PDFs, spreadsheets, or similar documents, I doubt the difference is noticeable in actual use — most of the time you will spend much more time typing in the encryption password than waiting for some file on the disk image to be written to or read from. A different case might be backing up to an encrypted disk image (which Carbon Copy Cloner supports, mainly for backups to networked volumes); that used to incur a hefty speed penalty versus unencrypted disk images, and it might be faster now, but again, I didn’t test and don’t know.

Anyway, my point is that what you’re describing is a feature of HFS+ volumes just as much as it is a feature of APFS volumes. That doesn’t make it more or less useful with either file system, it just makes it not new for APFS. 😉

As for extended attributes, I’m not knowledgeable enough to say if that is indeed the reason Apple is not offering more. But then it shouldn’t have promised more. 😉 Again, from the user’s point of view, being able to encrypt individual files and folders directly in the Finder would entail a significant usability improvement for certain use cases (not only through removal of the usability hurdles described above, but also through making this capability easily accessible right where users expect to actually deal with their files). If that’s not possible, so be it, but then everything is basically just as it was with HFS+.

Then again, Apple is employing siginficant file system gymnastics for Catalina’s read-only System volume so that it appears as still just one volume in the Finder. They’re making that work such that the user gets the best of both worlds (protected system, seamless accessibility in the Finder). I’d find it hard to believe they couldn’t do something similar with single-file encryption — that there is no possible solution for that which incorporated extended attributes. The question is much more likely to be whether they find it important enough to devote much work to it.

LikeLiked by 1 person
13

Finish of Decade Musings: How Expertise Has Robbed and Twisted Us - Techi Blog on November 23, 2019 at 1:57 am

[…] Firm has printed as good tutorial on how (and why) to create encrypted sparse bundles in APFS. “ encrypt recordsdata and folders in APFS.” Bookmark this […]

LikeLike
14

End of Decade Musings: How Technology Has Robbed and Twisted Us – NoobZone on November 23, 2019 at 2:26 am

[…] Firm has revealed as good tutorial on how (and why) to create encrypted sparse bundles in APFS. “How to encrypt files and folders in APFS.” Bookmark this […]

LikeLike
15

End of Decade Musings: How Technology Has Robbed and Twisted Us - Sparkblog on November 23, 2019 at 2:30 am

[…] has published as nice tutorial on how (and why) to create encrypted sparse bundles in APFS. “How to encrypt files and folders in APFS.” Bookmark this […]

LikeLike
16

End of Decade Musings: How Technology Has Robbed and Twisted Us – Warta Saya on November 23, 2019 at 2:31 am

[…] Firm has revealed as good tutorial on how (and why) to create encrypted sparse bundles in APFS. “How to encrypt files and folders in APFS.” Bookmark this […]

LikeLike
17

Recent Links (weekly) | Symesposium on November 24, 2019 at 7:33 am

[…] How to encrypt files and folders in APFS – The Eclectic Light Company […]

LikeLike
18

pleticha on March 26, 2020 at 7:48 pm

“You may then notice an old bug which was first reported in Mojave: the progress circles next to copied files persist in an incomplete state even though the copies have been made successfully.”
this appears resolved at least in 10.15.4 progress circles complete

LikeLiked by 1 person
- 19
  
  hoakley on March 26, 2020 at 8:02 pm
  
  Thank you – yes, this bug was fixed some time ago, although I have once caught it recurring, which may just have been one of those funny Finder moments.
  Howard.
  
  LikeLike
20

Valdo on May 29, 2020 at 8:58 am

How to open such folder in iOS/iPadOS? Seems that no app/extension available?!

LikeLiked by 1 person
- 21
  
  hoakley on May 29, 2020 at 9:10 am
  
  As far as I know, without jailbreaking the device, you can’t mount any disk image in either iOS or iPadOS.
  Howard.
  
  LikeLike
22

Valdo on May 29, 2020 at 10:17 am

Thank you Howard, I was afraid of that!

Is there any other solution to encrypt some private files placed in iCloud with own key and to have access to them from Mac AND from iPhone/iPad?

I tried GPG Tools, its working fine on Mac and has the advantage that it is possible to encrypt just the text within a file (this works also in Apple Notes) and is not necessary to encrypt the whole file, but again, no counterpart on iOS devices….

LikeLiked by 1 person
- 23
  
  hoakley on May 29, 2020 at 12:31 pm
  
  I’ve just tried this out using encrypted Zip archives, which works but isn’t too convenient in iOS. I tried using WinZip on iOS, but iZip Pro (which I bought by mistake!) seemed easier to use, and coped with the encryption just fine.
  I’ve put a tweet out to see if anyone has a better suggestion, and will get back if and when someone does.
  Howard.
  
  LikeLike
- 24
  
  hoakley on May 29, 2020 at 1:19 pm
  
  OK: if you are happy keeping the documents in iCloud, then you can use either Cryptomator or Boxcryptor, which store files in their ‘vaults’ in iCloud and other services. Cryptomator is probably the better and cheaper of the two, as the Mac app is free and you’d only pay for the iOS app. However, there doesn’t seem to be any (easy) way for either of them to store their vaults locally, they’re cloud only, unless (perhaps) you pay for a Boxcryptor account.
  Otherwise encrypted Zip seems the best answer.
  Howard.
  
  LikeLike
25

Valdo on May 29, 2020 at 3:05 pm

Thanks Howard,
I’m talking about iCloud because it’s so nice integrated in Files and Finder.

I read about Cryptomator but this needs Fuse and so it is very clumsy on Mac.
The Boxcryptor requests sign up with password…
The issue with zippers is that those create unzipped (and uncrypted) files.
When those files are deleted they stays for 30 days on icloud.com
There are some other options but as these are subscription based, are out of my reach.
Actually the PGP Tools is the most handy way to go (on Mac) as through Services you can encrypt even a part of the text in a file.

LikeLiked by 1 person