hoakley June 28, 2023 Macs, Technology

From party trick to file protection: sparse files have their uses

APFS may not seem the right tool for performing party tricks on your Mac, but the combination of clone and sparse files can make for some nerdy fun. This article looks at how those tricks can turn into something more useful, and secure sensitive data more efficiently.

Sparse file trick

For the basic trick, you’ll need my little app Sparsity, which creates (otherwise useless) sparse files, and a small partition/container of around 100 GB with a single APFS volume inside it. In that volume, make yourself a 10 GB sparse file, and duplicate it many times until it appears to overflow the size of the container. This works because the sparse files don’t occupy the space expected by their 10 GB size, and their clones occupy even less space on disk.

Disk image trick

Delete those, and try something a little more sophisticated. This time, create an empty 10 GB UDIF Read/Write disk image in that container using DropDMG or Disk Utility, then unmount that disk image. At this stage it still takes 10 GB of disk space. Double-click it to mount it, confirm that it’s empty, and unmount it again. Use the Finder’s Get Info to confirm that it now takes just a few MB of disk space, although its size remains nominally 10 GB. That’s because APFS has changed it into a sparse file, so all its empty space has vanished. You can now duplicate that disk image many times without losing much free space in the container, just as you did with the previous sparse file.

Encrypted disk images

multidmg1

Now let’s turn that trick into something useful, something we were promised over six years ago, when studying Apple’s initial documentation for APFS. I wrote then that APFS “has encryption designed into it from the outset. It therefore allows you to choose from several options for each volume within an APFS container. These range from no encryption at all, to multi-key encryption with different files/folders protected by different keys, even a separate key for metadata.”

Unless I have somehow missed it, we still seem to be waiting for this multi-key encryption with different files/folders protected by different keys. In the meantime, I here suggest an alternative that’s just as flexible and efficient, using disk images.

Empty that APFS volume again, and this time create an encrypted 50 GB UDIF Read/Write disk image in it, using a password you can remember, or later add to your keychain if you prefer. Perform the same unmount-mount-unmount sequence to shrink it down to a small sparse file. Then create another two of those, each with a different memorable password. You’ll now have three encrypted disk images taking next to no space in that one volume.

multidmg2

In the absence of the promised “multi-key encryption with different files/folders protected by different keys” in APFS, the only obvious option is to add an APFS encrypted volume for each collection of files you want encrypted separately. That’s clumsy in two respects:

Default behaviour at startup, or when that disk is connected, is to mount all volumes, thus prompting for each password whether or not you want that encrypted volume mounted.
Although encrypted volumes can be backed up by Time Machine, their backups won’t then be protected by separate passwords, only the password for the whole encrypted backup.

Your three encrypted disk images now behave almost like encrypted APFS volumes, except that:

you only need mount them when you want to access that particular set of encrypted files;
each can grow to the maximum size set for that disk image, provided that their total size remains within that of the container;
when each is mounted, it is trimmed, and free space eliminated from the disk space required to store the files in that image;
each can be backed up by Time Machine to unencrypted backup storage, while retaining their individual password protection;
each can be backed up using third-party utilities to unencrypted APFS or networked storage, while retaining their individual password protection.

Note that this only applies to disk images using HFS+ or APFS format internally, as other file systems won’t be trimmed on mounting.

Of course, you could also do this using encrypted sparse bundles if you prefer. To maintain their size efficiency, though, you need to periodically compact them manually, as APFS neither trims them during mounting, nor does it save them in sparse format. Now that plain disk images are stored as sparse files, as of macOS Monterey, most of the advantages of sparse bundles have been lost. Finally, it’s worth noting that at present you can’t change the password on an encrypted sparse bundle, but you can on an encrypted disk image, although Apple will hopefully get round to fixing that bug in the near future.

Summary

To protect collections of files using encryption, your first choice now should be an APFS or HFS+ format encrypted read/write disk image.
As they’re stored as sparse files, set their size to the maximum you’re likely to want, as they will grow and shrink as needed.
To compact a read/write disk image, mount and unmount it, so that its free space will be trimmed.
You can safely back up an encrypted disk image to unencrypted storage, as it will retain its individual password.
Some party tricks can be useful after all.

13Comments

Add yours

1

Ralf on June 28, 2023 at 11:25 am

There is a possibility to encrypt a volume on a server (Synology). Isn’t it better to create a sparse file on the volume and encrypt it and leave the volume unencrypted?

LikeLiked by 1 person
- 2
  
  hoakley on June 28, 2023 at 1:10 pm
  
  This is very complicated.
  Ordinarily, if you’re backing up to a Time Machine backup stored in APFS format inside a sparse bundle on your NAS, then the sparse file format should be preserved.
  However, if you copy any sparse file from your Mac to a share on a NAS, it will explode to full size, as the APFS sparse file format is specific to the APFS file system. That happens when the file is copied from the Mac, so the whole size of that file is transferred over the network.
  If you want to store sensitive files on a NAS, the best solution is probably to create an encrypted share there, and use that.
  Howard.
  
  LikeLike
  - 3
    
    Ralf on June 28, 2023 at 1:27 pm
    
    Thank you, Howard.
    That was just a thought because it works well with CarbonCopyCloner.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on June 28, 2023 at 6:31 pm
      
      Yes, the snag is that when copied to a file system other than APFS, there’s no sparse file format available, so the disk image expands to its full size. Time Machine works around that by writing into the virtual APFS inside the sparse bundle storing its backups.
      Howard.
      
      LikeLike
5

Thiago on July 6, 2023 at 10:13 pm

Thanks a lot for the amazing articles!

I have 4 external RAID 1 drives (from 4TB to 20TB) and I was really disappointed that the latest macOS do not allow HFS+ encryption anymore. Actually the last drive I bought was to merge 2 of the oldest drives, so I don’t have many drives on my table and I can retire those non-USB-C things. I am struggling to set it up to merge the old drives because encryption is crucial to me and I don’t know the best option. I don’t find many articles about large drives like mine.

That’s how I ended up on your website actually.

I am considering a few options:

1. formatting it with APFS (encryption) and using it normally — but apparently this will become really bad with time, especially when I deal with lots of code projects with small files like .git, node_modules, etc, but also large files like videos.

2. formatting it with HFS+ and using an encrypted disk image — this seems to make sense for mechanical drives, but then I ran into several dilemmas:

a) how to choose the best options for disk images? Should I use sparse bundle disk image, sparse disk image or read/write disk image? I am afraid a 20TB disk image can generate too many bundles and increase the risk of failure.

b) is it better to create one image with 20TB or try to use several smaller ones in case the disk image fails (reduce blast radius)? It can get hard to manage mounting so many disk images every time I attach the RAID.

c) if I have one big disk image formatted with APFS saved on a drive formatted as HFS+ does it mean I have the same problem of using APFS on mechanical drives as if I had formatted the drive using APFS? Or because it’s a disk image the penalty is gone?
I could create HFS+ (image) on HFS+ (drive) to be able to encrypt my data, but because APFS has normalisation (some of my files contains emojis, asian characters and latin language accents that rsync keeps showing as diff-ing on consecutive runs even though they clearly are the same files / the emojis and asian characters that show as an square on HFS+ look normal on Finder when I use APFS and rsync does recognise they are equal).

I know these are a lot of questions but I would really appreciate any advice.

Many thanks in advance!

LikeLiked by 1 person
- 6
  
  hoakley on July 7, 2023 at 7:44 am
  
  I’m afraid that whatever you do with hard disks is going to be a compromise and have weaknesses. If you’re changing files on them actively, then APFS is a bad choice, but as HFS+ lacks some of the important features of APFS, HFS+ isn’t a good choice either.
  Although I believe that disk images can work OK at very large sizes, they weren’t designed to do that. The thought of a single UDIF R/W image, or vast numbers of band files in a sparse bundle, fills me with dread as to how long they would last before failing.
  Maybe someone else here with experience of similar systems can make better suggestions. I’m afraid mine would be to move to SSD arrays and APFS encrypted, but that’s going to be very costly.
  Howard.
  
  LikeLike
  - 7
    
    Thiago on July 9, 2023 at 3:05 pm
    
    Thanks! I appreciate your opinion!
    
    LikeLiked by 1 person
8

Mike on July 12, 2023 at 10:31 pm

Great article!

If my goal is to compartmentalize ~100GB of files on an external SSD (already APFS encrypted) do I need to:

1) create a separate APFS encrypted volume first and then the empty APFS encrypted disk image?

2) what do you suggest for the disk image **partitions** and **image format** options?

Thanks for your content 🙂

LikeLiked by 1 person
- 9
  
  hoakley on July 13, 2023 at 6:12 am
  
  Thank you.
  It used to be taught that encrypting twice was bad practice, and in some circumstances could make it easier to crack the encryption. I don’t know whether that still holds, but it’s surely not necessary here.
  I’d add a plain, unencrypted APFS volume to that external SSD, and on that create a 150-200 GB read/write encrypted disk image using APFS. After that’s created, I’d unmount the disk image, then mount it again, then unmount it, and check that its on-disk space had fallen as expected for a sparse file. You can then mount it and load it up with your files ready for use.
  Howard.
  
  LikeLike
10

Mike on July 13, 2023 at 11:16 am

Thanks for your quick reply 🙂

Can you explain the reason for creating a dedicated APFS volume for the encrypted disk image? What benefit(s) does the volume provide versus creating the disk image on the existing single volume?

LikeLiked by 1 person
- 11
  
  hoakley on July 13, 2023 at 11:53 am
  
  There’s no point in storing encrypted disk images on an encrypted volume – it doesn’t add any security benefit, just overhead performing double encryption/decryption. As APFS volumes share free space and impose almost no overhead, you may as well store your encrypted disk image(s) on unencrypted APFS.
  Howard.
  
  LikeLike
12

Mike on July 13, 2023 at 2:33 pm

Go it! I understood the double encryption just wasn’t sure if the disk image(s) would not shrink if not stored on a dedicated volume.

Thanks for clarifying!

LikeLiked by 1 person
- 13
  
  hoakley on July 13, 2023 at 9:03 pm
  
  The way macOS converts these disk images to sparse files is truly magical: all you have to do is mount the image, leave it a few second, and unmount it again. That’s sufficient for all the unused space in the image to be compacted, and the file rewritten as an efficient sparse file. So long as the file system inside the disk image is APFS or HFS+, it appears simple and robust.
  Howard.
  
  LikeLike

·Comments are closed.

Sparse file trick

Disk image trick

Encrypted disk images

Summary

Share this:

Related