Some forms of encrypted storage still don’t work properly

Encrypted storage is essential for privacy and security, and on the face of it macOS offers the user several robust options, including

  • FileVault,
  • APFS (Encrypted) volumes,
  • encrypted disk images,
  • encrypted sparse bundles,
  • Apple Encrypted Archives.

No doubt you can think of a few others. But not all of these work as well as you might expect. In particular, encrypted sparse bundles suffer a serious bug that prevents you from changing their password, and Apple Encrypted Archives don’t allow use of a memorable password at all. This article looks at those.

Encrypted sparse bundles

Until Ventura 13.2.1, encrypted sparse bundles seem to have worked as advertised. Although Disk Utility has never offered an easy way to change their passwords, that could be accomplished interactively using hdiutil in Terminal. A command of the form
hdiutil chpass sparsebundle
where sparsebundle is the path to the sparse bundle, starts this process. The user is first prompted at the command line to enter the current password, then the new password twice, thus
hdiutil chpass /Users/hoakley/Documents/0test1.sparsebundle
Enter password to access "0test1.sparsebundle":
Enter a new password to secure "0test1.sparsebundle":
Re-enter new password:

By Ventura 13.3.1 this had stopped working: hdiutil still goes through the same sequence of prompts as before, but the password remains unchanged. As there’s no other means of changing a sparse bundle’s password, this severely limits the usefulness of encrypted sparse bundles. The only workaround seems to be to make the change using 13.2.1 running in a VM. Without that, no encrypted sparse bundle can now have its password changed.
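Because hdiutil gives no sign that the change has failed, the only way to know whether a given macOS release is affected is to try it on a throwaway bundle and see which password opens it afterwards. The following shell script is an added example, not code from the original article: it creates a small encrypted sparse bundle, runs hdiutil chpass non-interactively, then probes both the old and the new password. It assumes that hdiutil’s -stdinpass, -oldstdinpass and -newstdinpass options read NUL-terminated passphrases from standard input as its man page describes; the two passwords and the bundle name are constructed test values.

```shell
#!/bin/sh
# Added example (not from the original article): probes for the hdiutil chpass
# bug on a throwaway encrypted sparse bundle. Assumptions: hdiutil's -stdinpass,
# -oldstdinpass and -newstdinpass read NUL-terminated passphrases from stdin,
# and $TMPDIR (or /tmp) is writable. Both passwords are constructed test values.
set -u

OLD_PW='first-password-123'
NEW_PW='second-password-456'

# Tries to attach the image at $1 (no mount, read-only) with password $2.
# Prints "yes" if the password is accepted, "no" otherwise, and always detaches.
opens_with() {
  img=$1; pw=$2
  dev=$(printf '%s\0' "$pw" | hdiutil attach -stdinpass -nomount -readonly "$img" 2>/dev/null \
        | awk 'NR==1 {print $1}')
  if [ -n "$dev" ]; then
    hdiutil detach "$dev" >/dev/null 2>&1
    echo yes
  else
    echo no
  fi
}

# Interprets the two probe results (each "yes" or "no") and prints a verdict.
# Returns 0 if chpass worked, 1 if the bug is present (the old password still
# opens the bundle and the new one does not), 2 if the outcome is inconclusive.
classify_chpass() {
  old_opens=$1; new_opens=$2
  if [ "$new_opens" = yes ] && [ "$old_opens" = no ]; then
    echo "chpass worked: only the new password opens the bundle"
    return 0
  elif [ "$old_opens" = yes ] && [ "$new_opens" = no ]; then
    echo "BUG PRESENT: hdiutil went through the motions but the password is unchanged"
    return 1
  else
    echo "inconclusive: old=$old_opens new=$new_opens (did creation or the probe fail?)"
    return 2
  fi
}

# Builds a 100 MB encrypted APFS sparse bundle (sparse, so it costs almost no
# disk space), changes its password, probes both passwords and returns the
# status from classify_chpass. Returns 3 on a host without hdiutil (not macOS)
# so the script is safe to run anywhere; the bundle is always deleted.
check_chpass_bug() {
  command -v hdiutil >/dev/null 2>&1 || { echo "hdiutil not found: run this on macOS"; return 3; }
  work=$(mktemp -d "${TMPDIR:-/tmp}/chpass-probe.XXXXXX") || return 3
  img="$work/probe.sparsebundle"
  printf '%s\0' "$OLD_PW" | hdiutil create -stdinpass -encryption AES-256 \
      -type SPARSEBUNDLE -fs APFS -size 100m -volname chpassprobe "$img" >/dev/null \
      || { rm -rf "$work"; echo "could not create test bundle"; return 2; }
  # On affected releases this completes just like a successful change.
  printf '%s\0%s\0' "$OLD_PW" "$NEW_PW" | hdiutil chpass -oldstdinpass -newstdinpass "$img" >/dev/null 2>&1
  old_opens=$(opens_with "$img" "$OLD_PW")
  new_opens=$(opens_with "$img" "$NEW_PW")
  rm -rf "$work"
  classify_chpass "$old_opens" "$new_opens"
}

# Run the probe; $status holds 0 (fixed), 1 (bug present), 2 (inconclusive) or 3 (no hdiutil).
status=0
check_chpass_bug || status=$?
```

Run it in Terminal with sh: it prints a single verdict line, and the status code lets you use it from other scripts. Because chpass on an affected release reports nothing unusual, the verdict comes entirely from which password hdiutil attach accepts afterwards, which is the same check you should make by hand after changing the password of any bundle you actually care about.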

Fortunately, this only applies to sparse bundles, and not to disk images, and in some uses there are alternatives. For ordinary data you can create a fresh encrypted sparse bundle with the password you want and copy the contents across; if you’re using an encrypted sparse bundle on network storage, you could perhaps replace it with an unencrypted sparse bundle on an encrypted file system. Unfortunately, as you can’t remove encryption from an existing sparse bundle, none of that helps if you’re storing Time Machine backups in that encrypted sparse bundle, because there’s no way to copy APFS Time Machine backups between volumes.

Signs of a fix coming in the first release of Sonoma aren’t promising. According to those who have tested this in its beta releases, the bug currently remains unfixed there, as well as in Ventura 13.5.2. Given the impact of this on many users, it’s deeply disappointing that this still hasn’t been addressed.

Apple Encrypted Archives

Archive Utility is one of the unsung heroes of macOS, although for many it’s just a convenient way to unzip files. With the arrival of Apple Archive format, it now offers efficient compression that performs particularly well on Apple silicon Macs. Although the format is most fully accessible through the command tool aa, whose man page is its only documentation, Archive Utility also offers Apple Encrypted Archive as a supported option.

This provides a raw and unhelpful interface that makes it unattractive at present. When asked to compress an item in Apple Encrypted Archive format, the app presents what it labels a password. It isn’t actually asking for one: it’s informing the user of the randomly generated key that will be required to decrypt that archive. As that’s a long number such as
65764-61713-62440-77407-11836-81743
it’s not memorable, and either has to be stored in the keychain, or recorded elsewhere.


When stored in a keychain, that key isn’t readily identifiable, and can’t be copied or transferred to another Mac. If the archive is to be accessible on another Mac, or from a backup, the user has to store a copy of the key manually. As there’s no way to change that key, let alone substitute a password of the user’s choice, the only way for a user to retain access to the items in that encrypted archive is to keep a copy of the key with it. That surely defeats the whole purpose of encryption.

If this option is going to be exposed to the user in a GUI, Archive Utility needs to provide a better method of gaining access to its encryption key that can be protected by a more memorable and portable password. Use of Apple Encrypted Archives also needs to be properly documented.

Summary

As of Ventura 13.5.2, and probably in the first release of Sonoma, two of those five robust options for encrypting files and folders aren’t sufficiently functional for normal use. The bug in changing passwords for sparse bundles needs to be fixed, and shortcomings in passwords for Apple Encrypted Archive need to be addressed in Archive Utility.