Encrypting files keeps sensitive data like personal details, finances, and passwords safe from attackers by making them unreadable to unauthorized users. Encryption also safeguards data in case of device loss or theft, preventing malicious actors from accessing or misusing the information even if the drive is removed.
Encrypting and securing sensitive files on macOS can be done using built-in tools.
Using FileVault for full disk encryption on macOS
FileVault is Apple’s built-in full-disk encryption (FDE) feature. It protects your data by encrypting the entire startup disk with XTS-AES-128 encryption and a 256-bit key. Enabling FileVault adds an extra layer of security by requiring your login password to decrypt and access your data. If your Mac has Apple silicon or an Apple T2 Security Chip, your data is automatically encrypted. Otherwise, you must enable encryption manually.
How to enable FileVault on macOS
1. Open System Settings:
- Click the Apple menu in the top-left corner.
- Select System Settings.
- Go to Privacy & Security → FileVault.
2. Turn on FileVault:
- Click Turn On FileVault.
- You’ll be prompted to choose how to unlock your disk if you forget your password:
  - Use your iCloud account (Recommended for easy recovery).
  - Create a recovery key (Write this down and store it safely).
3. Restart your Mac:
- After enabling FileVault, your Mac will begin encrypting your disk in the background.
- Depending on the amount of data, this process may take several hours.
- You can continue using your Mac while encryption is in progress.
How to check FileVault status
To verify if FileVault is enabled, open System Settings → Privacy & Security → FileVault. It will show whether encryption is on or off.
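The same check can be scripted from Terminal with macOS's `fdesetup status` command. The script below is an added example, not part of the original article: it treats a disk that is still encrypting in the background (step 3 above) as not yet protected. The function names and the sample status strings are constructed for illustration and modelled on typical `fdesetup` output.

```shell
#!/bin/sh
# Added example: classify FileVault state from `fdesetup status` text.

# Map status text to one word: on | encrypting | decrypting | off | unknown.
# Progress lines are checked first because "FileVault is On." can also be
# printed while the background encryption pass is still running.
classify_filevault() {
    case "$1" in
        *"Encryption in progress"*) echo encrypting ;;
        *"Decryption in progress"*) echo decrypting ;;
        *"FileVault is On"*)        echo on ;;
        *"FileVault is Off"*)       echo off ;;
        *)                          echo unknown ;;
    esac
}

# Compliance gate: succeed only when the disk is fully encrypted.
filevault_compliant() {
    [ "$(classify_filevault "$1")" = "on" ]
}

# Constructed sample outputs (assumption: modelled on what fdesetup prints).
SAMPLE_ON='FileVault is On.'
SAMPLE_BUSY='FileVault is On.
Encryption in progress: Percent completed = 42'
SAMPLE_OFF='FileVault is Off.'
SAMPLE_UNDO='FileVault is Off.
Decryption in progress: Percent completed = 10'

# On a Mac, report the live state; elsewhere fall back to a sample.
if command -v fdesetup >/dev/null 2>&1; then
    status_text=$(fdesetup status 2>&1 || true)
else
    status_text=$SAMPLE_BUSY
fi
echo "FileVault state: $(classify_filevault "$status_text")"
if filevault_compliant "$status_text"; then
    echo "OK: startup disk is fully encrypted"
else
    echo "ATTENTION: startup disk is not (yet) fully protected"
fi
```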
How to disable FileVault
If you no longer need encryption, go to System Settings → Privacy & Security → FileVault and click Turn Off FileVault. Enter your administrator password, and macOS will decrypt your disk, which may take some time.
Things to keep in mind
- Performance impact: Minimal on modern Macs (with SSDs), but may slow older Macs with HDDs.
- Password is crucial: If you forget your password and lose your recovery key, you cannot access your data.
- Not ideal for shared computers: If multiple people use the Mac, they’ll need to enter a password on startup before logging into their accounts.
Encrypting individual files and folders with Disk Utility
One of the easiest ways to encrypt sensitive files on macOS is by creating an encrypted disk image (.dmg) using Disk Utility. This method provides a password-protected, secure container where you can store sensitive files.
Steps:
1. Open Disk Utility (Command + Space → type Disk Utility).
2. Click File → New Image → Image from Folder.
3. Select the folder you want to encrypt and click Choose.
4. Under Encryption, select 128-bit AES (faster) or 256-bit AES (more secure but slower).
5. Set a password (do not forget it, as there is no recovery option!).
6. Choose Read/Write to allow adding/removing files later or Read-Only for fixed content.
7. Click Save to create the .dmg file.
macOS offers two encryption options: AES-128 is faster and provides strong security, making it ideal for quick access and moderate protection. AES-256 is more secure but slightly slower, offering better resistance against brute-force attacks. For general use, AES-128 is sufficient, but for highly sensitive data like financial records or confidential work documents, AES-256 is recommended.
To access an encrypted disk image, double-click the .dmg file and enter the password when prompted. The encrypted volume will appear in Finder as a mounted disk, allowing you to open and use files as needed. When finished, unmount the disk by dragging it to the Trash (which turns into an Eject icon) or by right-clicking the volume and selecting Eject. This ensures your files remain securely encrypted.
Tip: Always unmount the disk image when not in use, as leaving it mounted allows anyone with access to your Mac to open it without a password.
To store an encrypted disk image securely, keep backups of the .dmg file in a safe location, such as an external drive or a cloud service with end-to-end encryption. Use Time Machine for backups, but ensure FileVault is enabled for full disk encryption. Store the password in a reliable password manager to prevent loss.
When sharing an encrypted disk image, never send the .dmg file and its password in the same email or message. Use secure file transfer methods, or an encrypted USB drive. If using cloud storage, set permissions carefully and ensure the .dmg is encrypted with a strong password. Always share passwords separately through a secure channel.
Tip: For added protection, encrypt the .dmg file with PGP (GPG Suite) or compress it into a password-protected ZIP before sharing.