How To + Recommended

How to Encrypt and Password Protect Files on Your Mac

Posted on November 3rd, 2016 by

How to Encrypt Files on Mac

Using encryption and password protection where you can is typically a good idea, and macOS provides you with a number of ways to implement it. Best of all, no additional software is required to encrypt files on your Mac, it's all built-in to the operating system that we know and love.

Due in large part to the amount of images in this article, I have implemented a "click to expand" option for step-by-step instructions on using various encryption and password protection features on your Mac. This way, if you already know how to do something you can just continue reading; but if you need help, all the details are there for you.

I have split the contents up into five categories:

  1. Encrypt System Data
  2. Encrypt External Drives
  3. Encrypt Documents and Files
  4. Encrypt Backups
  5. Encrypt Distributed Files

Encrypt System Data

Securing the Mac itself is the best way to prevent unauthorized access to your data.

Using FileVault to Encrypt Your Startup Drive

Using FileVault you can encrypt the contents of your entire startup drive. It is important to use a strong password to secure your user account. A simple password ("1234," or "password1," etc.) is easy to guess and will allow anyone to log in, thus bypassing the FileVault protection.

To enable FileVault, click here and follow these steps:

  1. From the Apple menu, select System Preferences.
  2. Go to the Security & Privacy pane.
  3. Select the FileVault tab.
  4. Click the lock to make changes and click the "Turn On FileVault..." button.
    sierra-filevault-1
    You will be asked to choose a preferred method to unlock your disk if you ever lose your account password.
    sierra-filevault-2
    The iCloud option will simply use your iCloud account details (no Internet connection required, these details are securely stored on your Mac). The recovery key option will present you with a 24 character string you will need to save. I prefer the recovery key method, but of course, the choice is yours. If you select the iCloud option, you will be prompted to restart your Mac and the encryption process will begin. However, if you select recovery key an additional window will show with that key.
    sierra-filevault-3
  5. As the warning states, store this key in a safe place. Then click Continue.
    sierra-filevault-4
  6. Restart your Mac and the encryption process will begin. You can use your Mac as you always would. You may notice a slight performance drop until the encryption process is completed. To see the status, just navigate back to System Preferences > Security & Privacy > FileVault and you'll see a progress bar and time estimate. It is recommended that you not put your Mac to sleep or power it off until the process has completed.

Activating a Screensaver Password

FileVault protects your data at rest, meaning if the Mac is off, sleeping or you are logged out, a password is required to get access. Once you are logged in the data is accessible to you or anyone else that can sit at your Mac while you're not looking. To prevent this, a sleep and screensaver password must be used. I will also show you how you can quickly activate your screensaver without a single click.

To enable the sleep and screensaver password, click here and follow these steps:

  1. From the Apple menu, select System Preferences.
  2. Go to the Security & Privacy pane.
  3. Select the General tab.
    sierra-screensaver-password-1
  4. Click the lock to make changes and check the "Require password — after sleep or screen saver begins" box. The dropdown menu offers you options as to how fast the password protection should kick in.
    sierra-screensaver-password-2
  5. Additionally, you can set a hot corner that will activate your screen saver when your mouse pointer reaches a specified corner of your display. To do this, go back one step in System Preferences and select Desktop & Screen Saver. At the bottom of that window you'll find the "Hot Corners..." button.
    sierra-hot-corner-1
    Once clicked, you can set an action for each of your display's corners — just make one of them "Start Screen Saver." Now all you have to do is throw your mouse pointer in the specified corner and the screensaver will kick in immediately. If you need to get away from your Mac in a hurry, this is a very fast way to secure it (depending on how much time you set in the previously mentioned dropdown menu).
    sierra-hot-corner-2

Setting a Firmware Password

To prevent unauthorized users from booting your Mac off another startup drive or the recovery partition, a firmware password can be set. Once set, when you start your Mac from your normal startup disk, you see the normal login window where you enter your user account password. If you try to start up from another drive, or from OS X Recovery, your Mac pauses startup and displays a lock icon with a password field instead.

To set a firmware password, click here and follow these steps:

  1. Restart your Mac and hold down Command+R as soon as the screen turns black.
    Your Mac will now boot from recovery. This may take longer than usual but just keep holding down the keys until you see a progress bar.
  2. Once booted, you should see the Utilities window.
    sierra-firmware-password-1
  3. Select "Utilities" from the menu bar and then click "Firmware Password Utility."
    sierra-firmware-password-2
  4. When the Firmware Password Utility opens, there's really only one option and that is to turn it on.
    sierra-firmware-password-3
  5. Enter a password and click "Set Password."
    sierra-firmware-password-4
  6. That's all there is to it. Do not forget this password. Now quit the Utility and restart your Mac.
    sierra-firmware-password-5
    Next time you, or someone else, attempts to boot the Mac from another startup disk, the following screen will show:sierra-firmware-password-6

Encrypt External Drives

FileVault takes care of your startup drive, but what if you have other drives? Multiple internal drives, partitions on a single drive, external drives or thumb drives are not protected by FileVault, so if you want to encrypt those you have to manually do it.

Encrypting Drives and Partitions (Option 1)

You can encrypt partitions*, internal drives*, external drives* or partitions on an external drive* (*as long as it is not your startup disk, FileVault has to handle that one). If any of these are exiting volumes with data on it, the way to encrypt them without losing data is pretty straightforward.

To encrypt a drive or partition using the Finder, click here and follow these steps:

  1. Anything can happen from a sudden drive failure to a power outage so always make sure you have a current backup.
  2. Right-click on the drive icon on your desktop.
  3. Select "Encrypt [DriveName]." (In this case, I used my Photos drive as an example.)
    sierra-encrypt-partition-or-drive-1
  4. Set a strong password and a password hint. The password hint is required, so you cannot leave it blank. If you think you need a hint, set one that only makes sense to you. As you will need to enter the password after every restart or every time you connect the drive, chances of forgetting that password are slim so a hint may not be needed. If you don't think you'll forget the password, set a hint that makes no sense at all and will only confuse an unauthorized person.
    sierra-encrypt-partition-or-drive-2
  5. Click "Encrypt Disk" and let it work for you in the background. You can check the status by right-clicking on the drive icon again, it will either say "Encrypting" or "Decrypt."

Encrypting Drives and Partitions (Option 2)

You can also encrypt drives or partitions through Disk Utility, but it will require you to erase them in the process. For new or empty hard drives or drives that still ned to be partitioned, Disk Utility is a good option since you're likely already using it anyway to handle the partitioning.

To encrypt a drive or partition using Disk Utility, click here and follow these steps:

  1. Open Disk Utility. This can be found through Spotlight or in your Applications > Utilities folder.
  2. Select the drive or partition you want to encrypt. (In this example an external hard drive is used. This is a good time to make sure no important data is at risk. Click the "Erase" button.)
    sierra-encrypt-partition-or-drive-3
  3. Name the drive and click on the dropdown menu "Format." Select the option as shown in the image below "Mac OS Extended (Journaled, Encrypted)."
    sierra-encrypt-partition-or-drive-5
  4. Set a strong password and a hint if you need one. Click "Choose" when done and the drive or partition will be erased and encrypted.
    sierra-encrypt-partition-or-drive-6

You can verify the encryption is in place by clicking that same drive again in Disk Utility. It will now show the encryption as shown in the image below.
sierra-encrypt-partition-or-drive-7
Going forward, every time you restart your Mac or mount the drive, the following window will appear:

sierra-encrypt-partition-or-drive-8
I do not recommend saving the password in your keychain as it will defeat the purpose of encrypting it in most scenarios.

Encrypting Disk Images

You can create encrypted disk images as well. Look at these as folders with their own encryption. Even if the hard drive the data is on is already encrypted, some want an additional layer of security for certain files or folders.

To create an encrypted disk image using Disk Utility, click here and follow these steps:

  1. Open Disk Utility.
  2. From the File menu, select "New Image." (This example will use "Blank Image...")
    sierra-disk-image-1
  3. The following window will open:
    sierra-disk-image-2
    Depending on your needs, this can be set up in different ways. I'll stick with the scenario that fits the most common uses.
  4. There is a specific order in which this has to be configured:
    sierra-disk-image-3

    1. The Save As file name is what will show up in the save location (2)
    2. Depending on the size of the disk image, select a save location with enough space
    3. The Name is what will show on your Desktop once the disk image is opened
    4. For Image Format, select "sparse disk image." There is a reason for this, which I will get to in a moment.
    5. Select the maximum size the disk image will become. Right now you may only have 300 MB of files to store in the disk image but how much data do you think the disk image will hold a year or two years from now? Don't worry too much about this, if it turns out the disk image is too small you can always create a new one and just copy the data over. In my example, I set it to 10 GB.
    6. Here you set the encryption level. There are two encryption options.
      sierra-disk-image-4
      If your hard drive is already encrypted or if you'll be working on large files stored on the disk image, I recommend using 128-bit encryption. If the files are incredibly important/secret and you want the best encryption you can get, select 256-bit encryption. Do keep in mind that copying large files or a large number of files simultaneously to/from the disk image will be slower. Working on files directly off the disk image may not be possible due to the speed limitation. Click "Save" when everything is set up and the disk image will be created.
  5. Select the disk image you just created and press Command+i or right click on it and select "Get Info."
    sierra-disk-image-5
    The reason I recommend using the "sparse disk image" now becomes clear. I set the disk image to be 10 GB, but it's not even 50 MB on my drive. This is because the Sparse Disk Image format grows in size only if needed and will top out at the preset 10 GB, so it will use a fraction of the size you set at first and it may take you years to get to the preset size. If you find you need a bigger disk image down the road, just create a new one and copy the data over.If you want to encrypt an already existing folder, go back to step 2 and select "Image From Folder." Otherwise, move to step 6.
    sierra-disk-image-6
  6. Select the folder you want to encrypt, set a name, encryption strength and image format (read/write if you want to make changes to the contents later on).
    sierra-disk-image-7
    Keep in mind that the created disk image will not be able to store more files than what's already there. This makes the "Image From Folder" method a good one for long term storage of files you're done with. If you need to frequently access the contents or add to it, a sparse disk image is a better way to go.

Encrypt Documents and Files

Data has to leave your Mac, and for any number of reasons. It's safe on your Mac, but what if you need to email or message a document or file to someone? There are several ways to password protect your documents and files, most of them with the same end result. I will cover said ways so you can decide which one suits your needs or workflow best.

Password Protecting through the Preview App

The Preview app is incredibly versatile and often underestimated. One of the things it can do for you is encrypt files. In this example I'll use an image of my cats, but it's more likely your image will contain some kind of sensitive information.

To password protect a file using Preview, click here and follow these steps:

  1. Open the image in Preview.
  2. From the File menu, select "Export as PDF..."
    export-as-pdf
  3. In the window that drops down, rename your file extension to .pdf and click the "Show Details" button at the bottom.
  4. You'll see an option to  enable encryption and set a password.
  5. Once a password is set and the file is saved, when you open the pdf it will prompt for a password.

The above steps will work for any image or document that Preview can open.

Password Protecting an Existing PDF

You may already have a PDF that you would now like to add a password protection to. This can also be done using the Preview app.

To password protect an existing PDF file using Preview, click here and follow these steps:

  1. Open the PDF in Preview.
  2. Click the "File" menu and now hold down your Command key. The "Duplicate" option will change in to "Save As," click that.
    sierra-password-protect-existing-pdf-1
  3. Give the file a name (or keep the same name) and click the "Encrypt" box.
    sierra-password-protect-existing-pdf-2
  4. Enter a password and save the file. You can now delete the original.

Instead of using "Save As," you can also use the "Export as PDF" option from the File menu, mentioned before. The encrypt setting will show once the "Show Details" button is clicked. The end result will be the same.

Password Protecting through Print Options

This works for almost any file, image or document, and from most applications that support the macOS print options. It can be an image through the Preview app, a website through Safari or a TextEdit document. Keep in mind that this method will always result in a PDF file so you lose the ability to edit. It is, however, ideal for quickly protecting a file if it has to be sent to someone.

To password protect a file using Print Options, click here and follow these steps:

  1. From the File menu in the application you are using (you can test this right now using your browser), select "Print."
  2. Ignore the settings that are displayed in the print window and click the "PDF" button in the bottom left of the window. Select "Save as PDF" from the menu that pops up.
    sierra-print-as-pdf-1
  3. The window that opens may look somewhat familiar at this point. Click the "Security Options" button.
    sierra-print-as-pdf-2
  4. A password window will appear with more options than we've come across before. You can set a password that's required to open the file, but you can also limit someone's ability to copy and print (must be a different password than the main password). Click OK, and then save the file.
    sierra-print-as-pdf-3

As you can see there are several routes here to the same destination. Your needs may vary slightly, so pick what works for you in that moment.

Password Protecting iWork documents (pages, numbers, keynote)

If you are creating a new document in Pages, Numbers or Keynote (we're sticking with the free, built-in apps here) there is no need to save your document as a PDF; open it in Preview and password protect it from there. You can password protect the actual document and keep it as an editable file.

To password protect your Pages, Numbers or Keynote document, click here and follow these steps:

  1. With your document open (in any of the iWork applications), go to the File menu. One of the last options will be "Set Password."
    sierra-iwork-password-protection-1
  2. Set a password and you're done, it's that simple!
    sierra-iwork-password-protection-2
  3. Another way to password protect your iWork file is by using the "Share" menu. Select "Send a Copy" and choose any service that list displays.
    sierra-iwork-password-protection-3
  4. A window will open that, amongst other things, will let you set a password.
    sierra-iwork-password-protection-4
    You can also select a file type. These options differ slightly depending on the application you're using but most of them will offer a password protection option.

Creating a Password Protected .zip Archive

If, for whatever reason, you cannot password protect the file itself, then the file needs to be compatible with another operating system or any of several scenarios; wrapping the file, files or a whole folder in a .zip archive can come in handy. Any file, whether it's an image, document or video, can be archived. Size is not an issue either but will depend on what you're doing with the archive once it's created. If you're sending it through email, you may be limited to 20MB (unless you use iCloud's Mail Drop or a mail host that's not stuck in 1995).

Creating a password protected archive is convenient if you need to send a handful of files quickly, securely and if it needs to be compatible. So if you're sending this to a Windows user, he or she can open it. If you plan on creating large archives for storage or to transport on a flash drive, I recommend using the above mentioned encrypted disk image instead. Creating a password protected zip is unfortunately not as easy as the above mentioned methods, it will require the use of the command line.

To create a password protected .zip archive, click here and follow these steps:

Archiving a Single File

  1. Open the Terminal app which can be found in your Applications folder inside the Utilities folder, or through a Spotlight search.
    When the Terminal opens you will see a default string of text like this:

    Mac-Pro:~ jay$

    This is your Mac's name, directory location and your account username. It will be there before every command you enter.

  2. In this example I have a file on my desktop "Kitties.JPG" that I want to put in a password protected .zip file. So in Terminal I'd type the following:
    zip -ej 
  3. "zip -ej " (including the space at the end) will tell the Terminal you want to create a zip archive (zip) with encryption (e) and no file paths included (j). Now you have to tell it where to save the zip file and what name it must get. Easiest here is to just use your desktop which can be entered as "~/Desktop". When done, it should look something like this (add a space after the file extension):
    zip -ej ~/Desktop/file.zip 
  4. Now Terminal needs to know what file has to end up being archived. The simplest way to do this is to drag the file you want to encrypt into the Terminal window. The result should look something like this:
    zip -ej ~/Desktop/file.zip ~/Desktop/Kitties.JPG
  5. Now hit enter and Terminal will prompt you for a password. This will be the password required to open the .zip file. Terminal will not show any cursor movements while you are typing the password. Hit enter and you will be asked to verify the password by typing it again. Hit enter a third time and Terminal will create the zip archive. For my example, when Terminal was done, I saw this:
    Mac-Pro:~ jay$ zip -ej ~/Desktop/file.zip ~/Desktop/Kitties.JPG
    Enter password:
    Verify password:
      adding: Kitties.JPG (deflated 6%)
    Mac-Pro:~ jay$
  6. In my case this created "file.zip" on my desktop. Attempting to open it will result in a password prompt as intended.
    sierra-password-protect-zip-1

    You'll notice the Archive Utility that automatically opens when a .zip archive is clicked, reveals the name of the file within the .zip. A security flaw in my opinion so if you don't want to give away what kind of information may be contained in the file, give it a generic name before zipping it.

Archiving a Folder

  1. Open the Terminal app.
  2. In this example I have a folder on my desktop "Kitties" that I want to put in a password protected .zip file.
  3. The command to archive a folder is different and requires us to specify the location of the .zip file before we give the command. If you want to save the created archive to the desktop, type the following:
    cd desktop
    

    Your prompt will now look something like this:

    Mac-Pro:desktop jay$ 
    

    You'll notice that the "~" has been replaced by "desktop." The ~ signifies your home directory and is selected by default. We just gave the change directory (cd) command and pointed Terminal straight o the desktop. To archive a folder I have found that typing out the directory path like we did before does not always work so specifying the save directory prior to giving the zip command is far more reliable.

  4. The command to archive a folder is also slightly different:
    zip -er 
    

    As with archiving a single file, "zip" tells Terminal what kind of archive to create and the (e) in -er tells it to encrypt the file. In this case the (r) means recursive which tells Terminal to grab all the folder contents.

  5. Since we're already pointed at the desktop, specifying the saved file name does not require any path information, In my case I am saving it as "files.zip" so I end up with:
    zip -er files.zip 
  6. The folder containing all my kitty photos is also located on my desktop so all I have to add is the folder name.
    zip -er files.zip Kitties
  7. After entering and verifying the password I end up with this:
    Mac-Pro:~ jay$ zip -er Files.zip Kitties
    Enter password:
    Verify password:
      adding: Kitties/ (stored 0%)
      adding: Kitties/Even more kitties.JPG (deflated 6%)
      adding: Kitties/Insane amount of kitties.JPG (deflated 6%)
      adding: Kitties/Kitties everywhere.JPG (deflated 6%)
      adding: Kitties/Kitties take over the world.JPG (deflated 6%)
      adding: Kitties/Kitties.JPG (deflated 6%)
      adding: Kitties/More kitties.JPG (deflated 6%)
      adding: Kitties/Thats a lot of kitties.JPG (deflated 6%)
    Mac-Pro:~ jay$

Encrypt Backups

Your Mac may be set up like Fort Knox, but your backups are done on an external drive or server. If your backups are not encrypted an unauthorized user doesn't need to go through all the trouble of accessing your Mac, they can take your backups instead. Luckily, Apple makes it very easy to encrypt your Time Machine backups. There are two ways to go about this, I will cover both. In this example, I will walk through the first time setup of Time Machine.

To set up an encrypted Time Machine backup, click here and follow these steps:

How to Back up to an External Drive or External Drive Partition

  1. Using the Time Machine menu bar icon or the System Preferences, open the Time Machine preferences; click the lock to make changes if needed, and then click "Select Backup Disk."
    sierra-encrypted-time-machine-backups-1
  2. Select an external hard drive or external hard drive partition to use as a backup destination. Make sure to click the "Encrypt backups" box.
    sierra-encrypted-time-machine-backups-2
  3. Set a strong password and a hint. (Choosing a password hint is mandatory.)
    sierra-encrypted-time-machine-backups-3
    Once the "Encrypt Disk" button is clicked, Time Machine will start the encryption process. A progress bar will be shown as the drive or partition is prepared, then the backup will start while the encryption runs in the background. The encryption is done live just like FileVault does so any existing files will remain in place and be encrypted as well.
    sierra-encrypted-time-machine-backups-4
  4. The backup data will be stored in a "backup.backupdb" folder that you can open and browse just like it would on an unencrypted drive. It correctly assumes that since the drive or partition itself is encrypted there is no need to wrap the backups in an encrypted disk image.

How to Back up to a Server or Time Capsule

The process for backing up to a server or Time Capsule is mostly the same as backing up to an external drive or external drive partition. Follow these steps to backup data to a server or Time Capsule:

  1. Start in the Time Machine preferences and select your server or Time Capsule backup destination, then click "Use Disk."
  2. You will be presented with a name & password request (for server shares) or a password only request (Time Capsule).
  3. Once authenticated you will be prompted to set a password to encrypt the backup with. In this case no hint is required.
    sierra-encrypted-time-machine-backups-7
  4. That's it. Your backup will start momentarily. Because the backup is stored on a network volume it is not stored as a "backup.backupdb" folder but an encrypted Sparse Bundle Image instead.
    sierra-encrypted-time-machine-backups-8

Encrypt Distributed Files

iMessage Encryption

If you need to send a file to someone, see if they use iMessage. iMessage uses end-to-end encryption, so only you and the recipient can see the file, not even Apple can see it. iMessage can handle pretty large files too so sending a disk image or large .zip archive should not be a problem.

AirDrop Encryption

For sharing files between two or more Macs that occupy the same space (office, Starbucks, etc.), AirDrop is a great solution. As long as your Mac is within 30 feet of another Mac, you can use AirDrop to wirelessly send files. No existing Wi-Fi network required, so this will work even in the middle of a park. The sender and recipient Mac create a network between them which is encrypted and secured by firewall, so it's a secure connection even if other Macs are within range and have AirDrop enabled.

There you have it, all the built-in ways macOS lets you use encryption and password protection without spending a dime!

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. He conducts independent malware protection tests, and also writes about privacy and security related matters on his blog Security Spread. Follow him on Twitter at @SecuritySpread. View all posts by Jay Vrijenhoek →
  • Righteous Isthelord

    Do you know how many people post this information, yet fail to give clear instructions? It is truly amazing how clueless some people are – all that work for useless information that ends up confusing and frustrating people. You are not this at all. You are outstanding! While I am somewhat skilled with the terminal and computers in general, your instructions could be followed by my mom (no offence to mom, but she is not a tech head). Thank you! Thank you for taking to the time, and having the skills, to create useful and usable online content!!!!

  • Rio Jennison

    Fantastic post! Many invaluble things explained extremely clearly. Thank you!

Sign up For Our Newsletter

Get the latest Mac security news direct to your inbox.

{"url":"\/marketo\/json\/add-to-newsletter","data":"list_name=Blog Roadblock"}