File and folder encryption application

Thanks, reassuring. I chatted with Microsoft Support on this a couple of years ago but the person at the other end didn’t understand the question.

Other people have suggested sparse images/bundles and GNUPG.

I use both. I have encrypted sparse bundle disk images stored in Dropbox. They are accessible to all my Macs. I’ve been doing it for years and I have never had a single problem.

I am careful to not open the same disk image on two Macs at the same time. I don’t know that that would cause corruption. I just don’t want to take any chances. Also, I keep reminding myself that Dropbox is just a folder so Time Machine is backing it up as well. Worst case would be rolling back a version.

Some time back I got involved with a GitHub project and needed to start signing commits with GNUPG. While a YubiKey wasn’t essential, it seemed like as good a way as any of going about it. I followed Dr Duh’s excellent YubiKey Guide to set it up.

Although the GitHub focus was on digital signatures, it’s still GNUPG so encryption and decryption come along for the ride. You don’t get folder-level encryption with GPG, you have to zip (or tar) the folder first and then encrypt the result.

Encryption doesn’t need anything more than the command plus the availability of your public key. No password, no YubiKey, no PIN, no nothing. That means it’s really easy to automate things. I haven’t done it myself but there’s no reason why you couldn’t set up a LaunchAgent to watch a particular folder, and automatically encrypt anything added to the folder that wasn’t already encrypted.

Decryption is a different kettle of fish. To decrypt something, the physical YubiKey has to be in the USB slot and you have to know the YubiKey’s PIN to unlock it and you have to physically touch the YubiKey. If anyone steals your YubiKey and doesn’t know the PIN, they get 3 guesses and then the YubiKey is bricked until you unblock or re-provision.

The only caveat I’ll place on all of this is that I’m still a High Sierra, Mojave and Catalina person so I can’t say whether any of this works on Big Sur. I hate being constantly nagged-forward on Cupertino’s annual “what can we do this year to punish our users for their loyalty” so, mostly, I Just Say No.
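
The tar-then-encrypt step and the watch-folder idea from the post above, sketched as an added example that is not part of the original thread. The recipient address and the drop folder are placeholders, and it assumes gpg and tar are on the PATH with your own public key already in the keyring.

```shell
#!/bin/sh
# Added example, not from the thread. RECIPIENT and the folder are placeholders.
GPG="${GPG:-gpg}"                          # overridable, e.g. gpg2
RECIPIENT="${RECIPIENT:-you@example.com}"  # placeholder: your own public key

# Succeeds when $1 is plaintext that has no encrypted sibling yet.
needs_encrypt() {
    case "$1" in
        *.gpg|*.tmp) return 1 ;;           # ciphertext or an in-progress output
    esac
    [ ! -e "$1.gpg" ] && [ ! -e "$1.tar.gpg" ]
}

# Encrypt one file, or tar a folder first since gpg works on single files.
encrypt_item() {
    item=$1
    if [ -d "$item" ]; then
        out="$item.tar.gpg"
        # Note: POSIX sh reports only gpg's exit status for this pipeline.
        tar -C "$(dirname "$item")" -cf - "$(basename "$item")" |
            "$GPG" --batch --yes --encrypt --recipient "$RECIPIENT" \
                   --output "$out.tmp"
    else
        out="$item.gpg"
        "$GPG" --batch --yes --encrypt --recipient "$RECIPIENT" \
               --output "$out.tmp" "$item"
    fi || { rm -f "$out.tmp"; return 1; }
    mv "$out.tmp" "$out"                   # publish only a complete ciphertext
}

# Encrypt everything in folder $1 not yet encrypted; plaintext stays in place.
encrypt_new() {
    for item in "$1"/*; do
        [ -e "$item" ] || continue         # empty folder: glob did not match
        if needs_encrypt "$item"; then
            encrypt_item "$item" || echo "failed: $item" >&2
        fi
    done
}

# Run as: script.sh /path/to/drop-folder
if [ $# -gt 0 ]; then encrypt_new "$1"; fi
```

A LaunchAgent with a WatchPaths entry for the folder can run this script on each change. Only the public key is used here, so the run needs no PIN or YubiKey.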

I decided to create a new encrypted sparsebundle disk image and found Disk Utility did not present the interface that I remembered. Among other things, now APFS is the default; in the past I have used Mac OS Extended (Journaled). Does it matter?
As long as I’m here, please confirm that I should select GUID Partition Map. Thanks.

If you plan on opening the image on computers running macOS versions prior to 10.13 (High Sierra) or on non-Mac platforms (e.g. Windows or Linux), then you will definitely not want to use APFS. For these platforms, HFS+ (“Mac OS Extended”) will more easily transport/preserve a file’s metadata, while FAT or exFAT will be usable by non-Mac operating systems without add-on software.

An APFS image will support APFS-specific features like snapshots. But, just like with an external drive, this comes at a cost. Older versions of macOS can’t access it and it will have bad performance on hard drives.

In my case, I use HFS+ images because I travel with a pretty old Mac (a 2011 Air running macOS 10.12, Sierra), so I clearly need to use a format that it can use.


Thanks, @Shamino. At present, I do not see opening the image on non-Mac computers, so I’ll ignore FAT and exFAT. Also, I expect to open the file only on Mac computers running Mojave or Big Sur, so it sounds like APFS would be reasonable. Still, there is an outside chance I would use something older than High Sierra, so I’ll stick with Mac OS Extended for this iteration. Thanks again.

Any problem having HFS+ images in an APFS drive?

I can’t imagine why it would be. As far as the containing file system is concerned, a disk image is just a file (possibly a sparse file). And when the image is mounted, the OS should treat it like it would a separate storage device.

Not for me. I have encrypted sparse file images for my financial records for each year that are HFS+ (except for 2020 and 2021, which are APFS) going back to 2007 and they open fine on my High Sierra, Mojave, and Big Sur Macs.

The only thing that bugs me about these images is that Apple doesn’t natively support them in iPadOS. I’m not quite sure why Apple hasn’t supported opening/mounting images in iOS/iPadOS yet. (There is a great third-party app called Disk Decipher that can open these disk images. They may be read-only but that’s fine for now.)

That’s fantastic, it never even occurred to me that disk images would be accessible on i(Pad)OS!
