I have a portable drive that I have to leave with a client for a few days. it has some files |(about 106GB) that contain data about other clients and things that he shouldn’t have access to.
I have put all of those files into a folder. marked it as “No Access” in the Get Info panel, and then locked the folder. it now shows up with a padlock.
But on mounting the drive on 2 different macs, the padlock appears to mean nothing.
I can open the folder and view the files within.
I don’t think I am doing anything wrong but…….?
I can’t transfer his particular files to his machine as his internal HD is not big enough.
Please don’t tell me to tell him to get an external of his own. I’ve tried many times and it’s like talking to ……. (it’s my son-in-law).
The “Locked” checkbox makes it read-only. It does not prevent access.
If you need to restrict access, the best way is to create an encrypted disk image on the drive, mount it, and move the files into it. Then nobody will be able to access the contents without the password.
Can you buy a device for him and copy the files there? How large are his files (you only mentioned the size of other-customer data). You can get a 128 GB thumb drive for under $20. Smaller drives for even less. That’s a lot safer than giving him your own storage device, which might get damaged, lost or stolen.
If the data is less than 8 GB and if he has a DVD drive, I’d suggest burning his data to a DVD and deliver that.
I agree with @shamino that the easiest (and safest) thing to do in this case would be to get an inexpensive thumb drive and put the files there. That way there is no risk of compromising files for your other clients. That’s important! You just need to make sure it has a connector that will work with his computer, i.e., USB-A or USB-C.
If that’s not practical, you can create an encrypted disk image as described in an earlier post, or you can encrypt individual files and folders using an encryption app.
For example, Encrypto is free and has a simple drag-and-drop interface. Just drag and drop a folder or a file onto the app icon or into the app window, give it a password, and choose a location to save the encrypted result. To decrypt the resulting file, just double-click on it and enter the password.
For more options, you can use a tool like Keka, which lets you choose from a range of encryption and compression formats.
If there is enough space…just create an encrypted disk image on the drive, copy the files there…dismounted and remount the image to verify they’re there nd delete the originals…reversing the process when you get the drive back. Frankly I would not give a drive with client info on it to anybody…tell SIL to buy an external or he doesn’t get whatever he wants/needs.
I also would never give anyone a disk containing other client information in any format, especially if it’s unencrypted. Too much can go wrong - from data leakage to data loss. plain text or encrypted. Your other clients may not be comfortable with what you’re doing as well. Then there the whole issue of data confidentiality compliance (GDPR comes to mind if you’re in the EU).
Setting “No access” permissions on files will be defeated if the volume is mounted on another Mac with “ignore permissions on this volume” enabled. The file permissions you set will be ignored. The file lock setting will not - but that does allow reading the file as others have noted. And there’s nothing that would keep the other Mac from removing the lock.
This is a good explanation of how Lock and settings in Sharing and Permissions differ, at least as of the date of the article, written by a familiar name…
The Mac does have an encryption utility. It is called Archive Utility. It is a front end to Unix/Darwin commands zip, compress, aa (Apple Archive), and probably some others. You can access it through Spotlight. I used it years ago, but not prepared now to say how to use it.
To be a bit nit-picky, neither of these encrypt files per-se. They create an encrypted archive or disk image.
Both of these accomplish the desired end result of encrypting a file. But the file is being encapsulated into another blob - the original file is still in plaintext.
I’d thought I’d read that the APFS design supports encryption of individual files. This isn’t the same as the ability to encrypt a whole disk/volume. This capability would allow individual files to be encrypted in an APFS file system - and you’d have to specify a key to read/write the file otherwise the contents are gibberish. I don’t know if this capability has been implemented or if Apple has released a public API to enable its use.
But, as far as I know, Apple has never released a utility to actually use this feature. If it’s being used at all today, it is strictly internal to macOS.
