Easy folder encryption in Mac OSX

I have some SSH keys sitting on my MacBook Pro and decided it’s probably a good idea to store them in such a way that if someone ever got access to my machine they wouldn’t be able to copy or use them. This solution doesn’t just apply to SSH keys; it works for any folder that you want to encrypt but still have easy access to. The folder could even be a git project that you want to keep secure when you’re not working on it.

I’m running Yosemite, which comes with Apple’s FileVault disk encryption, but I’ve had a couple of issues with it so I’m not using it. Even if you are, this method lets you move the folder around separately (USB, Dropbox, etc.) and protects you if you forget to lock your screen.

The idea is to have an encrypted disk image (dmg) sitting somewhere on your file system, a command line alias to mount the image at a specific directory with one command (with autocomplete and everything), and another alias to unmount (and therefore re-secure) the image when you’re done.

The setup is twofold:

1. Create an encrypted image of the folder. You can use Disk Utility to create a new image from an existing folder and then choose your encryption option, or you can create a new blank encrypted image and add files to it afterwards. Either way the setup is pretty intuitive, and if not there’s always Google.

2. Add some bash aliases to make the process seamless. I’m a terminal kind of guy; there’s always one open, so for me that’s the easiest way to shortcut the mounting process. My .bash_profile includes the following (I called the image “vault”):

# vault_root is assumed to hold the image path without its .dmg extension;
# the mount point gets the same name, right next to the image. For example:
vault_root=~/vault
# Mount the encrypted image (hdiutil prompts for the passphrase)
alias mount-vault='hdiutil attach ${vault_root}.dmg -mountpoint ${vault_root}'
# Detach it again, which leaves only the encrypted image on disk
alias unmount-vault='hdiutil detach ${vault_root}'

And that’s it! Running “mount-vault” prompts you for the password to decrypt the image and then mounts it as a folder with the same name, right next to the image in the directory structure. Once I’m done I run “unmount-vault” and it’s all locked up again. Simples.

N.B. One caveat: the “detach” action of hdiutil only accepts a mountpoint (instead of a device) on OS X 10.4 (Tiger) and above. I doubt that’s really an issue for anyone, but I thought I’d mention it.
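For anyone who wants a bit more than two aliases, here is the same setup as a small script: an added example, not the post’s own code. It assumes the image lives at VAULT_IMAGE (defaulting to ~/vault.sparsebundle, a name I made up) and that the mount point is the image path minus its extension, as in the post; hdiutil itself only exists on macOS.

```shell
#!/bin/bash
# Added example (not from the original post): the two aliases as functions, plus
# the checks you want before relying on the vault:
# - create:  a new AES-256 encrypted sparse bundle (grows as you add files)
# - mount:   refuses if the image is missing, creates the mount point, no-op if mounted
# - unmount: explains the usual reason detach fails (something still has the vault open)
# Assumption: VAULT_IMAGE is the image path; the mount point is that path without
# its extension. The default location below is invented for the example.
VAULT_IMAGE="${VAULT_IMAGE:-$HOME/vault.sparsebundle}"

# Mount point = image path minus its extension (vault.dmg -> vault).
vault_mountpoint() {
  case "$1" in
    *.dmg)          printf '%s\n' "${1%.dmg}" ;;
    *.sparsebundle) printf '%s\n' "${1%.sparsebundle}" ;;
    *)              printf '%s\n' "$1.mnt" ;;
  esac
}

# Succeeds only if something is mounted exactly at the given path.
vault_is_mounted() {
  mount 2>/dev/null | grep -q " on $1 ("
}

vault_create() {   # one-off: hdiutil prompts for the passphrase interactively
  local size="${1:-256m}"
  hdiutil create -encryption AES-256 -type SPARSEBUNDLE -fs HFS+ -size "$size" \
    -volname "$(basename "$(vault_mountpoint "$VAULT_IMAGE")")" "$VAULT_IMAGE"
}

vault_mount() {
  local mp; mp="$(vault_mountpoint "$VAULT_IMAGE")"
  [ -e "$VAULT_IMAGE" ] || { echo "no image at $VAULT_IMAGE" >&2; return 1; }
  vault_is_mounted "$mp" && { echo "already mounted at $mp"; return 0; }
  mkdir -p "$mp" && hdiutil attach "$VAULT_IMAGE" -mountpoint "$mp"
}

vault_unmount() {
  local mp; mp="$(vault_mountpoint "$VAULT_IMAGE")"
  vault_is_mounted "$mp" || { echo "not mounted: $mp"; return 0; }
  hdiutil detach "$mp" || {
    echo "detach failed: $mp is still in use (a shell cd'd into it, an open editor, ...)" >&2
    return 1
  }
}

case "${1:-}" in
  create)  vault_create "${2:-}" ;;
  mount)   vault_mount ;;
  unmount) vault_unmount ;;
  "")      ;;   # sourced, or run with no command: just define the functions
  *)       echo "usage: $0 create [size]|mount|unmount" >&2; exit 2 ;;
esac
```

Detaching the image does not clear keys that ssh-agent already holds in memory, so run `ssh-add -D` before unmounting if that matters to you.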
