FileVault 2 encrypts your whole Mac, and Disk Utility can encrypt parts

Glenn Fleishman | Feb. 13, 2015
In last week's column, I explained the use and benefit (and some of the drawbacks) of turning on full-disk encryption (FDE) with Apple's built-in FileVault 2.

Readers had a few questions — I answered some in the article's comments section, and I'll expand here too. Then I'll provide a longer explanation of encrypting individual files, not entire drives.

FileVault 2 clarifications

FileVault 2 encrypts data at the hard drive level. Programs that run on your Mac see the data as if it has no encryption. This lets you back up drives while you're logged in, even if the system is locked. But the files copied to Dropbox, an online backup service, a local drive, or a Time Machine destination are unencrypted, although you can layer encryption on all of those options.

Time Machine and other local drives can be encrypted using the same technology as FileVault 2, as noted in the original article, by selecting the drive and choosing Encrypt Drive Name.

You can change your FileVault 2 recovery key if you've lost it, as one reader believes he did, so long as you still have the password for any account with the privilege to start up the computer. It's tedious: You have to disable FileVault 2, which decrypts the entire drive, and then enable it again. Give yourself a couple of days and a steady supply of AC power.

Some readers believe that FileVault 2 dramatically slows down OS X. Benchmarks, my own experience, and other readers' testimony would indicate otherwise. For newer computers (2012 or later for all models, and some released in 2010 and 2011), and with an SSD on most models, performance is only slightly impaired and only when you're engaged in disk-heavy operations.

And now on to Disk Utility!

How to use Disk Utility to encrypt files

FileVault 2 affects your whole disk, and has some scary elements, chiefly that your files are completely unrecoverable if you ever forget your password and lose your disk Recovery Key. But you can choose, instead or in addition, to create a virtual disk that encrypts everything inside of it.

Not long ago, there were multiple options for encrypting files and folders on a Mac. TrueCrypt, a mostly anonymous free and open-source encryption tool, abruptly stopped development in May 2014. Years ago, PGP offered Mac tools for file encryption, but not for folder or virtual disk access. (GPGTools has a Mac version that primarily helps with managing encryption with email.)

That leaves Disk Utility, our hoary friend that handles repairing permissions on disks, but can also manage and create disk images. If you're not a software developer, you may have never needed to make a disk image, which is just a flat file (or OS X package for one subtype) that preserves the file and folder placement and hierarchy, file permissions, and other data just as if the data were stored on a physical internal or removable disk. (DropDMG is a $24 utility that puts a sensible interface on top of OS X's disk image commands, including encryption, while offering management options, too.)
