Of and in ' a to was is ) ( for as on by he with 's that at from his it an were are which this also be has or: had first one their its new after but who not they have –; her she ' two been other when there all% during into school time may years more most only over city some world would where later up such used many can state about national out known university united then made. Mountain Lion allows one to encrypt any disk by right-clicking on the disk in the Finder and selecting Encrypt from the contextual menu. Is there anyway to check on the progress of this encryption process? Macos external-disk encryption filevault.
This guide will demonstrate the steps required to encrypt and decrypt files using OpenSSL on Mac OS X. The working assumption is that by demonstrating how to encrypt a file with your own public key, you'll also be able to encrypt a file you plan to send to somebody else using their private key, though you may wish to use this approach to keep archived data safe from prying eyes.
Too Long, Didn't Read
Assuming you've already done the setup described later in this document, that id_rsa.pub.pcks8 is the public key you want to use, that id_rsa is the private key the recipient will use, and secret.txt is the data you want to transmit…
Encrypting
Decrypting
Using Passwords
OpenSSL makes it easy to encrypt/decrypt files using a passphrase. Unfortunately, pass phrases are usually 'terrible' and difficult to manage and distribute securely.
To Encrypt a File
You can add -base64 if you expect the context of the text may be subject to being 'visible' to people (e.g., you're printing the message on a pbulic forum). If you do, you'll need to add it to the decoding step as well. You can choose from several cypers but aes-256-cbc is reasonably fast, strong, and widely supported. Base64 will increase the size of the encrypted file by approximately 30%
To Decrypt a File
You will need to provide the same password used to encrypt the file. All that changes between the encrypt and decrypt phases is the input/output file and the addition of the -d flag. If you pass an incorrect password or cypher then an error will be displayed.
Encrypting Files Using your RSA keys
RSA encryption can only work with very short sections of data (e.g. an SHA1 hash of a file, or a password) and cannot be used to encrypt a large file. The solution is to generate a strong random password, use that password to encrypt the file with AES-256 in CBC mode (as above), then encrypt that password with a public RSA key. The encrypted password will only decrypt with a matching public key, and the encrypted file will require the unique password encrypted in the by the RSA key.
Replace OpenSSL
The copy of OpenSSL bundled with Mac OS X has several issues. Mac OS X 10.7 and earlier are not PCI compliant. It is best to replace it. See here for details: http://www.dctrwatson.com/2013/07/how-to-update-openssh-on-mac-os-x/
Generate Your Private/Public Key-pair
By default your private key will be stored in
- ~/.ssh/id_rsa : This is your private key and it must be kept secret
- ~/.ssh/id_rsa.pub : This is your public key, you can share it (for example) with servers as an authorized key for your account.You can change the location of where you store your keys, but this location is typical. Typically you want to ensure the private key is chmod 600, andd the public key is chmod 644.
Generate a PKCS8 Version of Your Public Key
The default format of id_rsa.pub isn't particularly friendly. If you are going to public your key (for example) on your website so that other people can verify the authorship of files attributed to you then you'll want to distribute it in another format. I find it useful to keep a copy in my .ssh folder so I don't have to re-generate it, but you can store it anywhere you like.
Generate a One-Time-Use Password to Encrypt the File
The passwords used to encrypt files should be reasonably long 32+ characters, random, and never used twice. To do this we'll generate a random password which we will use to encrypt the file.
This will generate 192 bytes of random data which we will use as a key. If you think a person may need to view the contents of the key (e.g., they're going to display it on a terminal or copy/paste it between computers) then you should consider base-64 encoding it, however:
- The password will become approximately 30% longer (and there is a limit to the length of data we can RSA-encrypt using your public key
- The password will be 'padded' with '=' characters if it's not a multiple of 4 bytes.
A Note on Long Passwords
There is a limit to the maximum length of a message that can be encrypted using RSA public key encryption. If you want to use very long keys then you'll have to split it into several short messages, encrypt them independently, and then concatinate them into a single long string. Decrypting the password will require reversing the technique: splitting the file into smaller chuncks, decrypting them independently, and then concatinating those into the original password key file.
Encrypt the File Using the Generated Key
Now that you have a good random password, you can use that to AES encrypt a file as seen in the 'with passwords' section
Decrypting the file works the same way as the 'with passwords' section, except you'll have to pass the key.
Encrypt the Key Used to Encrypt the File
We used fast symetric encryption with a very strong password to encrypt the file to avoid limitations in how we can use asymetric encryption. Finally, we'll use asymetric encryption to encrypt the password. This solves the problem of 'how do I safely transmit the password for the encrypted file' problem. You can encrypt is using the recipients public key and they can decode it using their private key. Encrypt the password using a public key:
The recipient can decode the password using a matching private key:
Package the Encrypted File and Key
There are a number of ways to do this step, but typically you'll want just a single file you can send to the recipent to make transfer less of a pain. I'd recommend just making a tarball and delivering it through normal methods (email, sftp, dropbox, whatever). Though a secure method of exchange is obviously preferable, if you have to make the data public it should still be resistent to attempts to recover the information.
The file can be extracted in the usual way:
The Diasporic Crypt Mac Os Sierra
You may want to securely delete the unecrypted keyfile as the recipient will be able to decode it using their private key and you already have the unencrypted data.
The Diasporic Crypt Mac Os 7
Turn on and set up FileVault
FileVault 2 is available in OS X Lion or later. When FileVault is turned on, your Mac always requires that you log in with your account password.
- Choose Apple menu () > System Preferences, then click Security & Privacy.
- Click the FileVault tab.
- Click , then enter an administrator name and password.
- Click Turn On FileVault.
If other users have accounts on your Mac, you might see a message that each user must type in their password before they will be able to unlock the disk. For each user, click the Enable User button and enter the user's password. User accounts that you add after turning on FileVault are automatically enabled.
Choose how you want to be able to unlock your disk and reset your password, in case you ever forget your password:
- If you're using OS X Yosemite or later, you can choose to use your iCloud account to unlock your disk and reset your password.*
- If you're using OS X Mavericks, you can choose to store a FileVault recovery key with Apple by providing the questions and answers to three security questions. Choose answers that you're sure to remember.*
- If you don't want to use iCloud FileVault recovery, you can create a local recovery key. Keep the letters and numbers of the key somewhere safe—other than on your encrypted startup disk.
If you lose both your account password and your FileVault recovery key, you won't be able to log in to your Mac or access the data on your startup disk.
Encryption occurs in the background as you use your Mac, and only while your Mac is awake and plugged in to AC power. You can check progress in the FileVault section of Security & Privacy preferences. Any new files that you create are automatically encrypted as they are saved to your startup disk.
When FileVault setup is complete and you restart your Mac, you will use your account password to unlock your disk and allow your Mac to finish starting up. FileVault requires that you log in every time your Mac starts up, and no account is permitted to log in automatically.
Reset your password or change your FileVault recovery key
If you forget your account password or it doesn't work, you might be able to reset your password.
If you want to change the recovery key used to encrypt your startup disk, turn off FileVault in Security & Privacy preferences. You can then turn it on again to generate a new key and disable all older keys.
Turn off FileVault
If you no longer want to encrypt your startup disk, you can turn off FileVault:
- Choose Apple menu > System Preferences, then click Security & Privacy.
- Click the FileVault tab.
- Click , then enter an administrator name and password.
- Click Turn Off FileVault.
Decryption occurs in the background as you use your Mac, and only while your Mac is awake and plugged in to AC power. You can check progress in the FileVault section of Security & Privacy preferences.
Learn more
- Learn how to create and deploy a FileVault recovery key for Mac computers in your company, school, or other institution.
- If you're using FileVault in Mac OS X Snow Leopard, you can upgrade to FileVault 2 by upgrading to OS X Lion or later. After upgrading OS X, open FileVault preferences and follow the onscreen instructions to upgrade FileVault.
- RAID partitions or non-standard Boot Camp partitions on the startup drive might prevent OS X from installing a local Recovery System. Without a Recovery System, FileVault won't encrypt your startup drive. Learn more.
* If you store your recovery key with Apple or your iCloud account, there's no guarantee that Apple will be able to give you the key if you lose or forget it. Not all languages and regions are serviced by AppleCare or iCloud, and not all AppleCare-serviced regions offer support in every language. If you set up your Mac for a language that AppleCare doesn't support, then turn on FileVault and store your key with Apple (OS X Mavericks only), your security questions and answers could be in a language that AppleCare doesn't support.