Good encrypted disk images on Mac OS X

There are many options for those using recent versions Mac OS X to encrypt files, one of which is to create an encrypted virtual disk image which has the advantage of being portable across different computers and is simple to backup. While I am still a fan of TrueCrypt because it's disk images can be opened on multiple OSs (subject for a future post), for Mac specific files I find using hdiutil is the easiest way to go and generally has better performance.

Why not use Disk

While you can use Disk to create encrypted disk images, for some reason Apple refuses to allow you to paste passphrases. I'm sorry, but I don't consider manually typing 256 character pseudo-random gibberish passphrases with punctuation, letters and numbers to be very practical! If anything by not allowing people to paste passwords Apple are discouraging people from using really solid passphrases.

Create a good passphrase

I like to copy a huge long list of high quality pseudo-random passwords from GRC's Perfect Passwords page into a text file, then use one of them along with a phrase I have memorised for the final passphrase. That way, even if someone gets a hold of that file, they can't derive my passphrase from its contents. Goes by the security philosophy of something I have, and something I know.

Create the disk image

Fire up your then enter the following:

hdiutil create -size 10g -type SPARSE -fs HFS+J 
-encryption AES-256 -stdinpass -volName LABEL-NAME 
-size 10g
Potential maximum file size in gigabytes
-type SPARSE
Dynamically expand the image as you fill it
-fs HFS+J
The initial filesystem, Mac HFS+ Journaled in this case
-encryption AES-256
Far stronger of two encryption options.
AES-128 may be faster on slower hardware, but is obviously less secure
Require passwords to be entered in standard input
Name you choose that will appear in the Finder and /Volumes
Name you want for your disk image file


If you view your Home folder you'll see your new disk image. Problem is, like I said with Disk above if you double click you can't paste your passphrase in.

To access, just fire up and use the attach keyword. When it prompts you for your passphrase, you can paste your string of high quality pseudo-random gibberish then enter the part you remembered:

hdiutil attach -stdinpass FILE-NAME.sparseimage

You unmount the disk image in the same way you eject USB keys and optical discs in the Finder.

Other tips

If you create disk images that are smaller than 4.5GiB, you can burn your encrypted image to a DVD which makes it a cinch to backup! Also with this level of encryption the easiest way for people to access to your data is social engineering attacks: don't let yourself down by using a crappy password and obviously don't share it with anyone except perhaps your cat. No wait, cats are too smart.