Encrypted DMG Files in OS X

Vincent Danen

March 25, 2008

Making an encrypted DMG file (a mountable filesystem image, the format in which most software for the Mac is distributed) is extremely simple. The ability to mount these filesystems comes with the OS, using the Disk Copy application. There are many ways of creating an encrypted DMG file in OS X; two of them are the bundled Disk Copy tool and the shareware program DropDMG. Depending on your needs, one or the other may suit you better. Both tools offer AES128 encryption for the DMG file.

DropDMG

The first tool we'll look at is DropDMG. DropDMG has many other uses as well, but it is well suited to this task. DropDMG is shareware and costs $10 USD to register, although it can be used unregistered for evaluation.

We'll illustrate using DropDMG to create a DMG file that stores GPG and SSH data. Typically, you will have ~/.gnupg and ~/.ssh directories to store the data for each respective application.

First create a staging area:

$ mkdir ~/Documents/encrypted
$ cp -av ~/.gnupg ~/Documents/encrypted/gpg
$ cp -av ~/.ssh ~/Documents/encrypted/ssh

After you've installed DropDMG, start up the application and go into the Preferences. The important settings are in the Image Format section: set the type to Read-write and make sure Encrypted is selected. Other than that, you can pretty much configure it however you like.

Now, open the Finder and drag the encrypted folder (from the Documents folder) onto the DropDMG application icon. This will tell DropDMG to create an image based on the contents of the encrypted folder. You'll have to provide a passphrase to access the data when you mount it. Keep in mind, the important thing is to make a DMG file that is read/write; if you make it read-only (or use compression on it), you will be unable to add new keys to your keychain, make modifications to your ssh known_hosts file, etc.

Mount the DMG file (we'll call it encrypted.dmg). Enter your passphrase. An icon representing the filesystem should appear on your desktop. If you open the terminal and run df, you should see the filesystem mounted as /Volumes/encrypted. Go to your home directory and execute the following:

$ mv ~/.gnupg ~/.gnupg-bk
$ mv ~/.ssh ~/.ssh-bk
$ ln -s /Volumes/encrypted/gpg ~/.gnupg
$ ln -s /Volumes/encrypted/ssh ~/.ssh

Now your data can only be used while the DMG file is mounted. The DMG can be stored on removable media as well. The nice thing is that if you put a laptop to sleep, you'll be asked to enter your passphrase when it wakes. Enter the wrong passphrase and the DMG is forcefully dismounted.

Once you are convinced that the DMG file is working properly for you, remove your backup directories.
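
A check for the finished layout, as an added example (not from the original article): it confirms that ~/.gnupg and ~/.ssh are symlinks into the mounted volume and reports plaintext copies left on the unencrypted disk. It assumes the paths used in the commands above; the function name audit_layout is hypothetical, and it also flags the staging folder ~/Documents/encrypted, which still holds an unencrypted copy after the image is created.

```shell
#!/bin/sh
# Added example: audit the symlink layout described in this article.
# Assumed paths (taken from the commands above): /Volumes/encrypted/{gpg,ssh},
# ~/.gnupg-bk, ~/.ssh-bk and the staging folder ~/Documents/encrypted.

# audit_layout HOME_DIR VOLUME_DIR
# Prints one line per finding; returns 0 if clean, 1 if data is exposed.
audit_layout() {
    home=$1
    vol=$2
    rc=0

    # 1. Each dot-directory must be a symlink that points into the volume.
    for pair in .gnupg:gpg .ssh:ssh; do
        link=$home/${pair%%:*}
        want=$vol/${pair##*:}
        if [ ! -L "$link" ]; then
            echo "FAIL $link is not a symlink (data is on the unencrypted disk)"
            rc=1
        elif [ "$(readlink "$link")" != "$want" ]; then
            echo "FAIL $link points to $(readlink "$link"), expected $want"
            rc=1
        elif [ ! -d "$link" ]; then
            # Dangling link: expected whenever the DMG is not mounted.
            echo "INFO $link is dangling (volume not mounted)"
        else
            echo "OK   $link -> $want"
        fi
    done

    # 2. Plaintext copies left behind by the procedure.
    for leftover in .gnupg-bk .ssh-bk Documents/encrypted; do
        if [ -e "$home/$leftover" ]; then
            echo "FAIL plaintext copy still present: $home/$leftover"
            rc=1
        fi
    done
    return $rc
}

# Audit the real home directory only when invoked as: sh audit.sh run
if [ "${1:-}" = "run" ]; then
    audit_layout "$HOME" /Volumes/encrypted
fi
```
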

On a final note, you will be able to add the passphrase for your encrypted DMG to your keychain in OS X. Do not do this! Adding the passphrase to your keychain removes the added layer of defense that the encrypted DMG was meant to provide in the first place (unless you properly manage your keychain).

Disk Copy

Disk Copy works quite similarly. It is bundled with OS X so there is no associated cost with using it. It also offers AES128 encryption. For those who will only be creating encrypted DMG files and don't require the extra features of DropDMG, Disk Copy is your best bet. The basic premise is the same, although the options for Disk Copy are slightly different. Create your staging directory as above (~/Documents/encrypted) and fire up Disk Copy, which lives in /Applications/Utilities. You will have a little drop box that you can drag the encrypted folder onto.

Once you have done this, you will be asked for a location to save the DMG file, an Image format to use (select Read/Write), and the Encryption to use (AES128). At this point, Disk Copy will ask you to provide a passphrase to unlock the DMG file and then will create the DMG.

One problem with creating encrypted DMG files this way is that they are created with a set size, and if you run out of room on the DMG, what do you do? Create a new DMG file? Fortunately, Disk Copy will allow you to resize a DMG file, provided it is not mounted. When you first create the DMG with Disk Copy, it will select an arbitrary size for the resulting file. If this is too small, you can increase the size by opening Disk Copy, choosing the File menu and then Resize. Select the DMG file you wish to resize, give it your preferred size, and then do the resize.

There is one unfortunate caveat to this. When you resize a DMG, it creates extra space in the DMG, but does not resize the partition, so you'll have free space available that you can partition, similar to a hard drive. This may or may not be what you want.
