
Understanding encryption using Disk Utility

Using Disk Utility, I created an encrypted disk image, into which I have copied files I would like to secure. This works well, but I am trying to understand how things work, so that I can control exposure. Fundamentally, the question is when are files exposed, and when not. Clearly, when a password has been entered, the file is visible and available. But is it being decoded (ie is the underlying file always encrypted)? If I make a copy of a file (after password entered), is this copy encrypted? If I make a back-up using Time Machine, are the back-up files (of encrypted files) encrypted?

Mac OS X (10.7.2)

Posted on Feb 2, 2012 2:10 PM

Question marked as Best reply

Posted on Feb 2, 2012 2:15 PM

See: http://en.wikipedia.org/wiki/OTFE

41 replies

Feb 2, 2012 2:30 PM in response to guy toronto

guy toronto wrote:

. . .

But is it being decoded (ie is the underlying file always encrypted)?

Yes.


If I make a copy of a file (after password entered), is this copy encrypted?

Depends on where you put it. If you copy it to an unencrypted volume (actual disk/partition or disk image), no.


If I make a back-up using Time Machine, are the back-up files (of encrypted files) encrypted?

No (unless the backup drive is also encrypted).


Also note the contents of the disk image will not be backed-up while it's mounted.

Feb 2, 2012 3:11 PM in response to Pondini

I'm confused. If the underlying file is always encrypted (and just decoded after input of password), why would copying the file to an unencrypted volume make it unencrypted?


Also re Time Machine, you say that (encrypted) files will not be backed up while the disk is mounted. OK. But why when unmounted (ie the files are in their encrypted state), would the back-up (to an unencrypted backup drive) not be encrypted? Shouldn't it be the opposite?

Feb 2, 2012 4:33 PM in response to guy toronto

Think of it this way. The encrypted disk image that you created is always encrypted. When you click it (open it), you are asked for a password and then a Volume is mounted by decrypting the disk image. The mounted volume is unencrypted, and any files that you move/copy from the Volume will remain decrypted. If you make changes to the files within the Volume, or add files to the Volume, once the Volume is Ejected, the disk image will be updated, and encrypted.

Feb 2, 2012 6:02 PM in response to Tony T1

Tony:


Excellent - that's what I was hoping.


Using the same logic, wouldn't the Time Machine back-up (of an encrypted disk image) also remain encrypted? Pondini seems to suggest that this is not the case.


Finally, on a slightly different note (not sure if it's better to start a new question) ... how could I get to a similar result for emails (server is iCloud)? Ideally, I would want all the emails I store on iCloud to be encrypted. Is this doable?


Thanks for all the help!

Feb 3, 2012 7:26 AM in response to guy toronto

Using the same logic, wouldn't the Time Machine back-up (of an encrypted disk image) also remain encrypted? Pondini seems to suggest that this is not the case.


What I think he means is, if the Volume is backed up to Time Machine, it won't be encrypted, but a mounted Volume from a Disk Image is not backed up to Time Machine, so I'm not sure what he means. The actual Disk Image (that is backed up to TM) is always encrypted.


Finally, on a slightly different note (not sure if it's better to start a new question) ... how could I get to a similar result for emails (server is iCloud)? Ideally, I would want all the emails I store on iCloud to be encrypted. Is this doable?


Apple has stated that anything in iCloud is encrypted (iCloud: iCloud security and privacy overview), so it comes down to if you trust Apple (could they have the key to your encrypted data?)

Feb 3, 2012 8:56 AM in response to Tony T1

Tony T1 wrote:

. .

What I think he means is, if the Volume is backed up to Time Machine, it won't be encrypted, but a mounted Volume from a Disk Image is not backed up to Time Machine, so I'm not sure what he means. The actual Disk Image (that is backed up to TM) is always encrypted.

Yes, sorry, what I wrote was misleading: 😟


When an encrypted volume (an actual disk partition or a disk image) is backed-up, the data is decrypted. It's only re-encrypted if the destination is encrypted. So if you use FileVault2, your backups of normal items will not be encrypted if they go to an unencrypted disk. But, they will be encrypted if they go to an encrypted disk or disk image.


The contents of a disk image are backed-up only when it's not mounted. If it's mounted, the disk image will appear in the backup, but the contents will not have changed.

Feb 3, 2012 9:06 AM in response to Pondini

Thanks for the explanation. Forgive me for being technologically dense. Are you saying that in the case of an encrypted disk image, my back-up (using Time Machine) will be encrypted?


I think I'm understanding that...


- when the disk is mounted (ie data unencrypted), it will not be backed up. Back-up of data will only occur when the disk is not mounted (ie when the data is encrypted). Hence backed up data is always encrypted.


Am I getting this right?

Feb 3, 2012 9:17 AM in response to guy toronto

guy toronto wrote:


Thanks for the explanation. Forgive me for being technologically dense. Are you saying that in the case of an encrypted disk image, my back-up (using Time Machine) will be encrypted?

Yes.


- when the disk is mounted (ie data unencrypted), it will not be backed up. Back-up of data will only occur when the disk is not mounted (ie when the data is encrypted). Hence backed up data is always encrypted.


Am I getting this right?

Yes.
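
An added example, not part of the original thread and not Apple's implementation: a small Python model of the on-the-fly encryption the replies above describe, showing which bytes are plaintext and which are ciphertext. The class names, password and sample file are constructed for illustration, and an HMAC-SHA256 keystream stands in for the real cipher.

```python
import hashlib, hmac, os

SECTOR = 16  # tiny sector so the demo stays readable

def keystream(key, sector_no, n):
    # Toy stand-in for the real cipher (assumption for the demo): HMAC-SHA256 keystream.
    out, ctr = b"", 0
    while len(out) < n:
        msg = sector_no.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:n]

class EncryptedImage:
    """The image file as stored on disk: a salt plus ciphertext sectors."""
    def __init__(self, sectors, salt=None, blob=None):
        self.salt = salt or os.urandom(16)
        self.blob = bytearray(blob or bytes(sectors * SECTOR))

class MountedVolume:
    """What the password unlocks: a view that transforms sectors on the fly."""
    def __init__(self, image, password):
        self.image = image
        self.key = hashlib.pbkdf2_hmac("sha256", password.encode(), image.salt, 10_000)

    def _xor(self, sector_no, data):
        return bytes(a ^ b for a, b in zip(data, keystream(self.key, sector_no, len(data))))

    def write(self, sector_no, plaintext):
        data = plaintext.ljust(SECTOR, b"\0")[:SECTOR]
        start = sector_no * SECTOR
        self.image.blob[start:start + SECTOR] = self._xor(sector_no, data)  # only ciphertext is stored

    def read(self, sector_no):
        start = sector_no * SECTOR
        return self._xor(sector_no, bytes(self.image.blob[start:start + SECTOR]))

def demo():
    secret = b"tax-return-2011!"                    # constructed sample, one sector long
    image = EncryptedImage(sectors=4)
    volume = MountedVolume(image, "correct horse")  # "mount": password entered
    volume.write(0, secret)
    copied_out = volume.read(0)                     # copy to an ordinary disk: plaintext
    backup = EncryptedImage(4, image.salt, bytes(image.blob))  # backup of the image file itself
    restored = MountedVolume(backup, "correct horse").read(0)
    return secret, copied_out, bytes(backup.blob), restored

if __name__ == "__main__":
    secret, copied_out, backup_bytes, restored = demo()
    print("copy made while mounted is plaintext:", copied_out == secret)
    print("plaintext present in image backup:  ", secret in backup_bytes)
    print("backup readable with the password:  ", restored == secret)
```

The bytes a backup tool copies from the image file never contain the plaintext, while anything read through the mounted view and written elsewhere does.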
