41 Replies. Latest reply: Jan 13, 2013 2:57 PM by Pondini
guy toronto Level 1 (0 points)

Using Disk Utility, I created an encrypted disk image, into which I have copied files I would like to secure. This works well, but I am trying to understand how things work, so that I can control exposure. Fundamentally, the question is when are files exposed, and when not. Clearly, when a password has been entered, the file is visible and available. But is it being decoded (ie is the underlying file always encrypted)? If I make a copy of a file (after password entered), is this copy encrypted? If I make a back-up using Time Machine, are the back-up files (of encrypted files) encrypted?


Mac OS X (10.7.2)
  • 2. Re: Understanding encryption using Disk Utility
    Pondini Level 8 (38,720 points)

    guy toronto wrote:

    . . .

    But is it being decoded (ie is the underlying file always encrypted)?

    Yes.

     

    If I make a copy of a file (after password entered), is this copy encrypted?

    Depends on where you put it.  If you copy it to an unencrypted volume (actual disk/partition or disk image), no.

     

    If I make a back-up using Time Machine, are the back-up files (of encrypted files) encrypted?

    No (unless the backup drive is also encrypted).

     

    Also note the contents of the disk image will not be backed-up while it's mounted.

  • 3. Re: Understanding encryption using Disk Utility
    guy toronto Level 1 (0 points)

    I'm confused. If the underlying file is always encrypted (and just decoded after input of password), why would copying the file to an unencrypted volume make it unencrypted?

     

    Also re Time Machine, you say that (encrypted) files will not be backed up while the disk is mounted. OK. But why when unmounted (ie the files are in their encrypted state), would the back-up (to an unencrypted backup drive) not be encrypted? Shouldn't it be the opposite?

  • 4. Re: Understanding encryption using Disk Utility
    Pondini Level 8 (38,720 points)

    In both cases, because it's unencrypted "on the fly." 

     

    If you copy or back up to an encrypted volume, it will be re-encrypted.

  • 5. Re: Understanding encryption using Disk Utility
    guy toronto Level 1 (0 points)

    I think I get it. But just to make sure...

     

    Supposing an encrypted file is synced on Dropbox. Are you saying that the Dropbox version of the file will be encrypted while the file on my computer is encrypted, but when I enter the password on my computer, the file on Dropbox becomes totally exposed? That's kind of spooky...

  • 6. Re: Understanding encryption using Disk Utility
    Tony T1 Level 6 (8,380 points)

    Think of it this way.  The encrypted disk image that you created is always encrypted.  When you click it (open it), you are asked for a password and then a Volume is mounted by decrypting the disk image.  The mounted volume is unencrypted, and any files that you move/copy from the Volume will remain decrypted.  If you make changes to the files within the Volume, or add files to the Volume, once the Volume is Ejected, the disk image will be updated and encrypted.

  • 7. Re: Understanding encryption using Disk Utility
    Pondini Level 8 (38,720 points)

    I don't use Dropbox, but I think I've heard they encrypt everything.  If so, then yes, those backups will be encrypted (separately).

     

    Entering the password for the encrypted disk image on your Mac won't expose the Dropbox copies; they're entirely separate and will presumably have their own password.

  • 8. Re: Understanding encryption using Disk Utility
    Tony T1 Level 6 (8,380 points)

    Wouldn't matter if Dropbox was not encrypted.  The disk image (that resides on Dropbox) is always encrypted.  When the image is clicked and opened with a password, the disk image remains encrypted.  The unencrypted Volume is attached to the Mac filesystem, and only "seen" there.
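
The distinction drawn in replies 6 and 8 (the image file stays ciphertext on disk, while anything copied out of the mounted Volume is plaintext) can be checked on a Mac with the sketch below. It is an added example, not part of any post in this thread; the marker string, passphrase, file names and the `exposure` helper are constructed for illustration, and the `encrcdsa` test assumes a version 2 encrypted disk image header.

```shell
#!/bin/sh
# Added example. MARKER, the passphrase and all file names are constructed.
MARKER="CONSTRUCTED-MARKER-7f3a"
PASS="constructed-passphrase"

# True if the marker is readable in the file's bytes as stored on disk.
has_marker() { grep -a -q -F "$MARKER" "$1"; }

# True if the file begins with "encrcdsa" (assumed: version 2 encrypted
# disk image header signature).
is_encrypted_image() {
  [ "$(head -c 8 "$1" | LC_ALL=C tr -d '\000')" = "encrcdsa" ]
}

# What does someone holding only these bytes (sync service, backup disk) get?
exposure() {
  if has_marker "$1"; then echo "plaintext"
  elif is_encrypted_image "$1"; then echo "encrypted-image"
  else echo "unknown"
  fi
}

# macOS only: build an encrypted image, mount it, copy a file out, compare.
demo() {
  work=$(mktemp -d) || return 1
  mkdir "$work/mnt"
  printf '%s' "$PASS" | hdiutil create -quiet -size 10m -fs HFS+ \
    -volname Demo -encryption AES-256 -stdinpass "$work/demo.dmg" || return 1
  printf '%s' "$PASS" | hdiutil attach -quiet -nobrowse -stdinpass \
    -mountpoint "$work/mnt" "$work/demo.dmg" || return 1
  echo "$MARKER" > "$work/mnt/note.txt"      # written through the mounted volume
  cp "$work/mnt/note.txt" "$work/copy.txt"   # copied to an unencrypted location
  sync
  echo "image while mounted: $(exposure "$work/demo.dmg")"
  echo "copy outside volume: $(exposure "$work/copy.txt")"
  hdiutil detach -quiet "$work/mnt"
  echo "image after eject:   $(exposure "$work/demo.dmg")"
  rm -rf "$work"
}

if command -v hdiutil >/dev/null 2>&1; then demo; fi
```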

  • 9. Re: Understanding encryption using Disk Utility
    guy toronto Level 1 (0 points)

    Tony:

     

    Excellent - that's what I was hoping.

     

    Using the same logic, wouldn't the Time Machine back-up (of an encrypted disk image) also remain encrypted? Pondini seems to suggest that this is not the case.

     

    Finally, on a slightly different note (not sure if it's better to start a new question) ... how could I get to a similar result for emails (server is iCloud)? Ideally, I would want all the emails I store on iCloud to be encrypted. Is this doable?

     

    Thanks for all the help!

  • 10. Re: Understanding encryption using Disk Utility
    Tony T1 Level 6 (8,380 points)

    Using the same logic, wouldn't the Time Machine back-up (of an encrypted disk image) also remain encrypted? Pondini seems to suggest that this is not the case.

     

    What I think he means is, if the Volume is backed up to Time Machine, it won't be encrypted, but a mounted Volume from a  Disk Image is not backed up to Time Machine, so I'm not sure what he means.  The actual Disk Image (that is backed up to TM) is always encrypted.

     

    Finally, on a slightly different note (not sure if it's better to start a new question) ... how could I get to a similar result for emails (server is iCloud)? Ideally, I would want all the emails I store on iCloud to be encrypted. Is this doable?

     

    Apple has stated that anything in iCloud is encrypted (iCloud: iCloud security and privacy overview), so it comes down to if you trust Apple (could they have the key to your encrypted data?)

  • 11. Re: Understanding encryption using Disk Utility
    guy toronto Level 1 (0 points)

    Understood. Thanks so much for the clarification!

  • 12. Re: Understanding encryption using Disk Utility
    Pondini Level 8 (38,720 points)

    Tony T1 wrote:

    . .

    What I think he means is, if the Volume is backed up to Time Machine, it won't be encrypted, but a mounted Volume from a  Disk Image is not backed up to Time Machine, so I'm not sure what he means.  The actual Disk Image (that is backed up to TM) is always encrypted.

    Yes, sorry, what I wrote was misleading: 

     

    • When an encrypted volume  (an actual disk partition or a disk image) is backed-up, the data is decrypted.   It's only re-encrypted if the destination is encrypted.  So if you use FileVault2, your backups of normal items will not be encrypted if they go to an unencrypted disk.  But, they will be encrypted if they go to an encrypted disk or disk image.

     

    • The contents of a disk image are backed-up only when it's not mounted.  If it's mounted, the disk image will appear in the backup, but the contents will not have changed.
  • 13. Re: Understanding encryption using Disk Utility
    guy toronto Level 1 (0 points)

    Thanks for the explanation. Forgive me for being technologically dense. Are you saying that in the case of an encrypted disk image, my back-up (using Time Machine) will be encrypted?

     

    I think I'm understanding that...

     

    - when the disk is mounted (ie data unencrypted), it will not be backed up. Back-up of data will only occur when the disk is not mounted (ie when the data is encrypted). Hence backed up data is always encrypted.

     

    Am I getting this right?

  • 14. Re: Understanding encryption using Disk Utility
    Tony T1 Level 6 (8,380 points)

    I think you're speaking about using Disk Utility to create an encrypted Volume:

     

    [Screenshot: Screen Shot 2012-02-03 at 12.06.27 PM.png]

     

    ...but the OP is asking about encrypted disk images
