Encrypt your homedir on your mac without FileVault

I used FileVault for about a month and I found it really degraded the overall experience of using my Mac. Basically, using FileVault caused a huge slowdown in performance. In addition, I quickly found the repeated prompting to compact FileVault every time I shut down annoying, and since this process took nearly 20 minutes each time it was all too easy to get into the habit of skipping it.

This isn't to say FileVault is a dead duck: I have a colleague who has used it for 18 months on a PowerBook and has never had a problem, but that could simply be down to the difference between using FileVault on PPC and on Intel.

My solution is to encrypt selectively: only the files that actually need protecting are moved out of my home directory into an encrypted disk image, and each one is replaced by an alias or symlink pointing at its new location inside the image. Everything is still reachable at the usual path in your home directory via the link, but the real files sit safe and snug inside the encrypted disk image, so once the image is unmounted they are nothing but ciphertext on disk.

This approach also works for things like Mail: move your mailboxes inside the encrypted disk image and link them back to their current location, so that your mail is protected too.

An alias is a special link created by the Finder that points to a specific file, and it keeps working if the file it points to is moved around, because the Finder tracks the target itself rather than just its path. Symlinks are different: they are created at the Unix level, so shell scripts, anything you run from bash, and software that doesn't grok aliases will always follow them. The downside is that a symlink only ever points to one specific path. In either case the link only resolves while the encrypted image is mounted; if it isn't, the application sees a missing file, so mount the image before launching anything whose data lives inside it.

When linking into your encrypted image I would recommend always trying an alias first. If you find that the software you are using has trouble accessing files via the alias, try a symlink instead, giving the target as an absolute path inside the mounted image. For example:

    ln -s /path/to/adir thesymlink

This creates a symlink called thesymlink in the current directory that points at /path/to/adir.

Points to consider:

  1. Don't store the password to the encrypted image in your login keychain. Anyone who can log in as you (or who gets hold of your login password) would then have the image's password as well, which defeats the purpose very quickly.
  2. Do back up regularly. If the encrypted image becomes corrupt you will need to restore it. Back up the image file itself rather than the mounted volume, unless your backup destination is encrypted too, since a copy taken from the mounted volume is plaintext.
  3. Moving a file into the image copies it and then deletes the original; the original's blocks are not scrubbed from the disk. Likewise anything an application writes outside the image (caches, temporary files, the Trash) stays unencrypted.

Creating an encrypted image using Disk Utility

Open Disk Utility and click "New Image". Then set the following options:

Size: select Custom and set the maximum size of your disk image.
Encryption: select AES-128 (or AES-256 where your version of Disk Utility offers it).
Format: select Sparse image (this grows as you add files rather than taking up all of the space in one go).

Next set your password and un-tick "Remember password (add to Keychain)".

To mount the encrypted image, double-click the image file and enter the password. Now move the files you want encrypted into the mounted volume and alias them back to where you normally access them from. When you are done, eject the volume: the files are only protected while the image is unmounted.
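The same procedure from the command line, as an added example that is not part of the original post. hdiutil is the disk image tool that ships with macOS and the flags used are its own; the image path, volume name, marker file name and the vault_* function names are assumptions made for this script. It goes slightly beyond the Disk Utility steps in two ways: the password is read by hdiutil itself (with -stdinpass it prompts on the terminal), so it never ends up on a command line, in shell history or in the keychain; and vault_protect refuses to move anything unless the mounted volume carries a marker file, which guards against an unencrypted /Volumes/Secure directory that happens to exist while the image is detached. The move-and-link logic is plain POSIX shell and can be exercised against any directory, so it can be tested without hdiutil.

```shell
#!/bin/sh
# Added example, not from the original post. Moves sensitive paths from
# $HOME into an encrypted sparse image and leaves symlinks behind.
# Assumptions: the image path, volume name and marker file name below.
set -eu

IMAGE="${VAULT_IMAGE:-$HOME/Secure.sparseimage}"  # assumed image location
VOLNAME="${VAULT_VOLNAME:-Secure}"                 # assumed volume name
MOUNT="/Volumes/$VOLNAME"                          # where macOS mounts it
MARKER=".encrypted-vault"                          # assumed marker file

# Create the image once: AES-128 (AES-256 is also accepted on newer
# systems), sparse so it grows on demand. -stdinpass makes hdiutil read the
# passphrase itself (it prompts when stdin is a terminal), so the password
# never appears in a command line, in shell history, or in the keychain.
vault_create() {
    hdiutil create -size 2g -type SPARSE -fs HFS+J -encryption AES-128 \
        -stdinpass -volname "$VOLNAME" "$IMAGE"
}

# Mount the image and stamp the volume with the marker file.
vault_mount() {
    hdiutil attach -stdinpass "$IMAGE"
    touch "$MOUNT/$MARKER"
}

# Detach: the files are only ciphertext on disk while the image is unmounted.
vault_unmount() {
    hdiutil detach "$MOUNT"
}

# True only when the real encrypted volume is mounted. A stray, unencrypted
# /Volumes/<name> directory created while the image was detached has no marker.
vault_is_mounted() {
    [ -f "$MOUNT/$MARKER" ]
}

# Move one file or directory into the image and replace it with an absolute
# symlink. The path relative to $HOME is preserved inside the image.
vault_protect() {
    src=$1
    case $src in /*) ;; *) src=$PWD/$src ;; esac
    vault_is_mounted || { echo "vault: $MOUNT is not mounted" >&2; return 1; }
    [ ! -L "$src" ] || { echo "vault: $src is already a link" >&2; return 1; }
    [ -e "$src" ]   || { echo "vault: $src does not exist" >&2; return 1; }
    rel=${src#"$HOME"/}
    dest="$MOUNT/$rel"
    [ ! -e "$dest" ] || { echo "vault: $dest already exists" >&2; return 1; }
    mkdir -p "$(dirname "$dest")"
    mv "$src" "$dest"
    ln -s "$dest" "$src"
}

# A link into the image only resolves while the image is mounted; check this
# before launching an application whose data lives there.
vault_link_ok() {
    [ -L "$1" ] && [ -e "$1" ]
}

main() {
    case ${1:-} in
        create)  vault_create ;;
        mount)   vault_mount ;;
        unmount) vault_unmount ;;
        protect) shift; for p in "$@"; do vault_protect "$p"; done ;;
        check)   shift; for p in "$@"; do vault_link_ok "$p" || echo "dangling: $p"; done ;;
        *) echo "usage: $0 create|mount|unmount|protect PATH...|check PATH..." >&2; return 2 ;;
    esac
}

# Only act when given a subcommand, e.g.:  ./vault.sh protect ~/Documents/Secret
[ $# -eq 0 ] || main "$@"
```

Run `./vault.sh create` once, then `./vault.sh mount` before `./vault.sh protect` on each sensitive path; `./vault.sh check` lists links that currently dangle because the image is not mounted. Because the symlinks are absolute and point under /Volumes, they behave exactly as described above: they work only while the image is attached, and everything behind them is ciphertext once it is detached.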

Knox

I use a piece of software called Knox which is essentially the missing interface to creating and managing disk images. One could argue it's expensive given that it doesn't do that much more than wrap the image creation process. However, personally I find it useful for providing quick access to my encrypted drives and also adds some extra features such as backups and spotlight control per disk image. I would say it's well worth a look if you are regularly using encrypted images but if not, it's probably not worth shelling out for.
