For a while now I had been using encrypted disk images, as recommended by Apple, to store encrypted files. But the minimum disk image size is 10 megabytes, which is awfully large for a 4K text file. Also, if I want to look at the file I have to mount the disk image, find the file in the Finder, open it, and then eventually close it and eject the disk image. What a pain. I knew there had to be a better way.
The better way is to use openssl. I believe it’s available on all platforms and comes pre-installed on all Unix-like platforms. I can sort of see why Apple doesn’t talk about this, because there are a ton of options and figuring out which is the best, or even what they mean, is difficult. Even just getting started is hard. So without covering the myriad of functionality openssl has, here is how to encrypt and decrypt files.
To encrypt a file:
openssl enc -aes256 -salt -in myfile.txt -out myfile.crypt
You will receive a prompt for a password that will later be used when you decrypt the file. This is what the parameters mean:
- enc: openssl has all sorts of sub-commands, and “enc” is the one that specifies you want to encrypt (or decrypt) data.
- -aes256: openssl supports tons of different encryption schemes and even allows you to write your own. For our purposes 256-bit AES is a good choice, although you’re free to investigate the others.
- -salt: The documentation says to always use this, but it is worded in such a way that you can’t tell whether it’s the default. Just to amuse you, here is what the docs say for the opposite option, -nosalt:
This is the default for compatibility with previous versions of OpenSSL and SSLeay.
That is just phrased weirdly, kind of making it sound like it’s only the default in some cases. Instead of “for” do they mean “to provide”? Very odd. The output would indicate that -nosalt is not the default. Just put -salt in to be safe.
To decrypt the file:
openssl enc -d -aes256 -in myfile.crypt
Here the addition of the -d option is what makes openssl decrypt the file. -salt only needs to be given for encryption; the salt is read back from the encrypted file. The command as written sends the output to standard output, but you can use the -out parameter if you wish. For my purposes, that would just be one more file I’d need to delete, so if I don’t need to change it I’d rather not create it.
Important Notes
Once you start encrypting files, things get a little crazy, especially if you have Time Machine running. You don’t want to go decrypting those files into folders that get backed up. For this reason I have a /tmp folder in my home directory that I have told Time Machine specifically not to back up. For now, Time Machine does not back up the trash, so you don’t have to worry as much about what happens between deleting the file and emptying the trash.
This is a problem for encrypted disk images to some extent as well, but not quite as much. Time Machine is not a friend to decrypted data, no matter where it comes from.
Secondly, although openssl is amazingly complex, it is equally amazingly unhelpful. Just so you know, the man page for the sub-command enc is retrieved with man enc. Bizarre, I know. Also, there’s no --help option; however, if you just pretend there is, you will often get what you want. It usually responds to options it doesn’t know with a help page.
And finally, like me, you will want to create small scripts to make this faster and so you will remember which encryption algorithm you used. I have named mine enc:
#!/bin/bash
# Encrypt the file named in $1, writing the result to $1.crypt
openssl enc -aes256 -salt -in "$1" -out "$1.crypt"
and dec:
#!/bin/bash
# Decrypt the file named in $1 to standard output
openssl enc -d -aes256 -in "$1"
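A version of the two scripts above that can run unattended, as an added example that is not part of the original post: the passphrase comes from an environment variable rather than a prompt, -pbkdf2 (available in OpenSSL 1.1.1 and later) replaces openssl's weak default key derivation, and a round-trip check confirms the salt header, that two encryptions of the same file differ, and that decryption restores the file. The function names, the CRYPT_PASS variable and the sample note are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the post's enc/dec commands
# in functions, takes the passphrase from $CRYPT_PASS instead of a prompt, and
# adds -pbkdf2 (OpenSSL 1.1.1+) so the key is derived with a real KDF instead
# of openssl's legacy single-pass MD5 derivation.

# Encrypt $1 into $1.crypt. Reading the passphrase from the environment keeps it
# off the command line, where `ps` would show it.
enc_file() {
    openssl enc -aes256 -salt -pbkdf2 -iter 200000 -pass env:CRYPT_PASS \
        -in "$1" -out "$1.crypt"
}

# Decrypt $1 to standard output, as the post's dec script does.
dec_file() {
    openssl enc -d -aes256 -pbkdf2 -iter 200000 -pass env:CRYPT_PASS -in "$1"
}

# Round trip on a constructed plaintext. Returns 0 only if every property
# holds; otherwise prints which one failed and returns 1.
roundtrip_check() {
    dir=$(mktemp -d) || return 1
    printf 'constructed secret note\n' > "$dir/note.txt"
    CRYPT_PASS='constructed-test-passphrase'; export CRYPT_PASS

    enc_file "$dir/note.txt" || { echo "encrypt failed"; return 1; }
    # -salt writes the magic "Salted__" followed by the 8 random salt bytes.
    [ "$(head -c 8 "$dir/note.txt.crypt")" = "Salted__" ] \
        || { echo "no salt header"; return 1; }
    # A fresh random salt means the same plaintext and passphrase must not
    # produce the same ciphertext twice.
    cp "$dir/note.txt" "$dir/again.txt"
    enc_file "$dir/again.txt" || { echo "second encrypt failed"; return 1; }
    cmp -s "$dir/note.txt.crypt" "$dir/again.txt.crypt" \
        && { echo "identical ciphertext"; return 1; }
    # The right passphrase must give back the exact plaintext.
    dec_file "$dir/note.txt.crypt" > "$dir/out.txt" \
        || { echo "decrypt failed"; return 1; }
    cmp -s "$dir/note.txt" "$dir/out.txt" || { echo "plaintext mismatch"; return 1; }
    # A wrong passphrase must not yield the plaintext (openssl usually reports
    # "bad decrypt" because the CBC padding check fails).
    ( CRYPT_PASS='wrong-passphrase'; export CRYPT_PASS
      dec_file "$dir/note.txt.crypt" > "$dir/bad.txt" 2>/dev/null ) || true
    cmp -s "$dir/note.txt" "$dir/bad.txt" && { echo "wrong key decrypted"; return 1; }
    rm -rf "$dir"
    return 0
}
```

Run roundtrip_check after sourcing the file; a zero exit status means all four properties held.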