olivia_headshot_new

Digital Security Trainer

Last updated

toolkit-encryption-DU

Before following the step-by-step instructions in this guide, check out our general introduction to encryption for media makers for pro-tips and a technical glossary.

Looking for our guide to encrypting external storage devices and containers on VeraCrypt? You can find it here.

What is Disk Utility? How can I use it?

macOS users can use Disk Utility to wipe and encrypt external storage devices, and create encrypted disk images on a computer’s local file system. You can find Disk Utility in a Spotlight search, or in the Finder application via Applications > Utilities.

So you want to protect the data on your external hard drive, and other storage devices…

Let’s imagine that we are starting work on a feature-length documentary film. We will be capturing footage for the next couple of years for the project. Some of this footage contains first person interviews with sensitive sources. We want to take extreme care to make multiple copies, or backups, of this integral footage. Likewise, we want to protect our source with added technical safeguards placed on the backup hard drives.

Your solution? Creating encrypted external storage for medium- to long-term storage

During every stage of a film project, there remains unused footage, cuts, and other material that require safekeeping. For some film teams, the risk of confiscation of storage devices is extremely likely while shooting in the field. When we encrypt storage media, we are protecting the data it will hold, erecting barriers that make it difficult and costly for unwanted third parties to access.

Encrypting external storage devices on Disk Utility

Step-by-step workflow:

Open up Disk Utility and insert the external storage device you want to format for encryption.

We’ll be starting this example with a 32GB SanDisk Ultra USB drive, formatted with an unencrypted partition that we’ve named demo.

The drive in this example has already been formatted with a GUID Partition Map scheme, a prerequisite for encryption in macOS. If your storage device isn’t preformatted in this scheme, that’s okay. Just go ahead and format it from its current state to GUID Partition Map scheme and proceed.

Select the top-level device name (SanDisk Ultra… in this example) and select the Erase option at the top of the utility window. This is important. This designates that all the data on your entire device will be erased and reformatted to an encrypted state, not just a volume within it (such as demo in this example).

DU_EB_1.png

That will bring you to the formatting options you see above: NameFormat, and Scheme

Name: You can name your encrypted device whatever you’d like. For this example, we’ll use the name encryptedbackup.

Format: Make your selection the default Mac OS Extended (Journaled, Encrypted).

Scheme: To encrypt devices in Disk Utility, you’ll need to use GUID Partition Map.

When you’ve finished configuring your formatting options to your specifications, click Erase.

You’ll be asked to enter your encryption passphrase. Use a long, unique passphrase for this step. Make sure you memorize it, write it down in a secure physical location, or store it in your password manager tool for safekeeping.

Once formatting is complete, you’ll see your encrypted volume name on the left hand navigation of your Disk Utility window.

Now let’s unmount — or disconnect — our storage device. Re-insert it, and go through the workflow for decrypting and adding files to the device.

DU_EB_2.gif

Once you’ve mounted your encrypted volume, you can begin adding files to your storage device.

Open up a Finder window and insert your encrypted storage device. You’ll be prompted to enter your passphrase before you can read and make changes to its contents.

With your device decrypted and mounted, we’ll copy over a folder containing raw master footage for long-term backup storage. Once you’re done, go ahead and unmount the volume by hitting the eject icon on the left side of your Finder window.

So you want to create a secure space for sensitive files on your computer…

You might simply want to create an encrypted container you can throw onto a cloud service before travel. You might need to restrict local access to a set of files on a shared computer. You might want to compartmentalize project assets on your work device. You might want to take precautionary steps against data leakage during a superficial search of your unlocked device.

Your solution? Encrypting containers on your computer to safeguard files.

It might sound like overkill to create an encrypted image within your hard disk (assuming the hard disk is already fully encrypted, which it should be), but there are some novel ways a media maker might want to leverage this utility.

Creating encrypted disk images on Disk Utility

Step-by-step workflow:

DU_DI_1.pngLet’s say you want to move a set of files on your desktop to an encrypted disk image for safekeeping. First, open up Disk Utility and navigate to File > New Image > Blank Image...

DU_DI_2.gif

Now, you’re given options to configure your disk image before the encryption takes place.

Depending on how you plan to use the disk image, your configuration may differ slightly from what's one used in this example.

Size: The default image size in Disk Utility is 100MB. We bumped it up to 5GB. You can designate any size you’d like so long as your computer has the space for it. You can always resize the image at any time through the top navigation in Disk Utility, under Images > Resize...

Format: The best format for handling files on a macOS is Mac OS Extended. Assuming you won’t be taking this disk image to another operating system like Windows or Linux, you should stick with the default. Want a solution to share across multiple operating systems? Review the options in our VeraCrypt guide.

Encryption: Opt for the strongest encryption option, 256-bit AES encryption. Don’t forget to use a strong passphrase to lock your data down. Memorize your passphrase or note it in a secure space so that you don’t lose access to your data.

Partition: You can keep the default, Single partition - GUID Partition Map.

Image Format: Stick with read/write disk image so that you can easily add to and modify the contents of your disk image from anywhere.

Double check that you’ve recorded your encryption passphrase somewhere secure, and go ahead and click Save.

DU_DI_2.gif

Adding files to your encrypted disk image is easy with this workflow.

From a Finder window, you should now see your new disk image, named project.dmg in this example. Double click on it to mount it. You’ll be prompted to enter your encryption passphrase, keeping the Remember my password in my keychain option unchecked.

Once you’ve mounted your disk image, you’ll notice a new volume, Untitled, available under the Devices menu on the left hand of your Finder window. This is where you’ll  add and modify the files on your disk image. When you're done, you can unmount it and encrypt its contents by hitting the eject icon in your Finder window.


Photo by Marco Verch. CC BY 2.0.