DiskUtility, available exclusively on macOS machines, is optimized to create encrypted spaces on both your computer and external storage devices.
This piece is a part of a series of guides about encryption for media makers; take a look at the full collection. We recommend you review our introduction to encryption piece for pro-tips and a technical glossary before proceeding with the step-by-step instructions below.
macOS users can use Disk Utility to wipe and encrypt external storage devices, and create encrypted disk images on a computer’s local file system. You can find Disk Utility in a Spotlight search, or in the Finder application via Applications > Utilities.
Let’s imagine that we are starting work on a feature-length documentary film. We will be capturing footage for the next couple of years for the project. Some of this footage contains first person interviews with sensitive sources. We want to take extreme care to make multiple copies, or backups, of this integral footage. Likewise, we want to protect our source with added technical safeguards placed on the backup hard drives.
During every stage of a film project, there remains unused footage, cuts, and other material that requires safekeeping. For some film teams, the risk of confiscation of storage devices is extremely likely while shooting in the field. When we encrypt storage media, we are protecting the data it will hold, erecting barriers that make it difficult and costly for unwanted third parties to access.
Open up Disk Utility and insert the external storage device you want to format for encryption.
We’ll be starting this example with a 32GB SanDisk Ultra USB drive, formatted with an unencrypted partition named Untitled 2.
The drive in this example has already been formatted with a GUID Partition Map scheme, a prerequisite for encryption in macOS. If your storage device isn’t already formatted in this scheme, that’s okay. Just go ahead and format it from its current state to GUID Partition Map scheme and proceed.
Select the top-level device name (SanDisk Ultra… in this example) and select the Erase option at the top of the utility window. This is important. This designates that all the data on your entire device will be erased and reformatted to an encrypted state, not just a volume within it (such as demo in this example).
Name: You can name your encrypted device whatever you’d like. For this example, we’ll use the name project.
Format: Make your selection the default APFS (Case-sensitive, Encrypted).
Scheme: To encrypt devices in Disk Utility, you’ll need to use GUID Partition Map.
When you’ve finished configuring your formatting options to your specifications, click Erase.
You’ll be asked to enter your encryption passphrase. Use a long, unique passphrase for this step. Make sure you memorize it, write it down in a secure physical location, or store it in your password manager tool for safekeeping.
Once formatting is complete, you’ll see your encrypted volume name on the left hand navigation of your Disk Utility window.
Now let’s unmount — or disconnect — our storage device. Re-insert it, and go through the workflow for decrypting and adding files to the device.
Open up a Finder window and insert your encrypted storage device. You’ll be prompted to enter your passphrase before you can read and make changes to its contents.
With your device decrypted and mounted, we’ll copy over a folder containing raw master footage for long-term backup storage. Once you’re done, go ahead and unmount the volume by hitting the eject icon on the left side of your Finder window.
You might simply want to create a password-protected container you can throw onto a cloud service before travel. In some cases, you might need to restrict local access to a set of files on a shared computer. These types of cases present the perfect opportunity to incorporate encrypted file containers into your data protection workflow.
It might sound like overkill to create an encrypted image within your hard disk (assuming the hard disk is already fully encrypted, which it should be), but there are some novel ways a media maker might want to leverage this utility.
Let’s say you want to move a set of files on your desktop to an encrypted disk image for safekeeping. First, open up Disk Utility and navigate to File > New Image > Blank Image...
Depending on how you plan to use the disk image, your configuration may differ slightly from what's one used in this example.
Size: The default image size in Disk Utility is 100MB. We bumped it up to 5GB. You can designate any size you’d like so long as your computer has the space for it. You can always resize the image at any time through the top navigation in Disk Utility, under Images > Resize...
Format: The best format for handling files on the newest versions of macOS is APFS (Case-sensitive). Assuming you won’t be taking this disk image between operating systems, you can stick with the default.
Encryption: Opt for the strongest encryption option, 256-bit AES encryption. Don’t forget to use a strong passphrase to lock your data down. Memorize your passphrase or note it in a secure space so that you don’t lose access to your data.
Partition: You can keep the default, Single partition - GUID Partition Map.
Image Format: Stick with read/write disk image so that you can easily add to and modify the contents of your disk image from anywhere.
Double check that you’ve recorded your encryption passphrase somewhere secure, and go ahead and click Save.
From a Finder window, you should now see your new disk image, named projectbackup.dmg in this example. Double click on it to mount it. You’ll be prompted to enter your encryption passphrase, keeping the Remember my password in my keychain option unchecked.
Once you’ve mounted your disk image, you’ll notice a new volume, Untitled, available under the Devices menu on the left hand of your Finder window. This is where you’ll add and modify the files on your disk image. When you're done, you can unmount it and encrypt its contents by hitting the eject icon in your Finder window.