Industry guru Dave Taylor answers free tech support questions about a wide variety of business and technical topics, including blogging, Google AdSense, MySpace, Sony PSP, Apple iPod, Mp3 players, management, Linux, SEO, Mac OS X, Facebook, Twitter, LinkedIn and Microsoft Windows.

How can I secure / encrypt folders on my Mac's USB flash drive?

Dave, I've recently bought a little USB flash drive and am finding it is a great way to transport files between my office and home. And it's tiny! However, my only concern is that if I lose it, someone else can easily get access to all of my stuff by plugging it into their own computer. What can I do to minimize this? Encrypt or secure the data? Or...?

Dave's Answer:

I too just bought one of these wonderful little drives and am using it as a keychain. Amazing. 512MB in something no bigger than a pack of gum.

However, I too have the same concerns about losing the drive, and here's what I've been thinking about: first, since I'm using it as a Mac drive, odds are that if it were found, it'd be plugged into a PC, which, since I've formatted it as a Mac drive, means that the computer will promptly ask if they want to format it for use, which means all of my data was just wiped out without them ever seeing it.

However, they might have a Mac, or they might be curious and plug it into a Mac so that isn't really any sort of solution to the problem...

The official Apple way to solve this is to use FileVault, which offers 128-bit Advanced Encryption Standard. What I haven't figured out, though, is whether FileVault lets me encrypt a folder and its contents, or whether it's only for, as the Apple help material says, "encrypting the information in your home folder."

A better strategy is to go to VersionTracker and search for 'encryption', where you'll find lots of choices, including notably PuzzlePalace (from Brian Hill, the author of the popular MacJanitor program), and Encryptor from one of my favorite shareware groups, SubRosaSoft. Both of these will set you back a few dollars, but it's a good cause.

Another solution is to use an application like Stuffit Standard or Deluxe to create an archive that has a password. Easy to do, and you might well already have Stuffit on your computer.

If you don't want to spend any money on shareware, there's another way to work with these external drives that's perhaps a bit more involved, but effective, highly secure, and easy once you figure it out...

Open up Terminal (Applications->Utilities->Terminal) and create a tar archive of the files and folders you want to transfer. In this instance, I'm going to archive and encrypt the contents of a folder called "HTML for Dummies":

$ tar czf html.tgz ./HTML\ for\ Dummies/
$ ls -l html.tgz
-rw-r--r--  1 taylor  staff  2662400 28 Nov 09:25 html.tgz

The end result is that I now have a file called "html.tgz" that's a compressed tar archive, containing a copy of all the files and folders within the original HTML directory. It's still not encrypted, however, and to accomplish that, we're going to rely on the powerful encryption utilities included with the SSL library that's built into Mac OS X.

These SSL utilities are accessed via the rather confusing openssl command, like this:

$ openssl des3 -salt -in html.tgz -out html.tgz.des3
enter des-ede3-cbc encryption password:
Verifying - enter des-ede3-cbc encryption password:
$ ls -l html*
-rw-r--r--  1 taylor  staff  2662400 28 Nov 09:25 html.tgz
-rw-r--r--  1 taylor  staff  2662424 28 Nov 09:26 html.tgz.des3

Now there's a new tar archive, one that's actually encrypted using the powerful DES3 cipher. Still with me? Let's just confirm that this new archive file doesn't actually work with tar (which it shouldn't, since it's encrypted):

$ tar tzf *des3

gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error exit delayed from previous errors

Good! That's the file that I'd copy across to my flash drive, knowing that it's safely encrypted from prying eyes, yet quite easy to decrypt and restore on my other computer:

$ openssl des3 -d -salt -in html.tgz.des3 -out html.tgz
enter des-ede3-cbc decryption password:
$ tar xzf html.tgz
$

That's all there is to it.

If this appeals to you, then it could be a very useful shell script to write, one that would let you have a folder on your Desktop called, say, BackAndForth, where everything therein would be automatically archived with tar, encrypted with openssl, and then copied onto the flash drive, all with a single typed command.

However, given that this wouldn't be too difficult, I am surprised that there aren't any nice sync utilities designed specifically for flash drives and Mac OS X. If you know of one, please do add a link and I'll check it out!
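The BackAndForth script idea from the answer above, written out as an added example (it is not Dave's own code). The /Volumes/FLASH mount point, the FLASH_PASS_SRC variable and the function names are assumptions, and AES-256-CBC with -pbkdf2 (OpenSSL 1.1.1 or later) is swapped in for the article's des3:

```shell
#!/bin/sh
# Added example (not from the article): encrypted hand-off of one folder.
# Assumed names: ~/Desktop/BackAndForth, /Volumes/FLASH, FLASH_PASS_SRC.
set -eu

# Cipher options shared by both directions. AES-256 with PBKDF2 key
# derivation is swapped in here for the article's "des3".
ENC_OPTS="-aes-256-cbc -pbkdf2 -iter 200000"

# FLASH_PASS_SRC (hypothetical variable) may hold an openssl pass-phrase
# source such as "env:FLASH_PW"; when unset, openssl prompts on the terminal.

pack() {    # pack SRC_DIR DEST_DIR  -> prints the path of the encrypted file
    src=$1
    dest=$2
    name=$(basename "$src")
    out="$dest/$name.tgz.enc"
    umask 077
    # Stream tar into openssl so no plaintext archive is written to disk.
    tar czf - -C "$(dirname "$src")" "$name" |
        openssl enc $ENC_OPTS -salt \
            ${FLASH_PASS_SRC:+-pass "$FLASH_PASS_SRC"} -out "$out.tmp"
    # Rename only after openssl finished, so a partial file never looks valid.
    mv "$out.tmp" "$out"
    printf '%s\n' "$out"
}

unpack() {  # unpack ENCRYPTED_FILE DEST_DIR
    mkdir -p "$2"
    openssl enc -d $ENC_OPTS \
        ${FLASH_PASS_SRC:+-pass "$FLASH_PASS_SRC"} -in "$1" |
        tar xzf - -C "$2"
}

# Command-line entry point; with no arguments the file only defines functions.
case "${1:-}" in
    pack)   pack "${2:-$HOME/Desktop/BackAndForth}" "${3:-/Volumes/FLASH}" ;;
    unpack) unpack "${2:?encrypted file}" "${3:-$HOME/Desktop}" ;;
esac
```

openssl enc in CBC mode gives confidentiality only: a modified file is not reliably rejected on decryption, so treat the restored folder as unverified if the drive has been out of your hands.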




Comments

Here's good news! It turns out that the USB flash drive I bought is the Lexar JumpDrive Secure, and according to my friend Derrick Story at O'Reilly, it comes with some very useful software that lets me easily create an encrypted partition on the drive. Derrick's article is at http://www.macdevcenter.com/pub/a/mac/2004/08/20/secure_flash.html if you'd like to read it.

That doesn't address synchronization issues, but it does address the security concern that every flash drive owner should be thinking about.

Posted by: Dave Taylor at November 28, 2004 11:55 PM

The technique I prefer is to store an encrypted disk image on the USB flash drive.

To create it, either (GUI) use the Disk Utility Images menu, or (Terminal) use the hdiutil command. See help/man respectively for more details.

All FileVault does is create a sparse, encrypted disk image of your home directory, auto-mount it when logged in, dismount it when logged out, plus a few other automatic details.

/John

Posted by: John Wenn at November 29, 2004 6:33 AM

My problem is that I need an encryption solution that works with both my Mac and my PC at the office. I would like a volume on the USB Drive that contains all my files I want to keep safe, then I have a small linux virtual machine on it also that I use that I wish I could secure. Any ideas for these? Thanks

Posted by: Tim at December 1, 2004 11:10 AM

Using an encrypted tar archive or ZIP file would certainly be portable across platforms. In terms of finding a platform neutral encrypted file system, I'm not sure that exists...

Posted by: Dave Taylor at December 1, 2004 4:12 PM

For a cross-platform encryption tool, check out Pretty Good Privacy (PGP). I haven't tried it yet, but when this question has come up recently in other forums, that seems to be the best solution.

See http://www.pgpi.org/

(Of course, one could argue that putting these files on your Windows system is a bigger security risk than having your files unencrypted on the flash drive in your pocket....) heh heh heh

Posted by: David E. Frank at December 2, 2004 8:49 PM

Try ChronoSync to sync between your hard drive and a flash drive.

http://www.econtechnologies.com/

I use it to do just what you're looking for: hard drive to Flash drive

Works great!

Posted by: Dustin Macdonald at March 7, 2007 3:58 PM

Some thoughts--

1. Dave suggests using tar and then gzip to consolidate your files into one file, and compress that file. A problem with this technique is that, if one is using Panther or earlier, resource data will be deleted. So, if you are using Panther or earlier, use “ditto” instead.

There’s a nice applescript for encrypting data using openssl, available here:
http://scriptbuilders.net/files/encryptlet1.1.4.html

2. For cross-platform encryption, I would suggest GPG, which is available as a command-line application with a graphical installer for both Mac OS X and Windows XP. Here are some links for that:
http://www.gnupg.org/download/#auto-ref-2
http://macgpg.sourceforge.net/

If you are using OS X 10.3 or earlier, I recommend that you get Developer Tools and compile GPG yourself, so you can get the newest copy. As before, you should use ditto before gpg-encrypting your data.

Posted by: Alex at November 8, 2007 1:10 PM

Dave, does this work for Music players?

Posted by: Julius at January 20, 2008 10:19 PM
