My new MacBook Pro just arrived and I’m spending a good part of the day setting her up. As I write this, I’m in the process of using TrueCrypt, which has only recently become available for Mac OS X, to create an encrypted partition on my Mac hard drive. I’ve done this before on my Ubuntu laptop, and it has worked great. What follows is a summary of my experience with TrueCrypt on the Mac and a step-by-step for you to try at home.
An encrypted partition provides you with a high level of security, with very little inconvenience or impact on performance. TrueCrypt has two ways of creating encrypted storage: a file container or a whole partition. An encrypted file container is nice because it’s easy to move around … i.e. put on an SD card or thumb drive … for small amounts of sensitive data. For my purpose, I want to encrypt ALL my personal stuff like documents, code, tax returns and records, photos, etc., so an encrypted partition is the way to go.
Encrypting a partition also integrates more seamlessly with your MacBook. I’ve also read reports that it’s faster to access encrypted files from a partition than from file containers. Basically, the encrypted partition looks like a second hard drive in Finder, once you mount it and provide your TrueCrypt passphrase on bootup. It looks and acts just like any drive or folder: you can store files, run applications, create links, etc. TrueCrypt encrypts and decrypts everything on the fly, with virtually unnoticeable overhead. If your laptop ever turns up in the hands of a bad guy or rogue customs agent, they wouldn’t be able to access any of the data on the encrypted partition without your passphrase.
Sounds good? Read on to find out how …
I. Create a new Partition
Your MacBook comes with a pretty big hard drive (mine is 200GB), but it’s probably configured as just one big volume … that’s how most laptops are. You can use Disk Utility to resize your main “Macintosh HD” partition to allow some space for your new encrypted one.
WARNING: Disk Utility is not supposed to destroy any data in this process, and it worked fine for me. However, I still recommend you back stuff up anyway, in case of a problem or failure. Disk partitions gone wrong can be disastrous to your data.
- Insert your Mac OS X install CD
- Choose the Install Mac OS X app from the CD, and click the restart button
- Your Mac will boot from the CD. After you select your language, don’t continue with the installation. Instead, look up to the menu bar and choose Disk Utility from the Utilities menu.
- Highlight your hard drive and then click over to the Partition panel
- Now you can resize your “Macintosh HD” to make room for a new partition. Click the little resize handle in the bottom right of the graphic, and drag your HD smaller. I shrank my Macintosh HD to leave about 80GB for my encrypted partition … should be enough for all my stuff.
- Now that you have some space, click the plus icon to add a new partition in the freed space. You can tweak the sizes of the two partitions to your liking, and create a name for your new one (I called mine just “Data”). Be careful not to make any other changes to Macintosh HD … we don’t want to risk data loss.
- Leave the Format setting at the default (TrueCrypt will reformat the drive later anyway) and click Apply.
- Hold your breath … and you’ve just repartitioned your hard drive!
- Now exit Disk Utility, then go back to Utilities -> Startup Disk and change the boot disk back to “Macintosh HD” and reboot. If everything goes as planned, you should be back at your desktop, and a new hard drive called “Data” shows up right there next to “Macintosh HD”.
II. Install TrueCrypt and Encrypt the Partition
Now we have to set up the encrypted volume. There are a few options here, and I recommend that you read and understand the TrueCrypt documentation first.
- Eject the empty “Data” drive by right-clicking on it on the desktop
- Download TrueCrypt and install it. I wrote this guide using TrueCrypt 6.0a.
- Launch TrueCrypt from Applications, and click the Create Volume button
- Choose the second option, “Create a Volume within a Partition/Device”
- Select your new partition (you should be able to identify it by the size and the device, mine was on /dev/rdisk0s3)
- Now there are several options to choose. I did not need the crazy security of a hidden volume, so I went with the standard encrypted volume. I also stuck with the AES encryption default. Go through the dialogues to create your encryption keys and passphrase or keyfile.
- Next, you need to reformat the drive. This will take a while, mine took about an hour. I may have been able to get by with a “Quick Format” but I wasn’t sure, so I did the full format. Click through all the scary warning messages and get it started …
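On the Quick Format question: a full format fills every sector of the volume with random-looking data, while a quick format leaves whatever was already on the partition in place. The following check is an added example, not part of the original guide or of TrueCrypt; it samples blocks from a seekable binary stream (an image or an unmounted partition opened read-only) and reports any that do not look random. The sample image, block size and threshold are constructed for illustration.

```python
import io
import math
import os
from collections import Counter

BLOCK = 4096        # bytes per sampled block (assumed sample size)
THRESHOLD = 7.5     # bits/byte; 4 KiB of random data measures about 7.95

def entropy(block: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return sum(c / n * math.log2(n / c) for c in Counter(block).values())

def low_entropy_blocks(dev, stride=1, threshold=THRESHOLD):
    """Sample every stride-th BLOCK of a seekable binary stream.

    Returns (offset, entropy) for each sampled block that does not look
    random, i.e. space a quick format left untouched or data that was
    never encrypted.
    """
    findings = []
    size = dev.seek(0, os.SEEK_END)
    for offset in range(0, size - BLOCK + 1, BLOCK * stride):
        dev.seek(offset)
        h = entropy(dev.read(BLOCK))
        if h < threshold:
            findings.append((offset, round(h, 2)))
    return findings

def constructed_image():
    """Constructed 8-block sample: random data with two leftover blocks."""
    blocks = [os.urandom(BLOCK) for _ in range(8)]
    blocks[2] = (b"2007 tax return draft\n" * 200)[:BLOCK]  # old file content
    blocks[5] = bytes(BLOCK)                                 # zero-filled sectors
    return io.BytesIO(b"".join(blocks))

if __name__ == "__main__":
    for offset, h in low_entropy_blocks(constructed_image()):
        print(f"offset {offset:#x}: {h} bits/byte, not random")
```

On a large partition, raise `stride` to sample a subset of blocks; an empty result only says the sampled blocks looked random.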
III. Mount your Encrypted Drive
Once the formatting is done, you’re ready to start saving your encrypted files. You’ll be brought back to the main TrueCrypt screen where you can now mount your new encrypted drive.
You’ll have to do this every time you boot your computer, to re-mount your encrypted partition.
- Click on the first “Slot” and click Select Device.
- Choose your encrypted partition (e.g. /dev/rdisk0s3), click OK, and then click Mount
- In the Mount dialogue, click the Options button and you can change the Mount Location. To be more Mac-like, I called it “/Volumes/Data”
- Type in your passphrase and click OK
After a couple of seconds, your new encrypted drive should pop up on your desktop and in Finder and you’re ready to go!



Why not use FileVault which comes standard with OS X?
Yo! Nice guide… BUT! TrueCrypt 4 Mac (currently speaking 17.7.2008) formats only with FAT32… which SUCKX because of the lack of support 4 1. Big Files x > 4GB 2. File Access Rights 3. several other reasons….
TrueCrypt 4 windoz supports at least NTFS!
What now?
FileVault also has its limitations… my colleague said… I can’t remember the issues but he had some trouble with it…
FileVault doesn’t work with external volumes, for example.
Why would you need File Access Rights on an encrypted partition. Only one person is going to know the passphrase. This is not for sharing files.
Yes TrueCrypt itself will only create a FAT32 volume—but there is nothing stopping you from accessing that FAT32 volume within Disk Utility and “erasing” it to HFS+ (MacOS Extended). As long as you only erase the FAT32 volume, and not the entire disk, your encryption remains intact.
Thanks for this great guide!
Problem: I’ve set up different accounts for daily use & administrative access (as recommended). From my standard non-admin account, I can’t mount the TC volume. I’ve seen some posts indicating I should edit using visudo… tried that & still no luck.
Question 1: Is there any way to make it so I can mount the TC volume from a non-admin account?
Question 2: If not, that’s a deal-breaker for me & I’ll have to give up on TC… but how do you remove the encrypted volume on a Mac? I can find no instructions for this anywhere! The TC site has instructions for Windows, but not OSX.
Any help towards resolving either of these questions would be greatly appreciated. Thanks again! ST