APFS folder encryption

apfsencryptionhigh sierra

From the feature list APFS supports per-file encryption. Hence by extension it should be possible to setup an encrypted folder (or at least just the files within that folder) with a password that is different than the user login password. Similarly, it should be possible to encrypt users' home directories with their own respective keys, and render them inaccessible to one another despite whatever their file permission says (similar to what Windows' NTFS able to do since the previous century).

The question is that how to do that from a user's point of view? I've yet to see any UI in the Finder that can do this in macOS High Sierra. Is there a way in the command-line to enable this?

Best Answer

One possible way to do this without resorting to the command line is to create a resizable encrypted volume through Disk Utility. It acts as a folder that is decrypted during the mounting process. It supports APFS and AES 128/256.

To create a new blank encrypted folder:

Disk util > new image > new blank image > set Format: APFS > choose encryption scheme > set Image Format: read/write > OK.

To encrypt an existing folder:

Disk util > new image > new image from folder > APFS > choose encryption scheme > set Image Format: read/write > OK.

This will create the encrypted folder as a .dmg that is decrypted when you mount it. Once mounted it acts just as a normal folder.

Related Solutions

MacOS – Encrypt folder on Mac without dmg file so that the contents can expand in size

You can use a sparse bundle which will expand when the contents increases in size.

Enable advanced image options in Disk Utility.

defaults write com.apple.DiskUtility advanced-image-options 1

Open Disk Utility and select File → New → Disk Image from Folder… or press ⌘N.
Select the folder that you want to encrypt and press Image.
Choose sparsebundle as the Image Format, and choose the level of encryption you require.
Choose a password to encrypt the image and click OK.

If, after removing some files from the sparse bundle, you wish to decrease its size, you can compact it:

hdiutil compact /path/to/folder.sparsebundle

MacOS – Convert between FileVault 2 and Disk Utility encryption

As it turns out, I found the answers to most of this not long after I asked the question. The command-line fdesetup program offers some additional options.

Removing Disk Password

Run sudo fdesetup list -extended and look for the UUID labeled "Disk Passphrase". Then run sudo fdesetup remove -uuid <UUID> to remove it.

This can be used to remove the disk password that was created via Disk Utility, leaving only user login passwords for unlocking the disk.

Removing User from FileVault

Run sudo fdesetup list (-extended isn't needed) to see what users are authorized to unlock the disk, then use sudo fdesetup remove -user <USER> or sudo fdesetup remove -uuid <UUID>.

This can be used to de-authorize users so that only the disk password can be used.

Adding Recovery Key

Run sudo fdesetup changerecovery -personal. This will prompt for a password (anything that's currently enabled to unlock the disk), then display the new recovery key. (Write it down!)

Removing Recovery Key

Run sudo fdesetup removerecovery -personal. As above, this will prompt for a password.

Adding Disk Password

I couldn't find a way to do this in-place — sudo diskutil cs passwd seems like it ought to work, but it requires there to be an "old" disk password already.

However, you can turn off FileVault using the preferences window (which decrypts the disk), then use sudo diskutil cs encryptLV <UUID> to re-encrypt it with a disk password. This is slow, since it has to decrypt and re-encrypt all the data, but it works.