You can use a sparse bundle, which will expand as its contents increase in size.
Enable advanced image options in Disk Utility.
defaults write com.apple.DiskUtility advanced-image-options 1
Open Disk Utility and select File → New → Disk Image from Folder… or press ⌘N.
Select the folder that you want to encrypt and press Image.
Choose sparsebundle as the Image Format, and choose the level of encryption you require.
Choose a password to encrypt the image and click OK.
If, after removing some files from the sparse bundle, you wish to decrease its size, you can compact it:
hdiutil compact /path/to/folder.sparsebundle
As it turns out, I found the answers to most of this not long after I asked the question. The command-line fdesetup program offers some additional options.
Removing Disk Password
Run sudo fdesetup list -extended and look for the UUID labeled "Disk Passphrase". Then run sudo fdesetup remove -uuid <UUID> to remove it.
This can be used to remove the disk password that was created via Disk Utility, leaving only user login passwords for unlocking the disk.
Removing User from FileVault
Run sudo fdesetup list (-extended isn't needed) to see what users are authorized to unlock the disk, then use sudo fdesetup remove -user <USER> or sudo fdesetup remove -uuid <UUID>.
This can be used to de-authorize users so that only the disk password can be used.
Adding Recovery Key
Run sudo fdesetup changerecovery -personal. This will prompt for a password (anything that's currently enabled to unlock the disk), then display the new recovery key. (Write it down!)
Removing Recovery Key
Run sudo fdesetup removerecovery -personal. As above, this will prompt for a password.
Adding Disk Password
I couldn't find a way to do this in-place — sudo diskutil cs passwd seems like it ought to work, but it requires there to be an "old" disk password already.
However, you can turn off FileVault using the preferences window (which decrypts the disk), then use sudo diskutil cs encryptLV <UUID> to re-encrypt it with a disk password. This is slow, since it has to decrypt and re-encrypt all the data, but it works.
Best Answer
One possible way to do this without resorting to the command line is to create a resizable encrypted volume through Disk Utility. It acts as a folder that is decrypted during the mounting process. It supports APFS and AES 128/256.
To create a new blank encrypted folder:
Disk util > new image > new blank image > set Format: APFS > choose encryption scheme > set Image Format: read/write > OK.
To encrypt an existing folder:
Disk util > new image > new image from folder > APFS > choose encryption scheme > set Image Format: read/write > OK.
This will create the encrypted folder as a .dmg that is decrypted when you mount it. Once mounted it acts just as a normal folder.