Channel: PDF – The Eclectic Light Company

How to store data and files securely using macOS


While it’s popular among third-party password managers to offer support for secure storage of files and other data beyond standard secrets like passwords, keys and certificates, macOS keychains are more limited. They can store secure notes, but those are currently only accessible in file-based keychains, and there’s no facility for larger files or arbitrary content. This article lists some of the other options provided by macOS, each of which is free, secure, and doesn’t rely on any external service, even iCloud. Because of the architectural differences between Intel Macs without a T2 chip and more recent models, I limit coverage to Intel Macs with T2 chips and Apple silicon Macs, with their Secure Enclave.

FileVault

We tend to overlook the importance of FileVault, but when enabled it provides excellent protection to the entire contents of the Data volume, normally including everything in your Home folder. However, it doesn’t cover volumes on external storage, unless they’re Data volumes in another boot volume group with FileVault enabled there. On internal storage, enabling FileVault costs nothing in performance or re-encryption time, as your password isn’t used to encrypt the volume itself, but controls access to the Volume Encryption Key (VEK) used for that purpose. For internal SSDs, that key management is performed in the Secure Enclave, making it practically impossible to extract the key or circumvent the protection.

Apple provides full details in its Platform Security Guide, with a detailed account of the Secure Enclave across Apple’s different chips.
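The key hierarchy just described (password unlocks the VEK, the VEK encrypts the data) is what makes enabling FileVault and changing its password instant: only the small wrapped key is rewritten, never the volume. The following model is an added example written for this article, not Apple’s code. It stands in a toy HMAC-based stream cipher and PBKDF2 for the AES hardware and Secure Enclave key handling of the real design, so it illustrates the structure only; the class and function names are my own.

```python
# Added model of the FileVault key hierarchy: the user password never touches the
# data, it only wraps and unwraps a random per-volume key (VEK). Toy crypto, not Apple's.
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 counter keystream XORed with data.
    Stands in for the AES used on real hardware; the same call encrypts and
    decrypts. Each key must be used for one message only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def derive_kek(password: str, salt: bytes) -> bytes:
    """Key Encryption Key from the user's password (PBKDF2 here; in the real
    design the Secure Enclave mixes in its own hardware-bound key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


class ModelVolume:
    """A volume whose data is encrypted under a random VEK; the password only
    wraps and unwraps that VEK, so a wrong password reveals nothing."""

    def __init__(self, password: str, plaintext: bytes) -> None:
        vek = secrets.token_bytes(32)          # per-volume key, never derived from the password
        self.ciphertext = keystream_xor(vek, plaintext)
        self._wrap_vek(password, vek)

    def _wrap_vek(self, password: str, vek: bytes) -> None:
        self.salt = secrets.token_bytes(16)    # fresh salt, so a fresh KEK, on every wrap
        kek = derive_kek(password, self.salt)
        self.wrapped_vek = keystream_xor(kek, vek)
        # integrity tag lets us detect a wrong password instead of returning garbage
        self.tag = hmac.new(kek, self.wrapped_vek, hashlib.sha256).digest()

    def _unwrap_vek(self, password: str) -> bytes:
        kek = derive_kek(password, self.salt)
        expected = hmac.new(kek, self.wrapped_vek, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self.tag):
            raise PermissionError("wrong password: the VEK stays locked")
        return keystream_xor(kek, self.wrapped_vek)

    def read(self, password: str) -> bytes:
        """Unlock the VEK with the password, then decrypt the data with the VEK."""
        return keystream_xor(self._unwrap_vek(password), self.ciphertext)

    def change_password(self, old: str, new: str) -> bool:
        """Re-wrap the VEK under a new password. Returns True if the encrypted
        data was left untouched, which is always the case: nothing is re-encrypted."""
        vek = self._unwrap_vek(old)
        before = self.ciphertext
        self._wrap_vek(new, vek)
        return self.ciphertext == before


if __name__ == "__main__":
    vol = ModelVolume("correct horse", b"contents of the Data volume")
    print(vol.read("correct horse"))
    print("data untouched by password change:", vol.change_password("correct horse", "battery staple"))
```

The same structure explains the external-storage caveat above: a volume on another disk has its own VEK, so your login password only helps if that volume’s key is wrapped for you as well.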

APFS Encrypted volumes

When you format a volume using APFS (Encrypted), it isn’t the same as FileVault, but the whole of the volume including all its file data and the file system itself is encrypted using software, giving it excellent protection. As APFS volumes share free space with other volumes in the same container, adding an encrypted volume incurs little overhead, but lets you store files securely on the same disk as unencrypted data (in regular APFS volumes). If you want several stores with different passwords, then this is a good solution particularly when you want the encrypted volumes mounted all the time that the disk is in use.

Encrypted disk images

In the last couple of years, the behaviour of disk images in macOS has changed significantly when they’re stored on APFS volumes. Previously, the type of disk image that performed best in terms of space required was the sparse bundle, which grows in size to accommodate more data on demand, and can be compacted to take less space on disk when possible.

Now, as long as they’re stored on an APFS volume, the traditional read-write UDIF disk image is automatically converted to sparse file* format, and its free space is compacted each time it’s mounted, making it more space-efficient than sparse bundles. If you want an encrypted store that will only be mounted occasionally, and has its own password, an encrypted read-write UDIF disk image with internal APFS (or HFS+) format is now the better option, provided that it remains on APFS volumes.

At present, there’s also a bug in changing the password of encrypted sparse bundles (but not of disk images) that makes sparse bundles an unwise option until it has been fixed.

While Disk Utility makes perfectly good read-write UDIF disk images, if you’re intending to use them much I thoroughly recommend C-Command’s DropDMG.
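Both an APFS Encrypted volume (previous section) and an encrypted read-write UDIF image can also be created from Terminal, with `diskutil apfs addVolume` and `hdiutil create` respectively. The one detail worth getting right is how the passphrase reaches the tool: both accept it on the command line, but that leaves it visible in the process list and in shell history, so the script below always passes it on standard input (`-stdinpass` for hdiutil, `-stdinpassphrase` for diskutil). This is an added example, not code from the article or from Apple; the function names, the sample plist output and the `dry_run` switch (which skips execution off macOS) are my own, and the diskutil line-ending behaviour is an assumption to check against `diskutil apfs` usage on your system.

```python
# Added example: create and mount encrypted stores with hdiutil/diskutil, keeping the
# passphrase out of argv, and read the mount point back from hdiutil's plist output.
import platform
import plistlib
import subprocess
from typing import List, Optional


def create_dmg_argv(path: str, size: str, volname: str, fs: str = "APFS") -> List[str]:
    """hdiutil arguments for a read-write UDIF image, AES-256 encrypted,
    with the passphrase read from standard input rather than the command line."""
    return ["hdiutil", "create", "-size", size, "-fs", fs, "-volname", volname,
            "-type", "UDIF", "-encryption", "AES-256", "-stdinpass", path]


def attach_dmg_argv(path: str) -> List[str]:
    """Mount the image; -plist makes hdiutil report the result as a property list."""
    return ["hdiutil", "attach", "-stdinpass", "-plist", path]


def add_apfs_volume_argv(container: str, name: str) -> List[str]:
    """diskutil arguments for a new encrypted APFS volume in an existing container
    (container is a device such as 'disk3'; find it with 'diskutil apfs list')."""
    return ["diskutil", "apfs", "addVolume", container, "APFS", name, "-stdinpassphrase"]


def run_with_passphrase(argv: List[str], passphrase: str,
                        dry_run: Optional[bool] = None) -> Optional[bytes]:
    """Run argv with the passphrase on stdin. Off macOS (or with dry_run=True)
    nothing is executed and None is returned, so the argv can still be inspected."""
    if passphrase in argv:
        raise ValueError("passphrase must not be a command-line argument")
    if dry_run is None:
        dry_run = platform.system() != "Darwin"
    if dry_run:
        return None
    # hdiutil reads the passphrase up to the first NUL or EOF, so no newline is appended;
    # assumption: diskutil -stdinpassphrase is happy with the same input.
    completed = subprocess.run(argv, input=passphrase.encode(), check=True, capture_output=True)
    return completed.stdout


def mount_point_from_plist(plist_bytes: bytes) -> Optional[str]:
    """Pick the mounted filesystem out of 'hdiutil attach -plist' output."""
    info = plistlib.loads(plist_bytes)
    for entity in info.get("system-entities", []):
        if entity.get("mount-point"):
            return entity["mount-point"]
    return None


# Constructed sample of what 'hdiutil attach -plist' prints for an APFS image
SAMPLE_ATTACH_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>system-entities</key>
  <array>
    <dict>
      <key>content-hint</key><string>GUID_partition_scheme</string>
      <key>dev-entry</key><string>/dev/disk9</string>
    </dict>
    <dict>
      <key>content-hint</key><string>Apple_APFS</string>
      <key>dev-entry</key><string>/dev/disk9s1</string>
    </dict>
    <dict>
      <key>content-hint</key><string>APFS</string>
      <key>dev-entry</key><string>/dev/disk10s1</string>
      <key>mount-point</key><string>/Volumes/SecureStore</string>
    </dict>
  </array>
</dict>
</plist>
"""


def create_and_mount(path: str, size: str, volname: str, passphrase: str,
                     dry_run: Optional[bool] = None) -> Optional[str]:
    """Create the encrypted image, mount it, and return its mount point (None when dry)."""
    run_with_passphrase(create_dmg_argv(path, size, volname), passphrase, dry_run)
    out = run_with_passphrase(attach_dmg_argv(path), passphrase, dry_run)
    return mount_point_from_plist(out) if out else None


if __name__ == "__main__":
    print(create_and_mount("SecureStore.dmg", "1g", "SecureStore", "correct horse battery staple"))
```

Unmount with `hdiutil detach` on the mount point returned, and use `hdiutil chpass` rather than recreating the image when you want a new passphrase; as noted above, that password change is the step currently broken for sparse bundles, which is one more reason to prefer UDIF images on APFS.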

Encrypted archives

Apple’s Archive Utility, bundled in macOS but hidden away in /System/Library/CoreServices/Applications, can create Apple Encrypted Archives, compressed efficiently, and protected using an encryption key. Although this might appear attractive, it’s incompletely implemented at present in macOS Ventura, where there’s no option other than using the key supplied by the app, which must be saved to the keychain and can’t readily be accessed by the user. If Apple completes this feature, it could prove useful in future macOS.

Locked Notes

Recent versions of Apple’s Notes app support locked notes, which can be stored either locally or in iCloud. Notes aren’t saved as documents, but stored in databases; if you like using them, they’re a convenient and reliable way of securing snippets of information.

Encrypted documents

Although APFS can encrypt individual files, that requires the use of hardware encryption, and isn’t currently documented or exposed to the user. Specific document formats such as PDF have their own support for securing or locking documents. Although some work well, and across platforms, their security isn’t always guaranteed and you’re normally better off using one of the solutions provided by macOS.

Recommended methods

  • FileVault, all users, whole Data volume
  • APFS Encrypted volumes, robustly encrypted and of variable size
  • Encrypted read-write UDIF disk images, efficient use of space on APFS
  • Locked Notes, accessible snippets stored locally or shared in iCloud.

* sparse files and bundles are completely different. A sparse file normally contains significant amounts of empty space; to make their storage more efficient, APFS uses a format that doesn’t use any disk space for that empty data, but only stores the real data in the file. A sparse bundle is a folder in which a disk image is spread across many ‘band’ files; this too economises on the space required, but works in a completely different way.
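To see what the sparse-file conversion described in the Encrypted disk images section actually buys you, compare a file’s apparent length with the blocks allocated to it, as this added example does (my code, not the article’s; the function names are my own, and it models an image file with a plain sparse file rather than calling `hdiutil`). It runs on APFS and on Linux filesystems alike, since both report allocation through `st_blocks`.

```python
# Added example: apparent size versus allocated blocks, the difference that makes a
# read-write image on APFS cheap until real data is written into it.
import os
import tempfile
from typing import Dict, Tuple


def size_report(path: str) -> Dict[str, int]:
    """Apparent size (what 'ls -l' shows) versus blocks actually allocated on disk
    (what 'du' shows). st_blocks is in 512-byte units on both macOS and Linux."""
    st = os.stat(path)
    apparent = st.st_size
    allocated = st.st_blocks * 512
    return {"apparent_bytes": apparent, "allocated_bytes": allocated,
            "is_sparse": allocated < apparent}


def make_sparse_file(path: str, apparent_size: int) -> None:
    """Create a file whose length is apparent_size but which holds no data yet;
    the filesystem records the empty range without allocating blocks for it."""
    with open(path, "wb") as f:
        f.truncate(apparent_size)


def sparse_demo(apparent_size: int = 64 * 2**20,
                written: int = 1 << 20) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Model the life of a read-write image: an empty image costs almost nothing,
    and blocks are only allocated as real data is written into it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "model.img")
        make_sparse_file(path, apparent_size)
        before = size_report(path)
        with open(path, "r+b") as f:           # write non-zero data at the start of the file
            f.write(b"\xaa" * written)
            f.flush()
            os.fsync(f.fileno())               # settle delayed allocation before measuring
        after = size_report(path)
        return before, after


if __name__ == "__main__":
    empty, filled = sparse_demo()
    print("empty image :", empty)
    print("after 1 MiB :", filled)
```

In Terminal the same comparison is `ls -l` against `du -h` on the image file; on a sparse bundle you would instead see the number and size of band files inside the bundle folder change.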
