How to password protect files and folders in macOS (OSX)
There are times when you want some extra protection for your documents on your Mac. Even if your computer is password protected, there may be situations when someone else has to use it and you’d prefer to limit their access to your personal files like budget spreadsheets and personal journals. Some of us may also need to pass documents to through an untrusted medium such as the internet.
In all of these cases, adding password protection to your documents and folders will help secure them. All of the major office suites support this to some degree and we’ll focus on the following in this article.
- Protecting files and folders using an encrypted disk image
- Export to PDF with password
Password protect macOS documents
Pages, Presentation, and Numbers are the main office applications for macOS. Sierra 10.12.1 comes with Pages 6.0.5, Keynote 7.0.5 and Numbers 4.0.5 as of time of writing. All of those versions offer password protection in the same way. Selecting the
Set Password… option in the File menu opens up a dialogue box to set a password and, optionally, add it to the macOS keychain.
If you check the
Remember this password in my keychain option, then users of your computer will not be prompted for the password when opening the document. It’s probably not suitable if you want to prevent casual users of your computer from accessing the document. But, if the document is stolen or found elsewhere it could not be opened without the password.
When a Pages document is not password protected, the contents of it are readable in any text editor. When it is password protected, the contents become unreadable. This suggests that adding a password to a document performs some level of encryption on the document beyond just adding a password. Both types of documents are opened in this screenshot. Note how the unprotected document in the right pane is readable.
The icon for a password protected document changes to contain a lock icon. This makes it very obvious which documents are password protected on your system. Security is comprised of layers and while obscuring which files are protected is not a deep security measure by itself, it doesn’t help. It would be better from a security standpoint if macOS did not leak this information by the use of different icons.
Whereas an unprotected document icon looks like this.
Change the password on macOS documents
To change or remove the password on a document you will first need to successfully open the document. Select the File menu and note that the
Set Password option is now
Selecting that option will open the change or remove password dialogue box. You’ll need to enter the current password successfully in order to remove or change the password. This is a security measure to ensure that someone who comes across an unattended computer with a document open can’t simply remove or change the password.
Create an encrypted disk image in macOS
There’s an easy to do this and a hard way to do this. The macOS system has the built-in ability to create disk images which can optionally be encrypted. That’s the hard way. The easier way is to use a third-party application such as Hider2 (free trial available here).
Using Hider2 to create an encrypted disk image
Hider2 from MacPaw software provides a software
vault into which you can drag files. The vault is encrypted so files dragged into it are protected with AES 256-bit encryption. Files that are encrypted are no longer shown in a normal Finder window; they are
not visible in Hider2 parlance. Files need to restored to their original location before they can be viewed or edited. This is done by toggling the Visible switch to the right of the filename in the Hider2 window.
Hider2 will automatically create a vault on your Mac, as well as on any removable media that you drag into it. That allows you to create portable encrypted storage to take with you.
The main advantages to Hider2 over the built-in disk utility images are:
- Deleted file security: When files are dragged into Hider2 they are securely deleted from their original location. With a standard macOS disk image you need to remember to delete the source file and it normally just goes to your Trash.
- Ease of use: It’s not terribly hard to create an encrypted macOS disk image, but it’s much easier with Hider2. Less technical users may find Hider2 easier for daily use.
- Auto-lock: Hider2 can be set to automatically lock the vault after a set period of time. A macOS disk image needs to be manually
ejectedto make it unreadable.
Using macOS built-in Disk Uitlity to create encrypted disk images
In addition to password protecting files, macOS has the built-in ability to encrypt entire folders by use of its
disk image. There are two ways to do this: either create a new encrypted disk image from scratch or select an existing folder to encrypt. Both have their purposes and have similar steps to create.
Create a new encrypted disk image in macOS
Begin by launching the Disk Utility application and selecting
New Image and then
Blank Image from the File menu.
Select the Encryption option to show the 128-bit and 256-bit Advanced Encryption System (AES) options. The United States government considers AES strong enough to secure classified information with the 256-bit key length suitable for
top secret security. Encryption can slow down opening a file, but it has no effect after that. Unless you’re very concerned about decryption speed, there’s no reason to use the weaker key length so you should select the 256-bit option.
You will then be prompted to select a password and verify it. Note that there is no option to remember the password in your keychain in this setting. However, when you open the file and supply the password, you can then choose to remember the password at that time.
Click the Choose button to set your password and the Save button on the original Disk Utility page. This will create your new disk image in the location you specified in the Where field. After the initial creation the folder will be unlocked for you. If you don’t intend to use it right away then you should eject it, which will lock it.
To re-open the disk image, you will need to provide the password.
The folder will remain open and unencrypted until you eject it. Once it is ejected, re-opening the disk image will again require the password. Keep in mind that any files you copied into your disk image are still present in their source location. You probably want to delete the unencrypted source files.
Create an encrypted disk image from an existing folder in macOS
The steps to create an encrypted disk image from an existing folder are almost identical. Launch the Disk Utility application and select
New Image then the
Image from Folder option.
You will then be prompted to select the folder to encrypt.
From that point on, the creation process is the same.
Change the password of a disk image
Recent versions of macOS don’t seem to have the ability to change the password for a disk image in the Disk Utility application. There is a disabled menu option named
Change Password but there seems to be no way to enable it. However, there is a command line utility which that can be used instead.
Open a terminal by navigating to Launchpad and finding the Terminal application. Use the following command where YOUR_IMAGE is the name of your disk image:
hdiutil chpass YOUR_IMAGE.dmg
You will be prompted for the existing password and then your new password.
Password protect Microsoft Office documents
The Microsoft Office suite has many applications and there are varying degress of password protection support. We’ll cover the password protection of the three most common applications Word, Excel and Power Point.
A word about Microsoft Office encryption
The docx format for Microsoft Office applications is essentially a compressed set of xml files. The plain text of an unprotected Microsoft Word document is easily found unzipping the docx file. However, once a document is password protected it seems to be encrypted. The
file command in macOS shows the different types.
$ file jonistesting-protected.docx jonistesting-protected.docx: CDFV2 Encrypted
$ file jonistesting-unprotected.docx jonistesting-unprotected.docx: Microsoft Word 2007+
Further, attempts to unzip the protected file fail:
$ unzip jonistesting-protected.docx Archive: jonistesting-protected.docx End-of-central-directory signature not found. Either this file is not a zipfile, or it constitutes one disk of a multi-part archive. In the latter case the central directory and zipfile comment will be found on the last disk(s) of this archive. unzip: cannot find zipfile directory in one of jonistesting-protected.docx or jonistesting-protected.docx.zip, and cannot find jonistesting-protected.docx.ZIP, period.
Whereas unzipping an unprotected file yields a number of plain text files. The plain text of the document can be retrieved from
$ unzip jonistesting-unprotected.docx Archive: jonistesting-unprotected.docx inflating: [Content_Types].xml inflating: _rels/.rels inflating: word/_rels/document.xml.rels inflating: word/document.xml inflating: word/theme/theme1.xml inflating: word/settings.xml inflating: word/fontTable.xml inflating: word/webSettings.xml inflating: docProps/app.xml inflating: docProps/core.xml inflating: word/styles.xml
The “CDFv2 Encrypted” string really means two things. The document is being identified as using the Compound Document Format (CDF) and it is encrypted. Using a text editor to open the encrypted file shows this string embedded in it “keyBits=”256″ hashSize=”64″ cipherAlgorithm=”AES””. This would seem to suggest that strong AES 256-bit encryption is being used.
Password protect a Microsoft Word document
The protection option for Microsoft Word is in the Tools menu. Select Tools then Protect Document to show the password set dialogue box.
There are some very granular settings available.
The first section of the Password Protect dialogue box is fairly easy to understand. Enter a password to open the document to prevent anyone from opening it. You can then optionally set a password to modify the document. If a person has only the first password then they will only be able to read the document and not modify it. The “Read-only recommended” checkbox only does something if you have not specified a modification password. If you check this box then people opening the document will see the following message.
They can simply click No and open the document in modification mode so it has limited value from a security standpoint. However, if you have specified a modification password then this message will not appear. Instead, they will be prompted to either supply the modification password or click the “Read Only” button which really will stop anyone from changing the document.
The Protection settings are a little less obvious. You can only select one of the following
- Tracked changes: keeps track changes on
- Comments: allow comments
- Read only: prevents people from making changes
- Forms: allows people to fill out a form in the document, but they won’t be able to change the form itself
Change the password of a Microsoft Word document
Unlike macOS applications, Microsoft Word does not require you to enter the current password to change or remove an existing password. Anyone can select the Tools -> Protect Document menu item and remove or change the passwords.
Password protect a Microsoft Excel document
There are two different concepts of protection with Microsoft Excel. On one hand it is possible to “protect” an entire workbook or individual worksheets within it from being changed but this does not prevent anyone from opening the file. Password protecting the file from being opened is a different process and there is some overlap in the settings. The differences are this:
- Protect a workbook: prevents the workbook structure from being changed. No sheets can be added, for example. It does not prevent people from changing the data in the sheet.
- Protect a sheet: can protect the sheet itself from being changed in any way.
- Password protect the file: requires a password to open the file, and optionally to also modify the contents.
To apply workbook or sheet protection, select the Tools menu and then the Protection item will allow you to select between the two options.
Password protecting the entire workbook from changes is fairly straightforward. Enter a password and you can optionally check boxes to specify protection for the structure of the document and also the window sizes.
The options to protect a specific sheet are more granular. By default, users can only select cells, but you can choose to enable further permissions by selecting the applicable checkboxes.
If a user attempts to perform a disallowed action the following message is displayed.
To require a password to open or modify the document you’ll need to use the Save Options when you save the file. The same options found in Word to provide different passwords for editing and modification, as well as recommending read-only, are available.
Change the password of a Microsoft Excel document
To change the workbook or sheet protection click the Tools menu, select Protection and then click the desired Unprotect option. You’ll be prompted to enter the password if one was applied.
To change the opening password, select the Passwords option from the File menu. You can remove or change the password in the resulting dialogue box.
Password protect a Microsoft PowerPoint document
There are only two options to protect a Microsoft PowerPoint document; protect from opening and protect from modification. Unlike the other Microsoft Office apps, the Passwords option in the File menu uses the word encrypt instead of password. A password protected PowerPoint file is an encrypted file.
$ file Presentation.pptx Presentation.pptx: CDFV2 Encrypted
Change the password of a Microsoft PowerPoint document
To change or remove the password on a Microsoft Power Point document, return to the File menu, select Passwords, and then change or remove the password.
Password protect a PDF document
All of the macOS applications–Pages, Numbers, and Keynote–allow export to PDF.
Within that export dialogue box is an option to set a password that will be required to open the PDF file.
Password protect OpenOffice documents
OpenOffice also stores documents in a compressed file and unzipping it reveals the contents. The plain text of an unprotected Text document is stored in
context.xml. Once password protected, the main file can still be unzipped but the content.xml file is no longer readable.
Password protect an OpenOffice Text document
The settings to password protect an OpenOffice Text document are contained in the save dialogue. Select the File menu and then the Save option. Check the
Save with password option.
You’ll be prompted to set a password on the next page. You can set separate passwords for opening and modifying by selecting the
More Options button.
Change the password on an OpenOffice Text document
To change the password of an OpenOffice Text document you’ll need to access the
Save As… File menu option. Ensure the
Save with password checkbox is enabled and click the Save button. This will display the password set dialogue box in which you can change the password. If you wish to remove the password, uncheck the
Save with password option before clicking the Save button.
Password protect an OpenOffice Spreadsheet document
The Tools menu of OpenOffice Spreadsheet contains two options to protect either just the current sheet or the entire document.
There are a few selectable options when protecting a specific sheet, but when protecting the whole document there is just an all-or-nothing to require a password to open the document.
The options to protect the workbook from opening at all are the same as described in the OpenOffice Text section. Those settings are contained in the Save menu.
Change the password on an OpenOffice Spreadsheet document
Changing the password on an OpenOffice Spreadsheet uses the same process as changing the password on an OpenOffice Text document.
Password protect an OpenOffice Presentation document
Protecting an OpenOffice Presentation document is very similar to protecting an OpenOffice Text document. Checking the
Save with password option in the File Save dialogue will open up a dialogue window to set a password. Presentation only supports one level of password to open the file. There is no separate password to allow editing.
Change the password on an OpenOffice Presentation document
Re-saving the document with the
Save with password option checked will show the set password dialogue each time. You can change or remove the password from that screen at that time.