How to password protect files and folders in macOS (OSX)
Published by on December 14, 2016 in Information Security

Macbook Air
There are times when you want some extra protection for your documents on your Mac. Even if your computer is password protected, there may be situations when someone else has to use it and you’d prefer to limit their access to your personal files like budget spreadsheets and personal journals. Some of us may also need to pass documents to through an untrusted medium such as the internet.

In all of these cases, adding password protection to your documents and folders will help secure them. All of the major office suites support this to some degree and we’ll focus on the following in this article.

macOS

  • Pages
  • Keynote
  • Numbers
  • Protecting files and folders using an encrypted disk image
  • Export to PDF with password

Microsoft Office

  • Word
  • PowerPoint
  • Excel

Open Office

  • Text
  • Presentation
  • Spreadsheet

Password protect macOS documents

Pages, Presentation, and Numbers are the main office applications for macOS. Sierra 10.12.1 comes with Pages 6.0.5, Keynote 7.0.5 and Numbers 4.0.5 as of time of writing. All of those versions offer password protection in the same way. Selecting the Set Password… option in the File menu opens up a dialogue box to set a password and, optionally, add it to the macOS keychain.

Keynote 7.0.5 Select Password Menu
Pages 6.0.5 Set Password Dialogue

If you check the Remember this password in my keychain option, then users of your computer will not be prompted for the password when opening the document. It’s probably not suitable if you want to prevent casual users of your computer from accessing the document. But, if the document is stolen or found elsewhere it could not be opened without the password.

When a Pages document is not password protected, the contents of it are readable in any text editor. When it is password protected, the contents become unreadable. This suggests that adding a password to a document performs some level of encryption on the document beyond just adding a password. Both types of documents are opened in this screenshot. Note how the unprotected document in the right pane is readable.

Pages 6.0.5 raw data comparison
The icon for a password protected document changes to contain a lock icon. This makes it very obvious which documents are password protected on your system. Security is comprised of layers and while obscuring which files are protected is not a deep security measure by itself, it doesn’t help. It would be better from a security standpoint if macOS did not leak this information by the use of different icons.

Pages 6.0.5 Password Protected Icon
Whereas an unprotected document icon looks like this.

Pages 6.0.5 No Password Protected Icon

Change the password on macOS documents

To change or remove the password on a document you will first need to successfully open the document. Select the File menu and note that the Set Password option is now Change Password.

Pages 6.0.5 Change Password Menu
Selecting that option will open the change or remove password dialogue box. You’ll need to enter the current password successfully in order to remove or change the password. This is a security measure to ensure that someone who comes across an unattended computer with a document open can’t simply remove or change the password.

Pages 6.0.5 Change or Remove Password Dialogue

Create an encrypted disk image in macOS

There’s an easy to do this and a hard way to do this. The macOS system has the built-in ability to create disk images which can optionally be encrypted. That’s the hard way. The easier way is to use a third-party application such as Hider2 (free trial available here).

Using Hider2 to create an encrypted disk image

Hider2 from MacPaw software provides a software vault into which you can drag files. The vault is encrypted so files dragged into it are protected with AES 256-bit encryption. Files that are encrypted are no longer shown in a normal Finder window; they are not visible in Hider2 parlance. Files need to restored to their original location before they can be viewed or edited. This is done by toggling the Visible switch to the right of the filename in the Hider2 window.

MacPaw Hider2 UI

Hider2 will automatically create a vault on your Mac, as well as on any removable media that you drag into it. That allows you to create portable encrypted storage to take with you.

The main advantages to Hider2 over the built-in disk utility images are:

  • Deleted file security: When files are dragged into Hider2 they are securely deleted from their original location. With a standard macOS disk image you need to remember to delete the source file and it normally just goes to your Trash.
  • Ease of use: It’s not terribly hard to create an encrypted macOS disk image, but it’s much easier with Hider2. Less technical users may find Hider2 easier for daily use.
  • Auto-lock: Hider2 can be set to automatically lock the vault after a set period of time. A macOS disk image needs to be manually ejected to make it unreadable.

Using macOS built-in Disk Uitlity to create encrypted disk images

In addition to password protecting files, macOS has the built-in ability to encrypt entire folders by use of its disk image. There are two ways to do this: either create a new encrypted disk image from scratch or select an existing folder to encrypt. Both have their purposes and have similar steps to create.

Create a new encrypted disk image in macOS

Begin by launching the Disk Utility application and selecting New Image and then Blank Image from the File menu.

DU make image menu item

Select the Encryption option to show the 128-bit and 256-bit Advanced Encryption System (AES) options. The United States government considers AES strong enough to secure classified information with the 256-bit key length suitable for top secret security. Encryption can slow down opening a file, but it has no effect after that. Unless you’re very concerned about decryption speed, there’s no reason to use the weaker key length so you should select the 256-bit option.

DU select encryption

You will then be prompted to select a password and verify it. Note that there is no option to remember the password in your keychain in this setting. However, when you open the file and supply the password, you can then choose to remember the password at that time.

DU select password

Click the Choose button to set your password and the Save button on the original Disk Utility page. This will create your new disk image in the location you specified in the Where field. After the initial creation the folder will be unlocked for you. If you don’t intend to use it right away then you should eject it, which will lock it.

DU eject untitled folder to protect it

To re-open the disk image, you will need to provide the password.

DU enter password

The folder will remain open and unencrypted until you eject it. Once it is ejected, re-opening the disk image will again require the password. Keep in mind that any files you copied into your disk image are still present in their source location. You probably want to delete the unencrypted source files.

Create an encrypted disk image from an existing folder in macOS

The steps to create an encrypted disk image from an existing folder are almost identical. Launch the Disk Utility application and select New Image then the Image from Folder option.

DU make image from folder menu item

You will then be prompted to select the folder to encrypt.

DU select folder for image

From that point on, the creation process is the same.

Change the password of a disk image

Recent versions of macOS don’t seem to have the ability to change the password for a disk image in the Disk Utility application. There is a disabled menu option named Change Password but there seems to be no way to enable it. However, there is a command line utility which that can be used instead.

Open a terminal by navigating to Launchpad and finding the Terminal application. Use the following command where YOUR_IMAGE is the name of your disk image:

hdiutil chpass YOUR_IMAGE.dmg

You will be prompted for the existing password and then your new password.

Password protect Microsoft Office documents

The Microsoft Office suite has many applications and there are varying degress of password protection support. We’ll cover the password protection of the three most common applications Word, Excel and Power Point.

A word about Microsoft Office encryption

The docx format for Microsoft Office applications is essentially a compressed set of xml files. The plain text of an unprotected Microsoft Word document is easily found unzipping the docx file. However, once a document is password protected it seems to be encrypted. The file command in macOS shows the different types.

$ file jonistesting-protected.docx
jonistesting-protected.docx: CDFV2 Encrypted
$ file jonistesting-unprotected.docx
jonistesting-unprotected.docx: Microsoft Word 2007+

Further, attempts to unzip the protected file fail:

$ unzip jonistesting-protected.docx
Archive:  jonistesting-protected.docx
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
unzip:  cannot find zipfile directory in one of jonistesting-protected.docx or jonistesting-protected.docx.zip, and cannot find jonistesting-protected.docx.ZIP, period.

Whereas unzipping an unprotected file yields a number of plain text files. The plain text of the document can be retrieved from word/document.xml:

$ unzip jonistesting-unprotected.docx
Archive:  jonistesting-unprotected.docx
  inflating: [Content_Types].xml
  inflating: _rels/.rels
  inflating: word/_rels/document.xml.rels
  inflating: word/document.xml
  inflating: word/theme/theme1.xml
  inflating: word/settings.xml
  inflating: word/fontTable.xml
  inflating: word/webSettings.xml
  inflating: docProps/app.xml
  inflating: docProps/core.xml
  inflating: word/styles.xml

The “CDFv2 Encrypted” string really means two things. The document is being identified as using the Compound Document Format (CDF) and it is encrypted. Using a text editor to open the encrypted file shows this string embedded in it “keyBits=”256″ hashSize=”64″ cipherAlgorithm=”AES””. This would seem to suggest that strong AES 256-bit encryption is being used.

Password protect a Microsoft Word document

The protection option for Microsoft Word is in the Tools menu. Select Tools then Protect Document to show the password set dialogue box.

MS Word set password menu

There are some very granular settings available.

MS Word set password

The first section of the Password Protect dialogue box is fairly easy to understand. Enter a password to open the document to prevent anyone from opening it. You can then optionally set a password to modify the document. If a person has only the first password then they will only be able to read the document and not modify it. The “Read-only recommended” checkbox only does something if you have not specified a modification password. If you check this box then people opening the document will see the following message.

MS Word readonly prompt

They can simply click No and open the document in modification mode so it has limited value from a security standpoint. However, if you have specified a modification password then this message will not appear. Instead, they will be prompted to either supply the modification password or click the “Read Only” button which really will stop anyone from changing the document.

MS Word enter password readonly

The Protection settings are a little less obvious. You can only select one of the following

  • Tracked changes: keeps track changes on
  • Comments: allow comments
  • Read only: prevents people from making changes
  • Forms: allows people to fill out a form in the document, but they won’t be able to change the form itself

Change the password of a Microsoft Word document

Unlike macOS applications, Microsoft Word does not require you to enter the current password to change or remove an existing password. Anyone can select the Tools -> Protect Document menu item and remove or change the passwords.

Password protect a Microsoft Excel document

There are two different concepts of protection with Microsoft Excel. On one hand it is possible to “protect” an entire workbook or individual worksheets within it from being changed but this does not prevent anyone from opening the file. Password protecting the file from being opened is a different process and there is some overlap in the settings. The differences are this:

  • Protect a workbook: prevents the workbook structure from being changed. No sheets can be added, for example. It does not prevent people from changing the data in the sheet.
  • Protect a sheet: can protect the sheet itself from being changed in any way.
  • Password protect the file: requires a password to open the file, and optionally to also modify the contents.

To apply workbook or sheet protection, select the Tools menu and then the Protection item will allow you to select between the two options.

MS Excel password menu
Password protecting the entire workbook from changes is fairly straightforward. Enter a password and you can optionally check boxes to specify protection for the structure of the document and also the window sizes.

MS Excel set password protect workbook
The options to protect a specific sheet are more granular. By default, users can only select cells, but you can choose to enable further permissions by selecting the applicable checkboxes.

MS Excel set password protect sheet
If a user attempts to perform a disallowed action the following message is displayed.

MS Excel edit protected worksheet message
To require a password to open or modify the document you’ll need to use the Save Options when you save the file. The same options found in Word to provide different passwords for editing and modification, as well as recommending read-only, are available.

MS Excel protect from opening

Change the password of a Microsoft Excel document

To change the workbook or sheet protection click the Tools menu, select Protection and then click the desired Unprotect option. You’ll be prompted to enter the password if one was applied.

MS Excel change sheet password
To change the opening password, select the Passwords option from the File menu. You can remove or change the password in the resulting dialogue box.

Password protect a Microsoft PowerPoint document

There are only two options to protect a Microsoft PowerPoint document; protect from opening and protect from modification. Unlike the other Microsoft Office apps, the Passwords option in the File menu uses the word encrypt instead of password. A password protected PowerPoint file is an encrypted file.

$ file Presentation.pptx
Presentation.pptx: CDFV2 Encrypted

Change the password of a Microsoft PowerPoint document

To change or remove the password on a Microsoft Power Point document, return to the File menu, select Passwords, and then change or remove the password.

MS PowerPoint change password

Password protect a PDF document

All of the macOS applications–Pages, Numbers, and Keynote–allow export to PDF.

Keynote 7.0.5 export to PDF

Within that export dialogue box is an option to set a password that will be required to open the PDF file.

Numbers PDF set password

Password protect OpenOffice documents

OpenOffice also stores documents in a compressed file and unzipping it reveals the contents. The plain text of an unprotected Text document is stored in context.xml. Once password protected, the main file can still be unzipped but the content.xml file is no longer readable.

Password protect an OpenOffice Text document

The settings to password protect an OpenOffice Text document are contained in the save dialogue. Select the File menu and then the Save option. Check the Save with password option.

OO password checkbox

You’ll be prompted to set a password on the next page. You can set separate passwords for opening and modifying by selecting the More Options button.

OO set password

Change the password on an OpenOffice Text document

To change the password of an OpenOffice Text document you’ll need to access the Save As… File menu option. Ensure the Save with password checkbox is enabled and click the Save button. This will display the password set dialogue box in which you can change the password. If you wish to remove the password, uncheck the Save with password option before clicking the Save button.

Password protect an OpenOffice Spreadsheet document

The Tools menu of OpenOffice Spreadsheet contains two options to protect either just the current sheet or the entire document.
OO Sheet protect sheet or workbook

There are a few selectable options when protecting a specific sheet, but when protecting the whole document there is just an all-or-nothing to require a password to open the document.

OO Sheet set sheet password
OO Sheet set workbook password

The options to protect the workbook from opening at all are the same as described in the OpenOffice Text section. Those settings are contained in the Save menu.

Change the password on an OpenOffice Spreadsheet document

Changing the password on an OpenOffice Spreadsheet uses the same process as changing the password on an OpenOffice Text document.

Password protect an OpenOffice Presentation document

Protecting an OpenOffice Presentation document is very similar to protecting an OpenOffice Text document. Checking the Save with password option in the File Save dialogue will open up a dialogue window to set a password. Presentation only supports one level of password to open the file. There is no separate password to allow editing.

OO Presentation set password

Change the password on an OpenOffice Presentation document

Re-saving the document with the Save with password option checked will show the set password dialogue each time. You can change or remove the password from that screen at that time.

Leave a Reply

Your email address will not be published. Required fields are marked *