macOS Quick Lock

Bringing the simplistic style of Quick Look's file browsing to encryption.

This tool removes all of the complication of encrypting and decrypting files. Simply right click on a file you'd like to encrypt, select Quick Actions > Quick Lock and follow the prompts. To decrypt, just double click on the file.

Here's a quick demo:

Installation

Open Terminal.app and enter the following commands:

$ git clone https://github.com/alichtman/macOS-quick-lock.git
$ cd macOS-quick-lock
$ ./install.sh

You will see a prompt like this. Click Install:

After, you will see this prompt asking to allow a Quick Action to interact with files on your computer through Finder, which will let you to encrypt and decrypt files by right-clicking on them. Without this permission, nothing will work, so I'd recommend clicking OK.

If you'd like to add a keyboard shortcut, go to Preferences > Keyboard > Shortcuts > Services.

This script also installs the Quick Lock.app. You can set this app as the default app for .encrypted files, which means you'll be able to double-click on files with that extension and be prompted for a decryption password. You can set this up the first time you double-click on a .encrypted file, or by right-clicking on a .encrypted file, selecting Get Info and changing the default app in the Open With: section.

Usage Notes

• This script can encrypt any file or directory. It uses AES-256 in CTR mode.

• After files are encrypted, they will have an extension like .aef99d86babcf82102fa.encrypted. This extension holds a SHA1 hash of the decrypted file which is used to verify the decryption password you enter is correct. If you alter this extension, decryption will fail because the file hashes won't match. You'll still be able to decrypt your file on the command line with $ openssl enc -d -aes-256-ctr -in ENCRYPTED_FILE -out DECRYPTED_FILE, though.

Configuration

There are two options you can configure in the file ~/.quick-lock.plist. This file is automatically created when you run the install script.

• deleteEncryptedFileAfterDecryption
  • Default: False.
  • Set this to True if you'd like to automatically remove the encrypted versions of successfully decrypted files.
• encryptedFileExtension
  • Default: .encrypted.
  • Change this if you'd like to set a non-default extension for encrypted files. Note that encrypted files with an extension differing from the extension in the config file will not decrypt successfully.

Technical Details

This script uses openssl's implementation of the AES 256 encryption algorithm in Counter (CTR) mode, as is recommended in Professor Rogaway's Evaluation of Some Blockcipher Modes of Operation. This algorithm is part of the NSA's Commercial National Security Algorithm Suite and is approved to protect up to TOP SECRET documents.

This script uses the openssl -salt option. This makes Rainbow Table attacks impractical, however, it also means that if you encrypt a file and forget the password -- that's game. Nobody can recover that file. Back up your passphrases!