Can you change the password on a sparsebundle?

[Robert Peirce]

Mine are protected by passwords. I made the mistake of putting them in
my keychain which made them available to anybody with my login. I fixed
that. Now I want to change the password to something more secure but I
can't find any way to do that short of creating a new sparsebundle.

[Jolly Roger]

Try this: Open the disk image in Disk Utility, select the image in the
list on the left side of the window, then choose File > Change Password
from the menu bar.

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

[Robert Peirce]

On 5/16/16 2:11 PM, Jolly Roger wrote:
> On 2016-05-16, Robert Peirce <b...@peirce-family.com> wrote:
>> Mine are protected by passwords. I made the mistake of putting them in
>> my keychain which made them available to anybody with my login. I fixed
>> that. Now I want to change the password to something more secure but I
>> can't find any way to do that short of creating a new sparsebundle.
>
> Try this: Open the disk image in Disk Utility, select the image in the
> list on the left side of the window, then choose File > Change Password
> from the menu bar.
>

I had already tried this. Disk Utility doesn't see the sparsebundle
unless it is already opened. If open change password is grayed out.

[Doc O'Leary]

For your reference, records indicate that

I doubt there’s an “easy” way to do that, since you do essentially have
to re-encrypt all the data with a new password. If you’re comfortable at
the command line, you should be able to use “hdiutil” with the “convert”
option to make a small script to simplify it a bit.

--
"Also . . . I can kill you with my brain."
River Tam, Trash, Firefly

[Jolly Roger]

You can't change the password if the disk image is mounted. Eject the dusk
image. Then drag the disk image file into the left side of the Disk Utility
window and it should appear in the list. Then change the password.

[Jolly Roger]

Doc O'Leary <drol...@2015usenet1.subsume.com> wrote:
>
> I doubt there’s an “easy” way to do that, since you do essentially have
> to re-encrypt all the data with a new password.

There is an easy way to do it. See my reply.

> If you’re comfortable at
> the command line, you should be able to use “hdiutil” with the “convert”
> option to make a small script to simplify it a bit.

You can use hdiutil to do it; but it's not necessary since the feature is
built into Disk Utility.

[Robert Peirce]

On 5/17/16 12:20 PM, Jolly Roger wrote:
> Robert Peirce <b...@peirce-family.com> wrote:
>> On 5/16/16 2:11 PM, Jolly Roger wrote:
>>>
>>> Try this: Open the disk image in Disk Utility, select the image in the
>>> list on the left side of the window, then choose File > Change Password
>>> from the menu bar.
>>
>> I had already tried this. Disk Utility doesn't see the sparsebundle
>> unless it is already opened. If open change password is grayed out.
>
> You can't change the password if the disk image is mounted. Eject the dusk
> image. Then drag the disk image file into the left side of the Disk Utility
> window and it should appear in the list. Then change the password.
>

Does not drag. I think sparsebundles must be different from straight
disk images but I can't imagine why.

I am afraid I may need to create a new sparsebundle with a new password
and drag the contents of the old to the new.

[Jolly Roger]

On 2016-05-17, Robert Peirce <b...@peirce-family.com> wrote:
> On 5/17/16 12:20 PM, Jolly Roger wrote:
>> Robert Peirce <b...@peirce-family.com> wrote:
>>> On 5/16/16 2:11 PM, Jolly Roger wrote:
>>>>
>>>> Try this: Open the disk image in Disk Utility, select the image in the
>>>> list on the left side of the window, then choose File > Change Password
>>>> from the menu bar.
>>>
>>> I had already tried this. Disk Utility doesn't see the sparsebundle
>>> unless it is already opened. If open change password is grayed out.
>>
>> You can't change the password if the disk image is mounted. Eject the dusk
>> image. Then drag the disk image file into the left side of the Disk Utility
>> window and it should appear in the list. Then change the password.
>>
> Does not drag. I think sparsebundles must be different from straight
> disk images but I can't imagine why.

Yes I see that now. Same here.

> I am afraid I may need to create a new sparsebundle with a new password
> and drag the contents of the old to the new.

Have you tried using hdiutil yet?

hdiutil chpass /path/to/unmounted/sparsebundle

[Neill Massello]

Robert Peirce <b...@peirce-family.com> wrote:

> Does not drag. I think sparsebundles must be different from straight
> disk images but I can't imagine why.

Try "Open Disk Image" in the File menu. Drag and drop appears to be one
of those old timey things that was left behind in El Cap's new and
improved version of Disk Utility.

[David Empson]

Doc O'Leary <drol...@2015usenet1.subsume.com> wrote:

> For your reference, records indicate that
> Robert Peirce <b...@peirce-family.com> wrote:
>
> > Mine are protected by passwords. I made the mistake of putting them in
> > my keychain which made them available to anybody with my login. I fixed
> > that. Now I want to change the password to something more secure but I
> > can't find any way to do that short of creating a new sparsebundle.
>
> I doubt there's an "easy" way to do that, since you do essentially have
> to re-encrypt all the data with a new password.

No, that isn't necessary. The content of encrypted disk images are
encrypted using AES, with a randomly generated 128-bit or 256-bit key
(by default). The 128-bit key is stored in the disk image, encrypted
using the password. If you change the password, the key is decrypted
(using the old password) then encrypted again (using the new password)
and written back to the disk image. The data portion of the disk image
is not modified.

FileVault 2 operates on the same principle.

At least in the case of FileVault 2, there can be multiple passwords,
each of which accesses its own encrypted copy of the key.

--
David Empson
dem...@actrix.gen.nz

[Robert Peirce]

On 5/17/16 3:17 PM, Jolly Roger wrote:
> Have you tried using hdiutil yet?
>
> hdiutil chpass /path/to/unmounted/sparsebundle
>

Just tried it and it works. The output is pretty verbose but the result
was correct. I was afraid to try it on an actual sparsebundle so I made
a copy and tried it on that. Worked well.

Thanks.

[Jolly Roger]

On 2016-05-17, Neill Massello <nmas...@yahoo.com> wrote:
> Robert Peirce <b...@peirce-family.com> wrote:
>
>> Does not drag. I think sparsebundles must be different from straight
>> disk images but I can't imagine why.
>
> Try "Open Disk Image" in the File menu.

That *mounts* the disk image. And as soon as you eject it, it disappears
from the Disk Utility side bar. It appears Disk Utility (at least in
recent OS X versions) does not support working with sparse bundle disk
images.

> Drag and drop appears to be one of those old timey things that was
> left behind in El Cap's new and improved version of Disk Utility.

It's a rewritten version that is missing lots of functionality available
in previous versions. There's a whole lot you can do from the command
line that isn't possible in Disk Utility too. Hopefully Apple will add
at least some of those features in the future.

[Jolly Roger]

On 2016-05-17, Robert Peirce <b...@peirce-family.com> wrote:

Good to hear. I figured that would still work as expected.

> Thanks.

Welcome!

[Neill Massello]

Jolly Roger <jolly...@pobox.com> wrote:

> That *mounts* the disk image.

So it does, but the mounted volume does not appear in Finder, which
makes this all even curiouser.

[Doc O'Leary]

For your reference, records indicate that

dem...@actrix.gen.nz (David Empson) wrote:

> No, that isn't necessary. The content of encrypted disk images are
> encrypted using AES, with a randomly generated 128-bit or 256-bit key
> (by default). The 128-bit key is stored in the disk image, encrypted
> using the password. If you change the password, the key is decrypted
> (using the old password) then encrypted again (using the new password)
> and written back to the disk image. The data portion of the disk image
> is not modified.

Thanks for that info. I knew a two-step process like that was used for
things like “m of n” secret sharing, but I didn’t realize it had become
essentially standard practice for some encryption software. Nifty!

[David Empson]

Doc O'Leary <drol...@2015usenet1.subsume.com> wrote:

Consider the extreme case of the original implementation of FileVault,
which used an encrypted sparse bundle (or similar) for the user's home
folder, protected with the user's password.

If the password was directly used to encrypt potentially gigabytes of
home folder, it would take a long time to re-encrypt the entire thing if
the user wanted to change their password.

With the password only being used to encrypt the random key, changing
password is a fast operation.

--
David Empson
dem...@actrix.gen.nz

[mjdav...@gmail.com]

I'm running El Capitan. This is the process I used:

Make sure the disk image is not mounted.
Open a Finder window and navigate to where the sparsebundle is located. Leave the window open.
Launch Terminal. At the command prompt, type "hdiutil chpass " (single space after each word).
Leaving Terminal open, switch to the Finder window where the sparsebundle is, and drag the sparsebundle on to the Terminal window and place it at the end of the text you type.
Press enter on the keyboard.
You should then be asked for the current sparsebundle password. Type it in, press enter, and wait. It might take anywhere up to 30 seconds before you see anything happening.
Terminal will then ask for a new password. Type it in, press enter.
You will be asked to confirm the password. Type it in again, press enter.
You should then be returned to the Terminal command prompt.
Quit Terminal, and you should then find that your new password will unlock the sparsebundle.

MD