How to Encrypt Your Video Library on Mac Without Using the Cloud
Encrypting videos on a Mac used to mean one of two things: zip a folder with a password (weak), or create a FileVault-protected disk image that you mount every time you want to watch something (awkward). Neither feels great.
In 2026 there are better options. This guide covers three — a quick DIY approach using tools already on your Mac, a general-purpose vault (Cryptomator), and a purpose-built media library (shooff). Each has real tradeoffs worth understanding before you pick.
Why local encryption at all?
Three reasons people ask:
- Threat model: casual. You share a household, your Mac is sometimes used by others, and you want certain videos not to show up in Finder or Quick Look previews.
- Threat model: practical. If your laptop is lost or stolen, the content of your video library shouldn't be recoverable from the drive — even with FileVault compromised.
- Threat model: serious. You're a journalist, lawyer, or medical professional handling sensitive video (source material, depositions, patient recordings). The content has real legal weight.
The right tool depends on which of these describes you. All three are legitimate.
Approach 1: Encrypted DMG via Disk Utility (free, built-in)
macOS ships with a tool called Disk Utility that can create encrypted disk image files. They behave like any mountable volume, protected by a password.
How to create one
- Open Disk Utility (Spotlight → "Disk Utility").
- Menu: File → New Image → Blank Image.
- Set a name, pick a size (make it bigger than your current library — DMGs don't auto-grow well).
- Format: APFS. Encryption: 256-bit AES encryption. Partitions: Single partition. Image Format: sparse disk image or sparse bundle disk image.
- Set a strong password. Do not tell Keychain to remember it — the point of a vault is that the password lives in your head.
- Save the DMG somewhere safe. Move all your videos into it. Unmount when done.
Pros
- Free, uses only macOS built-in tools
- Native AES-256 encryption
- Works on external drives
- No extra software to maintain
Cons
- You must mount the DMG every time you want to watch something
- If you forget to unmount, the contents are as exposed as any folder
- Quick Look previews + recently-opened in apps leak filenames
- Sparse bundles fragment on heavy write workloads; sparse images get huge fast
- Decrypted files are materialized on disk — other apps can copy them out while mounted
If you have a small library (under 20 GB), rarely add to it, and only need casual privacy. For anything larger or more active, the mount-unmount dance becomes annoying fast.
Approach 2: Cryptomator (free, cross-platform vault)
Cryptomator is an open-source encryption tool that creates vaults — folders where each file inside is individually AES-256 encrypted, along with filenames.
How to set one up
- Download Cryptomator from its official site. (Free on desktop; paid on mobile.)
- Launch and click Add Vault → Create New Vault.
- Pick a location (local folder, not iCloud, if you want strictly local).
- Set a strong password.
- Save the recovery key somewhere offline. Really.
- Click the vault to unlock it. A virtual drive appears in Finder. Drop your videos into it.
Pros
- Free, open source, regularly audited
- Per-file encryption (not a single blob)
- Encrypts filenames, not just content
- Works over cloud sync if you later want that (iCloud, Dropbox, etc.)
- Cross-platform (Mac, Windows, Linux, mobile paid)
Cons
- Still requires unlocking before videos are accessible
- Video seek latency: scrubbing a long video does random-access reads through the FUSE-like layer, which is noticeably slower than a plain drive
- Not media-aware (no thumbnails, no resume, no player integration)
- Decrypted stream cached to memory — other apps can read the files while vault is open
Excellent general-purpose vault. If you have mixed content (docs, photos, videos) and want one consistent encryption story, Cryptomator is my top free recommendation.
Approach 3: shooff (purpose-built media vault)
Full disclosure: shooff is our tool. The reason we built it was that approaches 1 and 2 are both "encrypted folder" solutions, and for a media library specifically you really want an "encrypted library." Different thing.
With shooff, each video becomes a single .evid file — a small metadata header plus AES-256-CTR encrypted body. The key is derived from your password via PBKDF2 with 200,000 iterations. Videos play directly from the encrypted file through a custom evid:// protocol — nothing ever gets written to disk as a decrypted temp file.
How to use it
- Download shooff from shooff.my (has a free tier).
- On first launch, set a password. This is the key to your whole library — choose carefully, store it in a password manager.
- Either download videos directly inside shooff (built-in browser, click to save) or drag existing MP4 files into the Library. They get encrypted on import.
- Click any item to play. The player decrypts on the fly.
- Auto-lock after inactivity (configurable) — re-enter password to unlock.
Pros
- Decrypt-on-play — no temp files, no mount
- Seek is fast — CTR mode allows random access without decrypting the whole file
- Library features built in (folders, ratings, bookmarks, subtitles, resume)
- Auto-lock timer, screen lock shortcut (Cmd+L)
- Works on external drives naturally — nothing to mount
- Integrated downloader + comic reader + streaming server
Cons
- Proprietary
.evidformat — only shooff can open these files - Free tier has a file count limit (total across videos and comics)
- Apple Silicon only
A comparison you can actually act on
| Encrypted DMG | Cryptomator | shooff | |
|---|---|---|---|
| Cost | Free | Free (desktop) | Free tier / $10-30 one-time |
| Setup time | 5 min | 10 min | 2 min |
| Mount/unlock required? | Yes, DMG mount | Yes, vault unlock | Yes, password on open |
| Video seek speed | Fast (native FS) | Slower (FUSE-ish) | Fast (CTR mode) |
| Writes plaintext to disk? | While mounted | Cached in memory | Never |
| Filenames hidden? | Only when unmounted | Always (encrypted) | Always (opaque .evid) |
| Cross-platform? | macOS only | Mac/Win/Linux | macOS only |
| Library features | Finder only | Finder only | Built-in |
| Best for | Small, static libraries | Mixed content vault | Active media library |
A few things to remember regardless of which you pick
- Password hygiene. Use a password manager (1Password, Bitwarden, macOS Keychain). Use a different password for the vault than for your Apple ID. Print it and store the paper in a safe if that's your style — there's no recovery without it.
- Back up encrypted files. The encrypted files are safe to back up to any cloud (iCloud Drive, Backblaze, a NAS). Your password stays on your Mac. No service needs to see your library.
- FileVault still matters. Turn on macOS FileVault as a separate layer. If your Mac is stolen while logged out, FileVault prevents anyone from reading the drive at all. Video encryption is belt and suspenders.
- Lock the screen. The best video encryption doesn't help if you walk away from an unlocked screen with the vault open. Set a short screen-lock timer.
Frequently asked
Does FileVault encrypt my videos already?
FileVault encrypts your entire drive while your Mac is off or logged out. Once you're logged in, everything on the drive is transparently readable to any process running as you. That's fine for whole-disk protection against loss/theft, but it doesn't protect against apps or other users of the same account. Vault-level encryption (DMG, Cryptomator, shooff) adds a layer on top.
Is AES-256 overkill?
In practical terms, AES-128 is secure for all current threat models — AES-256 adds a larger margin against future cryptanalysis. Both are fine. All three solutions in this guide use AES-256.
What happens if I forget my password?
With an encrypted DMG, you lose the contents — Apple has no recovery. With Cryptomator, you can use the recovery key if you saved it. With shooff, you lose the library unless you've backed up the password. None of these tools have a password reset you can use without knowing the password. That's the point.
Can someone forensically recover my videos if they image my drive?
Not without the password. All three approaches use real encryption — a drive image gets them an encrypted blob that would take astronomical compute to brute force if you chose a strong password.
Is it possible to share an encrypted video with someone?
With a DMG: give them the DMG + password. With Cryptomator: give them access to the vault + password + install Cryptomator. With shooff: the .evid format is proprietary and locked to your password, so sharing requires exporting the video first. For one-off sharing, a tool like Encrypto (from MacPaw) is a better fit — individual files, password per file.
Do I need extra hardware like a YubiKey?
Not for these approaches. YubiKeys and other hardware keys are great for authentication (logging in, 2FA) but don't integrate with these vault tools natively. If your threat model demands hardware-backed encryption, look at VeraCrypt with hardware tokens or enterprise-grade solutions.