I am developing a Mac OS X application which will contain user data. Core Data/SQLite are good options for storing the user database, but I want to make sure that the user data is highly secure. So what options do we have on the Mac platform for developing a secure database?
You have several options you can use with Core Data. But none of these methods will protect your data when the software is running and the decryption key is “live”.
The first option is to use an encrypted disk image to store your database file. This is not necessary on iOS, where all the files are encrypted by default, but you can configure some of the encryption aspects for tighter security setups (googling NSFileProtectionKey). On OS X, the equivalent technology is FileVault, but it will not be active most of the time, so you shouldn’t count on it. So yes, a disk image, mounted when your software is launched and the correct password supplied, unmounted when the software quits. You may want to protect your disk image against an app crash using a helper process watching the main application and unmounting the image if the app crashes or quits without unmounting it properly.
The second option is to write an NSValueTransformer to encrypt every sensitive attribute in your entities. The protection is at the attribute level here. It may be good enough, or not, and it impacts how the fetch requests work.
The third option is to write your own persistent store (by subclassing NSAtomicStore). This is not without consequences though; that solution must be evaluated carefully.
Besides that, do not forget the basics of course: keychain, a key-stretching function like PBKDF2, password salt, stuff like that.
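A sketch of the second option combined with the PBKDF2 and salt advice, added here as an illustration and not part of the original answer. The names EncryptedStringTransformer and deriveKey, the use of AES-GCM via CryptoKit (macOS 10.15 or later), the 16-byte salt and the 600,000-round count are assumptions of this example.

```swift
import Foundation
import CommonCrypto
import CryptoKit   // assumption: macOS 10.15+ for AES-GCM

// Stretch the user's password into a 256-bit key with PBKDF2-HMAC-SHA256.
// The salt is random per database and stored beside it; it is not secret.
func deriveKey(password: String, salt: [UInt8], rounds: UInt32 = 600_000) -> SymmetricKey? {
    let keyLength = 32
    var derived = [UInt8](repeating: 0, count: keyLength)
    let status = CCKeyDerivationPBKDF(
        CCPBKDFAlgorithm(kCCPBKDF2), password, password.utf8.count,
        salt, salt.count,
        CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256), rounds,
        &derived, keyLength)
    return status == Int32(kCCSuccess) ? SymmetricKey(data: Data(derived)) : nil
}

// Attribute-level encryption for a Transformable Core Data attribute.
// Hypothetical class: the store only ever sees nonce || ciphertext || tag.
final class EncryptedStringTransformer: ValueTransformer {
    static var key: SymmetricKey?   // nil until the user unlocks the database

    override class func transformedValueClass() -> AnyClass { NSData.self }
    override class func allowsReverseTransformation() -> Bool { true }

    // Plaintext attribute value -> encrypted blob written to the store.
    override func transformedValue(_ value: Any?) -> Any? {
        guard let text = value as? String, let key = Self.key else { return nil }
        return try? AES.GCM.seal(Data(text.utf8), using: key).combined
    }

    // Encrypted blob -> plaintext; returns nil on a wrong key or tampered data.
    override func reverseTransformedValue(_ value: Any?) -> Any? {
        guard let blob = value as? Data, let key = Self.key,
              let box = try? AES.GCM.SealedBox(combined: blob),
              let plain = try? AES.GCM.open(box, using: key) else { return nil }
        return String(data: plain, encoding: .utf8)
    }
}

// Constructed round trip: random salt, sample password, sample attribute value.
let salt = (0..<16).map { _ in UInt8.random(in: .min ... .max) }
EncryptedStringTransformer.key = deriveKey(password: "sample passphrase", salt: salt)
let transformer = EncryptedStringTransformer()
ValueTransformer.setValueTransformer(
    transformer, forName: NSValueTransformerName("EncryptedStringTransformer"))
let stored = transformer.transformedValue("4111-sample-value")
print(transformer.reverseTransformedValue(stored) as? String ?? "decryption failed")
```

Because every encryption uses a fresh nonce, equal plaintexts produce different blobs, so predicates and sorting on such an attribute no longer work inside the store, which is the fetch-request impact the answer mentions.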