Well, I want to use Time Machine, and I want to have some encrypted files. Moreover, I want Time Machine to archive those files, and naturally I want them archived in their encrypted form.
But, after a little checking, FileVault did not look like a good option. First of all, FileVault encrypts far too much stuff. Conceptually, the Home folder should contain ALL of a user's data, and there's no reason to encrypt, for instance, all of my applications' preference settings that are contained in ~/Library. I just checked, and I have 21,542 files inside of ~, and only one of them actually needs to be encrypted right now.
Second, FileVault sucks with Time Machine. It only backs up your encrypted home directory while you are in the process of logging out, and only if you have the Time Machine volume already mounted (i.e., it doesn't automagically mount a network share like it does on a normal hourly backup).
Finally, you don't get to use the galaxy interface to do per-file archival restores when you want to look inside a sparsebundle (which is what FileVault turns your ~/ into). You have to manually browse to the .sparsebundle that Time Machine creates, open it in the Finder, browse to the .sparsebundle that FileVault creates, double-click it, mount it, and find your file there. Then you have to manually copy it and delete the old copy. It's just a big hassle that defeats the Apple-ness of the whole archive and restore process.
Here is a way to avoid most of these issues, while retaining secure hourly archives of all of your files, including the encrypted ones.
Step 1. Create an encrypted sparsebundle in your ~ directory. Mine is secure.sparsebundle. From the point of view of backing up, a problem with ordinary disk images is that they are just one file, and Time Machine's incremental backups only skip unchanged data on a per-file basis. Whenever the disk image file changes, Time Machine has to back up the entire new disk image. But .sparsebundles solve this problem by chopping the image into smaller stripes, or "bands", of data, each stored as its own file inside the bundle. When you change a file on an encrypted sparsebundle, only the band or bands which contain the file will change, and Time Machine only needs to back up those bands (I think these bands are by default 8 MB wide with no way to change them).
So, create the image in Disk Utility. Choose a secure password and add it to the keychain.
Now, you can double-click this file to mount a secure volume at /Volumes/secure (the mount point takes whatever volume name you gave the image). Anything you put in there is encrypted. Because you keychained your password, you will not be asked for it when you mount the disk image. Note that this also means the image is only as well protected as your login keychain: anyone who can unlock your account, or who gets hold of your login password, can mount it without ever seeing the image's passphrase. It is very important to remember this password. Files that must be encrypted are naturally also files that are very important to you. Let's make this explicit one more time: if you were to lose your password, you would not be able to open this disk image and your data would be irrevocably GONE FOREVER. No ifs, ands, or buts. No one can help you. And this, after all, is the whole point of encrypting your data: no one can get at it without the password. Because no one can reliably memorize secure passwords anymore, you should choose a secure password, write it down on a slip of paper, and keep that slip of paper in your wallet or a safe. Don't listen to the ones who tell you not to write it down. If you are memorizing your password, that means you chose an insecure password.
Step 2. Automatically mount your secure volume on login. My encrypted file is a plaintext list of all my credentials for websites, etc. Every time I register a new account, or need to log in to an infrequently used website, I need to grep the list. I don't want to have to manually mount the volume whenever this happens. I automatically mount mine on login by adding the .sparsebundle file to my login items in the Accounts Preference Pane.
Step 3. There is no step 3. Time Machine skips everything in /Volumes/ by default, so it won't backup the plaintext of your encrypted disk image. Meanwhile, it will backup the sparsebundle in ~, even if that volume is mounted.
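For those who would rather do steps 1 through 3 from a terminal, here is the command-line equivalent as an added example; it is not from the post above. It creates the encrypted bundle with hdiutil, registers the login item with System Events (which is what the Accounts pane does behind the scenes), and then uses tmutil to confirm the mounted plaintext is excluded while the bundle in ~ is not. The image path, volume name and size are placeholders, tmutil assumes Mac OS X 10.7 or later, and the band-name helpers at the top only need /bin/sh, so they also serve to show how a write at a given byte offset maps to the band file Time Machine would have to re-copy.

```shell
#!/bin/sh
# Added example (not from the post): CLI version of steps 1-3 plus helpers
# that show which band files a write inside the image dirties.
# IMAGE, VOLNAME and SIZE are placeholders; override them in the environment.
set -eu

IMAGE="${IMAGE:-$HOME/secure.sparsebundle}"   # assumption: same spot as the post uses
VOLNAME="${VOLNAME:-secure}"                  # becomes the mount point /Volumes/secure
SIZE="${SIZE:-512m}"
BAND_SIZE=8388608                             # hdiutil's default band size: 8 MiB

# Band files live in <image>/bands/ and are named by their index in lowercase hex
# with no padding (0, 1, ..., a, ..., 1f). A write at byte offset N of the raw
# image lands in band N / band-size, and only that file's mtime changes.
band_name() {            # band_name OFFSET [BAND_SIZE]
    printf '%x\n' $(( $1 / ${2:-$BAND_SIZE} ))
}

# Every band touched by a write of LENGTH bytes starting at OFFSET, one per line.
bands_for_range() {      # bands_for_range OFFSET LENGTH [BAND_SIZE]
    bs=${3:-$BAND_SIZE}
    first=$(( $1 / bs ))
    last=$(( ($1 + $2 - 1) / bs ))
    i=$first
    while [ "$i" -le "$last" ]; do
        printf '%x\n' "$i"
        i=$(( i + 1 ))
    done
}

# Step 1. The passphrase is fed on stdin (-stdinpass) so it never shows up in
# `ps` or shell history. hdiutil does not store it in the keychain; Disk Utility
# or the first GUI mount prompt does that for you.
create_image() {
    printf 'Passphrase for %s: ' "$IMAGE" >&2
    stty -echo; read -r pass; stty echo; printf '\n' >&2
    printf '%s' "$pass" | hdiutil create -size "$SIZE" -type SPARSEBUNDLE \
        -fs 'Journaled HFS+' -encryption AES-256 -stdinpass \
        -volname "$VOLNAME" "$IMAGE"
    unset pass
}

# Step 2. Same login item the Accounts pane would create.
add_login_item() {
    osascript -e "tell application \"System Events\" to make login item at end \
with properties {path:\"$IMAGE\", hidden:false}"
}

# Step 3 check: mount, print the real band size, and ask Time Machine what it
# thinks of the plaintext mount point versus the bundle in ~.
check_exclusions() {
    hdiutil attach "$IMAGE"
    /usr/libexec/PlistBuddy -c 'Print :band-size' "$IMAGE/Info.plist"
    tmutil isexcluded "/Volumes/$VOLNAME"    # expect [Excluded]
    tmutil isexcluded "$IMAGE"               # expect [Included]
}

# Measure step 1's backup claim: touch a marker, change a file on the mounted
# volume, then count band files newer than the marker.
changed_bands_since() {  # changed_bands_since MARKER_FILE
    find "$IMAGE/bands" -type f -newer "$1" | wc -l | tr -d ' '
}

if [ "${SECURE_IMAGE_SETUP:-0}" = 1 ]; then   # macOS only; opt in explicitly
    create_image
    add_login_item
    check_exclusions
fi
```

Run it with SECURE_IMAGE_SETUP=1 on the Mac to perform the setup; without that variable it only defines the functions, so you can source it and call changed_bands_since on a marker file to watch how many bands a given edit really dirties. Expect a few more than bands_for_range predicts: the HFS+ journal, catalog and allocation bitmap live in their own bands and are rewritten on every file change, so Time Machine copies those along with the band holding your data, which is still a tiny fraction of the image.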