HOWTO: Creating an encrypted Time Machine backup

Mr. Zorg · Feb 15, 2008, 02:55 AM

I've noticed that under 10.5.2 Time Machine now backs up my mounted FileVault volume while I'm logged in, but alas it is unencrypted this way. At least before it was only copying the encrypted sparsebundle as a whole. This underscored the need to create an encrypted backup system since I have sensitive work data that is just unacceptable to leave in the clear. I figured out how to get Time Machine to make an encrypted backup, here's how:

Set up Time Machine to backup to an AFP volume, I haven't figured out how to make it work on a local drive.
Let Time Machine start backing up, and then stop the backup. This should create a <machine_name>_<random_number>.sparseimage volume on the AFP drive.
Turn off Time Machine.
Rename the <machine_name>_<random_number>.sparseimage to old_<machine_name>_<random_number>.sparseimage.
Open Terminal, cd to your AFP volume and encrypt the image with this command: hdiutil convert -format UDSB -o <machine_name>_<random_number>.sparseimage -encryption AES-256 old_<machine_name>_<random_number>.sparseimage
When that's done, double click on the newly encrypted image, enter your password and check the remember my password box. After it mounts, eject the volume (this may take a little while).
Open up Keychain Access, and locate the <machine_name>_<random_number>.sparseimage entry in your login keychain. Right click it and choose copy.
Unlock the system keychain (requires an administrator login), right click in the right hand side and choose paste. (It will not work if the password isn't in the system keychain.) Don't forget to relock the system keychain.
Turn Time Machine back on, and tell it to backup now.
At this point it should start backing up successfully. Once it does, you can delete the old_<machine_name>_<random_number>.sparseimage file.

This worked for me, I hope it works for you too!

tuxtpenguin · Feb 21, 2008, 07:12 PM

This is interesting. I may have to try this.

Eidorian · Feb 21, 2008, 07:14 PM

I'd love to try this but what's the performance loss due to FileVault? I don't have an AFP mount either.

dvd · Feb 22, 2008, 01:33 AM

very cool, I've been thinking about trying this so good to hear it works!

By the way, that <random_number> is the MAC address of your computer and should therefore be basically globally unique.

dvd · Feb 22, 2008, 01:35 AM

Quote:

Originally Posted by Eidorian

I'd love to try this but what's the performance loss due to FileVault? I don't have an AFP mount either.

You can probably do this via a SMB mount as well. Performance may slow down the big initial backup, but the incremental/hourly backups shouldn't be large enough for the performance hit to be noticable.

MilesM · Apr 21, 2008, 02:39 PM

Just used this tip to encrypt a Time Machine backup on a shared Time Capsule and it seems to be working fine. The filenames are slightly different with Time Capsule (.sparsebundle instead of .sparseimage and user name added to beginning of filename) but it didn't seem to make any difference.

Thanks!

Miles

EDevil · May 28, 2009, 05:08 AM

Has anyone tried a full restore with an encrypted sparseimage?

Does it prompt for your username/password? Or do we have to do additional steps?

guysab · 04:25 PM

There are a few changes when creating an encrypted Time Machine backup under Snow Leopard:

The name of the sparse bundle no longer contains a <random_number> (which was in fact the Ethernet adapter address). It is now simply named <machine>.sparsebundle.
The unique machine identifier is now hidden in the sparsebundle. After you create the encrypted image, open the contents of both sparsebundles (in the Finder, right-click on the sparsebundles, "Show Package Contents") and move the file "com.apple.TimeMachine.MachineID.plist" from the old sparsebundle to the new one.
That's it. Start the Time Machine Backup and it should work.

P.S. If you created your encrypted Time Machine backup under Leopard, it will still work unchanged when you upgrade to Snow Leopard. These changes apply only if you create a new Time Machine backup under Snow Leopard. Hope this helps!

maflynn · Oct 10, 2009, 07:58 PM

I dunno, something just doesn't seem right about this. I have a backup so that I can restore my drive/data. By encrypting it, and if I then have a problem with the decryption (for what ever reason), I'm sunk. I have no backup. Seems to me, a safer approach is to store your sensitive data on an encrypted dmg. Leave everything else ok, and the TM will back up both the encrypted dmg and your data.

Maybe I'm being overly cautious, but when it rains it pours, I can easily see having something bad happen, that I need to restore my drive and then something else bad happening because I encrypted my backup...

BobZune · Oct 11, 2009, 12:36 AM

It is a hack (and is undocumented/unsupported), and EDevil's rather good question has gone unanswered for months (I'll expand on the question and ask if the OS X Install DVD recognizes the TM disk).

It may be ok under some very limited cirumstances as a redundant backup, but not something that I'd recommend relying on in a primary-use machine.

Feb 15, 2008, 02:55 AM	#1
Mr. Zorg macrumors regular Join Date: Sep 2007	HOWTO: Creating an encrypted Time Machine backup I've noticed that under 10.5.2 Time Machine now backs up my mounted FileVault volume while I'm logged in, but alas it is unencrypted this way. At least before it was only copying the encrypted sparsebundle as a whole. This underscored the need to create an encrypted backup system since I have sensitive work data that is just unacceptable to leave in the clear. I figured out how to get Time Machine to make an encrypted backup, here's how: Set up Time Machine to backup to an AFP volume, I haven't figured out how to make it work on a local drive. Let Time Machine start backing up, and then stop the backup. This should create a <machine_name>_<random_number>.sparseimage volume on the AFP drive. Turn off Time Machine. Rename the <machine_name>_<random_number>.sparseimage to old_<machine_name>_<random_number>.sparseimage. Open Terminal, cd to your AFP volume and encrypt the image with this command: hdiutil convert -format UDSB -o <machine_name>_<random_number>.sparseimage -encryption AES-256 old_<machine_name>_<random_number>.sparseimage When that's done, double click on the newly encrypted image, enter your password and check the remember my password box. After it mounts, eject the volume (this may take a little while). Open up Keychain Access, and locate the <machine_name>_<random_number>.sparseimage entry in your login keychain. Right click it and choose copy. Unlock the system keychain (requires an administrator login), right click in the right hand side and choose paste. (It will not work if the password isn't in the system keychain.) Don't forget to relock the system keychain. Turn Time Machine back on, and tell it to backup now. At this point it should start backing up successfully. Once it does, you can delete the old_<machine_name>_<random_number>.sparseimage file. This worked for me, I hope it works for you too!

Feb 21, 2008, 07:14 PM	#3
Eidorian macrumors G3 Join Date: Mar 2005 Location: Indiana	I'd love to try this but what's the performance loss due to FileVault? I don't have an AFP mount either. __________________ MRoogle it! hikari T7500 2.2 GHz / 4 GB / 320 GB / GMA X3100 / 10.5.8 shinobu Core i5 750 2.66 GHz / 4 GB / 640 GB / 4830 / Windows 7

Feb 22, 2008, 01:33 AM	#4
dvd macrumors regular Join Date: Oct 2007 Location: Oregon	very cool, I've been thinking about trying this so good to hear it works! By the way, that <random_number> is the MAC address of your computer and should therefore be basically globally unique. __________________ Black MacBook 2GHz Core2Duo/4GB RAM/200GB 7200RPM HD/Leopard, Black iPhone 3G 16GB, i use this

May 28, 2009, 05:08 AM	#7
EDevil macrumors newbie Join Date: Jul 2007	Full restore Has anyone tried a full restore with an encrypted sparseimage? Does it prompt for your username/password? Or do we have to do additional steps?

Oct 10, 2009, 04:23 PM	#8
guysab macrumors newbie Join Date: Oct 2009	Making it work on Snow Leopard There are a few changes when creating an encrypted Time Machine backup under Snow Leopard: The name of the sparse bundle no longer contains a <random_number> (which was in fact the Ethernet adapter address). It is now simply named <machine>.sparsebundle. The unique machine identifier is now hidden in the sparsebundle. After you create the encrypted image, open the contents of both sparsebundles (in the Finder, right-click on the sparsebundles, "Show Package Contents") and move the file "com.apple.TimeMachine.MachineID.plist" from the old sparsebundle to the new one. That's it. Start the Time Machine Backup and it should work. P.S. If you created your encrypted Time Machine backup under Leopard, it will still work unchanged when you upgrade to Snow Leopard. These changes apply only if you create a new Time Machine backup under Snow Leopard. Hope this helps! Last edited by guysab : Oct 10, 2009 at 04:25 PM. Reason: Double titles (sorry!)

Feb 21, 2008, 07:12 PM	#2
tuxtpenguin macrumors regular Join Date: May 2007 Location: TX	This is interesting. I may have to try this.

Apr 21, 2008, 02:39 PM	#6
MilesM macrumors newbie Join Date: Mar 2006	Just used this tip to encrypt a Time Machine backup on a shared Time Capsule and it seems to be working fine. The filenames are slightly different with Time Capsule (.sparsebundle instead of .sparseimage and user name added to beginning of filename) but it didn't seem to make any difference. Thanks! Miles

Oct 10, 2009, 07:58 PM	#9
maflynn Contributor Join Date: May 2009	I dunno, something just doesn't seem right about this. I have a backup so that I can restore my drive/data. By encrypting it, and if I then have a problem with the decryption (for what ever reason), I'm sunk. I have no backup. Seems to me, a safer approach is to store your sensitive data on an encrypted dmg. Leave everything else ok, and the TM will back up both the encrypted dmg and your data. Maybe I'm being overly cautious, but when it rains it pours, I can easily see having something bad happen, that I need to restore my drive and then something else bad happening because I encrypted my backup... __________________ Unibody MacBook Pro 2.53 GHz, 4GB ram, 500GB HDD; iPhone 3Gs 32GB

Oct 11, 2009, 12:36 AM	#10
BobZune macrumors 6502a Join Date: Oct 2007 Location: USA	It is a hack (and is undocumented/unsupported), and EDevil's rather good question has gone unanswered for months (I'll expand on the question and ask if the OS X Install DVD recognizes the TM disk). It may be ok under some very limited cirumstances as a redundant backup, but not something that I'd recommend relying on in a primary-use machine.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode