Old Feb 15, 2008, 01:55 AM   #1
Mr. Zorg
macrumors regular
 
Join Date: Sep 2007
HOWTO: Creating an encrypted Time Machine backup

I've noticed that under 10.5.2 Time Machine now backs up my mounted FileVault volume while I'm logged in, but alas it is unencrypted this way. At least before it was only copying the encrypted sparsebundle as a whole. This underscored the need to create an encrypted backup system since I have sensitive work data that is just unacceptable to leave in the clear. I figured out how to get Time Machine to make an encrypted backup; here's how:
  1. Set up Time Machine to back up to an AFP volume; I haven't figured out how to make it work on a local drive.
  2. Let Time Machine start backing up, and then stop the backup. This should create a <machine_name>_<random_number>.sparseimage volume on the AFP drive.
  3. Turn off Time Machine.
  4. Rename the <machine_name>_<random_number>.sparseimage to old_<machine_name>_<random_number>.sparseimage.
  5. Open Terminal, cd to your AFP volume and encrypt the image with this command:
     hdiutil convert -format UDSB -o <machine_name>_<random_number>.sparseimage -encryption AES-256 old_<machine_name>_<random_number>.sparseimage
  6. When that's done, double click on the newly encrypted image, enter your password and check the remember my password box. After it mounts, eject the volume (this may take a little while).
  7. Open up Keychain Access, and locate the <machine_name>_<random_number>.sparseimage entry in your login keychain. Right click it and choose copy.
  8. Unlock the system keychain (requires an administrator login), right click in the right hand side and choose paste. (It will not work if the password isn't in the system keychain.) Don't forget to relock the system keychain.
  9. Turn Time Machine back on, and tell it to back up now.
  10. At this point it should start backing up successfully. Once it does, you can delete the old_<machine_name>_<random_number>.sparseimage file.

This worked for me, I hope it works for you too!
Mr. Zorg is offline   0 Reply With Quote
Old Feb 21, 2008, 06:12 PM   #2
tuxtpenguin
macrumors regular
 
Join Date: May 2007
Location: TX
This is interesting. I may have to try this.
tuxtpenguin is offline   0 Reply With Quote
Old Feb 21, 2008, 06:14 PM   #3
Eidorian
macrumors Penryn
 
Join Date: Mar 2005
Location: Cuidad de México
I'd love to try this but what's the performance loss due to FileVault? I don't have an AFP mount either.
__________________
Core i5 750 / 16 GB RAM / 500 GB SSD / HD 7950 / Windows 8.1
13" Retina MacBook Pro
Eidorian is offline   0 Reply With Quote
Old Feb 22, 2008, 12:33 AM   #4
dvd
macrumors regular
 
Join Date: Oct 2007
Location: Massachusetts
very cool, I've been thinking about trying this so good to hear it works!

By the way, that <random_number> is the MAC address of your computer and should therefore be basically globally unique.
__________________
lots of Apple toys
dvd is offline   0 Reply With Quote
Old Feb 22, 2008, 12:35 AM   #5
dvd
macrumors regular
 
Join Date: Oct 2007
Location: Massachusetts
Quote:
Originally Posted by Eidorian View Post
I'd love to try this but what's the performance loss due to FileVault? I don't have an AFP mount either.
You can probably do this via a SMB mount as well. Performance may slow down the big initial backup, but the incremental/hourly backups shouldn't be large enough for the performance hit to be noticeable.
__________________
lots of Apple toys
dvd is offline   0 Reply With Quote
Old Apr 21, 2008, 01:39 PM   #6
MilesM
macrumors newbie
 
Join Date: Mar 2006
Just used this tip to encrypt a Time Machine backup on a shared Time Capsule and it seems to be working fine. The filenames are slightly different with Time Capsule (.sparsebundle instead of .sparseimage and user name added to beginning of filename) but it didn't seem to make any difference.

Thanks!

Miles
MilesM is offline   0 Reply With Quote
Old May 28, 2009, 04:08 AM   #7
EDevil
macrumors newbie
 
Join Date: Jul 2007
Full restore

Has anyone tried a full restore with an encrypted sparseimage?

Does it prompt for your username/password? Or do we have to do additional steps?
EDevil is offline   0 Reply With Quote
Old Oct 10, 2009, 03:23 PM   #8
guysab
macrumors newbie
 
Join Date: Oct 2009
Making it work on Snow Leopard

There are a few changes when creating an encrypted Time Machine backup under Snow Leopard:
  1. The name of the sparse bundle no longer contains a <random_number> (which was in fact the Ethernet adapter address). It is now simply named <machine>.sparsebundle.
  2. The unique machine identifier is now hidden in the sparsebundle. After you create the encrypted image, open the contents of both sparsebundles (in the Finder, right-click on the sparsebundles, "Show Package Contents") and move the file "com.apple.TimeMachine.MachineID.plist" from the old sparsebundle to the new one.
  3. That's it. Start the Time Machine Backup and it should work.
P.S. If you created your encrypted Time Machine backup under Leopard, it will still work unchanged when you upgrade to Snow Leopard. These changes apply only if you create a new Time Machine backup under Snow Leopard. Hope this helps!

Last edited by guysab; Oct 10, 2009 at 03:25 PM. Reason: Double titles (sorry!)
guysab is offline   0 Reply With Quote
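Steps 4 and 5 of post #1 together with the Snow Leopard plist step from post #8, as an added shell example that is not part of any poster's message: it confirms with `hdiutil isencrypted` that the converted image really is encrypted before the plaintext copy is deleted. The function names, the script name in the usage comment and the top-level location of the plist inside the bundle are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Run with Time Machine turned off (step 3).
PLIST=com.apple.TimeMachine.MachineID.plist

# Step 4 naming: same directory, file name prefixed with "old_".
old_name() {
    printf '%s/old_%s\n' "$(dirname "$1")" "$(basename "$1")"
}

# Reads `hdiutil isencrypted` output on stdin; true only for "encrypted: YES".
reports_encrypted() {
    grep -q 'encrypted: YES'
}

encrypt_image() {
    img=$1
    old=$(old_name "$img")
    [ -e "$img" ] || { echo "no such image: $img" >&2; return 1; }
    [ ! -e "$old" ] || { echo "refusing to overwrite $old" >&2; return 1; }

    mv "$img" "$old" || return 1                      # step 4
    # Step 5: same command as in post #1; hdiutil prompts for the passphrase.
    if ! hdiutil convert -format UDSB -o "$img" -encryption AES-256 "$old"; then
        echo "conversion failed; the original is at $old" >&2
        return 1
    fi
    # In case hdiutil wrote the output under a different name, confirm the path.
    [ -e "$img" ] || { echo "expected $img after convert; original is at $old" >&2; return 1; }

    # Do not trust the conversion blindly: ask hdiutil what it produced.
    if ! hdiutil isencrypted "$img" 2>&1 | reports_encrypted; then
        echo "$img is NOT encrypted; keep $old and investigate" >&2
        return 1
    fi

    # Post #8 (Snow Leopard): carry the machine ID over if the old bundle has one.
    # Assumption: the plist sits at the top level of the bundle directory.
    if [ -f "$old/$PLIST" ]; then
        cp -p "$old/$PLIST" "$img/$PLIST" || return 1
    fi
    echo "verified encrypted: $img"
    echo "plaintext copy still at $old; delete it only after a backup succeeds (step 10)"
}

# Usage: sh encrypt_tm_image.sh /Volumes/<share>/<image>
[ "$#" -eq 0 ] || encrypt_image "$1"
```

The keychain steps (6 to 8) are still done by hand afterwards; the script only covers the rename, the conversion and the verification.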
Old Oct 10, 2009, 06:58 PM   #9
maflynn
Moderator
 
Join Date: May 2009
Location: Boston
I dunno, something just doesn't seem right about this. I have a backup so that I can restore my drive/data. By encrypting it, and if I then have a problem with the decryption (for what ever reason), I'm sunk. I have no backup. Seems to me, a safer approach is to store your sensitive data on an encrypted dmg. Leave everything else ok, and the TM will back up both the encrypted dmg and your data.

Maybe I'm being overly cautious, but when it rains it pours, I can easily see having something bad happen, that I need to restore my drive and then something else bad happening because I encrypted my backup...
__________________
~Mike Flynn
maflynn is offline   0 Reply With Quote
Old Oct 10, 2009, 11:36 PM   #10
BobZune
macrumors 6502a
 
Join Date: Oct 2007
Location: USA
It is a hack (and is undocumented/unsupported), and EDevil's rather good question has gone unanswered for months (I'll expand on the question and ask if the OS X Install DVD recognizes the TM disk).

It may be ok under some very limited circumstances as a redundant backup, but not something that I'd recommend relying on in a primary-use machine.
BobZune is offline   0 Reply With Quote
Old May 4, 2010, 07:49 AM   #11
abackstrom
macrumors newbie
 
Join Date: May 2010
I am successfully using the encrypted backup sparseimage I created under Mac OS X 10.5 Leopard after upgrading to Mac OS X 10.6 Snow Leopard. I had to re-copy the keychain item to the System keychain (Steps 7-8). For some reason it was lost during the upgrade and I would receive the error "Time Machine could not complete the backup. The backup disk image <name> could not be accessed (error -1)."



Quote:
Originally Posted by maflynn View Post
I dunno, something just doesn't seem right about this. I have a backup so that I can restore my drive/data. By encrypting it, and if I then have a problem with the decryption (for what ever reason), I'm sunk. I have no backup. Seems to me, a safer approach is to store your sensitive data on an encrypted dmg. Leave everything else ok, and the TM will back up both the encrypted dmg and your data.

Maybe I'm being overly cautious, but when it rains it pours, I can easily see having something bad happen, that I need to restore my drive and then something else bad happening because I encrypted my backup...
I think that's a bit off. My encrypted data is more important than my unencrypted (that's part of the reason it's secured) so I wouldn't use any backup solution that can't tolerate a single point failure.

Personally I keep two identically-named Time Machine disks: one at work (encrypted) and one at home (vanilla).
abackstrom is offline   0 Reply With Quote
Old May 11, 2010, 09:35 AM   #12
Schlaefer
macrumors member
 
Join Date: May 2010
Quote:
Originally Posted by EDevil View Post
Has anyone tried a full restore with an encrypted sparseimage?

Does it prompt for your username/password? Or do we have to do additional steps?
Migration Assistant seems to work after the sparsebundle is mounted manually.

But I couldn't make it show up booting from the install DVD even if the image is manually mounted via Terminal.

My google-fu is failing me on this: multiple descriptions of how to set up, but nobody did a restore? Maybe someone more powerful than me …
Schlaefer is offline   0 Reply With Quote
Old Sep 29, 2010, 09:05 PM   #13
nvrau
macrumors newbie
 
Join Date: Dec 2006
Location: Birmingham, Al
Any Other Progress?

Anyone had any other progress on restoring data or accessing from OSX DVD?
__________________
===================================
B.
nvrau is offline   0 Reply With Quote
Old Oct 9, 2010, 06:18 AM   #14
apk5WEyJOQ
macrumors newbie
 
Join Date: Oct 2010
Restoring encrypted backup from OSX DVD

Yes, I've successfully recovered a system from an encrypted sparsebundle.

The problem was kinda interesting and nerve-racking at the time, but only because OS X doesn't walk you through it.

What you need to do is proceed through the recovery prompts until it asks you to select a location of the Time Machine backup. At this point, select the NAS so that the graphical install interface mounts the NAS sharepoint (let's say this is /Volumes/timemachine). But it won't see your Time Machine backup, because it's encrypted inside mymac_MACaddress.sparsebundle. But since the volume on the network is mounted, we can do this through the terminal.

Open Terminal from the Utilities menu, and then do:
hdiutil attach /Volumes/timemachine/mymac_MACaddress.sparsebundle

This will prompt you for the password; enter it, and then return to the graphical installer. The recovery option should now show that Time Machine Backup or whatever the name of your backup container within the encrypted sparsebundle is a restore option. Sometimes, I've seen this as a blank line listed alongside other disks. Other times, I've had to Go Back in the recovery process and then proceed again through it until it asks to pick the source. But it should show up, and then restore as normal.

My work requires me to have disk encryption on my laptop, but I hate that FileVault is so heavy when it's backed up. I switched to full disk encryption and use an encrypted sparsebundle to receive my TM backups hourly now. It's fantastic, and the space savings, convenience, and the live-backup-without-logout over FileVault are a real winner.
apk5WEyJOQ is offline   0 Reply With Quote
Old Oct 30, 2010, 09:54 PM   #15
g-boac
macrumors 6502
 
Join Date: Oct 2007
Quote:
Originally Posted by apk5WEyJOQ View Post
My work requires me to have disk encryption on my laptop, but I hate that FileVault is so heavy when it's backed up. I switched to full disk encryption and use an encrypted sparsebundle to receive my TM backups hourly now. It's fantastic, and the space savings, convenience, and the live-backup-without-logout over FileVault are a real winner.
apk5WEyJOQ,
Good evening! Quick question, this essentially is for having an unencrypted home directory on your computer, but backing it up to an encrypted sparse bundle on your Time Capsule, correct?

Or in the case of your example, you use third-party software (what do you use?) to encrypt your entire hard disk drive which protects data on your MacBook if it is stolen, and you use your solution above to protect data on your Time Capsule by keeping it on an encrypted disk image. Since FileVault is off, data is sent back and forth "in the clear" to the Time Capsule while you are logged in, and therefore it happens hourly (and you can restore individual files), without requiring you to log out to back up. Am I reading all this correctly?

thanks!
Mark
g-boac is offline   0 Reply With Quote
Old Nov 22, 2010, 12:23 AM   #16
meitar
macrumors newbie
 
Join Date: Nov 2010
This is a great tip, thanks. I tried to implement it for a local encrypted sparsebundle and, although it worked, it seems Time Machine in Mac OS X 10.6.5 won't actually back up without a manual invocation. That is, while manually invoking a backup after following these instructions works, the automatic/scheduled backups fail.

The issue is described in detail in this thread:

http://discussions.apple.com/thread....ageID=12623426

Any advice? Thanks in advance.
meitar is offline   0 Reply With Quote
Old Nov 22, 2010, 03:50 PM   #17
chucksense
macrumors newbie
 
Join Date: Sep 2009
Quote:
Originally Posted by meitar View Post
That is, while manually invoking a backup after following these instructions works, the automatic/scheduled backups fail.
I'm running into this too since upgrading to 10.6.5.
chucksense is offline   0 Reply With Quote
Old Apr 6, 2011, 09:25 AM   #18
langiter
macrumors newbie
 
Join Date: Apr 2011
Solutions for 10.6.7

Quote:
Originally Posted by chucksense View Post
I'm running into this too since upgrading to 10.6.5.
Thank you Mr Zorg for your help! I've got my FileVault account backing up through Time Machine in OS X 10.6.7, onto an encrypted backup, with the help of you and others. To get the encrypted backup working in 10.6.7, note guysab's comment above. Also, it won't run the automated backups, unfortunately. So I've written an AppleScript which mounts the backup image, and manually starts a backup. I've set this script to run every hour. Note that this also allows you to keep the password for the encrypted backup in the login keychain, not the System keychain, which I believe avoids the problem where someone who steals your computer AND your backup can access all your files on your backup.

Also, to get FileVault to back up while logged in on 10.6.7, I had to follow m4x's hint on hints.macworld.com.

I'm hoping to post my complete instructions and script in a hint called “10.6.7: Set up encrypted Backup in Time Machine for FileVault” on hints.macworld.com.
langiter is offline   0 Reply With Quote
Old Oct 5, 2011, 01:15 PM   #19
odaigle
macrumors newbie
 
Join Date: Sep 2008
Encrypted backup when logged out ?

My encrypted backup to a sparsebundle is working just fine in Snow Leopard when I am logged in. However, the backup does not happen when I am logged out (and no other user is logged in). Do you have the same issue ?
odaigle is offline   0 Reply With Quote
Old Oct 13, 2011, 10:07 PM   #20
ShockDoc
macrumors newbie
 
Join Date: Aug 2010
Location: New Zealand
Quote:
Originally Posted by odaigle View Post
My encrypted backup to a sparsebundle is working just fine in Snow Leopard when I am logged in. However, the backup does not happen when I am logged out (and no other user is logged in). Do you have the same issue ?
Try this: Open Keychain Access and move the key for the sparseimage from your Login keychain to the System keychain. You will need an administrator password to do this.

I am not sure how secure this is if your boot drive is not encrypted. I am not knowledgeable enough to know if the key could be extracted by an expert.

I use Symantec PGP10.2.0 whole disk encryption, boot from that disk that has Mac 10.6.8, my physically local Backups are on an unencrypted DroboPro but the backups on it are encrypted as above so once powered down, no one can get access to the computer disk or the backups if stolen. Physically distant bootable backups are on an external drive also with whole disk encryption. I decrypt then SuperDuper the volume then reboot from the SuperDuper backup created and reencrypt that from within the backup volume, check it works! Then restart from the local drive and recrypt that again. These encrypted but bootable disaster backups must be offsite at some other physically remote location or it just is a waste of time if you have a fire etc.

Don't rely on one system of backup, encrypted or not, or one Disk, or one piece of software. Use multiple sets, encrypt or not, {PGP or Retrospect (I also have Retrospect 8.2.0)} Time Machine (rotate Time Machine drives! on and offsite) and other Backups, copies. Also if your Computer is lost will you have a machine that will boot up YOUR backups and "bootable drives"?

Sorry I've wandered off topic a bit!
ShockDoc is offline   0 Reply With Quote
Old Jan 27, 2012, 04:16 PM   #21
forrie
macrumors newbie
 
Join Date: Mar 2008
hdiutil incantation for NFS and encryption?

I want to experiment with (unsupported) NFS Time Machine backups, using an encrypted sparsebundle. I'm guessing that the initial creation of the bundle just needs the encryption flag added to it (does it ask for a password?).

hdiutil create -size 128g -type SPARSEBUNDLE -nospotlight -volname "Time Machine Backup" -fs "Case-sensitive Journaled HFS+" -verbose ./mybackup.sparsebundle

(I found elsewhere)

How to determine the best initial size for your sparsebundle? I would presume at least as much as the drive is occupying.


Thanks.
forrie is offline   0 Reply With Quote
Old Jan 30, 2012, 04:27 AM   #22
langiter
macrumors newbie
 
Join Date: Apr 2011
Quote:
Originally Posted by forrie View Post
How to determine the best initial size for your sparsebundle? I would presume at least as much as the drive is occupying.


Thanks.
You probably want much more than that. The "size" of the sparsebundle is the maximum storage space in the disk image. A half-full sparsebundle will take up only half that space on the actual disk. For Time Machine to keep sequential backups, you need the sparsebundle to be much larger than the space taken by the data you want to back up. You might make it the size of your whole disk, for example.
langiter is offline   0 Reply With Quote
Old Jan 30, 2012, 01:30 PM   #23
forrie
macrumors newbie
 
Join Date: Mar 2008
Thanks for the clarification. I initially created one 1.5 times the data I am using. I will change it.

However, I ran into a problem after following the directions at:

Micromux

The system complained that the volume cannot be used with Time Machine. I am using the latest OSX Lion.

Failing that, my next option is to perhaps try the latest "netatalk" and use AFS. Has anyone experience with this? I understand the pros-and-cons of fragmented traffic there, but our network isn't that noisy and it's all local to the building.


Thanks.
forrie is offline   0 Reply With Quote
Old Feb 6, 2012, 01:03 AM   #24
langiter
macrumors newbie
 
Join Date: Apr 2011
Micromux

Quote:
Originally Posted by forrie View Post
…However, I ran into a problem after following the directions at:

Micromux

The system complained that the volume cannot be used with Time Machine. I am using the latest OSX Lion.
I haven't used NFS or NAS, sorry. Maybe the Micromux technique doesn't work with Lion. Have they changed the way Time Machine identifies usable volumes? I don't have access to a Lion install.
langiter is offline   0 Reply With Quote
