HOWTO: Creating an encrypted Time Machine backup

Discussion in 'OS X' started by Mr. Zorg, Feb 14, 2008.

  1. macrumors regular

    Mr. Zorg

    Joined:
    Sep 5, 2007
    #1
    I've noticed that under 10.5.2 Time Machine now backs up my mounted FileVault volume while I'm logged in, but alas it is unencrypted this way. At least before it was only copying the encrypted sparsebundle as a whole. This underscored the need to create an encrypted backup system since I have sensitive work data that is just unacceptable to leave in the clear. I figured out how to get Time Machine to make an encrypted backup, here's how:

    1. Set up Time Machine to back up to an AFP volume, I haven't figured out how to make it work on a local drive.
    2. Let Time Machine start backing up, and then stop the backup. This should create a <machine_name>_<random_number>.sparseimage volume on the AFP drive.
    3. Turn off Time Machine.
    4. Rename the <machine_name>_<random_number>.sparseimage to old_<machine_name>_<random_number>.sparseimage.
    5. Open Terminal, cd to your AFP volume and encrypt the image with this command: hdiutil convert -format UDSB -o <machine_name>_<random_number>.sparseimage -encryption AES-256 old_<machine_name>_<random_number>.sparseimage
    6. When that's done, double click on the newly encrypted image, enter your password and check the remember my password box. After it mounts, eject the volume (this may take a little while).
    7. Open up Keychain Access, and locate the <machine_name>_<random_number>.sparseimage entry in your login keychain. Right click it and choose copy.
    8. Unlock the system keychain (requires an administrator login), right click in the right hand side and choose paste. (It will not work if the password isn't in the system keychain.) Don't forget to relock the system keychain.
    9. Turn Time Machine back on, and tell it to backup now.
    10. At this point it should start backing up successfully. Once it does, you can delete the old_<machine_name>_<random_number>.sparseimage file.

    This worked for me, I hope it works for you too!
     
  2. macrumors regular

    Joined:
    May 19, 2007
    Location:
    TX
    #2
    This is interesting. I may have to try this.
     
  3. macrumors Penryn

    Eidorian

    Joined:
    Mar 23, 2005
    Location:
    Ciudad de México
    #3
    I'd love to try this but what's the performance loss due to FileVault? I don't have an AFP mount either. :D
     
  4. dvd
    macrumors regular

    dvd

    Joined:
    Oct 12, 2007
    Location:
    Massachusetts
    #4
    very cool, I've been thinking about trying this so good to hear it works!

    By the way, that <random_number> is the MAC address of your computer and should therefore be basically globally unique.
     
  5. dvd
    macrumors regular

    dvd

    Joined:
    Oct 12, 2007
    Location:
    Massachusetts
    #5
    You can probably do this via a SMB mount as well. Performance may slow down the big initial backup, but the incremental/hourly backups shouldn't be large enough for the performance hit to be noticeable.
     
  6. macrumors newbie

    Joined:
    Mar 6, 2006
    #6
    Just used this tip to encrypt a Time Machine backup on a shared Time Capsule and it seems to be working fine. The filenames are slightly different with Time Capsule (.sparsebundle instead of .sparseimage and user name added to beginning of filename) but it didn't seem to make any difference.

    Thanks!

    Miles
     
  7. macrumors newbie

    Joined:
    Jul 31, 2007
    #7
    Full restore

    Has anyone tried a full restore with an encrypted sparseimage?

    Does it prompt for your username/password? Or do we have to do additional steps?
     
  8. macrumors newbie

    Joined:
    Oct 10, 2009
    #8
    Making it work on Snow Leopard

    There are a few changes when creating an encrypted Time Machine backup under Snow Leopard:

    1. The name of the sparse bundle no longer contains a <random_number> (which was in fact the Ethernet adapter address). It is now simply named <machine>.sparsebundle.
    2. The unique machine identifier is now hidden in the sparsebundle. After you create the encrypted image, open the contents of both sparsebundles (in the Finder, right-click on the sparsebundles, "Show Package Contents") and move the file "com.apple.TimeMachine.MachineID.plist" from the old sparsebundle to the new one.
    3. That's it. Start the Time Machine Backup and it should work.
    P.S. If you created your encrypted Time Machine backup under Leopard, it will still work unchanged when you upgrade to Snow Leopard. These changes apply only if you create a new Time Machine backup under Snow Leopard. Hope this helps!
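The conversion steps from the first post (steps 4, 5 and 10 for a Leopard .sparseimage) and the Snow Leopard MachineID.plist step from post #8, written up as one shell script. This is an added example for this page, not code from either poster or from Apple. It assumes hdiutil is the stock macOS tool, that Time Machine has already been switched off and the backup share is mounted, and it picks the image format from the file's extension (UDSP for .sparseimage, UDSB for .sparsebundle) instead of always passing UDSB as the original command did. The keychain copy (steps 6 to 8) is still done by hand in Keychain Access. The MachineID plist is copied rather than moved so the old_* image stays a complete fallback until a backup has succeeded, and `hdiutil isencrypted` is used to confirm the result before that fallback is deleted.

```shell
#!/bin/sh
# tm_encrypt.sh: convert an existing, unencrypted Time Machine image into an
# AES-256 encrypted one with the same name.  Example script for this thread,
# not Apple tooling and not the original poster's commands.
# Handles the Leopard layout (<machine>_<mac>.sparseimage) and the Snow
# Leopard layout (<machine>.sparsebundle with the machine identifier stored
# inside the bundle as com.apple.TimeMachine.MachineID.plist).
# Usage: DRY_RUN=1 sh tm_encrypt.sh encrypt /Volumes/tm/mymac.sparsebundle
#        sh tm_encrypt.sh encrypt /Volumes/tm/mymac.sparsebundle
set -eu

DRY_RUN="${DRY_RUN:-0}"

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Name of the renamed original (step 4 of the thread): <dir>/old_<image>
old_name() {
    printf '%s/old_%s\n' "$(dirname "$1")" "$(basename "$1")"
}

# hdiutil format matching the extension: sparse image or sparse bundle.
image_format() {
    case "$1" in
        *.sparseimage)  echo UDSP ;;
        *.sparsebundle) echo UDSB ;;
        *) echo "unsupported image type: $1" >&2; return 1 ;;
    esac
}

# Steps 4 and 5: rename the original, then convert it into an encrypted copy
# under the original name so Time Machine finds the image it expects.
# hdiutil prompts on the terminal for the new passphrase (twice).
encrypt_image() {
    image="$1"
    old=$(old_name "$image")
    fmt=$(image_format "$image")
    run mv "$image" "$old"
    run hdiutil convert -format "$fmt" -encryption AES-256 -o "$image" "$old"
    case "$image" in
        *.sparsebundle)
            # Snow Leopard: carry the machine identifier over, otherwise the
            # new bundle is not recognised as this Mac's backup (post #8).
            run cp "$old/com.apple.TimeMachine.MachineID.plist" "$image/"
            ;;
    esac
}

# Confirm the image really is encrypted before trusting it and before
# deleting old_*; "hdiutil isencrypted" reports "encrypted: YES".
verify_encrypted() {
    hdiutil isencrypted "$1" 2>/dev/null | grep -q 'encrypted: YES'
}

if [ "${1:-}" = "encrypt" ] && [ -n "${2:-}" ]; then
    encrypt_image "$2"
    if [ "$DRY_RUN" != "1" ]; then
        verify_encrypted "$2" \
            && echo "OK: $2 is encrypted; delete $(old_name "$2") once a backup has succeeded"
    fi
fi
```

Two caveats for anyone following this: the old_* image is a complete, unencrypted copy of your backup history and stays readable on the share until you delete it, and deleting a file on a NAS does not scrub the blocks it occupied, so the plaintext history can persist on that disk. And `hdiutil convert` needs free space on the share for a second copy of the image while it runs.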
     
  9. Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #9
    I dunno, something just doesn't seem right about this. I have a backup so that I can restore my drive/data. By encrypting it, and if I then have a problem with the decryption (for what ever reason), I'm sunk. I have no backup. Seems to me, a safer approach is to store your sensitive data on an encrypted dmg. Leave everything else ok, and the TM will back up both the encrypted dmg and your data.

    Maybe I'm being overly cautious, but when it rains it pours, I can easily see having something bad happen, that I need to restore my drive and then something else bad happening because I encrypted my backup...
     
  10. macrumors 6502a

    Joined:
    Oct 26, 2007
    Location:
    USA
    #10
    It is a hack (and is undocumented/unsupported), and EDevil's rather good question has gone unanswered for months (I'll expand on the question and ask if the OS X Install DVD recognizes the TM disk).

    It may be ok under some very limited circumstances as a redundant backup, but not something that I'd recommend relying on in a primary-use machine.
     
  11. macrumors newbie

    Joined:
    May 4, 2010
    #11
    I am successfully using the encrypted backup sparseimage I created under Mac OS X 10.5 Leopard after upgrading to Mac OS X 10.6 Snow Leopard. I had to re-copy the keychain item to the System keychain (Steps 7-8). For some reason it was lost during the upgrade and I would receive the error "Time Machine could not complete the backup. The backup disk image <name> could not be accessed (error -1)."


    I think that's a bit off. My encrypted data is more important than my unencrypted (that's part of the reason it's secured) so I wouldn't use any backup solution that can't tolerate a single point failure.

    Personally I keep two identically-named Time Machine disks: one at work (encrypted) and one at home (vanilla).
     
  12. macrumors member

    Joined:
    May 11, 2010
    #12
    Migration Assistant seems to work after the sparsebundle is mounted manually.

    But I couldn't make it show up booting from the install dvd even if the image is manually mounted via terminal.

    My google-fu is failing me on this: multiple descriptions of how to set it up, but nobody did a restore? Maybe someone more powerful than me …
     
  13. macrumors newbie

    Joined:
    Dec 22, 2006
    Location:
    Birmingham, Al
    #13
    Any Other Progress?

    Anyone had any other progress on restoring data or accessing from OSX DVD?
     
  14. macrumors newbie

    Joined:
    Oct 8, 2010
    #14
    Restoring encrypted backup from OSX DVD

    Yes, I've successfully recovered a system from an encrypted sparsebundle.

    The problem was kinda interesting and nerve-racking at the time, but only because OS X doesn't walk you through it.

    What you need to do is proceed through the recovery prompts until it asks you to select a location of the Time Machine backup. At this point, select the NAS so that the graphical install interface mounts the NAS sharepoint (let's say this is /Volumes/timemachine). But it won't see your Time Machine backup, because it's encrypted inside mymac_MACaddress.sparsebundle. But since the volume on the network is mounted, we can do this through the terminal.

    Open Terminal from the Utilities menu, and then do:
    hdiutil attach /Volumes/timemachine/mymac_MACaddress.sparsebundle

    This will prompt you for the password; enter it, and then return to the graphical installer. The recovery option should now show that Time Machine Backup or whatever the name of your backup container within the encrypted sparsebundle is a restore option. Sometimes, I've seen this as a blank line listed alongside other disks. Other times, I've had to Go Back in the recovery process and then proceed again through it until it asks to pick the source. But it should show up, and then restore as normal.

    My work requires me to have disk encryption on my laptop, but I hate that FileVault is so heavy when it's backed up. I switched to full disk encryption and use an encrypted sparsebundle to receive my TM backups hourly now. It's fantastic, and the space savings, convenience, and the live-backup-without-logout over FileVault are a real winner.
     
  15. macrumors 6502

    Joined:
    Oct 7, 2007
    #15
    apk5WEyJOQ,
    Good evening! Quick question, this essentially is for having an unencrypted home directory on your computer, but backing it up to an encrypted sparse bundle on your Time Capsule, correct?

    Or in the case of your example, you use third-party software (what do you use?) to encrypt your entire hard disk drive which protects data on your MacBook if it is stolen, and you use your solution above to protect data on your Time Capsule by keeping it on an encrypted disk image. Since FileVault is off, data is sent back and forth "in the clear" to the Time Capsule while you are logged in, and therefore it happens hourly (and you can restore individual files), without requiring you to log out to back up. Am I reading all this correctly?

    thanks!
    Mark
     
  16. macrumors newbie

    Joined:
    Nov 21, 2010
    #16
    This is a great tip, thanks. I tried to implement it for a local encrypted sparsebundle and, although it worked, it seems Time Machine in Mac OS X 10.6.5 won't actually back up without a manual invocation. That is, while manually invoking a backup after following these instructions works, the automatic/scheduled backups fail.

    The issue is described in detail in this thread:

    http://discussions.apple.com/thread.jspa?messageID=12623426

    Any advice? Thanks in advance.
     
  17. macrumors newbie

    Joined:
    Sep 17, 2009
    #17
    I'm running into this too since upgrading to 10.6.5.
     
  18. macrumors newbie

    Joined:
    Apr 6, 2011
    #18
    Solutions for 10.6.7

    Thank you Mr Zorg for your help! I've got my FileVault account backing up through Time Machine in OS X 10.6.7, onto an encrypted backup, with the help of you and others. To get the encrypted backup working in 10.6.7, note guysab's comment above. Also, it won't run the automated backups, unfortunately. So I've written an AppleScript which mounts the backup image, and manually starts a backup. I've set this script to run every hour. Note that this also allows you to keep the password for the encrypted backup in the login keychain, not the System keychain, which I believe avoids the problem where someone who steals your computer AND your backup can access all your files on your backup.

    Also, to get FileVault to backup while logged in on 10.6.7, I had to follow m4x's hint on hints.macworld.com.

    I'm hoping to post my complete instructions and script in a hint called “10.6.7: Set up encrypted Backup in Time Machine for FileVault” on hints.macworld.com.
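For the scheduled-backup failure reported in post #16 and the hourly mount-then-back-up approach of post #18, here is an added shell version of that idea with a launchd agent. It is written for this page; it is not the AppleScript post #18 describes and not an Apple tool. Assumptions not taken from the thread: the image passphrase was stored once in the login keychain with `security add-generic-password -a "$USER" -s tm-backup-image -w` (service name `tm-backup-image` is a placeholder), `tmutil startbackup` is available (Lion and later; on 10.6 you would substitute whatever the AppleScript used to trigger a backup), and the bundle path is a placeholder. The security point is the same as in post #18: the passphrase never goes into the System keychain, so it is only reachable while that user is logged in with an unlocked keychain, and it is fed to hdiutil over stdin rather than on the command line where `ps` would show it.

```shell
#!/bin/sh
# tm_hourly.sh: mount an encrypted Time Machine sparse bundle using a
# passphrase held in the *login* keychain, then start a backup.  Meant to be
# run by a per-user launchd agent every hour.  Example for this thread, not
# the AppleScript from post #18 and not an Apple tool.
# Usage: sh tm_hourly.sh install   (writes and loads the launchd agent)
#        sh tm_hourly.sh backup    (what the agent runs each hour)
set -eu

TM_IMAGE="${TM_IMAGE:-/Volumes/Backups/mymac.sparsebundle}"   # placeholder
TM_KEYCHAIN_SERVICE="${TM_KEYCHAIN_SERVICE:-tm-backup-image}" # placeholder
TM_ACCOUNT="${TM_ACCOUNT:-${USER:-$(id -un)}}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Mount the bundle.  The passphrase comes from the login keychain (readable
# only while this user is logged in and the keychain is unlocked) and is
# piped to hdiutil -stdinpass, so it never appears in argv or on disk.
mount_image() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "security find-generic-password -a $TM_ACCOUNT -s $TM_KEYCHAIN_SERVICE -w | hdiutil attach -stdinpass -noautoopen $TM_IMAGE"
        return 0
    fi
    security find-generic-password -a "$TM_ACCOUNT" -s "$TM_KEYCHAIN_SERVICE" -w \
        | hdiutil attach -stdinpass -noautoopen "$TM_IMAGE" >/dev/null
}

# Mount, then ask Time Machine for a backup now (the manual invocation the
# thread found works even when the scheduled one does not).
backup_once() {
    mount_image
    run tmutil startbackup
}

# launchd agent that runs "backup" every hour while the user is logged in.
agent_plist() {
    script="$1"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>local.tm-hourly</string>
    <key>ProgramArguments</key>
    <array><string>/bin/sh</string><string>$script</string><string>backup</string></array>
    <key>StartInterval</key><integer>3600</integer>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
}

install_agent() {
    plist="$HOME/Library/LaunchAgents/local.tm-hourly.plist"
    if [ "$DRY_RUN" = "1" ]; then
        echo "write $plist"; echo "launchctl load $plist"; return 0
    fi
    mkdir -p "$(dirname "$plist")"
    agent_plist "$(cd "$(dirname "$0")" && pwd)/$(basename "$0")" > "$plist"
    launchctl load "$plist"
}

case "${1:-}" in
    backup)  backup_once ;;
    install) install_agent ;;
esac
```

Because the agent is a LaunchAgent rather than a LaunchDaemon, nothing runs while the user is logged out; that is the trade-off post #19 asks about, and it is deliberate here: a backup that can run unattended needs the passphrase in the System keychain, which is exactly what post #18 wants to avoid.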
     
  19. macrumors newbie

    Joined:
    Sep 19, 2008
    #19
    Encrypted backup when logged out ?

    My encrypted backup to a sparsebundle is working just fine in Snow Leopard when I am logged in. However, the backup does not happen when I am logged out (and no other user is logged in). Do you have the same issue ?
     
  20. macrumors newbie

    Joined:
    Aug 12, 2010
    Location:
    New Zealand
    #20
    Try this: Open Keychain Access and move the key for the sparseimage from your Login keychain to the System keychain. You will need an administrator password to do this.

    I am not sure how secure this is if your boot drive is not encrypted. I am not knowledgeable enough to know if the key could be extracted by an expert.

    I use Symantec PGP10.2.0 whole disk encryption, boot from that disk that has Mac 10.6.8, my physically local Backups are on an unencrypted DroboPro but the backups on it are encrypted as above so once powered down, no one can get access to the computer disk or the backups if stolen. Physically distant bootable backups are on an external drive also with whole disk encryption. I decrypt then SuperDuper the volume then reboot from the SuperDuper backup created and re-encrypt that from within the backup volume, check it works! Then restart from the local drive and re-encrypt that again. These encrypted but bootable disaster backups must be offsite at some other physically remote location or it just is a waste of time if you have a fire etc.

    Don't rely on one system of backup, encrypted or not, or one Disk, or one piece of software. Use multiple sets, encrypt or not, {PGP or Retrospect (I also have Retrospect 8.2.0)} Time Machine (rotate Time Machine drives! on and offsite) and other Backups, copies. Also if your Computer is lost will you have a machine that will boot up YOUR backups and "bootable drives"?

    Sorry I've wandered off topic a bit!
     
  21. macrumors newbie

    Joined:
    Mar 6, 2008
    #21
    hdiutil incantation for NFS and encryption?

    I want to experiment with (unsupported) NFS Time Machine backups, using an encrypted sparsebundle. I'm guessing that the initial creation of the bundle just needs the encryption flag added to it (does it ask for a password?).

    hdiutil create -size 128g -type SPARSEBUNDLE -nospotlight -volname "Time Machine Backup" -fs "Case-sensitive Journaled HFS+" -verbose ./mybackup.sparsebundle

    (I found elsewhere)

    How to determine the best initial size for your sparsebundle? I would presume at least as much as the drive is occupying.


    Thanks.
     
  22. macrumors newbie

    Joined:
    Apr 6, 2011
    #22
    You probably want much more than that. The "size" of the sparsebundle is the maximum storage space in the disk image. A half-full sparsebundle will take up only half that space on the actual disk. For Time Machine to keep sequential backups, you need the sparsebundle to be much larger than the space taken by the data you want to back up. You might make it the size of your whole disk, for example.
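Creating the bundle encrypted from the start, as post #21 asks, and sizing it to the whole boot disk, as post #22 recommends, as an added example for this page (not the posters' own commands). `hdiutil create` does accept `-encryption AES-256`, and without `-stdinpass` it prompts for the passphrase on the terminal; the `-nospotlight`, `-fs` and `-volname` arguments are the ones from post #21's command. Taking the size from `df -k /` is my choice here, and the share path is a placeholder.

```shell
#!/bin/sh
# tm_create.sh: create a new, AES-256 encrypted Time Machine sparse bundle
# whose maximum size equals the whole boot disk.  Example for this thread.
# Usage: sh tm_create.sh /Volumes/nfs/mybackup.sparsebundle
set -eu
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Size of the filesystem holding / in whole gigabytes, rounded up: the
# bundle is sparse, so declaring the full disk costs nothing up front but
# leaves Time Machine room to keep history (post #22).
boot_disk_gb() {
    df -k / | awk 'NR==2 { print int(($2 + 1048575) / 1048576) }'
}

# hdiutil prompts for the passphrase (twice) when -encryption is given and
# -stdinpass is not, so nothing secret is on the command line.
create_image() {
    size_gb="$1"; bundle="$2"
    run hdiutil create -size "${size_gb}g" -type SPARSEBUNDLE \
        -encryption AES-256 -nospotlight \
        -fs "Case-sensitive Journaled HFS+" \
        -volname "Time Machine Backup" "$bundle"
}

if [ -n "${1:-}" ]; then
    create_image "$(boot_disk_gb)" "$1"
fi
```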
     
  23. macrumors newbie

    Joined:
    Mar 6, 2008
    #23
    Thanks for the clarification. I initially created one 1.5 times the data I am using. I will change it.

    However, I ran into a problem after following the directions at:

    Micromux

    The system complained that the volume cannot be used with Time Machine. I am using the latest OSX Lion.

    Failing that, my next option is to perhaps try the latest "netatalk" and use AFS. Has anyone experience with this? I understand the pros-and-cons of fragmented traffic there, but our network isn't that noisy and it's all local to the building.


    Thanks.
     
  24. macrumors newbie

    Joined:
    Apr 6, 2011
    #24
    Micromux

    I haven't used NFS or NAS, sorry. Maybe the Micromux technique doesn't work with Lion. Have they changed the way Time Machine identifies usable volumes? I don't have access to a Lion install.
     
