HOWTO: Creating an encrypted Time Machine backup

Discussion in 'macOS' started by Mr. Zorg, Feb 14, 2008.

  1. Mr. Zorg macrumors regular

    Sep 5, 2007
    I've noticed that under 10.5.2 Time Machine now backs up my mounted FileVault volume while I'm logged in, but alas it is unencrypted this way. At least before it was only copying the encrypted sparsebundle as a whole. This underscored the need to create an encrypted backup system since I have sensitive work data that is just unacceptable to leave in the clear. I figured out how to get Time Machine to make an encrypted backup, here's how:

    1. Set up Time Machine to back up to an AFP volume; I haven't figured out how to make it work on a local drive.
    2. Let Time Machine start backing up, and then stop the backup. This should create a <machine_name>_<random_number>.sparseimage volume on the AFP drive.
    3. Turn off Time Machine.
    4. Rename the <machine_name>_<random_number>.sparseimage to old_<machine_name>_<random_number>.sparseimage.
    5. Open Terminal, cd to your AFP volume and encrypt the image with this command: hdiutil convert -format UDSB -o <machine_name>_<random_number>.sparseimage -encryption AES-256 old_<machine_name>_<random_number>.sparseimage
    6. When that's done, double click on the newly encrypted image, enter your password and check the remember my password box. After it mounts, eject the volume (this may take a little while).
    7. Open up Keychain Access, and locate the <machine_name>_<random_number>.sparseimage entry in your login keychain. Right click it and choose copy.
    8. Unlock the system keychain (requires an administrator login), right click in the right hand side and choose paste. (It will not work if the password isn't in the system keychain.) Don't forget to relock the system keychain.
    9. Turn Time Machine back on, and tell it to backup now.
    10. At this point it should start backing up successfully. Once it does, you can delete the old_<machine_name>_<random_number>.sparseimage file.

    This worked for me, I hope it works for you too!
  2. tuxtpenguin macrumors regular

    May 19, 2007
  3. Eidorian macrumors Penryn


    Mar 23, 2005
    I'd love to try this but what's the performance loss due to FileVault? I don't have an AFP mount either. :D
  4. dvd macrumors regular


    Oct 12, 2007
    very cool, I've been thinking about trying this so good to hear it works!

    By the way, that <random_number> is the MAC address of your computer and should therefore be basically globally unique.
  5. dvd macrumors regular


    Oct 12, 2007
    You can probably do this via an SMB mount as well. Performance may slow down the big initial backup, but the incremental/hourly backups shouldn't be large enough for the performance hit to be noticeable.
  6. MilesM macrumors newbie

    Mar 6, 2006
    Just used this tip to encrypt a Time Machine backup on a shared Time Capsule and it seems to be working fine. The filenames are slightly different with Time Capsule (.sparsebundle instead of .sparseimage and user name added to beginning of filename) but it didn't seem to make any difference.


  7. EDevil macrumors newbie

    Jul 31, 2007
    Full restore

    Has anyone tried a full restore with an encrypted sparseimage?

    Does it prompt for your username/password? Or do we have to do additional steps?
  8. guysab macrumors newbie

    Oct 10, 2009
    Making it work on Snow Leopard

    There are a few changes when creating an encrypted Time Machine backup under Snow Leopard:

    1. The name of the sparse bundle no longer contains a <random_number> (which was in fact the Ethernet adapter address). It is now simply named <machine>.sparsebundle.
    2. The unique machine identifier is now hidden in the sparsebundle. After you create the encrypted image, open the contents of both sparsebundles (in the Finder, right-click on the sparsebundles, "Show Package Contents") and move the file "" from the old sparsebundle to the new one.
    3. That's it. Start the Time Machine Backup and it should work.
    P.S. If you created your encrypted Time Machine backup under Leopard, it will still work unchanged when you upgrade to Snow Leopard. These changes apply only if you create a new Time Machine backup under Snow Leopard. Hope this helps!
  9. maflynn Moderator


    Staff Member

    May 3, 2009
    I dunno, something just doesn't seem right about this. I have a backup so that I can restore my drive/data. By encrypting it, and if I then have a problem with the decryption (for what ever reason), I'm sunk. I have no backup. Seems to me, a safer approach is to store your sensitive data on an encrypted dmg. Leave everything else ok, and the TM will back up both the encrypted dmg and your data.

    Maybe I'm being overly cautious, but when it rains it pours, I can easily see having something bad happen, that I need to restore my drive and then something else bad happening because I encrypted my backup...
  10. BobZune macrumors 6502a

    Oct 26, 2007
    It is a hack (and is undocumented/unsupported), and EDevil's rather good question has gone unanswered for months (I'll expand on the question and ask if the OS X Install DVD recognizes the TM disk).

    It may be ok under some very limited circumstances as a redundant backup, but not something that I'd recommend relying on in a primary-use machine.
  11. abackstrom macrumors newbie

    May 4, 2010
    I am successfully using the encrypted backup sparseimage I created under Mac OS X 10.5 Leopard after upgrading to Mac OS X 10.6 Snow Leopard. I had to re-copy the keychain item to the System keychain (Steps 7-8). For some reason it was lost during the upgrade and I would receive the error "Time Machine could not complete the backup. The backup disk image <name> could not be accessed (error -1)."


    I think that's a bit off. My encrypted data is more important than my unencrypted (that's part of the reason it's secured) so I wouldn't use any backup solution that can't tolerate a single point failure.

    Personally I keep two identically-named Time Machine disks: one at work (encrypted) and one at home (vanilla).
  12. Schlaefer macrumors member

    May 11, 2010
    Migration Assistant seems to work after the sparsebundle is mounted manually.

    But I couldn't make it show up booting from the install dvd even if the image is manually mounted via terminal.

    My google-fu is failing me on this: multiple descriptions of how to set it up, but nobody did a restore? Maybe someone more powerful than me …
  13. nvrau macrumors newbie

    Dec 22, 2006
    Birmingham, Al
    Any Other Progress?

    Anyone had any other progress on restoring data or accessing from OSX DVD?
  14. apk5WEyJOQ macrumors newbie

    Oct 8, 2010
    Restoring encrypted backup from OSX DVD

    Yes, I've successfully recovered a system from an encrypted sparsebundle.

    The problem was kinda interesting and nerve-racking at the time, but only because OS X doesn't walk you through it.

    What you need to do is proceed through the recovery prompts until it asks you to select a location of the Time Machine backup. At this point, select the NAS so that the graphical install interface mounts the NAS sharepoint (let's say this is /Volumes/timemachine). But it won't see your Time Machine backup, because it's encrypted inside mymac_MACaddress.sparsebundle. But since the volume on the network is mounted, we can do this through the terminal.

    Open Terminal from the Utilities menu, and then do:
    hdiutil attach /Volumes/timemachine/mymac_MACaddress.sparsebundle

    This will prompt you for the password; enter it, and then return to the graphical installer. The recovery option should now show that Time Machine Backup or whatever the name of your backup container within the encrypted sparsebundle is a restore option. Sometimes, I've seen this as a blank line listed alongside other disks. Other times, I've had to Go Back in the recovery process and then proceed again through it until it asks to pick the source. But it should show up, and then restore as normal.

    My work requires me to have disk encryption on my laptop, but I hate that FileVault is so heavy when it's backed up. I switched to full disk encryption and use an encrypted sparsebundle to receive my TM backups hourly now. It's fantastic, and the space savings, convenience, and the live-backup-without-logout over FileVault are a real winner.
  15. g-boac macrumors 6502

    Oct 7, 2007
    Good evening! Quick question, this essentially is for having an unencrypted home directory on your computer, but backing it up to an encrypted sparse bundle on your Time Capsule, correct?

    Or in the case of your example, you use third-party software (what do you use?) to encrypt your entire hard disk drive which protects data on your MacBook if it is stolen, and you use your solution above to protect data on your Time Capsule by keeping it on an encrypted disk image. Since FileVault is off, data is sent back and forth "in the clear" to the Time Capsule while you are logged in, and therefore it happens hourly (and you can restore individual files), without requiring you to log out to back up. Am I reading all this correctly?

  16. meitar macrumors newbie

    Nov 21, 2010
    This is a great tip, thanks. I tried to implement it for a local encrypted sparsebundle and, although it worked, it seems Time Machine in Mac OS X 10.6.5 won't actually back up without a manual invocation. That is, while manually invoking a backup after following these instructions works, the automatic/scheduled backups fail.

    The issue is described in detail in this thread:

    Any advice? Thanks in advance.
  17. chucksense macrumors newbie

    Sep 17, 2009
    I'm running into this too since upgrading to 10.6.5.
  18. langiter macrumors newbie

    Apr 6, 2011
    Solutions for 10.6.7

    Thank you Mr Zorg for your help! I've got my FileVault account backing up through Time Machine in OS X 10.6.7, onto an encrypted backup, with the help of you and others. To get the encrypted backup working in 10.6.7, note guysab's comment above. Also, it won't run the automated backups, unfortunately. So I've written an AppleScript which mounts the backup image, and manually starts a backup. I've set this script to run every hour. Note that this also allows you to keep the password for the encrypted backup in the login keychain, not the System keychain, which I believe avoids the problem where someone who steals your computer AND your backup can access all your files on your backup.

    Also, to get FileVault to backup while logged in on 10.6.7, I had to follow m4x's hint on

    I'm hoping to post my complete instructions and script in a hint called “10.6.7: Set up encrypted Backup in Time Machine for FileVault” on
  19. odaigle macrumors newbie

    Sep 19, 2008
    Encrypted backup when logged out ?

    My encrypted backup to a sparsebundle is working just fine in Snow Leopard when I am logged in. However, the backup does not happen when I am logged out (and no other user is logged in). Do you have the same issue ?
  20. ShockDoc macrumors newbie

    Aug 12, 2010
    New Zealand
    Try this: Open Keychain Access and move the key for the sparseimage from your Login keychain to the System keychain. You will need an administrator password to do this.

    I am not sure how secure this is if your boot drive is not encrypted. I am not knowledgeable enough to know if the key could be extracted by an expert.

    I use Symantec PGP10.2.0 whole disk encryption, boot from that disk that has Mac 10.6.8, my physically local Backups are on an unencrypted DroboPro but the backups on it are encrypted as above so once powered down, no one can get access to the computer disk or the backups if stolen. Physically distant bootable backups are on an external drive also with whole disk encryption. I decrypt then SuperDuper the volume then reboot from the SuperDuper backup created and reencrypt that from within the backup volume, check it works! Then restart from the local drive and recrypt that again. These encrypted but bootable disaster backups must be offsite at some other physically remote location or it just is a waste of time if you have a fire etc.

    Don't rely on one system of backup, encrypted or not, or one disk, or one piece of software. Use multiple sets, encrypted or not, {PGP or Retrospect (I also have Retrospect 8.2.0)}, Time Machine (rotate Time Machine drives! on and offsite) and other backups, copies. Also if your computer is lost will you have a machine that will boot up YOUR backups and "bootable drives"?

    Sorry I've wandered off topic a bit!
  21. forrie macrumors member


    Mar 6, 2008
    hdiutil incantation for NFS and encryption?

    I want to experiment with (unsupported) NFS Time Machine backups, using an encrypted sparsebundle. I'm guessing that the initial creation of the bundle just needs the encryption flag added to it (does it ask for a password?).

    hdiutil create -size 128g -type SPARSEBUNDLE -nospotlight -volname "Time Machine Backup" -fs "Case-sensitive Journaled HFS+" -verbose ./mybackup.sparsebundle

    (I found elsewhere)

    How to determine the best initial size for your sparsebundle? I would presume at least as much as the drive is occupying.

  22. langiter macrumors newbie

    Apr 6, 2011
    You probably want much more than that. The "size" of the sparsebundle is the maximum storage space in the disk image. A half-full sparsebundle will take up only half that space on the actual disk. For Time Machine to keep sequential backups, you need the sparsebundle to be much larger than the space taken by the data you want to back up. You might make it the size of your whole disk, for example.
  23. forrie macrumors member


    Mar 6, 2008
    Thanks for the clarification. I initially created one 1.5 times the data I am using. I will change it.

    However, I ran into a problem after following the directions at:


    The system complained that the volume cannot be used with Time Machine. I am using the latest OSX Lion.

    Failing that, my next option is to perhaps try the latest "netatalk" and use AFS. Has anyone experience with this? I understand the pros-and-cons of fragmented traffic there, but our network isn't that noisy and it's all local to the building.

  24. langiter macrumors newbie

    Apr 6, 2011

    I haven't used NFS or NAS, sorry. Maybe the Micromux technique doesn't work with Lion. Have they changed the way Time Machine identifies usable volumes? I don't have access to a Lion install.