
10.5: Insure that Time Machine runs on FileVault accounts System 10.5
This is not exactly a hint, but it is a very important thing to know. Luckily I realized it before it was too late. If you are using FileVault and Time Machine, you've probably already heard that Time Machine doesn't back up your FileVaulted home folder while you are logged in. What you may not know is that Time Machine also doesn't back it up while you are logged out! Time Machine only backs up a FileVaulted home folder during the logout process for that user.

Why is this important to know? Some of you may be backing up your computer the way I was. If you are, then you are failing to back up your home folder, like I was. I have been following this incorrect procedure: (1) log out of my FileVault user's account, (2) then attach my Time Machine backup drive, assuming Time Machine would back up the whole computer automatically overnight.

The problem is that the Time Machine drive was not attached while I was logging out of the FileVaulted user account, only afterwards. This means that my FileVaulted user's home folder was not being backed up; only the rest of my filesystem was. The backup of my FileVaulted user's home folder was stuck at a very old version (created the last time the Time Machine drive was attached during logout).

So, the proper procedure is:
  1. Attach the Time Machine backup drive.
  2. After the Time Machine backup drive shows up in Finder, then log out of your FileVault account and make sure the logout window specifically says that it's backing up the FileVault.
You can just leave the drive attached for automatic backups of everything else (everything outside your FileVault home folder), or you can log back in as an administrator, and tell Time Machine to "Back up now" if you want to make an immediate backup of everything else. For people with desktops, you could of course just leave your Time Machine drive attached. I have a laptop which I have to take to multiple locations, so it's not practical for me to keep my backup drive attached continually.

[robg adds: I thought it good to run this hint today as it goes hand-in-hand with this one.]

Authored by: Superboy on Nov 28, '07 08:31:28AM

It's Ensure not Insure, Rob... :P



Authored by: pascalpp on Nov 28, '07 09:48:43AM

Unless perhaps you're offering a policy to protect against any harm that might come from Time Machine not running on FileVault accounts, with good coverage and reasonable premiums, of course ; )



Authored by: noworryz on Nov 28, '07 03:58:08PM

I did several experiments to confirm this hint and found that its main conclusion is wrong, although the problem the hinter described does exist.

The hint states that Time Machine only backs up a FileVault user's home directory while the user is in the process of logging out and at no other time. Actually, Time Machine will back up FileVault directories whenever all of the following are true:

  1. Time Machine is enabled.
  2. The FileVault user is logged out.
  3. The backup USB disk is connected to the Mac and powered on.
  4. The computer is not asleep.
  5. Any other user is logged in (even a non-admin user or one running the screen saver).
  6. The logged-in user has not ejected the USB disk; i.e., the disk is mounted.
  7. The hourly time for a backup occurs or the user selects "Back Up Now."

So, while it is true that plugging in the USB drive at the Login prompt dialog will not allow backups, one can create a dummy non-admin account and log into it after plugging in the USB drive. This may be preferable to logging in and out of the FileVault account because, for the dummy account, you can have an easy/insecure password, turn parental controls up to the max, run the screen saver and lock the screen, and/or just walk away as soon as you enter the dummy username and password without fear of data theft from the FileVault account.

The worst thing to do is to leave the FileVault user logged in while transporting a laptop to its home site for USB disk connection and backup. If the laptop is lost during transport, the FileVault directory is left unencrypted and accessible by an admin user.

The time of the last backup of a FileVault directory is surprisingly hard to determine. Open your USB drive and /Backups.backupdb / machine_name. The modification time of the "Latest" alias is the last backup time, which may or may not include the FileVault directory. Open Latest / disk_name / Users / user_name directory. If you see a file with the ".sparseimage" extension, its modification time is the time of the last backed-up change to the user's home directory. If you see a file with the ".sparsebundle" extension, right-click or control-click to select "Show Package Contents," then open the Bands directory. The modification time of the newest file is the time of the last backed-up change to the user's home directory (select list view and sort by Date Modified). Note that the time of the last backed-up change to the user's home directory must always be before the last backup, usually just before the user logged out.

[ Reply to This | # ]
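
The manual check described in the comment above, written as a script. This is an added example, not part of the original comment: the function names and the sample tree are constructed, and the band folder is assumed to be named `bands` on disk.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: the manual "when was the FileVault
# home last backed up?" check as a script. Names and sample data are constructed.

# mtime in epoch seconds; GNU stat first, BSD/macOS stat as fallback.
mtime() { stat -c %Y "$1" 2>/dev/null || stat -f %m "$1" 2>/dev/null; }

# Newest backed-up change to a FileVault home, given the user's folder
# inside a snapshot (.../Latest/<disk>/Users/<user>). Fails if no image.
filevault_last_change() {
  local img band t newest=0
  for img in "$1"/*.sparseimage "$1"/*.sparsebundle; do
    [ -e "$img" ] || continue
    if [ -d "$img/bands" ]; then          # sparsebundle: newest band file
      band=$(ls -t "$img/bands" | head -n 1)
      [ -n "$band" ] || continue
      t=$(mtime "$img/bands/$band") || continue
    else                                   # sparseimage: the file itself
      t=$(mtime "$img") || continue
    fi
    if [ "$t" -gt "$newest" ]; then newest=$t; fi
  done
  if [ "$newest" -gt 0 ]; then echo "$newest"; else return 1; fi
}

# Seconds between the last snapshot ("Latest") and the newest FileVault
# change inside it; a large value means the home folder backup is stale.
filevault_backup_lag() {                  # args: machine dir, disk, user
  local last_backup last_home
  last_backup=$(mtime "$1/Latest") || return 1
  last_home=$(filevault_last_change "$1/Latest/$2/Users/$3") || return 1
  echo $(( last_backup - last_home ))
}

# Constructed sample: snapshot from 2007-12-03 10:00, newest band of the
# FileVault image from 2007-11-28 08:30 (drive absent at later logouts).
build_sample() {
  local m="$1/Backups.backupdb/MyMac"
  local img="$m/2007-12-03-100000/Macintosh HD/Users/alice/alice.sparsebundle"
  mkdir -p "$img/bands"
  TZ=UTC touch -t 200711200800 "$img/bands/0"
  TZ=UTC touch -t 200711280830 "$img/bands/1a"
  ln -s 2007-12-03-100000 "$m/Latest"
  TZ=UTC touch -h -t 200712031000 "$m/Latest"
}

demo=$(mktemp -d) && build_sample "$demo" &&
  echo "lag: $(filevault_backup_lag "$demo/Backups.backupdb/MyMac" "Macintosh HD" alice) s"
rm -rf "$demo"
```

On a real backup drive, pass the machine folder under `Backups.backupdb`, the disk name and the user name; a lag of days rather than minutes means the FileVault image has not been refreshed by recent backups.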

Authored by: mofo@twobitblues on Nov 29, '07 11:56:55AM

What if I have a FireWire drive??



Authored by: noworryz on Nov 29, '07 03:50:55PM

FireWire is the same as USB, as far as Time Machine is concerned.



Authored by: noworryz on Dec 03, '07 09:58:39AM

Several forum members have asked about "Safe Sleep" and what it means for FileVault. Safe sleep stores the entire contents of memory in the file /var/vm/sleepimage when the computer is put to sleep. With previous versions of the operating system, some people reported that cleartext FileVault passwords could be found in the file. More recently, the file appears to be encrypted but with the encryption key stored in the header of the file. Some file attributes have also been changed to make reading more difficult.

One difficulty is that the code for this is Apple proprietary so doing a security audit is very difficult. In any case, sleeping when logged into a FileVaulted account appears to be very insecure. Users may want to disable safe sleep using this hint. If not, logging out of the secure account and logging into a dummy account may help, especially if an application is then run that allocates large amounts of memory before putting the computer to sleep.

Authored by: Alrescha on Nov 29, '07 01:04:39PM

noworryz:

"The worst thing to do is to leave the FileVault user logged in while transporting a laptop to its home site for USB disk connection and backup. If the laptop is lost during transport, the FileVault directory is left unencrypted and accessible by an admin user."

You keep saying this, but for most laptop users another 'admin user' is a non-existent problem. I think that for most people, there is little appreciable security difference between a locked screen and being logged out (and a big difference in convenience).

A.



Authored by: noworryz on Nov 29, '07 03:38:33PM

By that argument, there is no reason to use FileVault at all because all admin users can be trusted.

The fact is, if you are logged in, your home directory is in a mounted, unencrypted state. Just imagine if a laptop containing medical or financial data for thousands of people was stolen and the user was left logged in. What would be announced to the media: "no need to worry, the drive was fully encrypted, but actually, due to laziness, it was left in an unencrypted state, but probably nobody can unlock the screen or log in, although quite a few people know the admin password, come to think of it, and maybe the firewall wasn't enabled, we're not sure?!"

There is a saying in the security biz that convenience trumps security. Your comment embodies that principle.



Authored by: Alrescha on Nov 30, '07 09:51:36AM

I'm sorry to prolong this, but you want people to believe that a powered-on laptop with a locked screen is vulnerable, but you offer no evidence to support that claim. Just because one can conceive of a possibility does not make it a realistic threat. Regardless, it is only potentially vulnerable as long as the laptop is powered on.

Furthermore, you suggest that it's the only threat - if we don't log off we might as well not use FileVault at all. That's not helping anyone.

I think a far more likely event is that someone after your data pulls the hard drive and attempts to copy files from it. FileVault will keep this from happening, regardless of whether the user logged out or not.

Security and Convenience are the opposite ends of a continuum. Real life is somewhere along that continuum. Misinformation and baseless fears do not help people make reasonable decisions.

A.



Authored by: noworryz on Nov 30, '07 11:22:53AM

While a "typical user" might be satisfied with using a screen lock for security, that is because they don't have any data of real value and there isn't much downside to having it disclosed. The users that really need FileVault have medical or financial data or trade secrets that would cause a huge problem if there was even a possibility it was disclosed after a computer theft. Several people have left comments on MacOSXhints and other forums who are clearly concerned about such a possibility.

The difference between a FileVault user leaving themselves logged in with a screen saver and logging out is that, in the former case, the user's home directory is left mounted and unencrypted. For a hacker, that reduces the problem from a mathematically intractable one (cracking 128-bit AES encryption) to a practical one (obtaining admin or root access to the computer or physically connecting to and reading the RAM). These are not the same thing at all, given sufficient motivation. For example, if the data was known to be worth at least a few million dollars (e.g., if it had tens of thousands of bank card numbers and PINs), a good lab could get it off the machine within 48 hours.

For a more authoritative source, read the National Security Agency's security configuration guide, located at http://www.nsa.gov/snac/. On page 153, in the "Best Practices" section, they say "Log out of secure accounts when you aren't using them, or when you leave your computer." They don't say to just use a screen saver.

Your comment that the computer "is only potentially vulnerable as long as the laptop is powered on" is bizarre. How would a user remain logged on when the computer is powered off? The vulnerability only exists when the FileVault user is logged on, as discussed ad nauseam. Powering off a machine is even more inconvenient than logging off.

In any case, the argument that users need not log off ignores a key point of the above hint: their home folder won't be backed up unless they log off. Presumably, users with valuable data will want it backed up. So telling them not to log off for convenience is bad advice.

Authored by: Alrescha on Nov 30, '07 11:48:35AM

There is always the possibility that information may be disclosed. FileVault or not. All someone has to do is guess the login password.

That a good lab could gain admin access or break through the screen saver "within 48 hours" is speculation on your part. Moreover, in order to access the FileVault-protected files they have to do so without restarting the laptop.

You are right in saying that best practices for NSA-level security is to log out. But that's not the thread and not where we started. You made the claim that if users do not log out they might as well not use FileVault at all. This is fear-mongering and helps no-one.

A.

(my last post in this thread, apologies to all for letting it go this long)



Authored by: noworryz on Nov 30, '07 04:20:56PM

The guidelines NSA publishes are for government and industry and they cover confidential but not Top Secret information, which is stored under much stricter rules. In other words, the guidelines are not for "NSA-level" security but rather recommendations for the configuration and use of computers containing sensitive data.

Users concerned about the cost and embarrassment of data theft should consider the NSA guidelines. To provide protection against a sophisticated and well-funded hacker (but not one with unlimited government resources) users can:

  1. Choose a strong password for their secure accounts with the aid of Apple's password assistant.
  2. Enable FileVault for secure accounts.
  3. Disable automatic login (in Security preferences).
  4. Enable secure virtual memory (in Security preferences).
  5. Enable the firewall (in Security preferences).
  6. Log out of secure accounts when not using them (and not assume that sleeping with the screen locked or switching accounts with Fast User Switch are equivalent to logging out).
  7. Avoid executing untrusted, especially downloaded, applications.

If all of the above guidelines are followed, secure accounts on a stolen computer are probably safe, in that no exploits are generally known.

Time Machine will not back up a secure account when the user is logged in or when no user at all is logged in, but will back it up when the user is in the process of logging out. If connecting a USB or FireWire disk is not practical when logging out of a secure account, creating a "backup" non-FileVault, non-admin account with limited privileges is a convenient way to allow backups later, with minimal risk to security. Logging in to such an account, with a USB or FireWire disk connected, will allow Time Machine to back up all secure and insecure accounts.

Authored by: noworryz on Dec 03, '07 10:00:52AM

... and disable safe sleep, as mentioned above.



Authored by: the_mace on Dec 12, '07 07:49:38PM

The convergence of Time Machine, FileVault and Spotlight is a mess.

You're best off to create encrypted disk images for the stuff you want to keep safe (and only mount them when you need them) and leave the rest unencrypted.

This keeps the incremental backups small and you don't end up encrypting your music library and other silly things.

Plea to Apple: Make FileVault more granular without forcing us to have piles of disk images around. Allow images to be searchable if they're mounted etc and back them up when unmounted.



