This is a fairly specific hint, but it might help someone trying to achieve the same thing. The goal: to back up a FileVault-protected home directory to a UNIX server, keeping the backup encrypted, and without logging off. Time Machine isn't an option, as it doesn't play well with FileVault. A previous hint I submitted does half the job, but the backups are stored unencrypted, so anyone with access to the server can read them.
The solution is to use EncFS on the server. Files are then stored encrypted at rest (the EncFS password lives in a file on the client, inside the FileVault-protected home directory, so it is only readable while you are logged in). Only SSH access to the server is required, no special encrypted volume or block device is used (the encrypted backup is an ordinary directory tree, so it can easily be backed up itself), and root access is only needed to install EncFS and add the user to the group that is allowed to use FUSE (typically "fuse"). One caveat: while the volume is mounted, the decrypted view is visible through the mount point to the account that mounted it, so the backup should unmount it again as soon as the copy finishes. Here's what you need to do:
On the server, run encfs with two arguments: the directory that will hold the ciphertext (a leading dot keeps it out of the way) and the mount point where the decrypted view appears. Both are created on first use, and you are asked to choose a configuration and a password. For example, to back up a user called "mike" on the host "macbook", do:
bash$ encfs /mnt/backup/.mike@macbook /mnt/backup/mike@macbook
The directory "/mnt/backup/.mike@macbook" does not exist. Should it be created? (y,n) y
The directory "/mnt/backup/mike@macbook" does not exist. Should it be created? (y,n) y
Creating new encrypted volume.
Please choose from one of the following options:
enter "x" for expert configuration mode,
enter "p" for pre-configured paranoia mode,
anything else, or an empty line will select standard mode.
?>
Standard configuration selected.
Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 2:1:1
Filename encoding: "nameio/block", version 3:0:1
Key Size: 192 bits
Block Size: 1024 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.
New Encfs Password: *****
Verify Encfs Password: *****
Now on the client, create a folder (we use $HOME/bin/backup), cd into it, and run the following command: echo secret > password; chmod 600 password, where secret is the password you used on the server. Then save the following file as backup, and chmod 755 backup (remember to change the host and path):
What this script does is:
0 13 * * 1-5 $HOME/bin/backup/backup
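The backup script itself is not reproduced on this page. What follows is an added example of a script that does what the hint describes; it is not the hint's original and it makes some assumptions: a server called backup.example.org (a hypothetical name), the directory layout from the transcript above, the password file at $HOME/bin/backup/password, and encfs, rsync and fusermount installed on the server. It derives the /mnt/backup/.user@host and /mnt/backup/user@host names from the client's own user and host name, so it covers the mike@macbook case and any other. The exclude list and rsync flags are choices for illustration, not anything the hint specifies.

```shell
#!/bin/sh
# backup: mirror a FileVault home into an EncFS volume on a UNIX server over SSH.
# Added example, not the hint's original script. SERVER and the exclude list are
# assumptions; change them for your setup. The EncFS volume must already have
# been created interactively on the server, as shown in the transcript.
set -eu

SERVER="backup.example.org"                      # hypothetical host (user@host also works)
USER_HOST="$(id -un)@$(uname -n | cut -d. -f1)"  # e.g. mike@macbook, as in the hint
REMOTE_ENC="/mnt/backup/.${USER_HOST}"           # ciphertext store, never read directly
REMOTE_MNT="/mnt/backup/${USER_HOST}"            # decrypted view, exists only while mounted
PASSFILE="$HOME/bin/backup/password"             # inside the FileVault-protected home

# Refuse to run unless the password file is a regular, non-empty file with mode 600.
# Returns 0 on success, 1 otherwise (parsing ls -ld works on both macOS and Linux).
check_password_file() {
  f="$1"
  [ -f "$f" ] && [ -s "$f" ] || { echo "backup: $f missing or empty" >&2; return 1; }
  perm=$(ls -ld "$f" | cut -c1-10)
  [ "$perm" = "-rw-------" ] || { echo "backup: $f must be mode 600 (is $perm)" >&2; return 1; }
  return 0
}

# Mount the EncFS volume on the server. The password is fed to encfs on stdin (-S),
# so it never appears on a command line, in ps output or in a shell history on the
# server. Output is redirected so the daemonised encfs cannot hold the ssh session open.
mount_remote() {
  ssh "$SERVER" "encfs -S '$REMOTE_ENC' '$REMOTE_MNT' >/dev/null 2>&1" < "$PASSFILE"
}

# Unmount again so the decrypted view disappears as soon as the copy is done.
unmount_remote() {
  ssh "$SERVER" "fusermount -u '$REMOTE_MNT'"
}

main() {
  check_password_file "$PASSFILE"
  mount_remote
  trap unmount_remote EXIT                       # unmount even if rsync fails
  # Copy the unlocked home directory into the decrypted view; EncFS encrypts the
  # data as it lands on disk. Caches and the trash are not worth backing up.
  rsync -a --delete \
    --exclude 'Library/Caches/' --exclude '.Trash/' \
    "$HOME/" "$SERVER:$REMOTE_MNT/"
}

# Run the backup only when invoked as the installed script ($HOME/bin/backup/backup,
# which is how cron calls it); loading the file under another name only defines
# the functions above.
case "${0##*/}" in backup) main ;; esac
```

Save it as $HOME/bin/backup/backup with mode 755 and the crontab line above runs it unchanged. Because the FileVault home is mounted at $HOME while you are logged in, rsync sees the plaintext files; the only thing the server ever stores is the EncFS ciphertext, and the decrypted view is unmounted the moment rsync returns, even on failure.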
To access the backed-up files on the server, simply log on and run encfs /mnt/backup/.user@hostname /mnt/backup/user@hostname. Enter your password and the files can be read from /mnt/backup/user@hostname like any other directory. When you are done, unmount it again with fusermount -u /mnt/backup/user@hostname so the decrypted view does not stay around.
Mac OS X Hints
http://hints.macworld.com/article.php?story=2008052909003014