Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

10.6: Let Time Machine backup File Vault while logged in System 10.6
Snow Leopard only hintIt bugs me that Time Machine won't backup my encrypted home folder, provided by File Vault, while I'm logged in. I rarely log out of my account, and that makes Time Machine pretty useless in my opinion. I wanted some way to create a backup while logged in.

I'm more concerned about my laptop being stolen than my backup drive, since it's sitting in my closet, attached to my AirPort Base Station. So the fact that the backup won't be encrypted with this hint is no big deal for me. As a side effect, it makes single file restoring much easier. (One caveat being that Time Machine complains that it can't find the original location of the file, since it treats the home folder as a disk and not a path on the startup disk. You need to manually select that.)

To sum it up: I need my home folder to be encrypted. I don't need my Time Machine disk to be encrypted (but I'm sure someone can come up with a way to accomplish that, too.) Read on for the how-to...

First, make sure your Time Machine setup is functioning properly. This hint assumes you have XCode installed, as it uses Property List Editor; you'll need to change the process a bit if you use a different property list editor.

You will need to manually edit the preference file for Time Machine, adding the ID string of your File Vault disk to the list of disks to backup. You can't do this from within System Preferences or otherwise. One way of finding the ID string of the disk is to open com.apple.finder.plist, located in your user's /Library/Preferences folder, and look for the FXRecentFolders item.

One of the entries should contain the name of your home folder (your login name) together with an entry called file-data. If it doesn't, you need to close the plist and visit your home folder in Finder. This will make it a 'recent folder,' and then you can check the file again.

The value of _CFURLAliasData inside file-data is the string we need, including the enclosing < and >. Copy this to the clipboard.

Now, disable Time Machine from within System Preferences, make a back up of com.apple.TimeMachine.plist, located in /Library/Preferences, and then open the original file in Property List Editor. Select IncludedVolumes and click Add Child. Select type Data and paste the string you copied earlier.

(If IncludedVolumes doesn't exist, select Root and click Add Child. Name the new entry IncludedVolumes and make it type Array. Then do the above.)

Check that the path to your home folder isn't listed in any of the items ExcludeByPath, ExcludedVolumes, or SkipPaths. Save and quit the editor.

Select Back Up Now from the Time Machine menu bar extra to start an initial backup. Note: You may already have a backup of your image file (located in the hidden folder /Users/.username), in which case you will have duplicates. You might want to exclude this from your backup.

When browsing your backup, your unencrypted home folder will be on the Computer level, alongside your startup disk. Not where it normally is -- under /Users -- since it is treated like a regular disk.

[robg adds: While this hint was submitted as a 10.6-only hint, I suspect it will also work in 10.5. However, I can't confirm that, so I left it marked as submitted.]
    •    
  • Currently 3.74 / 5
  You rated: 3 / 5 (27 votes cast)
 
[38,989 views]  

10.6: Let Time Machine backup File Vault while logged in | 17 comments | Create New Account
Click here to return to the '10.6: Let Time Machine backup File Vault while logged in ' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
10.6: Let Time Machine backup File Vault while logged in
Authored by: V.K. on Jan 27, '10 08:16:23AM
Regarding robg's remark about 10.5, in 10.5 the same can be accomplished much easier. While logged into a filevaulted account go to TM system preferences->options. Your home folder will be listed on the exclusion list. That's the mounted virtual volume with your home folder, not the encrypted sparse bundle. Just remove it from the exclusion list and you are done. This does not work in 10.6 as in 10.6 mounted disk images of any kind are not backed up by default and are not present on the exclusion list so there is nothing to remove from there. The current hint can be easily adapted to back up mounted disk images if one really wants to. For example, if you don't use filevault but keep some sensitive data in an encrypted disk image made by hand you can make TM back it up this way too.

[ Reply to This | # ]
10.6: Let Time Machine backup File Vault while logged in
Authored by: Sesquipedalian on Jan 27, '10 08:43:29AM

1) This should be easy to adapt to enable me to back up my iDisk with Time Machine. Thanks!

2) It should be easy to to automate this process using AppleScript. I'll take a stab at it and post back with my results later.



[ Reply to This | # ]
10.6: Let Time Machine backup File Vault while logged in
Authored by: Sesquipedalian on Jan 27, '10 10:19:01AM

Scratch that. This method doesn't seem to work with iDisk volumes after all.



[ Reply to This | # ]
10.6: Let Time Machine backup File Vault while logged in
Authored by: NoComment on Jan 28, '10 02:45:59AM

If you want to have your time machine volume secured, use this trick (no matter if you use file vault or not, or if you backup to an external harddrive or a file share):

http://twi.gs/ramblings/time-capsuletime-machine-encrypted-backups/

I've done that with my external harddisk that I use in my office to backup my machine (at home I backup on a server's volume via afp, glad that time machine can backup on many different locations!).

Don't forget that you can limit the max size of the sparsebundle, too!



[ Reply to This | # ]
10.6: Let Time Machine backup File Vault while logged in
Authored by: jberringer on Jan 30, '10 12:27:11PM

There's a downside to this hint, unfortunately. When you log out Time Machine will still try to back up your encrypted FileVault unless you manually cancel it. And if you stay logged in always there's not much point in using FV since, so long as you are logged in, your home directory is accessible.

Also, if you do log out and cancel the backup, TM will still back up the FV disk image if you log in as anybody else or someone else logs into the machine (guest or otherwise).

Cool hint but marginally useful since it'll eat disk at twice the rate.

Edited on Jan 30, '10 12:28:17PM by jberringer



[ Reply to This | # ]
10.6: Let Time Machine backup File Vault while logged in
Authored by: Solarusdude on Feb 15, '10 06:50:37PM

Do you know if there's a way to exclude Time Machine from backing up the user sparsebundle file, but still back up the home folder unencrypted while the user is logged in? I would really like this trick to work without having TM spending a half hour backing up a 20GB sparse file.



[ Reply to This | # ]
10.6: Let Time Machine backup File Vault while logged in
Authored by: humpalumpa on Feb 17, '10 05:32:08AM
Yes. Simply add the sparsebundle to the exluding list.
You have to log out of your FV-user and use another account to do so.

Open with PropertyEditor.app:
/Library/Preferences/com.apple.TimeMachine.plist
(Note: File is in the *global* library folder, not your own)

Add the path to the sparseimage/sparsebundle as a new item to the "ExcludeByPath" Dictionary. (Do not use the "SkipPaths" dict, this has a slightly different purpose)
Generally, the FV Image resides inside the users home folder, named by following this scheme:
.${USER}.sparsebundle
or (depending on OS version and your config)
.${USER}.sparseimage
You don't have permissions to save the file back in place, so save it to your Desktop (preserving the name) first. Close the App and use Terminal to kick the file into the right place:
sudo sh -c "cat ${HOME}/Desktop/com.apple.TimeMachine.plist  >  \
  /Library/Preferences/com.apple.TimeMachine.plist";
Reboot now. Done.

[ Reply to This | # ]
10.6: Let Time Machine backup File Vault while logged in
Authored by: Wolfgang123 on Apr 25, '10 01:17:24PM

Man was I excited when I found this post here. Exactly what I would need too. It does not work though. Here is the reason why:

Wheras the size of the sparseimage .$user.sparseimage may be small (~150GB in my case), opening the file fault may show a bigger size (1TB capacity, 800GB used in my case) than the actual internal HD (500GB in my case). This difference between the actual size of stored data and the logical size (?) confuses TimeMachine: I followed all steps above (original from m4x and follow-up from humpalumpa), but then TimeMachine strikes stating that there is not enough space on the external HD (size 500GB) to backup all data (900GB needed).

* Is there a way to reduce the "logical size" of the sparse image; so to not confuse TimeMachine?
* Is there a way to force TimeMachine to nevertheless start the backup, although it thinks there won't be enough space to finish?

Thanks a lot!



[ Reply to This | # ]
10.6: Let Time Machine backup File Vault while logged in
Authored by: chucky23 on Apr 28, '10 10:15:51AM

@Wolfgang123:

I just found the exact same problem.

-----

I'm wondering what the cause of it is. The first thing I can think of is to disable FileVault and then immediately turn it back on. The theory being that I first enabled FV under 10.5, and perhaps 10.6 has a different method that doesn't make the system think the FV sparseimage is full of phantom gigabytes.

Unfortunately, disabling and then re-enabling FV will take several hours, so I probably won't test it for a few days, but that's my first idea.

(Is there anyone out there reading this who first enabled FV in 10.6? If so, does Getting Info on your home folder in the Finder show a "used" count far in excess of what's really there?)



[ Reply to This | # ]
10.6: Let Time Machine backup File Vault while logged in
Authored by: chucky23 on Apr 28, '10 04:39:10PM

Here's my breakdown:

Home folder contents: 5 GB
Home folder size via Finder Info "Used": 145 GB

If I follow this hint, TimeMachine requests 145 GB for the backup, which I don't have available on my desired backup drive, all to backup 5 GB of data...

There really should be some solution here.



[ Reply to This | # ]
10.6: Let Time Machine backup File Vault while logged in
Authored by: chucky23 on Apr 29, '10 03:35:59AM

I just created a new FV account under 10.6, and no luck.

Despite being an empty account, the file system thinks this empty account is using 230 GB of space.

-----

My next troubleshooting steps are to see if I can use the command line tools of "hdiutil resize" and/or "diskutil volumeResize" on the FV image to change the situation.



[ Reply to This | # ]
10.6: Let Time Machine backup File Vault while logged in
Authored by: chucky23 on Apr 29, '10 07:58:59AM

OK, Wolfgang123, I think I have an actual SOLUTION here.

We're going to solve the "Is there a way to reduce the "logical size" of the sparse image; so to not confuse TimeMachine?" aspect.

First of all, here's the background as I have managed to semi-learn over the past 24 hours:

- When you create a FileVault account, the system gives it a "Capacity" of twice the size of the physical disk it sits upon. (That's why your FV account shows a capacity of 1TB, since your physical disk is 500GB.)

- The FV account calculates a "Used" size of "Capacity" - "Available". "Available" is either the amount of free space available on your physical disk or the amount of free space available on the sparsebundle, whichever is smaller. Since the sparsebundle is created with a larger amount of free space than the physical disk, normally the "Used" size is the "Capacity" - Free space on the physical drive. In your situation, your FileVault account reports 800GB as "Used" since the FV "Capacity" is 1TB, and I'd guess you have 200GB of free space on your physical drive. So 1TB - 200GB = 800GB "Used".

- TimeMachine (when misused according to this Hint) respects the "Used" value of a FileVault account when it checks to see if it has enough space on the backup drive.

-----

So, here is the solution.

FIRST OF ALL, MAKE SURE YOU DO A GOOD BACKUP PRIOR TO PROCEEDING. This is a hacky solution, that I've only begun to really test. It does seem to work, but you should be prepared for it not to work, and to be able to restore your hard drive if it doesn't work for you.

- Logout of your FileVault account.

- Log into a second admin account to do the work.

- Mount your FileVault sparseimage. (There are a hundred different ways to do this. Search google. My method is to launch Disk Utility from the terminal through sudo.)

- Issue the following command in Terminal (replace "username" with your FileVault username. replace "500" with the Capacity you want your FileVault to now have in gigabytes):

diskutil resizeVolume /Volumes/username 500g

- Unmount your FileVault sparseimage. (You can just eject from the Finder.)

- Logout of your second admin account and log back into your FileVault account.

- Voila.

-----

The trickiest thing here is in determining the "Capacity" you want for your FileVault image.

Obviously, this will serve as a maximum for the data you can put in the FileVault.

Assuming you set it to 500GB, since the FV account calculates it's "Used" size as "Capacity" - "Available", it should show a "Used" value of 300GB, which is what Time Machine will now check for to backup the drive.

Now, if you set the "Capacity" to 180GB, then "Used" will show up as your genuine 150GB, since your available on the sparsebundle is now less than the available on the physical hard drive, and Time Machine will now only check for that 150GB.

Happily, you can repeat the steps about to resize your "Capacity" if you find you've guessed wrong. For a first try, you might want to think about a value of perhaps 250GB...



[ Reply to This | # ]
10.6: Let Time Machine backup File Vault while logged in
Authored by: chucky23 on Apr 30, '10 07:30:23PM

48 hours in, and the "Re-Capacity" measure is working with flying colors on my rig.

Multiple backups, multiple restores, and all works well.

And you can repeat the above steps to change your FV images capacity, both up and down.

-----

While it is hacky, I can't see a situation where it'd cause any real problems. The only exception is if Apple were to change FV methods in 10.7, but that won't be out for a year, and even if it does, you can just toggle FV off/on to restore to Apple factory defaults of FV capacity.

-----

In short, I recommend this method, should you wish to follow the trick but run into the false "Capacity" issue on a FV volume.

As always, I wouldn't count on this as a full backup solution. I use TM as above to backup my logged in FV, but then I backup with CCC twice a month when logged out of my FV account.

That gives me the TM backups when logged into FV, the starfield UI to examine, archive, and restore my FV volume, and also give me a FULL CCC close suitable for instant full restore in the event of things going blooey. (Then you'd have to manually restore your more recent FV logged in TM to overwrite the older FV items.

The only problem I still can 't work around is the insecurity of the encrypted image I make for FV login backups. The disk image key is stored in the System keychain, which is a bit security hole. I'll work for a bit on seeing if there is some workaround this one.



[ Reply to This | # ]
10.6: Let Time Machine backup File Vault while logged in
Authored by: adrian.nier on Jan 04, '11 02:29:51PM

Following the hint, while paying attention to the comments by humpalumpa and chucky23, I can also confirm that user data is being backed up just fine although FileVault is enabled and the user is logged in.

The only issue that I observe is that Time Machine backs up all data anew after a restart. Did someone find a fix for this problem or can at least confirm it?



[ Reply to This | # ]
10.6: Let Time Machine backup File Vault while logged in
Authored by: m4x on Feb 17, '11 09:12:01AM
Beware of Time Machine omitting certain folders with this method!
I was about to abandon my own backup hint, after discovering that some folders seemed to be left out from the backup. After some experimenting I narrowed it down to folders within my home disk image, having a name beginning with my user name, not being copied to the backup.
Renaming, or simply putting something before the name seems to solve it. Also, it doesn't seem to affect folders on other volumes.
Can anyone confirm/reproduce this?

[ Reply to This | # ]
10.6.7: Back up to encrypted image
Authored by: langiter on Apr 06, '11 07:47:26AM

Thanks m4x, this is working great for me in 10.6.7. And chucky23, your comment (7:58am) was also needed. I've also got it backing up to an encrypted sparsebundle, which other people have worked out how to do. The best instructions I've found are by sunkid on InsanelyMac.

I've added a couple of refinements myself, such as an AppleScript for automating the mounting of the encrypted image (without compromising its password), and restoring files from FileVault home folder smoothly—just put an alias to your home folder in /Volumes. :)

I'm hoping to post my complete method and script in a new hint on this site, by the title "10.6.7: Set up encrypted Backup in Time Machine for FileVault".



[ Reply to This | # ]
10.6: Let Time Machine backup File Vault while logged in
Authored by: seren on Sep 02, '11 12:33:50AM
You can update the "/Library/Preferences/com.apple.TimeMachine.plist" a bit file more easily by using the "defaults" command:
defaults write /Library/Preferences/com.apple.TimeMachine "IncludedVolumes" '(<......>)'
(replace the <......> with the huge string you got from _CFURLAliasData)

[ Reply to This | # ]