
Easily encrypt Time Machine backups System
One missing element of Time Machine has been the ability to encrypt the backups. There have been suggestions of ways this can be done to an AFP connected network share using a sparse disk image, but not on a directly connected device. The method below shows how to accomplish this on a local volume.

This video (by Falko Zurell) shows how to do it in detail. The basic idea is to get Time Machine to treat a local encrypted sparse disk image in the same fashion as a remotely mounted backup volume. It's a careful but not particularly difficult procedure, mostly involving Disk Utility and following the precise naming convention that Time Machine uses for remote images.

In brief: you format a new partition on your backup drive and let Time Machine know you want to use it, but don't actually run a backup yet. You create a sparse encrypted disk image, name it by concatenating the hostname and the en0 interface MAC address, and save it to the partition you just created. Then you save the password to your Keychain and put it in the System Keychain so Time Machine can access the image. After that, the image will automatically mount when Time Machine does a backup. Complete details of how to do this are in the video (which is about ten minutes long and uses Flash). It's much easier to see than to write down the whole process.

I have been looking for this kind of easy how-to for a long time, and I thought it might interest you. All other how-to's I found on the Internet about the same subject involved mounting AFP servers, modifying hidden files, etc. This one is the most straightforward way I found to encrypt Time Machine backups.

[crarko adds: The fellow in the video speaks softly so you may want to use earphones to catch all the details. The one caveat I saw in the method is that to do a restore you'd need to mount the disk image manually first, instead of using the normal Time Machine UI. This didn't strike me as that much of a drawback. And obviously, anyone with physical access to both your Mac and the backup drive could get in, since the password is saved to the Keychain.]
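
The naming and image-creation step from the summary above, as an added shell example that is not part of the original hint or the video. It assumes the name takes the form `<hostname>_<MAC>.sparsebundle` (the underscore separator and the extension are not stated in the hint) and that `hostname -s` yields the name Time Machine expects; the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the hint): build the image name from hostname + en0
# MAC address and create the encrypted sparse image with hdiutil.

# Normalise a MAC address to 12 lowercase hex digits; fail on anything else.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr -d ':-' | tr 'A-F' 'a-f')
    case "$mac" in
        ""|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#mac}" -eq 12 ] || return 1
    printf '%s\n' "$mac"
}

# Assumed convention: <hostname>_<mac>.sparsebundle
tm_image_name() {
    host=$1
    mac=$(normalize_mac "$2") || return 1
    case "$host" in
        ""|*/*) return 1 ;;   # empty or path-like names would misplace the image
    esac
    printf '%s_%s.sparsebundle\n' "$host" "$mac"
}

# Create the image on the backup partition. With -stdinpass the passphrase is
# read from stdin (prompted on a tty), so it never appears in argv or history.
create_tm_image() {
    dest_dir=$1; size=$2
    host=$(hostname -s)                              # assumption, see lead-in
    mac=$(ifconfig en0 | awk '/ether/ {print $2}')
    name=$(tm_image_name "$host" "$mac") || { echo "bad hostname or MAC" >&2; return 1; }
    hdiutil create -size "$size" -type SPARSEBUNDLE -fs HFS+J \
        -encryption AES-256 -stdinpass \
        -volname "Time Machine Backups" "$dest_dir/$name"
}

# Only touch the disk when asked to, e.g.:  sh tm-image.sh --create /Volumes/Backup 200g
if [ "${1:-}" = "--create" ]; then
    create_tm_image "$2" "$3"
fi
```

The Keychain step is not scripted here because the hint does not give the item details; follow the video for that part.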

Easily encrypt Time Machine backups
Authored by: noworryz on Oct 07, '10 09:56:22AM

This hint really only applies if you want to store your files unencrypted on your computer but have them encrypted on the backup volume, which is an odd thing to do.

Without using this hint, users of File Vault will have their home directories backed up encrypted on a Time Machine volume when the disk is connected and they log out or when another user is logged in.

Also, if a user creates an encrypted disk image on the computer (using Disk Utility) and uses it to store sensitive files, it will be continually backed up encrypted on a normal Time Machine volume.



Easily encrypt Time Machine backups
Authored by: asmeurer on Oct 07, '10 03:01:14PM

Maybe not necessarily. My computer is fairly well protected by the login password, but anyone could just plug in the backup drive and access the data.

Also, you might not care so much about having local data encrypted, but I wouldn't back up remotely without encrypting, especially if the server is owned by someone else.



Easily encrypt Time Machine backups
Authored by: afingal on Oct 11, '10 09:22:37AM

> Maybe not necessarily. My computer is fairly well protected by the login password, but anyone could just plug in the backup drive and access the data.

What if someone puts your computer in target disk mode?



Easily encrypt Time Machine backups
Authored by: asmeurer on Oct 11, '10 06:48:00PM

That's what the firmware password is for.



Easily encrypt Time Machine backups
Authored by: Detrius on Dec 15, '10 07:14:56AM

Even the firmware password can be reset if you have physical access to the machine. If you have access to the RAM, it's very easily reset.



Easily encrypt Time Machine backups
Authored by: TrumpetPower! on Oct 07, '10 11:23:58AM

I'm compelled to observe: encrypting backups is almost (but not quite) universally a very, very, very bad idea.

The whole point of backups is to be able to recover your data in the event that something goes worng.

The whole point of encryption is to make it impossible to recover your data in the event that something goes worng.

Encrypted backups only make sense when the backup medium cannot be physically secured and when you'd rather lose the data entirely than have it fall into the worng hands.

If you have a good backup system in place but want to protect against catastrophic damage to the storage facility where you keep your plain-text backups, you would have at least one additional set of off-site backups. Ideally, your off-site facility would be well secured, but that might not be practical. For example, you might be running a small business and keep a backup set at a relative's house. In such an instance, you would encrypt the backups and only go to them in a "Hail Mary" all-else-is-lost situation. And you'd have multiple encrypted backups at multiple locations, in addition to the unencrypted backup you keep in the bank's safety deposit box.

Most people don't need that level of redundancy. If you can't trust a plaintext backup in your safety deposit box, you've got far bigger problems. (And multinational corporations do, which is why some have redundancy designed to let them keep going even if entire cities or regions drop off line.)

And, of course, as always, a backup simply doesn't exist unless you've successfully restored it. Regularly restoring your backups and checking the integrity of the restored files is about the only part of a backup system that really matters. If you don't do that...then don't kid yourself into thinking that you're making backups.

Cheers,

b&



Easily encrypt Time Machine backups
Authored by: NoComment on Oct 08, '10 07:31:32AM

I've a backup disk at my main client's office, I use it during the times that I'm with the client. There is no safe way to store the disk when I'm not at the office, and I can't take it with me each day. So I've used the encrypted sparse bundle for over a year now, and I know if someone steals it at least he can't use the data on it. And accessing an encrypted sparse bundle in the case of an emergency recovery is not that big of a deal as the tools are available on every Mac, so no special software is needed to gain access to your backed-up data as long as you know the (long) password.



Easily encrypt Time Machine backups
Authored by: JYF on Oct 08, '10 11:12:46AM

This is exactly why I submitted this hint to the site: storing an external hard disk at the workplace. I do not want my coworkers to peer into my data.

I also have another external disk at home for regular, non-encrypted Time Machine backups.



Whole-disk encryption
Authored by: lincd0 on Oct 07, '10 01:27:30PM

TM works fine with devices encrypted with PGP whole-disk encryption.



Whole-disk encryption
Authored by: anode505 on Oct 08, '10 05:41:48AM

May or may not be an issue for you, but PGP has a federal backdoor to it. Phil added that to stay out of jail and stop all the legal hassles he was getting.



Whole-disk encryption
Authored by: pub3abn on Oct 11, '10 09:05:50AM
Easily encrypt Time Machine backups
Authored by: jaydisc on Oct 07, '10 04:35:54PM

I've had a detailed write up with screenshots of the process up for a while. It also includes how to rotate Time Machine backups:

Encrypted, Rotating Time Machine Backups on Snow Leopard



Easily encrypt Time Machine backups
Authored by: NoComment on Oct 08, '10 07:27:59AM

Important to note is that the normal Time Machine view won't work automatically with local encrypted sparse bundles UNTIL you manually open and mount the sparse bundle. You will not see any backups in the timeline view of Time Machine until then.



Easily encrypt Time Machine backups
Authored by: frank_martin on Oct 08, '10 01:00:03PM
Maybe not. If you read the link posted in the comment above yours, Encrypted, Rotating Time Machine Backups on Snow Leopard, you see the following claim: "The image should automatically mount as Time Machine Backups on your desktop."

Easily encrypt Time Machine backups
Authored by: davebreak on Dec 15, '10 10:50:28AM

I had the problem when my hard drive broke and all my files crashed, so by restoring the files I had duplicate applications, and most of them required registration keys and stuff.

So frustrating!!!

---
Live today like there is no tomorrow!


