
10.6.7: Set up encrypted Backup in Time Machine for FileVault

(System 10.6 Snow Leopard only hint)

This is how to set up Time Machine to work with FileVault, producing a proper incremental backup of each file in your home folder, and have that backup encrypted. If you use this technique, you should also have a second backup, preferably a clone of your hard drive.

Throughout this hint, replace $computername with the name of your computer, $username with the short name of your FileVault user, and $backupdrive with the name of your hard drive.

[crarko adds: Please treat the following process as experimental, and be dead sure you have a complete backup of any system you try this on.]

Here is the procedure:

Step 1: Prepare the Disk Image

To create the image: Open Disk Utility, click 'New Image,' and enter the following:

Save the image as $computername.sparsebundle, in location: root level of backup hard drive, Name: 'Time Machine Backups,' Size: Custom (then choose your size), Encryption: choose 128- or 256-bit, Format: sparsebundle.

If using an AFP drive over a network, it has to be on Mac OS X 10.5 or higher; otherwise use SMB. If using an SMB drive over a network, save the disk image to the local computer and then transfer it to the network drive. You can make it small and then grow it after transferring, using the same technique as used for shrinking the FileVault sparsebundle (see Step 4).

Follow these steps from sunkid's hint:
  • Get the machine's 'Hardware UUID' from System Profiler
  • Create a new plain text file, paste the following text, and replace "YOURUUIDHERE" with your UUID. (The key name is literally com.apple.backupd.HostUUID, with no dollar sign; only the string value is replaced.)
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>com.apple.backupd.HostUUID</key>
    <string>YOURUUIDHERE</string>
    </dict>
    </plist>

  • Save the file as com.apple.TimeMachine.MachineID.plist and put it in the sparsebundle package. (In the Finder, right-click on $computername.sparsebundle and choose 'Show Package Contents.' Put it right there, next to 'Info.plist.')

Step 2: Set up Time Machine
  • Double-click sparsebundle in the Finder, and tell it to store your password. The password's stored in your login keychain, encrypted with your keychain password. (This hint does not require you to transfer the password to the System keychain. Putting the password in the System keychain would mean your backed-up data can be read if your computer and backup drive are stolen together—see Notes below.)
  • Open Time Machine, select your backup hard drive as your disk, and let it back up! It won't back up your FileVault folder yet.
  • Switch Time Machine 'off.' (This only turns off automatic backups. Unfortunately, with the backup encrypted, Time Machine's automatic backups always fail.)
  • In 10.6.7, automatic backups fail even with the password in the System keychain.

Step 3: Automate encrypted backups

Open AppleScript Editor, paste the following text, and replace the words starting with "$". Credit to llee for the shell script to launch TM.
    -- Only run as the FileVault user: their login keychain holds the image password.
    if (do shell script "/usr/bin/whoami") is not "$username" then return
    -- Only run when the backup drive is actually mounted.
    if "$backupdrive" is in (do shell script "/bin/ls /Volumes") then
        tell application "DiskImageMounter" to open file "Volumes:$backupdrive:$computername.sparsebundle"
        delay 10 -- mine's never taken > 1 sec to mount
        do shell script "/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper >/dev/null 2>&1 &" -- launches TM in the background
    end if
Save the AppleScript, and set it to run every hour, or however often you want. I did this using 'Alarm Clock S.E.' You can use launchd or try putting it in /private/etc/periodic/hourly.

Step 4: Add FileVault to the Time Machine backups

First, you probably have to resize the FileVault sparsebundle. Check by clicking on your Home folder in the Sidebar in the Finder and do a 'Get Info.' If its 'Capacity' is greater than your hard drive's true capacity, you should resize the sparsebundle. (Otherwise, your backups will fail, or have enormous wasted space, because it thinks it needs more room than it really does. For details, see the Notes below.)

Step 4a: Resizing the FileVault sparsebundle
  • Log out of the FileVault account, and log into another admin account.
  • Back up the FileVault account. To find its sparsebundle, go to /Users/$username and do a 'Get Info.' In Sharing & Permissions click the padlock to unlock, and change the owner to the username you're logged in as. DON'T FORGET: *CHANGE THIS BACK LATER!* Go to /Users/$username/$username.sparsebundle and 'Get Info.' Again, change the owner to yourself, and *CHANGE IT BACK* later. Now make a backup of the entire sparsebundle by copying it somewhere else.
  • Resize the original sparsebundle by opening Terminal and running the following command, replacing $size with something less than the size of your hard disk. Perhaps its size minus combined size of other files in the hard drive (i.e. excluding the FileVault user's folder). Put a 'g' after this number, for gigabytes.
      hdiutil resize -size $size /Users/$username/$username.sparsebundle
      (For example: hdiutil resize -size 280g /Users/frank/frank.sparsebundle).
  • *CHANGING BACK* Return to 'Get Info' on $username.sparsebundle and set the owner back to $username. Repeat for the /Users/$username folder.
  • Log out of your other admin account, and log back into FileVault account.

Step 4b: Adding the FileVault sparsebundle to Time Machine

Follow m4x's great guide to "Let Time Machine backup File Vault while logged in".

Step 5: Streamline FileVault file restores
  • In a Finder window, press Cmd+Shift+G. Type /Volumes in the Go To field. You now see the hidden 'Volumes' folder where disks and disk images are mounted.
  • Open /Users in another Finder window, and click on the FileVault home folder. Make an alias and put it in the Volumes folder.
Now when restoring from 'Browse Time Machine,' it still thinks the FileVault home folder is another disk in the backup, but it also sees it as another disk on the current system. This alias persisted across rebooting for me, but if it disappears, just make it again.

Viewing Backups in Finder
  • Mount the disk image.
  • Go to 'Browse Other Time Machine Disks' (in the Time Machine menu, hold down the Option key) and select your disk image.
  • The FileVault home folder will appear in your backups as another 'disk', next to your hard drive. It won't be in /Users.
If anyone knows a way to use a script to initiate 'Browse Other Time Machine Disks,' please share! That would cut this two-step process in half. Unfortunately this technique doesn't help for viewing backups in other programs, like Address Book (see 'Notes').

Full restores

Easy way (with a clone backup): make sure you have another backup system, one which clones the hard drive. First restore from the clone, then use Time Machine to restore everything from your current backup (assuming your Time Machine backup is newer than the clone).

Hard way (without a clone backup): you may try using advice from apk5WEyJOQ at MacRumors.

This should work, except for FileVault. I suggest that before starting up the computer, you create a folder /Users/$username and an encrypted disk image inside it (as per Step 1), then copy the contents of FileVault backup folder into it. If anyone does this, please share.

I'm not sure what restoring through Time Machine will do with the $username alias in /Volumes -- I hope it won't follow the link and write the files in plaintext.

Notes

There is a known issue with certain files and folders not appearing in backups. I don't know if this applies to all Time Machine users, or only happens when using this technique for FileVault. In my experiments, these are files and folders anywhere inside the home folder, which start with the name of the home folder. E.g. in home folder jake any file or folder like 'jakes' or 'jakes story.rtf' will not be copied to the backup. The exception is files that have exactly the same name as the home folder (with or without an extension on the end). For example, a file or folder named 'jake' WILL be backed up, so will a file called 'jake.mov,' and even 'jake.'.

FileVault's raw .sparsebundle file will never be backed up with this setup, because Time Machine only tries to do it when the FileVault user is logged out; but when that user is logged out, the password in their login keychain can't be accessed, so $computername.sparsebundle can't be opened automatically. You would need to mount the backup disk image manually and manually start TM. If you don't want to do this, you can add your user folder to TM's exclusions list.

System keychain versus login keychain: A thanks to zegor for the hint "Create networkable and copyable Time Machine backups" which gave me the idea of storing the password in the keychain, and to mantrid who pointed out why it's insecure to store it in the System keychain. The problem is that another admin user can view the System keychain items. If a thief steals your Mac, they can reset an admin password, and access the System keychain. Then plug in your backup, and there are all your files.

FileVault sparsebundles 'Capacity': Big thanks to chunky23 for this. OS X sets a FileVault sparsebundle's 'Capacity' to twice the size of the hard drive. The 'Available' figure is either the amount of room left in the sparsebundle's 'Capacity,' or the amount of room left in the hard drive, whichever is smaller.

The 'Used' figure is simply 'Capacity' minus 'Available'. So when the sparsebundle's 'Capacity' is bigger than your hard drive's true capacity, the 'Used' figure is more (perhaps many times more) than the real amount of data used. Confusing? For example, with a 500 GB hard drive, the FileVault sparsebundle gets a 1000 GB 'Capacity'. If there are 200 GB of data on the hard drive, 100 GB of which are in the FileVault sparsebundle, then the hard drive has 300 GB free and the sparsebundle has 900 GB free.

When beginning a backup TM calculates how much room it thinks it will need, partly based on this inflated 'Used' size of the sparsebundle (e.g. 700 GB). If this is larger than the backup hard drive, it refuses to back up. Otherwise, it starts to back up, but if it thinks the backup drive is too full, it deletes old backups to make room. The actual backup will take much less room than it expects (e.g. 200 GB), leaving many empty gigabytes (700 - 200 = 500 GB), but next time TM will again delete more backups to keep this large empty space (500 GB).
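To make the Step 4 resize check and these Notes concrete, here is an added example (not part of the hint) that models the Finder's 'Capacity'/'Available'/'Used' figures exactly as the Notes describe them, and shows what the figures look like before and after resizing the sparsebundle to the size Step 4a suggests. All sizes are in GB and the sample values are constructed to match the 500 GB scenario above.

```python
"""Model of the Finder figures for a FileVault sparsebundle, as described in
the hint's Notes, plus the Step 4 resize check.  Added example, not part of
the hint; sizes are in GB and the sample scenario is constructed."""


def finder_figures(bundle_capacity, bundle_data, hd_capacity, hd_data):
    """Return (capacity, available, used) as the Finder shows them.

    'Available' is the smaller of the room left inside the sparsebundle and
    the room left on the hard drive; 'Used' is 'Capacity' minus 'Available'.
    That is why 'Used' is inflated whenever the bundle's capacity exceeds the
    drive's.  hd_data is all data on the drive, including the space the
    sparsebundle really occupies.
    """
    bundle_free = bundle_capacity - bundle_data
    hd_free = hd_capacity - hd_data
    available = min(bundle_free, hd_free)
    used = bundle_capacity - available
    return bundle_capacity, available, used


def needs_resize(bundle_capacity, hd_capacity):
    """Step 4 check: resize when 'Capacity' exceeds the drive's true capacity."""
    return bundle_capacity > hd_capacity


def suggested_size(hd_capacity, other_data):
    """Step 4a guidance: drive size minus everything outside the FileVault
    home folder, so the bundle can never claim more than the drive holds."""
    return hd_capacity - other_data


def inflation(bundle_capacity, bundle_data, hd_capacity, hd_data):
    """By how many GB the 'Used' figure overstates the real data in the bundle."""
    _, _, used = finder_figures(bundle_capacity, bundle_data, hd_capacity, hd_data)
    return used - bundle_data


if __name__ == "__main__":
    # Constructed scenario from the Notes: 500 GB drive, 200 GB of data on it,
    # 100 GB of which sit inside the FileVault sparsebundle.
    hd, hd_data, fv_data = 500, 200, 100
    other = hd_data - fv_data
    default_capacity = 2 * hd  # OS X sets 'Capacity' to twice the drive size
    print("before:", finder_figures(default_capacity, fv_data, hd, hd_data))
    if needs_resize(default_capacity, hd):
        size = suggested_size(hd, other)
        print("hdiutil resize -size %dg /Users/$username/$username.sparsebundle" % size)
        print("after: ", finder_figures(size, fv_data, hd, hd_data))
```

Running it shows 'Used' dropping from 700 GB to the true 100 GB once the bundle is no larger than the drive.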

Restarting didn't cause a problem: Another user mentioned elsewhere that after restarting, his backup started afresh and backed up everything again rather than incrementally. I got a message in console saying com.apple.backupd[x] Event store UUIDs don't match for volume: $username, but the following backup was only small.

[crarko adds: OK, this is a very long and complicated process (and was quite a difficult edit). This procedure sounds pretty experimental, so I would be sure to have a full clone of my drive before attempting to do this. We've had hints about encrypted Time Machine backups before, but being able to handle FileVault is something of the Holy Grail of backups. Let's just be sure it's not the Monty Python version. If any of you are inclined to try this I'd love to hear how it goes, and please let me know if there are any errors in this. I won't be too surprised if there are.]

10.6.7: Set up encrypted Backup in Time Machine for FileVault
Authored by: rumpoleon on May 09, '11 08:29:49AM

A good description of a similar method, including appropriate screen shots, can be found at http://thepracticeofcode.com/post/749686705/encrypted-rotating-time-machine-backups-on-snow



10.6.7: Set up encrypted Backup in Time Machine for FileVault
Authored by: langiter on May 29, '11 10:50:13PM

Yep, this is a method I looked through carefully when researching my own method. The main differences (as I remember) are this one works nicely with FileVault, and that one allows rotating backups.



10.6.7: Set up encrypted Backup in Time Machine for FileVault
Authored by: alexburke on May 09, '11 09:32:26AM

... or you could wait a couple of months for Lion, which has full-disk encryption and fully-encrypted backups, instead of the mess which is the combination of Time Machine and FileVault.

If you're running Snow Leopard you're on Intel already, and all Core 2 Duo machines should work fine with Lion (the few machines with Core Solo or Core Duo CPUs are left out).

So, just wait for Lion.



10.6.7: Set up encrypted Backup in Time Machine for FileVault
Authored by: langiter on May 29, '11 10:53:14PM

You bet! Lion should have the nice solution. But alas, my favourite PPC programs won't run on Lion, for Rosetta is no more. This can be an option for those of us staying on Snow Leopard.



10.6.7: Set up encrypted Backup in Time Machine for FileVault
Authored by: Notch Johnson on Jul 22, '11 11:25:02AM

Lion is out. As it turns out, Lion only supports encryption to locally connected disks, not Time Machine disks. Still need this work-around.



10.6.7: Set up encrypted Backup in Time Machine for FileVault
Authored by: michaelkiaer on May 10, '11 06:08:38PM
I haven't tried the hint so take this with a grain of salt -- but comparing with other hints on the web, I think there's a mistake in Step 1:
  • Create a new plain text file, paste the following text, and replace "$HostUUID" with your UUID
  • should read
  • Create a new plain text file, paste the following text, and replace "YOURUUIDHERE" with your UUID"
  • And in the sample file "com.apple.backupd.$HostUUID" should be "com.apple.backupd.HostUUID" (no dollar sign.)

    10.6.7: Set up encrypted Backup in Time Machine for FileVault
    Authored by: langiter on May 29, '11 11:06:26PM

    Thanks for your feedback, michaelkiaer, great to know someone’s going over my post with a fine-toothed comb. You’re right, my mistake. I’ve just double-checked my own implementation, and both your corrections are…correct.

    Can an admin correct this in the hint?

    Edited on May 29, '11 11:22:47PM by langiter



    I Ain't Chunky
    Authored by: chucky23 on May 11, '11 08:32:04AM

    "FileVault sparsebundles 'Capacity': Big thanks to chunky23 (sic) for this"

    Glad that was able to help someone else. I was quite proud with myself for figuring that one out.

    I've been happily using a much-simplified backup routine to this one (via AppleScript instead of shell scripting) for the past year without incident.

    But, two things:

    1) If you're going to cite my screen name, could you please spell it properly?

    2) Given that Lion is coming in a couple of months with the elimination of FileVault and a completely different encryption scheme, it might be a little late in the game to start out with a backup routine like this...



    I Ain't Chunky
    Authored by: langiter on May 29, '11 11:29:14PM

    So sorry, chucky23! I have a friend nicknamed “Chunky”—please take it as a compliment! And please accept my apologies.

    Ah, Lion, yes. It will render my procedure obsolete, I’m sure, but this method may still be useful for those of us staying on Snow Leopard.



    I Ain't Chunky
    Authored by: chucky23 on Aug 23, '11 03:55:50PM

    "Ah, Lion, yes. It will render my procedure obsolete, I’m sure, but this method may still be useful for those of us staying on Snow Leopard."

    Huh. Back then, I expected to be an early upgrader to Lion, but given what I've seen, I think I may stay on Snowy for a loooooong time. So good on you for putting this all together, langiter.

    (And FWIW, Lion actually supports "Legacy FileVault" if you upgrade a Snowy machine with an existing FileVault account, so this hint is actually applicable to anyone who wants to roll that way on Lion. I actually think "Legacy FileVault" is superior to whole disk encryption in several ways, and would use it if I were to upgrade to Lion, which I'm not planning on doing.)



    10.6.7: Set up encrypted Backup in Time Machine for FileVault
    Authored by: langiter on May 29, '11 11:49:50PM

    Thank you, crarko, for patiently going through the whole thing! I’ve now been using this technique for all my Time Machine backups for almost two months, with almost no hiccups.

    The one hiccup: once, Time Machine refused to back up when told to. Solution was to copy the encrypted backup’s password into the System keychain, back up, and then remove it again. Has worked perfectly since then.

    If anyone wants the whole explanation for inflated FileVault ‘Used’ values, here is the complete example:
    E.g. if 500 GB HD, then 1000 GB “Capacity” FileVault sparsebundle. If 200 GB data in HD, with 100 GB in FV sparsebundle, then HD has 300 GB free, and FV sparsebundle has 900 GB free. 300 is less than 900, so “Available” figure is set to 300 GB. “Used” is then erroneously 1000 - 300 = 700 GB.



    10.6.7: Set up encrypted Backup in Time Machine for FileVault
    Authored by: langiter on Jun 13, '11 07:14:28AM

    The 'hiccup' just happened again. The reason appears to be Time Machine wanted to verify the backup. Again, used Keychain Access to copy password into System Keychain, and then it worked. Once again, removed password from System Keychain afterwards and it's been fine since.


