10.6.7: Set up encrypted Backup in Time Machine for FileVault

May 09, '11 07:30:00AM

Contributed by: langiter

Snow Leopard only hint

This is how to set up Time Machine to work with FileVault, producing a proper incremental backup of each file in your home folder, with the backup itself encrypted. If you use this technique, you should also keep a second backup, preferably a clone of your hard drive.

Throughout this hint, replace $computername with the name of your computer, $username with the short name of your FileVault user, and $backupdrive with the name of your backup hard drive.

[crarko adds: Please treat the following process as experimental, and be dead sure you have a complete backup of any system you try this on.]

Here is the procedure:

Step 1: Prepare the Disk Image

To create the image: open Disk Utility, click 'New Image,' and enter the following:

Save As: $computername.sparsebundle
Where: the root level of the backup hard drive
Name: Time Machine Backups
Size: Custom (then choose your size)
Encryption: 128-bit or 256-bit AES
Image Format: sparse bundle disk image

If the backup drive is an AFP share over the network, the server has to be running Mac OS X 10.5 or later; otherwise use SMB. With an SMB share, save the disk image to the local computer first and then transfer it to the network drive. You can make it small and grow it after the transfer, using the same technique used for shrinking the FileVault image (see Step 4a).

Follow these steps from sunkid's hint:


Step 2: Set up Time Machine

Step 3: Automate encrypted backups

Open AppleScript Editor, paste the following text, and replace the words starting with "$". Credit to llee for the shell script that launches Time Machine. The script only does anything when it is running as the FileVault user (the login keychain holding the image password is only available then) and the backup drive is actually present.

if (do shell script "/usr/bin/whoami") is not "$username" then return -- only run as the FileVault user
if "$backupdrive" is in (do shell script "/bin/ls /Volumes") then -- backup drive is plugged in or mounted
    -- DiskImageMounter takes the image password from the login keychain, so no prompt appears
    tell application "DiskImageMounter" to open POSIX file "/Volumes/$backupdrive/$computername.sparsebundle"
    delay 10 -- mine's never taken more than 1 sec to mount
    do shell script "/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper >/dev/null 2>&1 &" -- launches Time Machine
end if
Save the AppleScript, and set it to run every hour, or however often you want. I did this using 'Alarm Clock S.E.' You can use launchd or try putting it in /private/etc/periodic/hourly. Note that periodic scripts run as root, so the whoami check at the top of the script would stop it there and root cannot read your login keychain anyway; a per-user launchd agent in ~/Library/LaunchAgents runs as you and avoids both problems.
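The same procedure (Steps 1 and 3, plus the "create small, grow after transfer" trick from Step 1) as a plain shell script, added here as an example; it is not the hint's own script, which is the AppleScript above. It assumes the image password is stored in the login keychain under the service name in TM_KEYCHAIN_ITEM (see the Notes for why the System keychain is a bad place for it), that `security find-generic-password -w` is available on your release, and that the 10.6 backupd-helper path quoted in the hint is the right way to kick off a backup. The user, computer and drive names are example values, to be replaced like the $-words in the hint.

```shell
#!/bin/sh
# Added example for Steps 1 and 3 of this hint; not the hint's own script.
# Assumptions: the image password lives in the *login* keychain (service name
# TM_KEYCHAIN_ITEM), and backupd-helper is how a backup is started on this system.
set -eu

FILEVAULT_USER="${FILEVAULT_USER:-jake}"      # $username in the hint (example value)
COMPUTERNAME="${COMPUTERNAME:-macbook}"       # $computername in the hint (example value)
BACKUPDRIVE="${BACKUPDRIVE:-Passionfruit}"    # $backupdrive in the hint (example value)
VOLUMES_ROOT="${VOLUMES_ROOT:-/Volumes}"      # overridable so the checks can be tried elsewhere
IMAGE_VOLNAME="Time Machine Backups"          # volume name chosen in Disk Utility in Step 1
TM_KEYCHAIN_ITEM="timemachine-sparsebundle"   # assumed label of the login-keychain item
BACKUPD_HELPER=/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper

image_path() { echo "$VOLUMES_ROOT/$BACKUPDRIVE/$COMPUTERNAME.sparsebundle"; }

# True when a volume of exactly that name is visible under $VOLUMES_ROOT. This is the
# hint's `ls /Volumes` check made exact, so "Passionfruit2" does not match "Passionfruit".
volume_mounted() { [ -d "$VOLUMES_ROOT/$1" ]; }

# Decide what an hourly run should do, kept separate from doing it so it can be tested.
next_action() {
    if ! volume_mounted "$BACKUPDRIVE"; then
        echo skip                 # backup drive not plugged in / share not mounted
    elif ! volume_mounted "$IMAGE_VOLNAME"; then
        echo mount-and-backup
    else
        echo backup               # image already open, e.g. left mounted by the last run
    fi
}

# The password comes from the login keychain, so it is readable only while this user is
# logged in, which is also the only time the FileVault home is there to be backed up.
# The trailing newline is stripped: hdiutil -stdinpass would otherwise make it part of
# the passphrase, and the password typed into a dialog later would not match.
image_password() {
    security find-generic-password -a "$FILEVAULT_USER" -s "$TM_KEYCHAIN_ITEM" -w | tr -d '\n'
}

# One-time setup. Putting -w last makes `security` prompt for the password instead of
# taking it on the command line, so it stays out of `ps` output and shell history.
store_password() { security add-generic-password -a "$FILEVAULT_USER" -s "$TM_KEYCHAIN_ITEM" -w; }

# Step 1 from the command line instead of Disk Utility: an AES-256 sparse bundle.
create_image() {  # create_image SIZE, e.g. 20g for a small image to copy to an SMB share
    image_password | hdiutil create -size "$1" -type SPARSEBUNDLE -fs HFS+J \
        -encryption AES-256 -stdinpass -volname "$IMAGE_VOLNAME" "$(image_path)"
}

# Grow the image after it has been copied to the network drive (it must be unmounted).
grow_image() {  # grow_image SIZE, e.g. 500g
    hdiutil resize -size "$1" "$(image_path)"
}

# Step 3: the hourly job. Run it from a per-user launchd agent so that it runs as
# $FILEVAULT_USER and can see that user's login keychain.
hourly_run() {
    [ "$(id -un)" = "$FILEVAULT_USER" ] || return 0
    case "$(next_action)" in
        skip)             return 0 ;;
        mount-and-backup) image_password | hdiutil attach -stdinpass "$(image_path)" ;;
    esac
    "$BACKUPD_HELPER" >/dev/null 2>&1 &
}

case "${1:-}" in
    setup)  store_password ;;
    create) create_image "${2:-20g}" ;;
    grow)   grow_image "${2:-500g}" ;;
    run)    hourly_run ;;
esac
```

Usage: `sh tmfv.sh setup` once to put the password in the login keychain, `sh tmfv.sh create 20g` (then copy the bundle to the share and `sh tmfv.sh grow 500g`), and `sh tmfv.sh run` from the hourly launchd agent. Because the password is read from the user's login keychain rather than the System keychain, another admin account, or someone who has reset an admin password on a stolen machine, does not get it along with the backup drive.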

Step 4: Add FileVault to the Time Machine backups

First, you probably have to resize the FileVault sparsebundle. Check by clicking on your Home folder in the Sidebar in the Finder and do a 'Get Info.' If its 'Capacity' is greater than your hard drive's true capacity, you should resize the sparsebundle. (Otherwise, your backups will fail, or have enormous wasted space, because it thinks it needs more room than it really does. For details, see the Notes below.)

Step 4a: Resizing the FileVault sparsebundle

Step 4b: Adding the FileVault sparsebundle to Time Machine

Follow m4x's great guide to "Let Time Machine backup File Vault while logged in".

Step 5: Streamline FileVault file restores

Now when restoring from 'Browse Time Machine,' it still thinks the FileVault home folder is another disk in the backup, but it also sees it as another disk on the current system. This alias persisted across rebooting for me, but if it disappears, just make it again.

Viewing Backups in Finder

If anyone knows a way to use a script to initiate 'Browse Other Time Machine Disks,' please share! That would cut this two-step process in half. Unfortunately this technique doesn't help for viewing backups in other programs, like Address Book (see 'Notes').

Full restores

Easy way (with a clone backup): make sure you have another backup system, one which clones the hard drive. First restore from the clone, then use Time Machine to restore everything from your current backup (assuming your Time Machine backup is newer than the clone).

Hard way (without a clone backup): you may try using advice from apk5WEyJOQ at MacRumors.

This should work, except for FileVault. I suggest that before starting up the computer, you create a folder /Users/$username and an encrypted disk image inside it (as per Step 1), then copy the contents of the FileVault backup folder into it. If anyone does this, please share.

I'm not sure what restoring through Time Machine will do with the $username alias in /Volumes -- I hope it won't follow the link and write the files in plaintext.

Notes

There is a known issue with certain files and folders not appearing in backups. I don't know if this applies to all Time Machine users, or only happens when using this technique for FileVault. In my experiments, these are files and folders anywhere inside the home folder whose names start with the name of the home folder. E.g. in the home folder 'jake', any file or folder such as 'jakes' or 'jakes story.rtf' will not be copied to the backup. The exception is files that have exactly the same name as the home folder (with or without an extension on the end). For example, a file or folder named 'jake' WILL be backed up, as will a file called 'jake.mov,' and even 'jake.'. After the first backup, check for such names in the home folder and compare against the backup before trusting it.

FileVault's raw .sparsebundle file will never be backed up with this setup, because Time Machine only tries to do it when the FileVault user is logged out; but when that user is logged out, the password in the login keychain can't be accessed, so $computername.sparsebundle can't be opened automatically. To back it up you would need to mount the backup disk image manually and start Time Machine manually. If you don't want that, you can add your user folder to TM's special exclusions list.

System keychain versus login keychain: Thanks to zegor for the hint "Create networkable and copyable Time Machine backups," which gave me the idea of storing the password in the keychain, and to mantrid, who pointed out why it's insecure to store it in the System keychain. The problem is that any other admin user can view the System keychain items. If a thief steals your Mac, they can reset an admin password and read the System keychain, then plug in your backup, and there are all your files. The login keychain is unlocked only by your own login password, which is also what protects the FileVault home, so storing the image password there gives the backup the same protection as the data it holds.

FileVault sparsebundles 'Capacity': Big thanks to chunky23 for this. OS X sets a FileVault sparsebundle's 'Capacity' to twice the size of the hard drive. The 'Available' figure is either the amount of room left in the sparsebundle's 'Capacity,' or the amount of room left in the hard drive, whichever is smaller.

The 'Used' figure is simply 'Capacity' minus 'Available'. So when the sparsebundle's 'Capacity' is bigger than your hard drive's true capacity, the 'Used' figure is more (perhaps many times more) than the real amount of data in it. Confusing? For example: a 500 GB hard drive gives a FileVault sparsebundle with a 1000 GB 'Capacity'. With 200 GB of data on the drive, 100 GB of it inside the FileVault sparsebundle, the drive has 300 GB free and the sparsebundle has 900 GB of room left within its 'Capacity'. 'Available' is the smaller of the two, 300 GB, so 'Used' shows as 1000 - 300 = 700 GB for 100 GB of real data.

When beginning a backup, TM calculates how much room it thinks it will need, partly based on this inflated 'Used' size of the sparsebundle (e.g. 700 GB). If this is larger than the backup hard drive, it refuses to back up. Otherwise, it starts to back up, but if it thinks the backup drive is too full, it deletes old backups to make room. The actual backup takes much less room than it expects (e.g. 200 GB), leaving many empty gigabytes (700 - 200 = 500 GB), and next time TM will again delete more backups to keep this large empty space (500 GB) free.
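The 'Capacity'/'Available'/'Used' arithmetic from the two notes above, as a small added shell calculator (not part of the hint) so you can plug in your own figures before deciding whether to resize. It takes the disk size, the data on the disk, the data inside the FileVault image and the image's 'Capacity' as shown by Get Info, all in whole gigabytes; the Time Machine outcome follows the hint's own numbers, where the reservation is the inflated 'Used' figure and only the real data gets written.

```shell
# Added illustration of the 'Capacity'/'Available'/'Used' arithmetic in the Notes above;
# not part of the hint. All figures are whole gigabytes. FV_CAPACITY is what Get Info
# shows for the FileVault home folder: twice the disk size unless it has been resized.
fv_used_figure() {  # fv_used_figure DISK_SIZE DISK_DATA FV_DATA FV_CAPACITY
    disk_free=$(( $1 - $2 ))
    room_in_image=$(( $4 - $3 ))
    # 'Available' is whichever is smaller: room left in the image or room left on the disk
    if [ "$room_in_image" -lt "$disk_free" ]; then
        available=$room_in_image
    else
        available=$disk_free
    fi
    echo $(( $4 - available ))          # 'Used' = Capacity - Available
}

# What Time Machine does with that figure (per the hint): refuse if it exceeds the
# backup drive, otherwise reserve it, deleting old backups to make room, even though
# only DISK_DATA gigabytes are actually written.
tm_outcome() {  # tm_outcome DISK_SIZE DISK_DATA FV_DATA FV_CAPACITY BACKUP_DRIVE_SIZE
    wanted=$(fv_used_figure "$1" "$2" "$3" "$4")
    if [ "$wanted" -gt "$5" ]; then
        echo "refuse: thinks it needs ${wanted}G on a ${5}G drive"
    else
        echo "backup: reserves ${wanted}G, writes ${2}G, wastes $(( wanted - $2 ))G"
    fi
}

# True when the image's 'Capacity' exceeds the real disk, i.e. Step 4a applies.
needs_resize() {  # needs_resize DISK_SIZE FV_CAPACITY
    [ "$2" -gt "$1" ]
}
```

With the hint's numbers, `fv_used_figure 500 200 100 1000` gives 700 and `tm_outcome 500 200 100 1000 1000` reports 500 GB wasted; after resizing the image so its 'Capacity' no longer exceeds the disk (`fv_used_figure 500 200 100 500`), the figure drops to 200, which is what Time Machine can actually fit.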

Restarting didn't cause a problem: Another user mentioned elsewhere that after restarting, his backup started afresh and backed up everything again rather than incrementally. I got a message in console saying com.apple.backupd[x] Event store UUIDs don't match for volume: $username, but the following backup was only small.

[crarko adds: OK, this is a very long and complicated process (and was quite a difficult edit). This procedure sounds pretty experimental, so I would be sure to have a full clone of my drive before attempting to do this. We've had hints about encrypted Time Machine backups before, but being able to handle FileVault is something of the Holy Grail of backups. Let's just be sure it's not the Monty Python version. If any of you are inclined to try this I'd love to hear how it goes, and please let me know if there are any errors in this. I won't be too surprised if there are.]



Mac OS X Hints
http://hints.macworld.com/article.php?story=20110502044636108