10.6.7: Set up encrypted Backup in Time Machine for FileVault
May 09, '11 07:30:00AM
Contributed by: langiter
This is how to set up Time Machine to work with FileVault, producing a proper incremental backup of each file in your home folder, and have that backup encrypted. If you use this technique, you should also have a second backup, preferably a clone of your hard drive.
Throughout this hint, replace $computername with the name of your computer, $username with the short name of your FileVault user, and $backupdrive with the name of your backup hard drive.
[crarko adds: Please treat the following process as experimental, and be dead sure you have a complete backup of any system you try this on.]
Here is the procedure:
Step 1: Prepare the Disk Image
To create the image: Open Disk Utility, click 'New Image,' and enter the following:
Save the image as $computername.sparsebundle, in location: root level of backup hard drive, Name: 'Time Machine Backups,' Size: Custom (then choose your size), Encryption: choose 128- or 256-bit, Format: sparsebundle.
If using an AFP drive over a network, it has to be on Mac OS X 10.5 or higher—use SMB otherwise. If using an SMB drive over a network, save the disk image to the local computer and then transfer it to the network drive. You can make it small and then grow it after transferring, using the same technique as used for shrinking FileVault (see Step 4).
Follow these steps from sunkid's hint:
- Get the machine's 'Hardware UUID' from System Profiler
- Create a new plain text file, paste the following text, and replace "$HostUUID" (the value inside the <string> element) with your UUID. The key name itself stays exactly as written.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.backupd.HostUUID</key>
<string>$HostUUID</string>
</dict>
</plist>
- Save the file as com.apple.TimeMachine.MachineID.plist and put it in the sparsebundle package. (In Finder, right-click on $computername.sparsebundle and choose 'Show Package Contents.' Put it right there, next to 'Info.plist.')
Step 2: Set up Time Machine
- Double-click sparsebundle in the Finder, and tell it to store your password. The password's stored in your login keychain, encrypted with your keychain password. (This hint does not require you to transfer the password to the System keychain. Putting the password in the System keychain would mean your backed-up data can be read if your computer and backup drive are stolen together—see Notes below.)
- Open Time Machine, select your backup hard drive as your disk, and let it back up! It won't back up your FileVault folder yet.
- Switch Time Machine 'off.' (This only turns off automatic backups. Unfortunately, with the backup encrypted, Time Machine's automatic backups always fail; in 10.6.7 they fail even with the password in the System keychain.)
Step 3: Automate encrypted backups
Open AppleScript Editor, paste the following text, and replace the words starting with "$". Credit to llee for the shell script to launch TM.
if (do shell script "/usr/bin/whoami") is not "$username" then return
if "$backupdrive" is in (do shell script "/bin/ls /Volumes") then
    tell application "DiskImageMounter" to open file "Volumes:$backupdrive:$computername.sparsebundle"
    delay 10 -- mine's never taken > 1 sec to mount
    do shell script "/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper >/dev/null 2>&1 &" -- Launches TM
end if
Save the AppleScript, and set it to run every hour, or however often you want. I did this using 'Alarm Clock S.E.' You can use launchd or try putting it in /private/etc/periodic/hourly.
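The same Step 3 automation as a plain shell script, added here as an example rather than taken from the hint or llee's script. It assumes the hint's placeholder names (set as TM_USER, BACKUP_DRIVE and COMPUTER_NAME), that the image volume is named 'Time Machine Backups' as in Step 1, and that hdiutil attach will use the password saved in the login keychain; the exact-name drive check and the polling for the mount point are additions over the AppleScript.

```shell
#!/bin/sh
# Added example, not the hint's own script: a shell version of Step 3.
# Set these to the values the hint calls $username, $backupdrive and
# $computername (the defaults here are placeholders).
TM_USER="${TM_USER:-username}"
BACKUP_DRIVE="${BACKUP_DRIVE:-backupdrive}"
COMPUTER_NAME="${COMPUTER_NAME:-computername}"
# Helper path taken from the hint; the image volume is named as in Step 1.
BACKUPD_HELPER=/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper
IMAGE_VOLUME="/Volumes/Time Machine Backups"

# Only the FileVault user's login keychain holds the image password, so the
# script does nothing for anyone else (same whoami check as the AppleScript).
is_backup_user() {  # $1 = current user, $2 = expected user
    [ "$1" = "$2" ]
}

# Is the backup drive attached? Tests the volume directory itself rather than
# 'is in (ls /Volumes)', which would also match a drive named e.g. "Backup2".
drive_present() {  # $1 = /Volumes-style root, $2 = drive name
    [ -d "$1/$2" ]
}

# Poll for the mount point instead of a fixed "delay 10".
# Returns 0 once the directory exists, 1 after $2 seconds without it.
wait_for_mount() {  # $1 = mount point, $2 = timeout in seconds
    _waited=0
    while [ "$_waited" -lt "$2" ]; do
        [ -d "$1" ] && return 0
        sleep 1
        _waited=$((_waited + 1))
    done
    [ -d "$1" ]
}

run_backup() {
    is_backup_user "$(whoami)" "$TM_USER" || return 0
    drive_present /Volumes "$BACKUP_DRIVE" || return 0
    # Assumption: hdiutil attach picks up the password saved in the login
    # keychain (as DiskImageMounter does), so no password is passed on the
    # command line or visible in ps output.
    hdiutil attach "/Volumes/$BACKUP_DRIVE/$COMPUTER_NAME.sparsebundle" >/dev/null || return 1
    wait_for_mount "$IMAGE_VOLUME" 30 || return 1
    "$BACKUPD_HELPER" >/dev/null 2>&1 &
}

# Only act when invoked as `sh tm-filevault.sh run`; otherwise just define
# the functions (e.g. for sourcing from a launchd-driven wrapper).
if [ "${1:-}" = "run" ]; then run_backup; fi
```

Schedule it with launchd (a StartInterval of 3600 gives the hourly run the hint describes) or from the hourly periodic directory, exactly as for the AppleScript.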
Step 4: Add FileVault to the Time Machine backups
First, you probably have to resize the FileVault sparsebundle. Check by clicking on your Home folder in the Sidebar in the Finder and do a 'Get Info.' If its 'Capacity' is greater than your hard drive's true capacity, you should resize the sparsebundle. (Otherwise, your backups will fail, or have enormous wasted space, because it thinks it needs more room than it really does. For details, see the Notes below.)
Step 4a: Resizing the FileVault sparsebundle
- Log out of the FileVault account, and log into another admin account.
- Back up the FileVault account. To find its sparsebundle, go to /Users/$username and do a 'Get Info.' In Sharing & Permissions click the padlock to unlock, and change the owner to the username you're logged in as. DON'T FORGET: *CHANGE THIS BACK LATER!* Go to /Users/$username/$username.sparsebundle and 'Get Info.' Again, change the owner to yourself, and *CHANGE IT BACK* later. Now make a backup of the entire sparsebundle by copying it somewhere else.
- Resize the original sparsebundle by opening Terminal and running the following command, replacing $size with something less than the size of your hard disk. Perhaps its size minus combined size of other files in the hard drive (i.e. excluding the FileVault user's folder). Put a 'g' after this number, for gigabytes.
hdiutil resize -size $size /Users/$username/$username.sparsebundle
(For example: hdiutil resize -size 280g /Users/frank/frank.sparsebundle).
- *CHANGING BACK* Return to 'Get Info' on $username.sparsebundle and set the owner back to $username. Repeat for the /Users/$username folder.
- Log out of your other admin account, and log back into FileVault account.
Step 4b: Adding the FileVault sparsebundle to Time Machine
Follow m4x's great guide to "Let Time Machine backup File Vault while logged in".
Step 5: Streamline FileVault file restores
- In a Finder window, press Cmd+Shift+G. Type /Volumes in the Go To field. You now see the hidden 'Volumes' folder where disks and disk images are mounted.
- Open /Users in another Finder window, and click on the FileVault home folder. Make an alias and put it in the Volumes folder.
Now when restoring from 'Browse Time Machine,' it still thinks the FileVault home folder is another disk in the backup, but it also sees it as another disk on the current system. This alias persisted across rebooting for me, but if it disappears, just make it again.
Viewing Backups in Finder
- Mount the disk image.
- Go to 'Browse Other Time Machine Disks' (in the Time Machine menu, hold down the Option key) and select your disk image.
- The FileVault home folder will appear in your backups as another 'disk', next to your hard drive. It won't be in /Users.
If anyone knows a way to use a script to initiate 'Browse Other Time Machine Disks,' please share! That would cut this two-step process in half. Unfortunately this technique doesn't help for viewing backups in other programs, like Address Book (see 'Notes').
Full restores
Easy way (with a clone backup): make sure you have another backup system, one which clones the hard drive. First restore from the clone, then use Time Machine to restore everything from your current backup (assuming your Time Machine backup is newer than the clone).
Hard way (without a clone backup): you may try using advice from apk5WEyJOQ at MacRumors.
This should work, except for FileVault. I suggest that before starting up the computer, you create a folder /Users/$username and an encrypted disk image inside it (as per Step 1), then copy the contents of FileVault backup folder into it. If anyone does this, please share.
I'm not sure what restoring through Time Machine will do with the $username alias in /Volumes -- I hope it won't follow the link and write the files in plaintext.
Notes
There is a known issue with certain files and folders not appearing in backups. I don't know if this applies to all Time Machine users, or only happens when using this technique for FileVault. In my experiments, these are files and folders anywhere inside the home folder, which start with the name of the home folder. E.g. in home folder jake any file or folder like 'jakes' or 'jakes story.rtf' will not be copied to the backup. The exception is files that have exactly the same name as the home folder (with or without an extension on the end). For example, a file or folder named 'jake' WILL be backed up, so will a file called 'jake.mov,' and even 'jake.'.
FileVault's raw .sparsebundle file will never be backed up with this setup, because Time Machine only tries to back it up when the FileVault user is logged out; but when that user is logged out, the password in their login keychain can't be accessed, so $computername.sparsebundle can't be opened automatically. You would need to mount the backup disk image manually and start TM manually. Alternatively, you can add your user folder to TM's exclusions list.
System keychain versus login keychain: A thanks to zegor for the hint "Create networkable and copyable Time Machine backups" which gave me the idea of storing the password in the keychain, and to mantrid who pointed out why it's insecure to store it in the System keychain. The problem is that another admin user can view the System keychain items. If a thief steals your Mac, they can reset an admin password, and access the System keychain. Then plug in your backup, and there are all your files.
FileVault sparsebundles 'Capacity': Big thanks to chunky23 for this. OS X sets a FileVault sparsebundle's 'Capacity' to twice the size of the hard drive. The 'Available' figure is either the amount of room left in the sparsebundle's 'Capacity,' or the amount of room left in the hard drive, whichever is smaller.
The 'Used' figure is simply 'Capacity' minus 'Available'. So when the sparsebundle's 'Capacity' is bigger than your hard drive's true capacity, the 'Used' figure is more (perhaps many times more) than the real amount of data used. Confusing? For example, a 500 GB hard drive gives a FileVault sparsebundle with a 1000 GB 'Capacity'. If the hard drive holds 200 GB of data, 100 GB of which is in the FV sparsebundle, then the hard drive has 300 GB free and the FV sparsebundle has 900 GB free, so the sparsebundle's 'Available' is reported as the smaller figure, 300 GB, and its 'Used' as 1000 - 300 = 700 GB.
When beginning a backup, TM calculates how much room it thinks it will need, partly based on this inflated 'Used' size of the sparsebundle (e.g. 700 GB). If this is larger than the backup hard drive, it refuses to back up. Otherwise, it starts to back up, but if it thinks the backup drive is too full, it deletes old backups to make room. The actual backup will take much less room than it expects (e.g. 200 GB), leaving many empty gigabytes (700 - 200 = 500 GB), but next time TM will again delete more backups to keep this large empty space (500 GB).
Restarting didn't cause a problem: Another user mentioned elsewhere that after restarting, his backup started afresh and backed up everything again rather than incrementally. I got a message in console saying com.apple.backupd[x] Event store UUIDs don't match for volume: $username, but the following backup was only small.
[crarko adds: OK, this is a very long and complicated process (and was quite a difficult edit). This procedure sounds pretty experimental, so I would be sure to have a full clone of my drive before attempting to do this. We've had hints about encrypted Time Machine backups before, but being able to handle FileVault is something of the Holy Grail of backups. Let's just be sure it's not the Monty Python version. If any of you are inclined to try this I'd love to hear how it goes, and please let me know if there are any errors in this. I won't be too surprised if there are.]
Mac OS X Hints
http://hints.macworld.com/article.php?story=20110502044636108