10.5: Insure that Time Machine runs on FileVault accounts
Authored by: noworryz on Nov 28, '07 03:58:08PM

I did several experiments to confirm this hint and found that its main conclusion is wrong, although the problem the hinter described does exist.

The hint states that Time Machine only backs up a FileVault user's home directory while the user is in the process of logging out and at no other time. Actually, Time Machine will back up FileVault directories whenever all of the following are true:

  1. Time Machine is enabled.
  2. The FileVault user is logged out.
  3. The backup USB disk is connected to the Mac and powered on.
  4. The computer is not asleep.
  5. Any other user is logged in (even a non-admin user or one running the screen saver).
  6. The logged-in user has not ejected the USB disk; i.e., the disk is mounted.
  7. The hourly time for a backup occurs or the user selects "Back Up Now."

So, while it is true that plugging in the USB drive at the Login prompt dialog will not allow backups, one can create a dummy non-admin account and log into it after plugging in the USB drive. This may be preferable to logging in and out of the FileVault account because, for the dummy account, you can have an easy/insecure password, turn parental controls up to the max, run the screen saver and lock the screen, and/or just walk away as soon as you enter the dummy username and password without fear of data theft from the FileVault account.

The worst thing to do is to leave the FileVault user logged in while transporting a laptop to its home site for USB disk connection and backup. If the laptop is lost during transport, the FileVault directory is left unencrypted and accessible by an admin user.

The time of the last backup of a FileVault directory is surprisingly hard to determine. Open your USB drive and /Backups.backupdb/machine_name. The modification time of the "Latest" alias is the last backup time, which may or may not include the FileVault directory. Open the Latest/disk_name/Users/user_name directory. If you see a file with the ".sparseimage" extension, its modification time is the time of the last backed-up change to the user's home directory. If you see a file with the ".sparsebundle" extension, right-click or control-click to select "Show Package Contents," then open the Bands directory. The modification time of the newest file is the time of the last backed-up change to the user's home directory (select list view and sort by Date Modified). Note that the time of the last backed-up change to the user's home directory must always be before the last backup, usually just before the user logged out.

[ Reply to This | # ]
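
The Finder check described in the comment above can be scripted. This is an added example, not part of the original post: it takes the Latest/disk_name/Users/user_name folder and returns the newest modification time of the `.sparseimage` file or of the band files inside a `.sparsebundle`. The function names and the sample tree are assumptions made for illustration.

```python
import os
import tempfile
from datetime import datetime
from pathlib import Path


def last_backed_up_change(user_dir):
    """Return (path, mtime) of the newest FileVault data under user_dir, or None.

    user_dir is the Latest/disk_name/Users/user_name folder on the backup disk.
    """
    best = None
    for entry in Path(user_dir).iterdir():
        if entry.suffix == ".sparseimage" and entry.is_file():
            files = [entry]  # single-file image: use its own mtime
        elif entry.suffix == ".sparsebundle" and entry.is_dir():
            # Bundle: the data lives in band files; take the newest one.
            files = [f for d in entry.iterdir()
                     if d.is_dir() and d.name.lower() == "bands"
                     for f in d.iterdir() if f.is_file()]
        else:
            continue
        for f in files:
            mtime = f.stat().st_mtime
            if best is None or mtime > best[1]:
                best = (f, mtime)
    return best


def build_sample(root):
    """Constructed sample: a bundle with three bands and fixed modification times."""
    bands = Path(root) / "user_name.sparsebundle" / "bands"
    bands.mkdir(parents=True)
    for name, mtime in (("0", 1196200000), ("1a", 1196290000), ("2", 1196250000)):
        (bands / name).write_bytes(b"\0")
        os.utime(bands / name, (mtime, mtime))
    return Path(root)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        path, mtime = last_backed_up_change(build_sample(tmp))
        print(path.name, datetime.fromtimestamp(mtime).isoformat())
```

A result of `None` means the folder holds no FileVault image at all, which is different from an old timestamp and worth treating as a missing backup.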

10.5: Insure that Time Machine runs on FileVault accounts
Authored by: mofo@twobitblues on Nov 29, '07 11:56:55AM

What if I have a FireWire drive?



10.5: Insure that Time Machine runs on FileVault accounts
Authored by: noworryz on Nov 29, '07 03:50:55PM

FireWire is the same as USB, as far as Time Machine is concerned.



10.5: Insure that Time Machine runs on FileVault accounts
Authored by: noworryz on Dec 03, '07 09:58:39AM

Several forum members have asked about "Safe Sleep" and what it means for FileVault. Safe sleep stores the entire contents of memory in the file /var/vm/sleepimage when the computer is put to sleep. With previous versions of the operating system, some people reported that cleartext FileVault passwords could be found in the file. More recently, the file appears to be encrypted but with the encryption key stored in the header of the file. Some file attributes have also been changed to make reading more difficult.

One difficulty is that the code for this is Apple proprietary so doing a security audit is very difficult. In any case, sleeping when logged into a FileVaulted account appears to be very insecure. Users may want to disable safe sleep using this hint. If not, logging out of the secure account and logging into a dummy account may help, especially if an application is then run that allocates large amounts of memory before putting the computer to sleep.
