Norbert Hartl

mostly brackets and pipes

Backup and Encryption II: Encryption

In the last article you could read how to do backups using time machine. This article adds encryption to the mix. Backing up and encrypting content are both option offered by Apple. Trying to combine them can be quite unsatisfying.

But as always you can make it work the way you want it with just a handful of tweaks.

FileVault

Apple offers you any easy way to encrypt your home directory. It is called FileVault and you can find it in System preferences -> security. If you enable it Mac OS will create an encrypted volume for you and moves your files into it. You will find your home directory replaced by the encrypted volume. I don’t know exactly what I will find because I never tried to use it. Asking friends or searching the internet unveiled that using FileVault is probably not the best idea. There are a lot of problem descriptions by people that have used it. A lot of the complaints seem to date back to a time when FileVault was still new but you can find still a lot of people that are not satisfied with it.

When it comes to encryption some things become really worse. By flipping a single bit inside an encrypted volume can loose easily 200GB of data. So it works reliable or you are in danger. And you are even more in need of a backup, right? Unfortunately there are also a lot of complaints about using FileVault in combination with time machine. It seems there are some nuts & bolts that do not work that well. This is all just speculation (I read everything I know in the internet and didn’t try a single bit on my own) but for me it is enough to decide not use FileVault.

disk images

FileVault uses an encrypted disk image to store its data. Disk images are not part of FileVault they are part of Mac OS. So you can just create your own disk image. You can create them encrypted or unencrypted, as image, as sparse image and sparse bundle image. For our purpose it is pretty clear that we want an encrypted disk image.

But what type? That is a question of style and what you are heading for. The word “sparse” means that you can create a 50GB disk image that will only use a few megabytes after creation. The image grows when you put data into it. A “sparse image” will be only one big file in the filesystem carrying all the volume data. A “Sparse bundle image” will be organized in whole directory hierarchy consisting of 8MB sized data files.

backuping up the disk image

Some people seem to solve to Encryption-TimeMachine problem in a way that they use a sparse bundle image inside their home directory for the encrypted volume. The rationale behind is that in a bundle image only a few stripes are updated if you write something to your encrypted volume. TimeMachine will pick up only the changed stripes and backups them. backing up the content of the disk imageThe previous approach is very pragmatic and will work most of the time. For sure TimeMachine will give you the right combination of stripes if you go back in time. I just cannot put enough trust into this approach. I suspect there is a good chance to flip that single bit.

I like to have my data encrypted on my Mac but unencrypted when backuped up. Or better if I think I need the backup encrypted then I like to encrypt it again at the location of the backup. This appears more reliable to me.

moving the disk image out of home

While we are not backing up the disk image itself, we don’t want TimeMachine to deal with the whole image. So we are just moving the encrypted sparse bundle image to another place on the disk.

adding the encrypted volume to TimeMachine

When you are using a disk image it is treated like another external drive that has been mounted on your system. Finder will display it side by side with your real harddisk and it will be accessible in the /Volumes/ folder. Unfortunately TimeMachine is ignoring everything in the /Volumes/ folder. With moving the disk images out of the home folder we just made everything being excluded from the backup.

TimeMachine itself lets you only specify excludes from the backup not includes. The configuration of time machine in

/Library/Preferences/com.apple.TimeMachine.plist

does not only contain the excludes you entered via the configuration dialog. It does contain the Volumes to be included, too. The section is called IncludeVolumeUUIDs (TextWrangler is a good tool to edit plist files btw.). In this post you can read how to get the Volume UUID and the the Volume key. After adding those two keys to the plist time machine includes your encrypted volume into the backup. Now you are backing up the files within your encrypted volume. You can browse the files in time machine just like any other file and you are able to restore individual files from the encrypted volume as well. I have this running for two month now and it works out well. After reboot I need to double-click the disk image to mount it. Sometimes I forgot to mount it immedialtely and time machine did a backup. As far as I can tell this isn’t a problem. TimeMachine just seems to ignore the volume “for this time”. There is no additional data backup through the presence/absence of the encrypted volume.