Encrypt Time Machine and Time Capsule backups

Today at work we got a Time Capsule for everyone’s backups. While this may not be the best answer for a company backup solution, it’s still better than what most companies I’ve worked for have had (read: nothing). With the Time Capsule in plain sight of the glass door, and everyone’s files saved on it, it would be pretty easy for someone to break in, unplug it, and walk away with a copy of every file on everyone’s computer.

There’s a solution to this. Encrypt the sparsebundle images.

  • Set up Time Machine to back up to an AFP drive. I don’t think this will work with a local hard drive.
  • Let Time Machine start backing up, then stop the back up. This will have created <machine_name>_<mac_address>.sparsebundle on the AFP drive.
  • Disable Time Machine.
  • Open a Terminal and run these commands:
    $ cd /Volumes/<AFP Drive>/
    $ mv name_mac.sparsebundle name_mac-old.sparsebundle
    $ hdiutil convert -format UDSB -o name_mac.sparsebundle -encryption AES-256 name_mac-old.sparsebundle

    It will ask you for a password. Type in a password you won’t forget.
  • Double click the sparsebundle in the GUI. You will be prompted for your password. Type that in and tick the “Remember password” check box.
  • Open /Applications/Utilities/Keychain Access and find name_mac.sparsebundle. Right click it and select Copy name_mac.sparsebundle.
  • Select System Keychain on the left hand side of Keychain Access and paste it in the main area. Allow this action if you are asked. Remember to lock the System Keychain when you are done.
  • Time Machine should have no problem backing up to the encrypted volume. If everything works as planned, feel free to delete name_mac-old.sparsebundle.
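The rename-and-convert steps above, wrapped in a script with the checks you would want before touching a live backup. This is an added example, not code from the original post: it assumes hdiutil is present (macOS only), that DRY_RUN=1 is the script’s own convention for printing commands instead of running them, and that `hdiutil info` lists the path of each attached image. The optional size cap and the MachineID.plist copy come from the comments below.

```sh
#!/bin/sh
# Added example, not from the original post. hdiutil only exists on macOS;
# DRY_RUN=1 (an assumed convention of this script) prints the commands instead
# of running them. hdiutil convert prompts for the passphrase on the terminal.
set -eu

# Run a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# True if hdiutil lists the bundle as attached. Time Machine and hdiutil both
# fail on a mounted image, so eject first (see Richard's comment below).
# Assumption: `hdiutil info` prints the image path of each attached image.
is_attached() {
  hdiutil info 2>/dev/null | grep -Fq -- "$1"
}

# encrypt_bundle VOLUME NAME [SIZE]
#   VOLUME = mount point of the AFP share, NAME = bundle name without extension,
#   SIZE   = optional cap such as 100g (the -tgtimagekey option from comment 7).
encrypt_bundle() {
  dir=$1; base=$2; size=${3:-}
  new="$dir/$base.sparsebundle"; old="$dir/$base-old.sparsebundle"
  [ -d "$new" ] || { echo "no bundle at $new" >&2; return 1; }
  [ -e "$old" ] && { echo "refusing to overwrite $old" >&2; return 1; }
  if [ "${DRY_RUN:-0}" != 1 ] && is_attached "$new"; then
    echo "eject $new before converting" >&2; return 1
  fi
  size_opt=""
  [ -n "$size" ] && size_opt="-tgtimagekey size=$size"
  run mv "$new" "$old"
  # size_opt is intentionally left unquoted so it splits into two words.
  run hdiutil convert -format UDSB -encryption AES-256 $size_opt -o "$new" "$old"
  # Snow Leopard keeps the machine identifier inside the bundle (comment 11);
  # carry it over so Time Machine recognises the encrypted bundle as its own.
  plist="$old/com.apple.TimeMachine.MachineID.plist"
  [ -f "$plist" ] && run cp "$plist" "$new/"
  return 0
}
```

Run it as `encrypt_bundle "/Volumes/<AFP Drive>" name_mac` once Time Machine is disabled; the keychain steps that follow are still done by hand.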

Your backups are now encrypted. How this all pans out in a restore, I don’t know. I reckon a fresh install + the migration assistant is the way you’ll have to restore your computer upon disaster.

Now that you’re all secure, don’t forget those passwords.

If you’re lacking a Time Capsule for yourself, you can get one from MacMall for cheaper than Apple sells them.


14 Comments

  1. Mike D said,

    November 21, 2008 at 9:09 am

    Whoa – You had me until you said to enable FileVault. As soon as you enable FileVault, you won’t be able to use TimeMachine all the time. You will be limited to doing backups when you are logged out. If you stay logged in, no backups will occur. I do get the importance of filevault, but if you want to use timemachine and have encrypted files, you may be better off looking at some of the 3rd party encryption routines, like Checkpoint or PGP Total Disk Encryption.

  2. jason said,

    November 21, 2008 at 10:29 am

    Mike: You’re right. I had actually noticed that my home directory wasn’t in the Time Machine backups anymore. I’ve removed that line. Thanks for that catch

  3. Tom said,

    November 29, 2008 at 12:37 am

    Hi, I can’t seem to get to my Time Capsule Drive. I just get “No such file or directory” in terminal.

  4. Heiko said,

    February 7, 2009 at 1:42 am

    Worked fine for me. However, as you said, when I wanted to restore a crashed MB Air with a new empty system hard drive, I was asked whether I wanted to install from a Time Machine backup. When I selected that, instead of prompting me for the password, it just said it couldn’t get access. So I had to first create a new account, then mount the encrypted image and store passwords in the system keychain, and then run Migration Assistant. However, the next trouble then was that the backup created another user, and some MS Office installation (that hadn’t been backed up) went weird when confronted with the restored account and kept whining about some missing database.
    So what I did now is decrypt the whole backup again and retry to do a straight restore without extra accounts and stuff. I’ll see.
    Just to let you know my ‘Case Study’.
    Cheers – Heiko

  5. Martin said,

    March 31, 2009 at 9:33 am

    Heiko,
    please let us know the command for decrypting the sparseimage.
    Simply convert with the same command without

    in the middle?
    YES
    just tested
    hdiutil convert -format UDSB -o __new.sparsebundle __.sparsebundle

  6. Martin said,

    March 31, 2009 at 9:34 am

    sorry commands not correctly displayed

    command to decrypt should read

    hdiutil convert -format UDSB -o name_macaddress_new.sparsebundle name_macaddress.sparsebundle

  7. Sebastien Varrette said,

    April 14, 2009 at 2:35 am

    Hi,

    For info, to limit the maximum size of the backup (100G in this example), the convert command is the following:

    hdiutil convert -format UDSB -o name_mac.sparsebundle -encryption AES-256 -tgtimagekey size=100g name_mac-old.sparsebundle

  8. Iteranium said,

    April 25, 2009 at 5:08 pm

    Hey, thanks for the tutorial. I got a backup HDD out of the house and I just took a 256-bit encrypted sparseimage from Disk Utility and then put my data in there with rsync. That way I don’t have to manipulate Apple software in doing what I want. Well, rsync does not have a shiny interface, but it does what it is supposed to without any “hacks”.

  9. John said,

    October 16, 2009 at 3:20 pm

    Hmm. It seems it does not work with SL anymore. Time Machine is not using the converted sparseimage, it always creates a new one called name_mac1.tmp.sparseimage and uses this.

    Any ideas?

  10. Richard said,

    October 28, 2009 at 2:49 am

    One glitch for me – when you double click the sparsebundle in the GUI (i.e. Finder) the image is mounted. After you have created the keychain entries, but before you start TM on the bundle, I needed to eject (unmount) the sparsebundle – otherwise TM seemed to think it was busy and failed to mount.

    For me I was actually creating a new bundle from scratch on a remote NAS – following the instructions here: http://www.readynas.com/?p=253

    With the extra steps above seems to work ok with encryption too…..

  11. John said,

    November 8, 2009 at 2:42 pm

    Regarding Snow Leopard, I found a fix:

    There are a few changes when creating an encrypted Time Machine backup under Snow Leopard:

    1. The name of the sparse bundle no longer contains a (which was in fact the Ethernet adapter address). It is now simply named .sparsebundle.
    2. The unique machine identifier is now hidden in the sparsebundle. After you create the encrypted image, open the contents of both sparsebundles (in the Finder, right-click on the sparsebundles, “Show Package Contents”) and move the file “com.apple.TimeMachine.MachineID.plist” from the old sparsebundle to the new one.
    3. That’s it. Start the Time Machine Backup and it should work.

    P.S. If you created your encrypted Time Machine backup under Leopard, it will still work unchanged when you upgrade to Snow Leopard. These changes apply only if you create a new Time Machine backup under Snow Leopard. Hope this helps!

    —-

    From: http://forums.macrumors.com/showthread.php?t=434960#8

  12. Sebastian said,

    May 3, 2010 at 10:36 am

    Hmm, TM seems to back up just fine (no errors, …) and Back-In-Time shows the increments.

    But: the Finder “Galaxy” view doesn’t work (makes no difference whether the encrypted sparse bundle is mounted or not): it only shows “Now” as available increment, and “Today” (greyed out). There are no older increments shown (although I can confirm that they are stored in the backup, using Back-In-Time).

    Any ideas?

  13. Sebastian said,

    May 3, 2010 at 10:38 am

    EDIT: I’m using 10.6.3, and created the encrypted sparse bundle with the same version.

  14. Peter said,

    July 17, 2010 at 11:25 pm

    @Sebastian: Did you move the com.apple.TimeMachine.MachineID.plist from the unencrypted file to the encrypted one?
    What if you place the Time Machine.app into the dock? Then right click on the dock icon, choose ‘browse other time machine disks’ and select the encrypted file.