[!1Password] FileVault Encryption and Time Machine

kop48kop48 Junior Member
edited December 1969 in Lounge
Hi guys,

I'm not really sure where to post this, but Agile seems to have a community focused around this, so this seems like a good place!

I'm looking to enable FileVault encryption on my Macbook, but by default this means that Time Machine will not backup the volume unless I'm logged out. Additionally, I'd like to encrypt my Time Machine backup both at home and at work as it contains a fair bit of sensitive information.

I've found some articles describing how to enable Time Machine backups while logged in, and a little bit of information on how to encrypt the TM volume itself.

What I'd like to know is: is this the right approach? I'm wondering if I'm maybe just using the wrong tools...

Cheers,

Comments

  • BenBen AWS Team

    Team Member
    edited December 1969
    kop48 wrote:
    Hi guys,

    I'm not really sure where to post this, but Agile seems to have a community focused around this, so this seems like a good place!

    I'm looking to enable FileVault encryption on my Macbook, but by default this means that Time Machine will not backup the volume unless I'm logged out. Additionally, I'd like to encrypt my Time Machine backup both at home and at work as it contains a fair bit of sensitive information.

    I've found some articles describing how to enable Time Machine backups while logged in, and a little bit of information on how to encrypt the TM volume itself.

    What I'd like to know is: is this the right approach? I'm wondering if I'm maybe just using the wrong tools...

    Cheers,


    My opinion on the matter is that Time Machine is a GREAT tool because it makes backup so EASY. It enables people who would have never backed up otherwise to have an easy to use accessible interface to backing up and restoring files (and even the entire system). I use Time Machine on non-mission critical things, or as an addition to other backup solutions. I think if you are concerned about encryption of backups, Time Machine is probably not the right tool for you.

    What I do:
    Everything is stored on Dropbox. Things that are sensitive are stored in Knox encrypted vaults or otherwise encrypted (ie, Agile Keychain is already encrypted). This serves both as a sync tool and a poor-man's-backup.
    I use FileVault on both of my Macs
    I SuperDuper! clone the hard drive of my stationary Mac at least once per day
    and I turn Time Machine on and have it backup to a Time Capsule

    So far I've never lost a file I didn't intend to lose. Knock on wood.

    The most important part of choosing a backup solution is making sure you will be able to restore from it in a timely fashion (as defined by you). If you can't restore, what is the point in having a backup? IMO convenience and security concerns are tied for 2nd place. If it isn't convenient, I'm not going to remember/take the time to do it. If it isn't done regularly, it's pointless. Encryption may or may not be as important. Where is the backup being stored? What is contained in it? What would you have to do if that backup were lost or stolen (beyond creating a new backup)? For me, the backups are locked in my room which is locked in my house. They don't travel with me. Any data I save while on the road is synced to my home machine and then backed up from there. The likelihood of loss or theft is very low. Anything sensitive is already otherwise encrypted. So an encrypted backup is not so important to me. To you, it may be.
  • kop48kop48 Junior Member
    edited December 1969
    Hmmm that's some things to consider. I may be looking at this the wrong way. Yes, my need to encrypt is more closely related to the theft of my laptop than it is of my home backup. I was considering using Knox, but I use a PC at home and hence would not be able to mount the volumes! :(

    The reason I wanted to encrypt my TM volume is that I also keep a backup at work. If I think about it, however, since I now use Dropbox, there's not really any need to maintain the second backup. Enabling TM backups with FileVault enabled doesn't seem to be too hard, so I might just go down that path.

    Cheers for the help!
  • kop48kop48 Junior Member
    edited December 1969
    bwoodruff wrote:
    and I turn Time Machine on and have it backup to a Time Capsule.

    Do you enable the hack for it to backup to a sparse bundle, or do you just log out and let it back up your encrypted FileVault volume?
  • BenBen AWS Team

    Team Member
    edited December 1969
    kop48 wrote:
    Do you enable the hack for it to backup to a sparse bundle, or do you just log out and let it back up your encrypted FileVault volume?


    Neither.
    I wasn't aware of a hack.
  • kop48kop48 Junior Member
    edited December 1969
    Oh, how does TM work with FileVault enabled then? It just does? I'm about to try it, so I guess I'll know the answer soon enough. :P
  • kop48kop48 Junior Member
    edited December 1969
    Looks like you can encrypt TM backups, but you need to hack it a bit. I found the useful info here:
    http://forums.macosxhints.com/showthread.php?t=94173&page=2
  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member
    edited December 1969
    kop48 wrote:
    Looks like you can encrypt TM backups, but you need to hack it a bit. I found the useful info here:
    http://forums.macosxhints.com/showthread.php?t=94173&page=2


    I looked at exactly that discussion a few months back, and what concerned me (to put things very mildly) was that the person reported that they couldn't browse their TM backup and that they had never tested restoring from their encrypted backup. Once can always have a very "secure" backup by backing up to /dev/null (in Unix-speak), but that is only if we forget that security of a backup needs to include the ability to restore data from the backup. If we can't restore from it, it is completely useless.

    My intuition here is that it is probably a mistake to try to coerce Time Machine into something that it is not designed to do. As I said, I would love it if Apple had designed Time Machine for encrypted backups (with reliable restore from those backups), but that hasn't happened (yet).

    Also, do consider Bob's suggestion seriously. If you put the things that you need encrypted into Knox Vaults, the vaults will be efficiently backed up to Time Machine and will remain encrypted in those backups. Doing something simple and reliable (but partial) is often better than seeking a complicated, fragile total solution.

    Finally, depending on how good your Unix-fu is, the approach I personally would explore if I really insisted that my entire backup be encrypted would be using rsync (via rsnapshot) to an encrypted volume. Again, it would take a fair amount of experimentation to verify that the restoring from the back-ups is possible. But again, what would work for me isn't what I recommend to everyone. I already use rsnapshot on my FreeBSD servers, so it's a tool I'm familiar with. And I'm an old Unix geek to begin with.

    http://dilbert.com/strips/comic/1995-06-24/

    (I no longer have the scruffy beard, but that's just because I've moved to a much warmer climate.)

    It should be noted that while rsync is clever about detecting changed files, it is not nearly has clever as Time Machine is, so while having Time Machine do backups hourly works quickly, with rsync I would recommend that it only be run a couple times a day at most because each run will involve more disk reading. (Again, this will require some experimentation which I haven't done.)

    Again, though the lesson here should be that while it can be fun to think about "ideal" solutions, it is often just better to go with more direct ones. So using regular Knox Vaults and just doing normal Time Machine backups should get your 95% of what you are looking for with only 5% of the effort and complexity of completely encrypted Time Machine backups.

    As always, it is great talking with you.

    Cheers,

    -j
  • kop48kop48 Junior Member
    edited December 1969
    I can't use Knox, as my Documents folder is synced back to my Windows box too!

    I've done a full backup using this, and it seems to be able to browse fine. TM appears to use a folder structure when mounting a local drive, and a sparse bundle when mounting a network share. If you create a sparse bundle on the local drive, it just operates as if it was over the network. I was able to browse my previous backups, knowing I'd deleted files. You just need to make sure that the system keychain has the sparse bundle's key, and TM can mount it fine. I haven't tested restoring, but it should be fine using the Migration Assistant after having done a clean OS X install. I'll try restoring a single file when I get back to work tomorrow.
  • BenBen AWS Team

    Team Member
    edited December 1969
    kop48 wrote:
    Oh, how does TM work with FileVault enabled then? It just does? I'm about to try it, so I guess I'll know the answer soon enough. :P


    It doesn't. :P
    That's what the SuperDuper! backup as well as Dropbox is for.
  • thightowerthightower T-Dog Agile's Mascot Community Moderator
    edited December 1969
    Been following the discussion, thanks for that post Ben. Answered a question in the back of my head.
  • kop48kop48 Junior Member
    edited July 2010
    bwoodruff wrote:
    It doesn't. :P
    That's what the SuperDuper! backup as well as Dropbox is for.


    Not quite! It DOES work, but only when you're logged out.

    You CAN make it work, however, using these instructions: http://www.macosxhints.com/article.php?story=20100123173425191
    WARNING: I haven't tried this yet!! I will give it a go once I can work out how to get FV working on an existing install.
  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member
    edited December 1969
    kop48 wrote:
    I can't use Knox, as my Documents folder is synced back to my Windows box too!


    Ah, that's right. You mentioned that earlier in this thread.



    I've done a full backup using this, and it seems to be able to browse fine. TM appears to use a folder structure when mounting a local drive


    That is outstanding news! Thank you for testing this out.

    Cheers,

    -j
  • kop48kop48 Junior Member
    edited December 1969
    Ok, bad news. The TM interface doesn't work properly. You need to restore files by browsing manually. It's not too bad a tradeoff...
  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member
    edited December 1969
    kop48 wrote:
    Ok, bad news. The TM interface doesn't work properly. You need to restore files by browsing manually. It's not too bad a tradeoff...


    Again, thanks for testing. The value of the trade-off depends highly on ones circumstances and tastes. If you ever need to do a full restore this might be a problem. But it's great that you can browse and do individual file restoration.

    It really is great that you'd figured this out. I had been wanting to test all of this myself at some point, but never got around to it.

    Cheers,

    -j
  • BenBen AWS Team

    Team Member
    edited December 1969
    kop48 wrote:
    Not quite! It DOES work, but only when you're logged out.


    ah, but I never log out. I just lock my laptop. I realize this largely defeats of the purpose of FileVault.
  • kop48kop48 Junior Member
    edited December 1969
    bwoodruff wrote:
    ah, but I never log out. I just lock my laptop. I realize this largely defeats of the purpose of FileVault.


    haha after all that talk about string recovery etc. ;-)
  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member
    edited December 1969
    I haven't really looked at locking and FileVault. If anyone knows off-hand how difficult it is to get around a screensaver lock (without rebooting) that would be great. If not, I'll try looking that up.

    Cheers,

    -j
  • brentybrenty

    Team Member
    Maybe I'm misunderstanding something, but (unless you're intent on encrypting everything for some reason) you can easily create encrypted disk images with Disk Utility as a separate filesystem for your sensitive files, which can then be backed up by Time Machine along with everything else on the disk. It's not nearly as elegant as Knox, but it's built into the filesystem support in OS X, and therefore ubiquitous (without having to install additional software to access it).

    If you're serious about full disk encryption, I've heard good things about TrueCrypt.
  • khadkhad Social Choreographer

    Team Member

    If you're serious about full disk encryption, I've heard good things about TrueCrypt.


    I don't think TrueCrypt supports system encryption (whole disk encryption on the startup volume) under Mac OS X: http://www.truecrypt.org/docs/?s=sys-encryption-supported-os

    I wish it did. :-(
  • brentybrenty

    Team Member
    Doh. I dun look'd at the wrong thing: http://www.truecrypt.org/docs/?s=supported-operating-systems

    Additionally, I wasn't even aware that it was unsupported on 64-bit Snow Leopard, as I use it on an external drive on my mini running 10.5.

    That's a shame.
  • khadkhad Social Choreographer

    Team Member
    As much as they tout it as "cross-platform" TrueCrypt barely adds more than the existing encrypted disk image functionality in OS X. :-(

    On Windows it's pretty sweet, though. :-)
  • brentybrenty

    Team Member
    khad wrote:

    As much as they tout it as "cross-platform" TrueCrypt barely adds more than the existing encrypted disk image functionality in OS X. :-(

    On Windows it's pretty sweet, though. :-)


    Indeed. The 'cross-platform' aspect comes into play when you need to access your Mac's TrueCrypt volume with a Windows (or Linux) PC. It isn't a perfect, all-encompassing solution, but it's getting there. :)
This discussion has been closed.