andyeb

Encrypting Time Machine backup

Does anyone know if it's possible to encrypt the disk used to hold a Time Machine backup?

 

I use my Mac for both my business (i.e. commercially sensitive stuff) and personal use; I'm worried about the commercially sensitive stuff, should my Time Machine external hard disk get stolen.

 

If there is a way to do this without losing what's on the disk, that would be even better. I do have a few spare external HDs around though... I really don't want to lose my Time Machine history.

Edited by andyeb


OS X doesn't by itself. There used to be some packages that did driver-level encryption of hard disk data - LaCie's SilverLining was one I used under OS9. It didn't allow you to encrypt an existing drive though - it had to be done when creating the partition. I don't know that it supports OSX, I haven't used it lately.

 

I use a different approach these days: I keep all sensitive data (personal finance, business & client data) in OS X encrypted disk images. (Create with Disk Utility, specify AES encryption, and they require a password to access, but once opened they behave pretty much like any external volume or folder. You can browse them in Finder, and open or save files to them like any other folder. You don't usually notice they are there (except when you supply the password that you didn't put on the Keychain.) OS X decrypts the file content "on the fly", so there's no clear text copy of the data lying around if your laptop or computer or disk drive is stolen.) If you wish, you can put the password(s) into the keychain, and they'll open themselves anytime you're logged in with the keychain open.

 

In this way, the encrypted .dmg file is all that ever exists and all that ever gets stored on my mac or backed up - to my Time Machine drive, to my Carbon Copy Cloner backup, and to my more permanent DVD backups.

 

I go even further by putting my OS X Mail data on an encrypted disk image, too, since every now and then some emails include personal info or passwords or "secret questions." But I leave the iTunes and iMovie and "ordinary" data alone.

 

Some disadvantages to consider:

- If you change any file in the encrypted disk image, it's the entire disk image that changes, and your Time Machine backup will back up the whole thing, so you use a little more Time Machine space. (I minimize this by using a different disk image for each project or purpose - e.g. "Taxes2007", "Taxes2008", etc.) I treat disk images as casually as folders.

- There's a minor performance hit since files are decrypted as they are accessed or written. Usually that's not noticeable, unless you're using it for very hi-rez image editing or video.

- The .dmg files, and any backups of them, are only accessible from OSX. So in an emergency, you won't be able to take a backup over to a Windows PC and get to your data. (Depending on the data, there may not be a Windows program that can read it, anyway.)

 

There are other utilities for encrypting data in folders. I think the disk image encryption built into OSX is excellent, and the only reason to consider a different solution would be if you wanted something cross-platform that could access your encrypted data on a Windows or Linux PC.

 

(BTW, back in the 80s I had an external SCSI HD for my original FatMac stolen during a burglary, so your concern is not unfounded.)

Edited by car1son


Get PGP whole disk encryption. It will encrypt your internal hard drive as well as all external drives including flash drives. It's well worth the $120 or so. Victor C & George Starcher of the Typical Mac User Podcast did a show on PGP a few months ago. Listen to that for all the information that you need to know about setting this up. PGP is a highly regarded product.


I used to use FileVault (the encryption technology built in to OS X), and use Carbon Copy Cloner to back up my laptop. But something kept bothering me, I couldn't understand how I could get a proper backup of my drive while logged in to the machine, knowing what I know about how (whole-disk) encryption works, so I checked the CCC website, and found my suspicions to be correct:

Working with FileVault home directories

 

FileVault protects the contents of your home directory by enclosing it in an encrypted disk image. When you log in, the encrypted disk image is unlocked via your login and password and mounted for use as your home directory. Mounted disk images pose an interesting problem to incremental backup utilities. By simply being mounted and accessed (e.g. via browsing the contents), the content of a disk image, and thus the disk image file itself, is modified. If you run CCC while logged in to a FileVault-protected account, there is a strong chance that the FileVault disk image will be modified while it is being backed up, resulting in a corrupted version of the disk image on your backup volume. Also, because the contents of your FileVault-protected home directory are technically on another volume, CCC will not back up the contents of your home directory when backing up your root filesystem (e.g. your boot drive).

 

For these reasons, you should either exclude your FileVault disk image file from your backup routine while logged into a FileVault-protected account (and set up a separate routine for backing up the contents of your home directory), or you should only run CCC while logged into an account that is not protected by FileVault.

http://www.bombich.com/software/docs/CCCHe...l?page=overview

It's worth noting that this will probably be an issue with other means of whole-disk encryption, as well as FileVault, as I believe they all use pretty much the same methods for encrypting the disk.


Thanks for your help guys. So say I went with TrueCrypt, what would be the process I'd need to go through, starting with my existing Time Machine backup disk? I'm a little concerned about wiping out my existing backup history.

Thanks for your help guys. So say I went with TrueCrypt, what would be the process I'd need to go through, starting with my existing Time Machine backup disk? I'm a little concerned about wiping out my existing backup history.

 

 

I'm not a Time Machine user so I'm not the person to ask.

 

Have you tried the TrueCrypt forums?

Edited by mobilexile


By the way, if you are running Leopard, you can use encrypted sparse bundle disk images. These give you the benefit of using an encrypted disk image for your files, but they are stripped (http://en.wikipedia.org/wiki/Sparse_image) so that small changes don't lead to the entire disk image file changing, only the strip(s) affected by the change. That way, when Time Machine goes to back up the image, it should only need to back up the modified strips.


For "stripped" you may wish to read "striped" - or "banded" as the Wikipedia article terms it.

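An added illustration, not written by any poster in this thread, of the backup-size point raised above: a backup tool that copies whole changed files must re-copy a single-file encrypted image after any edit, while a banded (sparse bundle) image only exposes the touched band files. The 64 MiB image size, the 8 MiB band size, the function names and the modelling of an encrypted write as an in-place change to the stored bytes are all assumptions made for the example.

```python
import hashlib

MIB = 1024 * 1024
BAND_SIZE = 8 * MIB      # assumed band size for the banded image
IMAGE_SIZE = 64 * MIB    # constructed example: a 64 MiB encrypted image


def split_files(image, band_size):
    """Return the image as the list of files a backup tool would see.

    band_size=None models a single-file .dmg; otherwise one file per band,
    as in a sparse bundle.
    """
    if band_size is None:
        return [bytes(image)]
    return [bytes(image[i:i + band_size])
            for i in range(0, len(image), band_size)]


def snapshot(files):
    """Hash every file, like a backup tool recording what it has stored."""
    return [hashlib.sha256(f).digest() for f in files]


def bytes_to_copy(before, after_files):
    """Total size of the files whose content differs from the last snapshot."""
    after = snapshot(after_files)
    return sum(len(f) for old, new, f in zip(before, after, after_files)
               if old != new)


def incremental_cost(band_size, write_offset, write_len):
    """Bytes a file-level incremental backup copies after one small write."""
    image = bytearray(IMAGE_SIZE)  # stand-in for the stored ciphertext
    before = snapshot(split_files(image, band_size))
    # Assumption: the write only changes the stored bytes at that location.
    image[write_offset:write_offset + write_len] = b"\xff" * write_len
    return bytes_to_copy(before, split_files(image, band_size))


if __name__ == "__main__":
    for label, band in (("single-file image", None), ("banded image", BAND_SIZE)):
        cost = incremental_cost(band, write_offset=20 * MIB, write_len=4096)
        print(f"{label}: {cost // MIB} MiB copied for a 4 KiB change")
    # A write that straddles a band boundary dirties two bands.
    straddle = incremental_cost(BAND_SIZE, 8 * MIB - 100, 4096)
    print(f"banded image, boundary write: {straddle // MIB} MiB copied")
```
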
