This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.
[!1Password] FileVault Encryption and Time Machine
Hi guys,
I'm not really sure where to post this, but Agile seems to have a community focused around this, so this seems like a good place!
I'm looking to enable FileVault encryption on my MacBook, but by default this means that Time Machine will not backup the volume unless I'm logged out. Additionally, I'd like to encrypt my Time Machine backup both at home and at work as it contains a fair bit of sensitive information.
I've found some articles describing how to enable Time Machine backups while logged in, and a little bit of information on how to encrypt the TM volume itself.
What I'd like to know is: is this the right approach? I'm wondering if I'm maybe just using the wrong tools...
Cheers,
Comments
[quote name='kop48']Hi guys,
I'm not really sure where to post this, but Agile seems to have a community focused around this, so this seems like a good place!
I'm looking to enable FileVault encryption on my MacBook, but by default this means that Time Machine will not backup the volume unless I'm logged out. Additionally, I'd like to encrypt my Time Machine backup both at home and at work as it contains a fair bit of sensitive information.
I've found some articles describing how to enable Time Machine backups while logged in, and a little bit of information on how to encrypt the TM volume itself.
What I'd like to know is: is this the right approach? I'm wondering if I'm maybe just using the wrong tools...
Cheers,[/QUOTE]
My opinion on the matter is that Time Machine is a GREAT tool because it makes backup so EASY. It enables people who would have never backed up otherwise to have an easy to use accessible interface to backing up and restoring files (and even the entire system). I use Time Machine on non-mission critical things, or as an addition to other backup solutions. I think if you are concerned about encryption of backups, Time Machine is probably not the right tool for you.
What I do:
Everything is stored on Dropbox. Things that are sensitive are stored in Knox encrypted vaults or otherwise encrypted (i.e., Agile Keychain is already encrypted). This serves both as a sync tool and a poor-man's-backup.
I use FileVault on both of my Macs
I SuperDuper! clone the hard drive of my stationary Mac at least once per day
and I turn Time Machine on and have it backup to a Time Capsule
So far I've never lost a file I didn't intend to lose. Knock on wood.
The most important part of choosing a backup solution is making sure you will be able to restore from it in a timely fashion (as defined by you). If you can't restore, what is the point in having a backup? IMO convenience and security concerns are tied for 2nd place. If it isn't convenient, I'm not going to remember/take the time to do it. If it isn't done regularly, it's pointless. Encryption may or may not be as important. Where is the backup being stored? What is contained in it? What would you have to do if that backup were lost or stolen (beyond creating a new backup)? For me, the backups are locked in my room which is locked in my house. They don't travel with me. Any data I save while on the road is synced to my home machine and then backed up from there. The likelihood of loss or theft is very low. Anything sensitive is already otherwise encrypted. So an encrypted backup is not so important to me. To you, it may be.
Hmmm that's some things to consider. I may be looking at this the wrong way. Yes, my need to encrypt is more closely related to the theft of my laptop than it is of my home backup. I was considering using Knox, but I use a PC at home and hence would not be able to mount the volumes! :(
The reason I wanted to encrypt my TM volume is that I also keep a backup at work. If I think about it, however, since I now use Dropbox, there's not really any need to maintain the second backup. Enabling TM backups with FileVault enabled doesn't seem to be too hard, so I might just go down that path.
Cheers for the help!
[quote name='kop48']Looks like you can encrypt TM backups, but you need to hack it a bit. I found the useful info here:
[url]http://forums.macosxhints.com/showthread.php?t=94173&page=2[/url][/QUOTE]
I looked at exactly that discussion a few months back, and what concerned me (to put things very mildly) was that the person reported that they couldn't browse their TM backup and that they had never tested restoring from their encrypted backup. One can always have a very "secure" backup by backing up to /dev/null (in Unix-speak), but that is only if we forget that security of a backup needs to include the ability to restore data from the backup. If we can't restore from it, it is completely useless.
My intuition here is that it is probably a mistake to try to coerce Time Machine into something that it is not designed to do. As I said, I would love it if Apple had designed Time Machine for encrypted backups (with reliable restore from those backups), but that hasn't happened (yet).
Also, do consider Bob's suggestion seriously. If you put the things that you need encrypted into Knox Vaults, the vaults will be efficiently backed up to Time Machine and will remain encrypted in those backups. Doing something simple and reliable (but partial) is often better than seeking a complicated, fragile total solution.
Finally, depending on how good your Unix-fu is, the approach I personally would explore if I really insisted that my entire backup be encrypted would be using rsync (via rsnapshot) to an encrypted volume. Again, it would take a fair amount of experimentation to verify that the restoring from the back-ups is possible. But again, what would work for me isn't what I recommend to everyone. I already use rsnapshot on my FreeBSD servers, so it's a tool I'm familiar with. And I'm an old Unix geek to begin with.
[url]http://dilbert.com/strips/comic/1995-06-24/[/url]
(I no longer have the scruffy beard, but that's just because I've moved to a much warmer climate.)
It should be noted that while rsync is clever about detecting changed files, it is not nearly as clever as Time Machine is, so while having Time Machine do backups hourly works quickly, with rsync I would recommend that it only be run a couple times a day at most because each run will involve more disk reading. (Again, this will require some experimentation which I haven't done.)
Again, though, the lesson here should be that while it can be fun to think about "ideal" solutions, it is often just better to go with more direct ones. So using regular Knox Vaults and just doing normal Time Machine backups should get you 95% of what you are looking for with only 5% of the effort and complexity of completely encrypted Time Machine backups.
As always, it is great talking with you.
Cheers,
-j
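The rsnapshot approach mentioned above, as an added example rather than anything from this thread or from the rsnapshot project: a small POSIX shell script that does what rsnapshot does under the hood (each run copies only files that changed and hard-links everything else to the previous snapshot), plus the restore check the post keeps insisting on. It assumes the destination directory lives on a filesystem that supports hard links (an HFS+-formatted encrypted disk image mounted under /Volumes qualifies; FAT volumes and many network shares do not), that paths contain no newlines, and that encryption is provided by the volume the snapshots are written to; the script itself encrypts nothing.

```sh
#!/bin/sh
# rsnapshot-style hard-link snapshots plus a restore check (added example, not
# the thread author's setup). Assumes DEST is on a filesystem with hard links,
# e.g. an encrypted disk image mounted under /Volumes, and newline-free paths.
set -eu

# Number of hard links to a file, taken from the second field of ls -ld.
link_count() {
    set -- $(ls -ld "$1")
    echo "$2"
}

# snapshot SRC DEST NAME
# Copies SRC into DEST/NAME. A file that is byte-for-byte identical to its copy
# in the previous snapshot (DEST/latest) is hard-linked instead of copied, which
# is what rsnapshot does with cp -al / rsync --link-dest, so a snapshot costs
# only the bytes that changed. Every file is still read once per run.
snapshot() {
    src=$1; dest=$2; name=$3
    new="$dest/$name"; prev="$dest/latest"
    mkdir -p "$new"
    (cd "$src" && find . -type d) | while IFS= read -r d; do
        mkdir -p "$new/$d"
    done
    (cd "$src" && find . -type f) | while IFS= read -r f; do
        if [ -f "$prev/$f" ] && cmp -s "$src/$f" "$prev/$f"; then
            ln "$prev/$f" "$new/$f"     # unchanged: share the inode
        else
            cp -p "$src/$f" "$new/$f"   # new or changed: fresh copy, new inode
        fi
    done
    rm -f "$prev"
    ln -s "$name" "$prev"               # DEST/latest -> newest snapshot
}

# restore_and_verify SNAPSHOT TARGET
# Copies SNAPSHOT into TARGET and then compares every file byte for byte.
# Returns non-zero on the first mismatch, so a cron job can fail loudly.
restore_and_verify() {
    snap=$1; target=$2
    mkdir -p "$target"
    (cd "$snap" && find . -type d) | while IFS= read -r d; do
        mkdir -p "$target/$d"
    done
    (cd "$snap" && find . -type f) | while IFS= read -r f; do
        cp -p "$snap/$f" "$target/$f"
    done
    (cd "$snap" && find . -type f) | while IFS= read -r f; do
        cmp -s "$snap/$f" "$target/$f" || { echo "MISMATCH: $f" >&2; exit 1; }
    done
}

# Demo on a constructed tree (run as: sh snapshot.sh demo).
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    mkdir -p "$work/src/docs"
    printf 'alpha\n' > "$work/src/docs/a.txt"
    printf 'beta\n'  > "$work/src/b.txt"
    snapshot "$work/src" "$work/backup" "snap.1"
    printf 'beta changed\n' > "$work/src/b.txt"
    snapshot "$work/src" "$work/backup" "snap.2"
    echo "a.txt links: $(link_count "$work/backup/snap.2/docs/a.txt") (shared)"
    echo "b.txt links: $(link_count "$work/backup/snap.2/b.txt") (copied)"
    restore_and_verify "$work/backup/snap.1" "$work/restore" && echo "restore OK"
    rm -rf "$work"
fi
```

Two things worth knowing before relying on this pattern with rsnapshot or anything like it: because unchanged files share an inode across snapshots, a file in an old snapshot must never be edited in place (the edit would appear in every snapshot that links to it), which is why changed files always get a fresh copy here; and a verify run that restores into a scratch directory and compares checksums is the cheapest way to turn "I think the backup works" into something you have actually observed.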
I can't use Knox, as my Documents folder is synced back to my Windows box too!
I've done a full backup using this, and it seems to be able to browse fine. TM appears to use a folder structure when mounting a local drive, and a sparse bundle when mounting a network share. If you create a sparse bundle on the local drive, it just operates as if it was over the network. I was able to browse my previous backups, knowing I'd deleted files. You just need to make sure that the system keychain has the sparse bundle's key, and TM can mount it fine. I haven't tested restoring, but it should be fine using the Migration Assistant after having done a clean OS X install. I'll try restoring a single file when I get back to work tomorrow.
Been following the discussion, thanks for that post Ben. Answered a question in the back of my head.
[quote name='bwoodruff']It doesn't. :P
That's what the SuperDuper! backup as well as Dropbox is for.[/QUOTE]
Not quite! It DOES work, but only when you're logged out.
You CAN make it work, however, using these instructions: [url]http://www.macosxhints.com/article.php?story=20100123173425191[/url]
WARNING: I haven't tried this yet!! I will give it a go once I can work out how to get FV working on an existing install.
[quote name='kop48']I can't use Knox, as my Documents folder is synced back to my Windows box too![/QUOTE]
Ah, that's right. You mentioned that earlier in this thread.
[QUOTE]
I've done a full backup using this, and it seems to be able to browse fine. TM appears to use a folder structure when mounting a local drive[/QUOTE]
That is outstanding news! Thank you for testing this out.
Cheers,
-j
[quote name='kop48']Ok, bad news. The TM interface doesn't work properly. You need to restore files by browsing manually. It's not too bad a tradeoff...[/QUOTE]
Again, thanks for testing. The value of the trade-off depends highly on ones circumstances and tastes. If you ever need to do a full restore this might be a problem. But it's great that you can browse and do individual file restoration.
It really is great that you'd figured this out. I had been wanting to test all of this myself at some point, but never got around to it.
Cheers,
-j
I haven't really looked at locking and FileVault. If anyone knows off-hand how difficult it is to get around a screensaver lock (without rebooting) that would be great. If not, I'll try looking that up.
Cheers,
-j
Maybe I'm misunderstanding something, but (unless you're intent on encrypting [i]everything[/i] for some reason) you can easily create encrypted disk images with Disk Utility as a separate filesystem for your sensitive files, which can then be backed up by Time Machine along with everything else on the disk. It's not nearly as elegant as Knox, but it's built into the filesystem support in OS X, and therefore ubiquitous (without having to install additional software to access it).
If you're serious about full disk encryption, I've heard good things about TrueCrypt.
[quote name='brenty (toromei)' timestamp='1283058888' post='10025']
If you're serious about full disk encryption, I've heard good things about TrueCrypt.
[/quote]
I don't think TrueCrypt supports system encryption (whole disk encryption on the startup volume) under Mac OS X: http://www.truecrypt.org/docs/?s=sys-encryption-supported-os
I wish it did. :-(
As much as they tout it as "cross-platform" TrueCrypt barely adds more than the existing encrypted disk image functionality in OS X. :-(
On Windows it's pretty sweet, though. :-)
[quote name='khad' timestamp='1285611986' post='12136']
As much as they tout it as "cross-platform" TrueCrypt barely adds more than the existing encrypted disk image functionality in OS X. :-(
On Windows it's pretty sweet, though. :-)
[/quote]
Indeed. The 'cross-platform' aspect comes into play when you need to access your Mac's TrueCrypt volume with a Windows (or Linux) PC. It isn't a perfect, all-encompassing solution, but it's getting there. :)