An Update on Encrypting Backups

A couple weeks ago, I finally pulled the trigger and upgraded to Lion.

One of the best parts about Lion is FileVault 2.  This has completely eliminated the need for my (hacky and unsupported) prior backup encryption method.

Encrypting your backup drives is now not only fully supported, but is downright easy.  When you plug in a drive to set up Time Machine for the first time, it simply asks you if you’d like to encrypt it.  Bam!  Done.

There has been a security exploit, unfortunately, but it’s easy to mitigate.  Good enough for my uses anyway.

technology


Encrypting a Time Machine Backup

Update for Lion (10.7+), please read!

I use Time Machine.

It’s not perfect[1], but it’s automatic. Set it, forget it, and you have incremental backups. As I’m very serious about backing up, it is only one prong in a multi-tiered backup strategy—albeit, one of the easiest prongs.

In my office, I have an internal hard disk plugged into a Rosewill USB dock[2]. This works great, but I worry about one thing: it would be very easy to walk away with.

By default, Time Machine backups are not encrypted. The only Apple-supported method of having an encrypted Time Machine backup is to use FileVault to encrypt your home directory. Unfortunately, this has a serious downside—you must be logged out to back up. Since this defeats the purpose of set it and forget it, I tried to figure out another way to accomplish this. This is the method I have found through a variety of sources[3]. Note, as of writing this I have only done this under 10.6 (Snow Leopard). There are slightly different steps for Leopard.

Disclaimer: This method is unsupported by Apple. It’s working fine for me, but you do so at your own risk!

Starting a Fake Time Machine Backup

You will need access to a writeable AFP shared folder on another computer. This is easy if the other computer is also a Mac, but it can be accomplished in Linux too[4]. There might be a way to get this to work using a single computer, but as I have access to more than one Mac, I didn’t bother to attempt it. This process will go much faster if this other computer is on your local network. Below, I will use “computer two” to refer to this other computer.

  1. On computer two, set up a shared folder and give yourself write permissions.
  2. Back on computer one, mount the shared folder.
  3. Go into the Time Machine settings and set that mount as your backup disk.
  4. Go to the Time Machine menu item or Dock icon and select “Back Up Now.” Time Machine will start running and the status bar will say “Preparing…” for a bit. Do not cancel it until it switches from saying “Preparing…” to “Backing up [X] items.”
  5. Once it switches to saying “Backing up [X] items,” stop the backup. Time Machine will take a minute to cleanly finish. Once it is done, use the Time Machine preferences to turn Time Machine off (just to prevent it from trying to back up before we are ready).
  6. In the mounted shared folder on computer two, there will now be a file called [Computer Name].sparsebundle (where [Computer Name] is your computer’s name). Copy this to your computer somewhere temporary. You can now disconnect from computer two (and don’t forget to clean up and remove the shared folder if you created it just for this task).

Creating the Sparsebundle

  1. Fire up Disk Utility, and go to File > New > Blank Disk Image.
  2. In the Save As field, enter the same [Computer Name].sparsebundle that Time Machine created above; however, save this to the top level of your external hard drive.
  3. In the Name field, enter “Time Machine Backups”.
  4. In Size, go to “Custom…”. Here, enter the max size you would like the Time Machine backup to take. Ideally this should be at least twice the size of your primary volume and can be as big as your external drive. If you want to just set it to the size of your external drive, you can simply set it to something bigger than the external drive (e.g., 2TB if it’s a 1TB drive). Disk Utility will automatically scale it to the max size.
  5. In Format, select “Mac OS Extended (Case-sensitive, Journaled).”
  6. In Encryption, select “256-bit AES encryption (more secure, but slower).”
  7. In Partitions, select “Single partition – GUID Partition Map.”
  8. In Image Format, select “sparse bundle disk image.”
  9. Hit “Create”. It will then prompt you to create a password. Make it a good strong password, but also make sure you have it saved somewhere! If you lose this password, your backup will be unusable. Let Disk Utility finish creating the bundle. Once it completes, it will automatically mount the new disk image. Eject the disk image and then you can quit Disk Utility.
  10. Navigate to both disk images—the one Time Machine created and the one you created. On both, right-click (or ctrl-click) and go to “Show Package Contents.” In the disk image Time Machine created, there is a file called “com.apple.TimeMachine.MachineID.plist”—copy this file to the disk image you just created.

A Few Final Steps

  1. Open Keychain Access. Search for [Computer Name].sparsebundle that you created. Right-click (or ctrl-click) that key and go to ‘Copy “[Computer Name].sparsebundle”.’ Then go to the “System” keychain, and right-click (or ctrl-click) in the right pane and go to ‘Paste “[Computer Name].sparsebundle”.’ You’ll probably need to enter an admin password.
  2. Finally, go back into Time Machine preferences and select your external hard drive as your backup disk. Turn Time Machine back on. You can also trash the sparse bundle that Time Machine created at the beginning of this process.

If you have followed all of these steps, you should now be backing up to an encrypted sparse bundle. To confirm it is backing up correctly, check that while Time Machine is backing up there is another mounted drive on your computer (other than the external drive) called “Time Machine Backups.”
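A complementary on-disk check, added here as an example and not part of the original post: it inspects the bundle on the external drive and reports whether it carries an encryption header and the copied MachineID plist. It assumes an encrypted sparse bundle stores its header in a `token` file that begins with the `encrcdsa` magic; the sample bundle and its name `Example-Mac.sparsebundle` are constructed for the demonstration.

```python
import plistlib
import tempfile
from pathlib import Path

# Assumption: encrypted bundles keep their header in "token", starting with this magic.
ENCRYPTED_MAGIC = b"encrcdsa"
MACHINE_ID = "com.apple.TimeMachine.MachineID.plist"
BUNDLE_TYPE = "com.apple.diskimage.sparsebundle"


def audit_sparsebundle(bundle):
    """Return a list of problems found in a Time Machine sparse bundle (empty = OK)."""
    bundle = Path(bundle)
    info = bundle / "Info.plist"
    if not info.is_file():
        return ["not a sparse bundle: Info.plist missing"]
    problems = []
    with info.open("rb") as fh:
        meta = plistlib.load(fh)
    if meta.get("diskimage-bundle-type") != BUNDLE_TYPE:
        problems.append("unexpected diskimage-bundle-type")
    token = bundle / "token"
    head = token.read_bytes()[:8] if token.is_file() else b""
    if head != ENCRYPTED_MAGIC:
        problems.append("no encryption header in token: image is NOT encrypted")
    if not (bundle / MACHINE_ID).is_file():
        problems.append(MACHINE_ID + " was not copied into the bundle")
    if not (bundle / "bands").is_dir():
        problems.append("bands directory missing")
    return problems


def make_sample_bundle(root, encrypted, with_machine_id):
    """Build a constructed, minimal bundle layout for the demo (no real backup data)."""
    bundle = Path(root) / "Example-Mac.sparsebundle"
    (bundle / "bands").mkdir(parents=True)
    with (bundle / "Info.plist").open("wb") as fh:
        plistlib.dump({"diskimage-bundle-type": BUNDLE_TYPE, "band-size": 8388608}, fh)
    (bundle / "token").write_bytes(ENCRYPTED_MAGIC + b"\0" * 56 if encrypted else b"")
    if with_machine_id:
        with (bundle / MACHINE_ID).open("wb") as fh:
            plistlib.dump({"constructed": True}, fh)  # placeholder content only
    return bundle


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_sparsebundle(make_sample_bundle(tmp, True, True)))
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_sparsebundle(make_sample_bundle(tmp, False, False)))
```

Against a real drive, pass the path of the bundle at the top level of the external disk to `audit_sparsebundle`; an empty list means both the encryption header and the MachineID plist are present.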

Note that due to a bug in Time Machine, you will no longer be able to go to “Enter Time Machine” to browse your backups using the slick Time Machine UI. If you want to get around this, mount the sparse bundle. Once it is mounted, go to the Time Machine menu item and hold the option key. This will make an option appear called “Browse Other Time Machine Disks.” Click it (while holding option). A menu will pop up that allows you to enter the Time Machine interface.


  1. I have had problems with the backups becoming corrupted, backup drives tanking, and spent extensive time trying to get a wireless backup solution working (nothing reliable yet). All said, Time Machine does what it advertises.
  2. Exactly what I use:

  3. While researching this, I came across a single article that contains all the steps. The author used a few different steps, but it’s basically the same. I went ahead with my post anyway just for reference (as this other site may or may not be live when I need to do this again). Encrypted Time Machine Backups (Quarter Life Crisis)

    In addition, I found the following useful:

  4. In the past, I found the following article pretty useful in configuring a Linux server to share over AFP. It’s specifically catered to Ubuntu, but it works just as well on Debian—with a few tweaks. HowTo: Make Ubuntu A Perfect Mac File Server And Time Machine Volume

technology


YouTube – Ratt-Round and Round Official Music Video

Remember when a rock band’s lead singer could wear a leopard print leotard and still be taken seriously?

YouTube – Ratt-Round and Round Official Music Video.

music
web finds


Self-Enforcing Protocols

Bruce Schneier:

Self-enforcing protocols are safer than other types because participants don’t gain an advantage from cheating. Modern voting systems are rife with the potential for cheating, but an open show of hands in a room — one that everyone in the room can count for himself — is self-enforcing.

This is exactly why I believe Vermont’s ‘town meeting day’ style of democracy is so successful. People are far less corrupt when they are held accountable by their peers/neighbors.

(via daring fireball)

web finds


A car, a gorge and a wedding: Our trip to Vermont

3:43:08 PM man, you went after her like she was made of bacon!

My friend Ray commenting on this video.

Thanks to Ryan for making it!

Uncategorized


New Modest Mouse Video – “King Rat” Directed By Heath Ledger

In honor of Modest Mouse’s new EP check out Heath Ledger’s disturbing and awesome video for the track “King Rat.” Well worth a view.

(via Stereogum)

music
web finds


Choosy out of beta

Choosy v1.0 has finally come out! You may recall I’ve mentioned my need for a hyperlink manager tool before.[1]

I’ve been using Choosy for over 6 months at this point and it has become an indispensable part of my workflow. Especially since George has added functionality for advanced rules.

My setup is as follows: I use Safari as my primary browser, however, my company has a number of internal web apps that have been built with Firefox in mind. This means at work I leave Firefox open all the time. So, using Choosy, I’ve set up some advanced rules for the web apps that make their URLs automatically route to Firefox.

I also have a few SSB instances in Fluid (Gmail, Fever, and others) and so I can direct links meant for these apps directly to them.

Everything else asks from the list of open browsers, defaulting to Safari when no browsers are open or if it’s the only open browser.

It’s fast, elegant, optimized for either mouse or keyboard users. The best part? It’s only $12.

Well done and congrats George!



1. Hyperlink Manager
Hyperlink Manager Followup: 2 Options

technology


Free NIN|JA EP

NIN keeps the free music coming, this time with Jane’s Addiction along for the ride!

NIN|JA 2009.

music
web finds


Crocodile eats shark and attack of the ninja kangaroo

YouTube – Crocodile eats shark and attack of the ninja kangaroo!.

web finds


Hulu is shutting down Boxee, taking two steps backwards

Hulu Blog: Doing hard things.

Our content providers requested that we turn off access to our content via the Boxee product, and we are respecting their wishes. While we stubbornly believe in this brave new world of media convergence — bumps and all — we are also steadfast in our belief that the best way to achieve our ambitious, never-ending mission of making media easier for users is to work hand in hand with content owners. Without their content, none of what Hulu does would be possible, including providing you content via Hulu.com and our many distribution partner websites.

Apparently doing the right thing in this situation is simple: screw the users.

Wrong

The right thing to do here is keep the users happy while working out the hard details. Ads are still being shown; revenue is still being generated.

When will these content producers realize that they can’t possibly “own” any content—without an audience to watch it? Keep screwing customers, but don’t come crying when they are compelled to steal the content instead.

Any company that feels safe enough to screw their customers rather than innovate deserves to lose.

business
technology
web finds
