Monday, September 27th, 2010, at 11:15 am
Encrypting a Time Machine Backup
Update for Lion (10.7+), please read!
I use Time Machine.
It’s not perfect[1], but it’s automatic. Set it, forget it, and you have incremental backups. As I’m very serious about backing up, it is only one prong in a multi-tiered backup strategy—albeit, one of the easiest prongs.
In my office, I have an internal hard disk plugged into a Rosewill USB dock[2]. This works great, but I worry about one thing: it would be very easy to walk away with.
By default, Time Machine backups are not encrypted. The only Apple-supported method of having an encrypted Time Machine backup is to use FileVault to encrypt your home directory. Unfortunately, this has a serious downside—you must be logged out to back up. Since this defeats the purpose of set it and forget it, I tried to figure out another way to accomplish this. This is the method I have found through a variety of sources[3]. Note: as of this writing, I have only done this under 10.6 (Snow Leopard). There are slightly different steps for Leopard.
Disclaimer: This method is unsupported by Apple. It’s working fine for me, but you do so at your own risk!
Starting a Fake Time Machine Backup
You will need access to a writeable AFP shared folder on another computer. This is easy if the other computer is also a Mac, but it can be accomplished in Linux too[4]. There might be a way to get this to work using a single computer, but as I have access to more than one Mac, I didn’t bother to attempt it. This process will go much faster if this other computer is on your local network. Below, I will use “computer two” to refer to this other computer.
- On computer two, set up a shared folder and give yourself write permissions.
- Back on computer one, mount the shared folder.
- Go into the Time Machine settings and set that mount as your backup disk.
- Go to the Time Machine menu item or Dock icon and select “Back Up Now.” Time Machine will start running and the status bar will say “Preparing…” for a bit. Do not cancel it until it switches from saying “Preparing…” to “Backing up [X] items.”
- Once it switches to saying “Backing up [X] items,” stop the backup. Time Machine will take a minute to cleanly finish. Once it is done, use the Time Machine preferences to turn Time Machine off (just to prevent it from trying to back up before we are ready).
- In the mounted shared folder on computer two, there will now be a file called [Computer Name].sparsebundle (where [Computer Name] is your computer’s name). Copy this to your computer somewhere temporary. You can now disconnect from computer two (and don’t forget to clean up and remove the shared folder if you created it just for this task).
Creating the Sparsebundle
- Fire up Disk Utility, and go to File > New > Blank Disk Image.
- In the Save As field, enter the same [Computer Name].sparsebundle that Time Machine created above; however, save this to the top level of your external hard drive.
- In the Name field, enter “Time Machine Backups”.
- In Size, go to “Custom…”. Here, enter the max size you would like the Time Machine backup to take. Ideally this should be at least twice the size of your primary volume and can be as big as your external drive. If you want to just set it to the size of your external drive, you can simply set it to something bigger than the external drive (e.g., 2TB if it’s a 1TB drive). Disk Utility will automatically scale it to the max size.
- In Format, select “Mac OS Extended (Case-sensitive, Journaled).”
- In Encryption, select “256-bit AES encryption (more secure, but slower).”
- In Partitions, select “Single partition – GUID Partition Map.”
- In Image Format, select “sparse bundle disk image.”
- Hit “Create”. It will then prompt you to create a password. Make it a good strong password, but also make sure you have it saved somewhere! If you lose this password, your backup will be unusable. Let Disk Utility finish creating the bundle. Once it completes, it will automatically mount the new disk image. Eject the disk image and then you can quit Disk Utility.
- Navigate to both disk images—the one Time Machine created and the one you created. On both, right-click (or ctrl-click) and go to “Show Package Contents.” In the disk image Time Machine created, there is a file called “com.apple.TimeMachine.MachineID.plist”—copy this file to the disk image you just created.
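A command-line equivalent of the Disk Utility steps above, as an added example that is not part of the original post. It assumes macOS's hdiutil; the function names are made up for this example, and the destination path and size are supplied by the caller.

```shell
#!/bin/sh
# Added example: same image settings as the Disk Utility dialog above.
MACHINE_ID_PLIST="com.apple.TimeMachine.MachineID.plist"

# create_encrypted_bundle <dest.sparsebundle> <size, e.g. 2t>
# macOS only. hdiutil prompts for the passphrase because -encryption is set.
create_encrypted_bundle() {
    dest=$1; size=$2
    case "$dest" in
        *.sparsebundle) ;;
        *) echo "destination must end in .sparsebundle" >&2; return 2 ;;
    esac
    hdiutil create \
        -size "$size" \
        -type SPARSEBUNDLE \
        -fs "Case-sensitive Journaled HFS+" \
        -layout GPTSPUD \
        -encryption AES-256 \
        -volname "Time Machine Backups" \
        "$dest"
}

# copy_machine_id <bundle made by Time Machine> <bundle you created>
# Copies the plist that ties the image to this computer.
copy_machine_id() {
    src=$1; dst=$2
    [ -f "$src/$MACHINE_ID_PLIST" ] || { echo "no $MACHINE_ID_PLIST in $src" >&2; return 1; }
    [ -d "$dst" ] || { echo "$dst is not a sparse bundle directory" >&2; return 1; }
    cp -p "$src/$MACHINE_ID_PLIST" "$dst/$MACHINE_ID_PLIST"
}

# bundle_ready <bundle you created>
# Returns 0 if the plist is in place and, where hdiutil is available,
# the image reports itself as encrypted. Without hdiutil only the plist is checked.
bundle_ready() {
    bundle=$1
    [ -f "$bundle/$MACHINE_ID_PLIST" ] || return 1
    if command -v hdiutil >/dev/null 2>&1; then
        hdiutil isencrypted "$bundle" 2>&1 | grep -q "encrypted: YES" || return 1
    fi
    return 0
}
```

Run bundle_ready on the new image before pointing Time Machine at the external drive; a non-zero return means the plist is missing or the image is not encrypted.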
A Few Final Steps
- Open Keychain Access. Search for [Computer Name].sparsebundle that you created. Right-click (or ctrl-click) that key and go to ‘Copy “[Computer Name].sparsebundle”.’ Then go to the “System” keychain, and right-click (or ctrl-click) in the right pane and go to ‘Paste “[Computer Name].sparsebundle”.’ You’ll probably need to enter an admin password.
- Finally, go back into Time Machine preferences and select your external hard drive as your backup disk. Turn Time Machine back on. You can also trash the sparse bundle that Time Machine created at the beginning of this process.
If you have followed all of these steps, you should now be backing up to an encrypted sparse bundle. To confirm it is backing up correctly, check that while Time Machine backs up there is another mounted drive on your computer (other than the external drive) called “Time Machine Backups.”
Note that, due to a bug in Time Machine, you will no longer be able to go to “Enter Time Machine” to browse your backups using the slick Time Machine UI. If you want to get around this, mount the sparse bundle. Once it is mounted, go to the Time Machine menu item and hold the option key. This will make an option appear called “Browse Other Time Machine Disks.” Click it (while holding option). A menu will pop up that allows you to enter the Time Machine interface.