Encrypted Disk Images without FileVault

When I upgraded my MacBook to Leopard last year, I was really quite surprised to discover that Time Machine and FileVault really don’t work well together. The thought of having my laptop stolen is traumatic enough, without also having to worry about someone sifting through my finances, bank statements and other personal files. Until Leopard, FileVault had been a real boon for keeping all of those sensitive files locked safely away in a password protected, encrypted container. Unfortunately, Time Machine then treats my whole home directory as a single giant file, and backs up a new revision of the entire thing every time I make even the tiniest of changes to any of the files inside it: another copy of my 60GB of iTunes files and 10GB of iPhoto files to fit on my overstuffed Time Machine drive!
All is not lost, however! The trick is to make a small mountable encrypted disk image of your own to securely store all your confidential files. Here’s how to make a 660MB image to do just that with the Disk Utility application, so that you can turn FileVault off entirely. As a bonus, as long as the files you need to store inside will fit into less than 660MB, you can also keep a password protected backup on an 80 minute CD-R:
- Select New -> Blank Disk Image from the File menu (or click New Image in the tool bar).
- Fill in the dialog box, to look something like this, making sure you select encryption (I always choose the strongest available, since I’ll only want to access the files inside a few times a week, and speed is less important than security):

- When prompted for a password, you’ll need to untick the option for saving to the keychain (otherwise, there’s no point encrypting the disk image in the first place, since your keychain is unlocked while you are logged in!). Make sure you choose a strong passphrase that you won’t forget — there’s no way to ever recover the files inside if you ever do forget it.

- Disk Utility will create the disk image and mount it for you. You can then copy any files that you want to keep inside by dragging them to the mounted disk icon in the Finder. Don’t delete the originals just yet…
- Unmount the image by dragging it to the Trash, and then remount it by double clicking the Private.dmg file. Of course you’ll have to enter your passphrase every time you mount it from now on. This step is to check that the passphrase is what you expect (i.e. you didn’t mistype it twice and lock yourself out), and that all the files you dragged in are present.
- Optionally, put a blank CD-R in the drive and drag Private.dmg to it to burn a physical backup. If anyone tries to mount the resulting CD, they’ll also need to supply that same passphrase. You might like to make one of these from time to time and mail it to a friend, in case your computer and Time Machine backups are all washed away in a flash flood or something.
- Now you can delete the originals of any files you copied to the disk image, safe in the knowledge that you have copies safely tucked away in the encrypted image. Make sure that you drag those originals to the Trash, and then use the Empty Securely button to make it near impossible to recover the originals forensically from your hard drive.
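The same procedure can be scripted with macOS’s `hdiutil`, the command-line tool behind Disk Utility. The script below is an added example and not part of the original post: it creates the AES-256 encrypted image, reads the passphrase from standard input rather than storing it in the keychain, and then performs the “remount and check” step from the list above. The `Private` volume name, the 660m size, the 12-character minimum passphrase length and the `RUN_DEMO` switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): hdiutil equivalent of the
# Disk Utility steps. Assumptions: volume name "Private", 660m image size,
# a 12-character minimum passphrase, and a RUN_DEMO=1 switch for the demo.
set -eu

VOLNAME="Private"
DEFAULT_SIZE="660m"     # small enough to burn to an 80 minute CD-R

# Our own minimum-length policy; hdiutil itself accepts any passphrase.
# There is no recovery path for a forgotten passphrase, so it must be
# strong AND memorable.
check_passphrase() {
    [ "${#1}" -ge 12 ]
}

# Flags for "hdiutil create". AES-256 is the strongest option Disk Utility
# offers; -stdinpass reads the passphrase from stdin, so it never lands in
# the process list, shell history or the login keychain.
create_flags() {    # $1 = hdiutil size spec, e.g. 660m
    printf '%s' "-size $1 -fs HFS+J -volname $VOLNAME -encryption AES-256 -stdinpass -format UDRW"
}

# Create the encrypted image. $1 = passphrase, $2 = image path, $3 = size.
create_image() {
    check_passphrase "$1" || { echo "passphrase too short" >&2; return 1; }
    # shellcheck disable=SC2046  # flags contain no spaces; word-splitting is intended
    printf '%s' "$1" | hdiutil create $(create_flags "$3") "$2"
}

# The "remount and check" step: confirm the image really is encrypted, that
# the passphrase unlocks it, and that an expected file is inside.
# $1 = passphrase, $2 = image path, $3 = file expected inside the volume.
verify_image() {
    hdiutil isencrypted "$2" | grep -q 'encrypted: YES' || return 1
    mnt=$(mktemp -d)
    printf '%s' "$1" | hdiutil attach -stdinpass -mountpoint "$mnt" "$2" >/dev/null
    if [ -e "$mnt/$3" ]; then ok=0; else ok=1; fi
    hdiutil detach "$mnt" >/dev/null
    rmdir "$mnt" 2>/dev/null || true
    return $ok
}

# Demo, only on a Mac and only when explicitly requested, since it creates
# a real disk image. Uses a small 20m image and a constructed sample file.
if command -v hdiutil >/dev/null 2>&1 && [ "${RUN_DEMO:-0}" = 1 ]; then
    tmp=$(mktemp -d)
    demo="$tmp/Private.dmg"
    pass="correct horse battery staple"          # constructed sample passphrase
    create_image "$pass" "$demo" 20m
    mnt=$(mktemp -d)
    printf '%s' "$pass" | hdiutil attach -stdinpass -mountpoint "$mnt" "$demo" >/dev/null
    echo "constructed sample statement" > "$mnt/statement.txt"
    hdiutil detach "$mnt" >/dev/null
    if verify_image "$pass" "$demo" statement.txt; then
        echo "verified: image is encrypted, passphrase works, file present"
    else
        echo "verification failed" >&2
    fi
fi
```

Run it on a Mac with `RUN_DEMO=1 sh private-image.sh` to exercise the whole create, copy, detach and verify cycle; without `RUN_DEMO` it only defines the functions. For a fixed-size image that burns to CD-R, `-format UDRW` matches the post; `hdiutil create` also accepts `-type SPARSEBUNDLE`, which stores the image as many small band files so that an incremental backup tool only needs to re-copy the bands that changed.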
[...] week, on the new MacHaxor site, I explained how to create an encrypted disk image on a mac, but there are similar tools available for Linux. TrueCrypt allows you to make all kinds of [...]
Personally I don’t have much of a problem using FileVault with Time Machine. I’ve found on the latest update with nothing ignored that it skips copying my encrypted home image and instead copies the folder separately as another volume in the backup.
Only slight problem now is that my account backups are not encrypted, so if anyone finds my backup drive, I’m screwed.
Would be interesting if I could make an encrypted partition on the backup drive that Time Machine would like to use. Then I’d be ok.
gary -
time machine works reasonably well with file vault. the problem you’ve encountered is a known problem - if you upgrade a tiger system with an existing file vault to leopard, the file vault stays in the older “sparse image” format, which behaves as you say: any small change in it causes a complete new copy to be made in the backup. needless to say, that’s just stupid.
in leopard however, there’s a new format called “sparse bundle”. it’s compatible with time machine - only those parts of your file vault file that have changed are re-copied. and, the copy stays completely encrypted. the catch is that when you upgrade, you need to convert your file vault to the new format. in order to do that, you have to turn file vault off (unencrypting all your files) and then turn it back on again. this means you need to have enough free space on your hard drive for a complete unencrypted copy of your home folder. and, you should probably do a secure erase free space of the drive after you’ve got file vault turned back on again. it’s a kind of awkward process which i guess is why apple didn’t do it by default. but it’s really necessary if you’re going to use file vault and time machine. after that, the only big drawback with file vault and time machine is that time machine won’t back up your home folder while you’re logged in; you have to log out so that the file vault image is unmounted, before time machine will back it up. this really doesn’t work for me, because i almost never log out. personally i find the method you’ve described above much better than file vault! so we’ve come to the same conclusion, but for different reasons.
@james urquhart - it’s not necessary to make an encrypted partition for time machine. it is fully compatible with making encrypted backups, as i described above. if time machine is making unencrypted backups of your file vault home folder, then something is seriously wrong…
Hi Jeffro,
Thanks for the tip! I wasn’t aware of that. Next time I do a nuke-&-pave install (probably when I upgrade my hard-drive next month) I’ll try switching File Vault back on.
Cheers,
Gary