Encrypted Backups
It is possible to use encryption to protect your data. Data which is encrypted may be more difficult for a third party to recover. However, keep in mind that it will be equally difficult for you to recover the data if you forget the pass-phrase or lose the encryption key(s) required to decrypt your data.
There are many approaches to encrypting data with LBackup.
- Locally encrypt the backup snapshot tree or part of the tree. It is then possible to move the encrypted data to an off-site location or onto another kind of storage media.
- Encrypt all the backup data all the time, on the fly to encrypted devices. The destination or source could be locally attached or alternatively accessed remotely.
- Keep both the user data and the backup encrypted all the time, on the fly to encrypted devices. The destination or source could be locally attached media or remotely accessed media.
Share how you are encrypting your data with LBackup by visiting the contributions page.
Please keep in mind that if encryption is not performed by dedicated encryption hardware, the backup and restore times will likely increase. These increases will be particularly obvious if you are using software encryption on aging hardware. In general, software encryption causes file operations to take slightly longer. If you require encryption and need to reduce your backup time to fit within your backup window, hardware encryption may help. Many devices on the market support hardware encryption. Please check with the vendors for the encryption specifications of their products.
Also note that encrypted drives or devices inherently make data recovery more difficult, should anything go wrong.
Keep in mind that backup times do not depend only upon encryption. There are various factors involved in how long backups take to complete.
Encryption on OS X
The easiest way to set up encryption on OS X is to utilize the hdiutil utility. The latest version of TrueCrypt is also an option for encryption on Mac OS X. In addition, EncFS, which leverages FUSE, is also a possibility.
Encrypted Sparse Images
Data can be encrypted on the fly using an encrypted sparse disk image. The advantage of sparse images is that the storage initially required by the image file within the host file system is quite low. The image file then automatically expands in chunks, as files are added to the sparse image file system. This means you can set the disk to have 50GB of free space. Yet, initially the image file may only consume 500MB of space within the host file system.
Sparse disk images are more prone to developing issues than standard disk images, particularly if they are not unmounted correctly. You will need to decide for yourself which kind of system is appropriate for your requirements.
In addition, there are known bugs with Mac OS X 10.4.4 and earlier when handling large disk images. Ensure that your system is updated to Mac OS 10.4.10 or later if you are dealing with large disk images.
Create a Sparse Encrypted Disk Image
The easiest way of creating a sparse encrypted disk image under 10.4.x or later is to use the Disk Utility tool. If you would like to use the command line check out this article on Mac OSX Hints or skip below for the command.
- hdiutil create -size thesize -encryption -type SPARSE -fs HFS+ thename
Expanding a Sparse Disk Image
The command below uses the hdiutil tool to grow a sparse encrypted image file under Mac OS X to a total of 10GB.
- hdiutil resize -growonly -size 10g diskimage.sparseimage
Backup of Image Files
Mac OS X 10.5 has a new kind of sparse disk image type called a “sparsebundle”. There are reports that it is possible to backup sparsebundle images while they are mounted. Although this is an option, Apple has not explicitly stated that they support the backup of mounted read/write disk images. Time Machine is evidence of this, as it will currently only backup home directories with FileVault enabled when the FileVault user is not logged into the machine. Therefore, it is recommended that any backups made from read/write disk images only occur when the image is unmounted. It is possible to transfer and update a sparsebundle over the network with rsync.
If you want to make a backup of your home directory while you are logged in and you have FileVault enabled, it is currently recommended that any backups are made from the image mount point. Although this will be more CPU intensive, it has been tested to result in a known good backup. This can be configured with a pre action script which ensures the user is logged into the system.
The ability to backup the actual bands (components of the image file) is very interesting. The LBackup team is currently performing integrity tests on backups made from the bands of sparsebundle images, while the images are mounted and in use. In addition, the LBackup team is in the process of identifying how to simplify the backup of FileVault home directories under Mac OS 10.5 and later. If you have experience with the backup of sparsebundle images then we would be interested in your opinions.
Finally, if you are upgrading from Mac OS 10.3 or later to Mac OS 10.5 and have FileVault enabled, you should check the Apple forums before commencing with your upgrade. It is also recommended that you check the LBackup known issues page before you reinstall LBackup.
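The rule in this section (copy the image file only while it is unmounted, otherwise back up from the mount point) can be checked before a backup starts. The script below is an added example, not LBackup code; it assumes that `hdiutil info` lists each attached image on an "image-path" line, and the image path, mount point and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not LBackup code): pick a safe backup source for a disk image.
# Assumption: `hdiutil info` prints one "image-path : <absolute path>" line
# per attached image, so IMAGE_PATH must be given as an absolute path.

# image_attached IMAGE_PATH -- reads `hdiutil info` output on stdin.
# Returns 0 if IMAGE_PATH is attached (mounted), 1 otherwise.
image_attached() {
    WANT="$1" awk '
        /^image-path[ \t]*:/ {
            sub(/^image-path[ \t]*:[ \t]*/, "")
            if ($0 == ENVIRON["WANT"]) found = 1
        }
        END { exit !found }'
}

# backup_source IMAGE_PATH MOUNT_POINT -- reads `hdiutil info` output on stdin
# and prints the path that is safe to copy right now: the mount point while
# the image is attached, the image file itself only once it is detached.
backup_source() {
    if image_attached "$1"; then
        printf '%s\n' "$2"
    else
        printf '%s\n' "$1"
    fi
}

# Constructed sample of `hdiutil info` output, used when hdiutil is absent.
sample_info() {
    cat <<'EOF'
framework       : 199
================================================
image-path      : /Users/alice/backup.sparsebundle
image-type      : sparse bundle disk image
/dev/disk2s2	Apple_HFS	/Volumes/Backup
EOF
}

# On OS X, run this script with two arguments: IMAGE_PATH MOUNT_POINT.
if [ "$#" -eq 2 ] && command -v hdiutil >/dev/null 2>&1; then
    hdiutil info | backup_source "$1" "$2"
else
    sample_info | backup_source /Users/alice/backup.sparsebundle /Volumes/Backup
fi
```

The printed path can be used as the backup source; the image path passed in must match the absolute path that hdiutil reports.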
Encryption on *NIX
There are a variety of encryption tools available for *NIX systems.
- If you are running Linux then this page has an explanation of loop back file system encryption which may be useful.
- Many versions of Linux support full disk encryption as an installation option.
- BSD supports full disk encryption.
If you are using another kind of encryption system with LBackup, then please let us know.
Encryption on Microsoft Windows
TrueCrypt also works on Microsoft Windows. If you are using another kind of encryption system in conjunction with LBackup, then please let us know.
Helpful Network Backup Tips
The following list of tips may be of assistance if you are deploying a remote backup.
- Backing Up to a Disk Image With an SSH Connection (Adam Knight)