Archive

Posts Tagged ‘encrypted’

Encrypted Time Machine Backups on Time Capsule (Mountain Lion)

July 30, 2012

A first-pass Mountain Lion update to the Encrypted Time Machine Backups on Time Capsule post (below): the script (mostly) works, as do the backups themselves (mostly).

Unfortunately, the script fails to detect the Wi-Fi adapter’s MAC address (which I think has to do with changes to the output of system_profiler, something that should be fixable).

Mountain Lion makes visible changes to the process. It detects that the sparse bundle is present and encrypted.

It furthermore asks for, and automagically remembers, both the Time Capsule password and the encrypted disk image password, which means we no longer need to fiddle with Keychain Access.

But wait, I said “mostly”. It turns out Time Machine on Mountain Lion resizes the sparse bundle image to (it seems) the size of the physical media hosting the image, which defeats the size limit the image was created with. While this can be changed back with hdiutil resize, I don’t yet know if Mountain Lion will simply resize it again on the next backup run.

Take some, lose some.

Categories: macos, sysadmin

Encrypted Time Machine Backups on Time Capsule

June 18, 2012

With Lion, Mac OS X gained the ability to encrypt Time Machine backups on directly-attached disks, but this is not supported on Time Capsule. An additional potential issue is that Time Machine backups will consume all available space on a device, which in my particular case is undesirable. So I wanted a way to both encrypt said backups and limit the amount of space they can consume. There are a number of good resources on this topic, such as Michael “Nozbe” Sliwinski’s Mac OSX Lion Secure Backup to Time Capsule with Size Limit and Jason Discount’s Encrypted, Rotating Time Machine Backups on Snow Leopard (which works on Lion as well). But, since I have a small herd of Macs to shepherd, I prefer a script to do most of the work for me (see below).

You have to perform these steps from the admin user account on your system (not root, and no sudo).

First, mount your Time Capsule disk. You can do this from the Finder and ask it (if you haven’t already) to remember the password in your keychain. Second, set the Time Capsule’s name (the TC variable) in the script below. The real work is done by the hdiutil create call, which builds the encrypted, size-capped sparse bundle; the plist written into the bundle afterwards records this Mac’s hardware UUID so that Time Machine accepts the bundle as its own.

#!/bin/bash
# Create an encrypted, size-capped sparse bundle for Time Machine on a
# Time Capsule and stamp it with this Mac's hardware UUID so that backupd
# accepts it. Run as the admin user (not root, no sudo) with the Time
# Capsule disk already mounted under /Volumes.

TC="TimeCapsule"   # Time Capsule disk name as it appears under /Volumes
SIZE="500G"        # upper bound on the space the backups may consume

UUID=$(system_profiler SPHardwareDataType | awk '/Hardware UUID/ {print $3}')
echo "UUID: $UUID" >&2
NAME=$(scutil --get ComputerName)
echo "Name: $NAME" >&2
# MAC address of the Wi-Fi interface with the colons stripped, which is
# the form Time Machine uses in the bundle name. System Profiler output is
# not built for parsing, so only the first MAC after the AirPort entry is taken.
APMAC=$(system_profiler SPNetworkDataType | grep -A 25 'Hardware: AirPort' \
        | awk '/MAC Address/ {print $3}' | head -n 1 | tr -d ':')
echo "MAC Address: $APMAC" >&2

SPRSBNDL_NAME="/Volumes/${TC}/${NAME}_${APMAC}.sparsebundle"
echo "Sparse Bundle: $SPRSBNDL_NAME" >&2

if [ -z "$UUID" ] || [ -z "$NAME" ] || [ -z "$APMAC" ]; then
   echo "error: unable to determine uuid, name or mac address" >&2; exit 1
fi
# Refuse to touch an existing bundle (typically the old unencrypted one).
if [ -e "$SPRSBNDL_NAME" ]; then
   echo "error: $SPRSBNDL_NAME already exists; remove it first" >&2; exit 1
fi

echo "creating sparsebundle $SPRSBNDL_NAME" >&2
# hdiutil prompts for the image passphrase; -size is the cap Time Machine sees.
if hdiutil create -encryption AES-128 -size "$SIZE" -type SPARSEBUNDLE \
                  -nospotlight -volname "${NAME}TM@${TC}" -fs "HFS+J" \
                  "$SPRSBNDL_NAME"; then
   cat >"${SPRSBNDL_NAME}/com.apple.TimeMachine.MachineID.plist" <<ENDPLIST
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.backupd.HostUUID</key>
    <string>$UUID</string>
</dict>
</plist>
ENDPLIST
fi

Finally, you still have to move the keychain entries for the Time Capsule disk and your encrypted image from the login keychain to the System keychain with the Keychain Access app, but everything else is handled for you. Note that the script assumes you are connecting to your Time Capsule over Wi-Fi, not wired Ethernet, and since System Profiler’s output isn’t built for parsing, it may not grab the right MAC address if you, for instance, have multiple network interfaces. The above has proven to work well on laptops. In any event, you can always hard-code the correct MAC address into the script (colons removed).
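As an added example (not code from the original post), here is a more robust way to pick up the Wi-Fi MAC address for the bundle name; it also addresses the detection failure noted in the Mountain Lion update above. Instead of System Profiler it parses the output of networksetup -listallhardwareports, whose format is stable and line-oriented, and it accepts the wireless port under either label Apple has used for it ("AirPort" on older releases, "Wi-Fi" on newer ones) while skipping wired Ethernet and Bluetooth ports. The sample networksetup output, the computer name and the function names are constructed for the demonstration.

```shell
#!/bin/bash
# Added example: derive the Time Machine bundle name from networksetup
# output rather than System Profiler. Not part of the original script.

# Read networksetup -listallhardwareports text on stdin and print the
# wireless port's MAC address with the colons removed (the form used in
# "<ComputerName>_<MAC>.sparsebundle"). Prints nothing if no wireless port
# is listed. Matches both the "AirPort" and "Wi-Fi" labels.
wifi_mac_from_hwports() {
    awk '
        /^Hardware Port: (Wi-Fi|AirPort)$/ { in_wifi = 1; next }
        /^Hardware Port:/                   { in_wifi = 0 }
        in_wifi && /^Ethernet Address:/     { gsub(":", "", $3); print $3; exit }
    '
}

# Build the sparse bundle path for Time Capsule disk $1, computer name $2
# and colon-free MAC $3; fail if either the name or the MAC is empty.
tm_bundle_name() {
    [ -n "$2" ] && [ -n "$3" ] || return 1
    printf '/Volumes/%s/%s_%s.sparsebundle\n' "$1" "$2" "$3"
}

# Constructed sample in the format networksetup -listallhardwareports
# prints: a wired port first, then Wi-Fi, then a Bluetooth PAN port.
SAMPLE_HWPORTS='Hardware Port: Ethernet
Device: en0
Ethernet Address: 3c:07:54:aa:bb:cc

Hardware Port: Wi-Fi
Device: en1
Ethernet Address: 00:11:22:33:44:55

Hardware Port: Bluetooth PAN
Device: en2
Ethernet Address: 00:11:22:33:44:56'

# Demonstration on the constructed sample (computer name "mymac" is assumed).
# On a real Mac feed the live output instead:
#   networksetup -listallhardwareports | wifi_mac_from_hwports
#   scutil --get ComputerName
mac=$(printf '%s\n' "$SAMPLE_HWPORTS" | wifi_mac_from_hwports)
tm_bundle_name "TimeCapsule" "mymac" "$mac"
```

Only the first Ethernet Address line after the wireless port header is used, so a machine with several interfaces no longer yields a concatenated string of MAC addresses, and an empty result causes tm_bundle_name to fail rather than produce a bundle named after the wrong interface.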

If you are currently backing up to your Time Capsule unencrypted, creating the encrypted image may fail, because a non-encrypted sparse bundle with the same name already exists and is the one Time Machine is set to use. You have to delete the existing non-encrypted image first, which also discards the backup history it holds.

Finally, one of the nice things about this approach is that you can resize the resulting image whenever convenient with hdiutil resize, as long as the data already in it still fits in the new size. Also, I have successfully used Time Machine Scheduler to change Time Machine’s schedule (since I don’t really need Time Machine cranking up every hour).
