Archive

Posts Tagged ‘time machine’

Encrypted Time Machine Backups on Time Capsule (Mountain Lion)

July 30, 2012 Leave a comment

The [first pass] Mountain Lion update to the Encrypted Time Machine Backups on Time Capsule post: the script (mostly) works, as do the backups themselves (mostly).

Unfortunately, the script fails to properly detect the Wifi adapter’s Mac address (which I think has to do with changes to the output of system_profiler, something that should be fixable).

Mountain Lion makes visible changes to the process, namely, it will detect that the sparse bundle is present and encrypted:

It will furthermore ask and automagically remember both the TimeCapsule password and the encrypted disk image password. which means we no longer need to fiddle with Keychain Access:

But wait, I said “mostly”. It turns out Time Capsule will resize the sparse bundle image to (it seems) the size of the physical media hosting the image. While this can be changed back with hdiutil, I don’t yet know if Mountain Lion will simply resize it back in the next backup iteration.

Take some, lose some.

Categories: macos, sysadmin Tags: , , ,

Encrypted Time Machine Backups on Time Capsule

June 18, 2012 1 comment

With Lion, Mac OS X gained the ability to encrypt Time Machine backups on directly-attached disks, but this is not supported on Time Capsule. An additional potential issue is that Time Machine backups will consume all available space on a device, which in my particular case is undesirable. So I wanted a way to both encrypt said backups and limit the amount of space they can consume. There are a number of good resources on this topic, such as Michael “Nozbe” Sliwinski’s Mac OSX Lion Secure Backup to Time Capsule with Size Limit and Jason Discount’s Encrypted, Rotating Time Machine Backups on Snow Leopard (which works on Lion as well). But, since I have a small herd of Macs to shepherd, I prefer a script to do most of the work for me (see below).

You have to perform these steps from the admin user account on your system (not root, and no sudo).

First, mount your Time Capsule disk. You can do this from the Finder and ask it (if you haven’t already) to remember the password in your keychain. Second, edit the Time Capsule’s name in the script below. The real magic of the script happens in the highlighted lines with hdiutil).

#!/bin/bash

TC="TimeCapsule"

UUID=`system_profiler SPHardwareDataType | egrep 'Hardware UUID' \
      | awk '{print $3}'`
echo "UUID: $UUID" >&2
NAME=`system_profiler SPSoftwareDataType | grep 'Computer Name' \
      | awk '{print $3}'`
echo "Name: $NAME" >&2
APMAC=`system_profiler SPNetworkDataType | grep 'Hardware: AirPort' -A 25 \
      | grep 'MAC Address' | awk '{print $3}' | sed -e 's/://g'`
echo "Mac Address: $APMAC" >&2

SPRSBNDL_NAME="/Volumes/${TC}/${NAME}_${APMAC}.sparsebundle"
echo "Sparse Bundle: $SPRSBNDL_NAME" >&2
if [ -z "$UUID" ] || [ -z "$NAME" ] || [ -z "$APMAC" ]; then
   echo "error: unable to determine uuid, name or mac address" >&2; exit 1
else
   echo "creating sparsebundle $SPRSBNDL_NAME" >&2
   if hdiutil create -encryption AES-128 -size 500G -type SPARSEBUNDLE \
                     -nospotlight -volname "${NAME}TM@${TC}" -fs "HFS+J" \
              ${SPRSBNDL_NAME}; then
      (
       cat <<ENDPLIST
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.backupd.HostUUID</key>
    <string>$UUID</string>
</dict>
</plist>
ENDPLIST
      )>${SPRSBNDL_NAME}/com.apple.TimeMachine.MachineID.plist
   fi
fi

Finally, you still have to manually move the keychain entries for the Time Capsule disk and your encrypted image from the Login keychain to the System keychain with the Keychain Access app, but everything else is handled for you. Note that the script assumes you are connecting to your Time Capsule over WIFI, not via wired ethernet, and since the output from System Profiler isn’t the most parseable, it may not grab the right MAC address if you, for instance, have multiple network interfaces. The above has proven to work well on laptops. In any event, you can always enter the correct MAC address into the scripts (remove colons).

If you are currently performing backups to your Time Capsule unencrypted, the creation of the encrypted image may not work, as a non-encrypted sparse bundle probably already exists and is set to be used with Time Machine. You have to delete the existing non-encrypted image.

Finally, one of the nice things about this approach is that you can resize the resulting image whenever is convenient with hdiutil resize, as long as you have not used up the allotted space. Also, I have successfully Time Machine Scheduler to change Time Machine’s scheduling (since I don’t really need Time Machine cranking up every hour).

TimeMachine and Logged Out Users

January 5, 2011 Leave a comment

With the deployment of the MacMini3,1 as an important box, I wanted to have timely backups and easy recovery, and that is one thing Snow Leopard does rather well with TimeMachine. Attach a disk, configure as a TimeMachine destination, and done, right? Not exactly: I noticed that TimeMachine was only backing up the system if there was a user logged in, something that’s rather rare on this box (in fact, there is generally no display or keyboard attached to it).

It turns out that this is normal behavior, as the system unmounts all external volumes when a user logs out, including TimeMachine volumes (this does not apply to network volumes, just volumes physically attached to the system). There are some edge cases that affect somewhat this behavior (such us when FileVault is in use), but it can be completely disabled:

defaults write /Library/Preferences/SystemConfiguration/autodiskmount \
     AutomountDisksWithoutUserLogin -bool true

I went ahead and rebooted the system. TimeMachine now works even when users are not logged in.

Categories: macos, sysadmin Tags: , , ,
Follow

Get every new post delivered to your Inbox.