What is the best way to encrypt backups made by Time Machine?
Add a comment
|
3 Answers
I can suspect that the easiest way would be to put the backup data onto some mounted encrypted container (whatever there is for that for Mac OS).
(Note: a pretty much relevant question right here is https://serverfault.com/questions/38405/recovering-from-a-time-machine-backup-encrypted-with-pgp-whole-disk-encryption )
Here's an article on Encrypted, Rotating Time Machine Backups on Snow Leopard -- the basic process is to create an encrypted disk image (sparse bundle format), put the encryption key in the System keychain (so backupd can read it), then create various indicator files & folders so backupd will think it's the type of image Time Machine creates when backing up to a server (/Time Capsule appliance). Restoring is a little more complex than normal; you have to use Browse Other Time Machine Disks feature to get to your backup.
The trickery in the article to get "Rotating" backups apparently broke in 10.6.5 and they haven't figured out how to get it working again. But you didn't ask about that part...
BTW, since this is posted on ServerFault, I presume you're talking about either backing up a server, or backing up TO a server. It you're talking about backing up the server itself, I wouldn't recommend Time Machine; it's not really what I'd consider a server-grade solution. It doesn't give you that much control over the backup strategy, no real auditing or reporting capability, and generally not as reliable as I want on a server. Read the saga of TidBITS.com's web server meltdown for an example. Also, I've seen discussions of some the AFP service failing due to Time Machine running on the server (this has supposedly been improved in recent updates of OS X, but I still don't entirely trust it). Basically, the point of Time Machine is to get you 90-95% of the protection of a "real" backup system, for 5% of the effort -- a great tradeoff for an end-user computer that otherwise wouldn't be backed up at all, but probably not right for a critical server.
On the other hand, if you're talking about encrypting the client backups stored ON the server, I have no such reservations and you can probably use roughly the procedure in the article I linked. But make sure you have the encryption keys recorded outside of the backups themselves, or you'll have serious trouble if you even need to do a full restore...
answered Jan 22, 2011 at 17:45
