41 Replies. Latest reply: Jan 13, 2013 2:57 PM by Pondini
  • 15. Re: Understanding encryption using Disk Utility
    Pondini Level 8 (38,720 points)

    guy toronto wrote:

     

    Thanks for the explanation. Forgive me for being technologically dense. Are you saying that in the case of an encrypted disk image, my back-up (using Time Machine) will be encrypted?

    Yes.

     

    - when the disk is mounted (ie data unencrypted), it will not be backed up. Back-up of data will only occur when the disk is not mounted (ie when the data is encrypted). Hence backed up data is always encrypted.

     

    Am I getting this right?

    Yes.

  • 16. Re: Understanding encryption using Disk Utility
    guy toronto Level 1 (0 points)

    Thanks!

  • 17. Re: Understanding encryption using Disk Utility
    Pondini Level 8 (38,720 points)

    Tony T1 wrote:

    ...but the OP is asking about encrypted disk images

    Yes, that's what I mean. You can create them with Disk Utility, via the New Image icon in the Toolbar:

     

    [Image: Screen Shot 2012-02-03 at 12.19.00PM.png]

  • 18. Re: Understanding encryption using Disk Utility
    Tony T1 Level 6 (8,380 points)

    Pondini wrote:

     

    Tony T1 wrote:

    ...but the OP is asking about encrypted disk images

    Yes, that's what I mean. You can create them with Disk Utility, via the New Image icon in the Toolbar:

     

    Then I don't understand your statement that "When an encrypted volume (an actual disk partition or a disk image) is backed-up, the data is decrypted." An encrypted disk image is not decrypted when backed-up.

  • 19. Re: Understanding encryption using Disk Utility
    Pondini Level 8 (38,720 points)

    It really doesn't matter (the end result for this purpose is the same), but I believe it is.  Any time a user (or app) reads from it, the data is decrypted.   If the destination is encrypted, the data is re-encrypted.    

  • 20. Re: Understanding encryption using Disk Utility
    christopher rigby1 Level 4 (2,080 points)

    I'm baffled. What's the point of encrypted images or FV if some crook could steal your TM drive and find your data unencrypted?

  • 21. Re: Understanding encryption using Disk Utility
    Tony T1 Level 6 (8,380 points)

    christopher rigby1 wrote:

     

    I'm baffled. What's the point of encrypted images or FV if some crook could steal your TM drive and find your data unencrypted?

     

    With Lion, you can encrypt the TM Drive

    Anyway, even if you choose not to encrypt the TM Drive, any Encrypted Disk Images backed up to TM will remain encrypted

  • 22. Re: Understanding encryption using Disk Utility
    christopher rigby1 Level 4 (2,080 points)

    Tony T1 wrote:

     

     

     

    With Lion, you can encrypt the TM Drive

    Anyway, even if you choose not to encrypt the TM Drive, any Encrypted Disk Images backed up to TM will remain encrypted

     

    Including FV accounts?

  • 23. Re: Understanding encryption using Disk Utility
    guy toronto Level 1 (0 points)

    Chris:

     

    I must admit to still being a little uncertain too. My take from some of the earlier postings is that encrypted data will remain encrypted in TM. But Pondini's latest posting seems to suggest that if an app (TM?) reads data, it becomes decrypted. Not sure this makes sense.

     

    Agree that goal needs to be that encrypted data remains encrypted, even when backed-up - otherwise no real sense.

     

    I'm not sure that I'm totally comfortable with answers to date - although Tony seems pretty categoric (and is giving the answer I was looking for).

     

    TM back-ups really go to the essence of the question. Assume automatically scheduled backups throughout the day. Assuming that during the day, there are times that the encrypted disk image is being used (ie a password has been entered), and other times not. What is happening in TM? Are all back-ups encrypted? Or are backups that occur while files are available (ie password entered) taking unencrypted data? The latter would certainly not be a desired outcome!

  • 24. Re: Understanding encryption using Disk Utility
    Tony T1 Level 6 (8,380 points)

    Including FV accounts?

     

    Encrypt the Time Machine Drive:

     

    [Image: HT1427_TimeMachine_Start-001-en.png]

  • 25. Re: Understanding encryption using Disk Utility
    Tony T1 Level 6 (8,380 points)

    If in doubt, just encrypt the TM Drive

  • 26. Re: Understanding encryption using Disk Utility
    Pondini Level 8 (38,720 points)

    guy toronto wrote:

    . . .

    But Pondini's latest posting seems to suggest that if an app (TM?) reads data, it becomes decrypted. Not sure this makes sense.

    Yes, that's exactly what happens.  The data is copied and decrypted "on the fly" so you can read it.  The original file (on disk) remains encrypted.  Only the copy made in memory (RAM) for you to read or edit is decrypted.

     

    When you then save, copy, export, the (unencrypted) data in memory, it may or may not be encrypted, depending on the destination. If you just save it back to the encrypted drive (or disk image), it will be encrypted. If you save it to an unencrypted drive (or disk image), it will not be encrypted.

     

    Part of the confusion here is the difference between encrypting an entire volume vs. encrypting a disk image.

    Agree that goal needs to be that encrypted data remains encrypted, even when backed-up - otherwise no real sense.

    Not always.  A laptop user who makes backups to an external HD may want the laptop's HD to be encrypted, so it's protected if the laptop is lost or stolen while the user is travelling, but may not want the backups to be encrypted, if the backup HD is in a secure place.

     

    An encrypted disk image, however, will always be encrypted on disk, regardless of the encryption status of the volume it resides on.

     

    Assume automatically scheduled backups throughout the day. Assuming that during the day, there are times that the encrypted disk image is being used (ie a password has been entered), and other times not. What is happening in TM? Are all back-ups encrypted?

    If the disk image is encrypted, the backups of it will be encrypted.   But remember, the contents are only backed-up when the disk image is not mounted.

  • 27. Re: Understanding encryption using Disk Utility
    motrek Level 1 (25 points)

    Hopefully this will clear things up:

     

    Let's say you have an encrypted volume (either a disk partition or a disk image). When you mount the volume and enter the password, it gives OS X the ability to present the volume as if it wasn't encrypted. Anything read from the disk is decrypted on-the-fly, and anything written to the disk is encrypted on-the-fly. To the user, and his applications, the volume might as well not be encrypted.

     

    This is the only way encrypted volumes can work, logically. If files weren't decrypted on-the-fly, then they would just appear as encrypted garbage to your applications and you wouldn't be able to open them.

     

    So to answer the OP's question, if you copy a file from an encrypted volume (for example, your Mac, if you're using FileVault) to an unencrypted volume (for example, an unencrypted Time Machine disk), the file will be decrypted on-the-fly as it's read off the encrypted volume and stored in unencrypted form on the unencrypted volume. This might not be as worthless as it sounds since maybe your Mac is a laptop with a non-trivial chance of being stolen, whereas your Time Machine backup disk might be stored in your relatively safe office or home.
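
A toy model of the on-the-fly behaviour described in posts 26 and 27, added here as an illustration and not written by anyone in this thread: data read through a mounted volume arrives as plaintext, while the image file on disk only ever holds ciphertext. The class and function names are hypothetical, the sample secret is constructed, and the SHA-256 keystream is an insecure stand-in for the real cipher, not Apple's disk image format.

```python
import hashlib
import os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy keystream (SHA-256 in counter mode); stand-in for the real cipher, NOT secure.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class ToyEncryptedImage:
    """Hypothetical model of an encrypted disk image; not Apple's format."""
    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.on_disk = {}      # name -> (nonce, ciphertext): all the image file ever holds
        self._key = None       # exists in memory only while mounted

    def mount(self, password: str) -> None:
        self._key = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def unmount(self) -> None:
        self._key = None

    def _need_key(self) -> bytes:
        if self._key is None:
            raise PermissionError("image is not mounted")
        return self._key

    def write(self, name: str, data: bytes) -> None:
        nonce = os.urandom(16)                      # encrypted on the fly
        self.on_disk[name] = (nonce, _xor_stream(self._need_key(), nonce, data))

    def read(self, name: str) -> bytes:
        key = self._need_key()                      # decrypted on the fly
        nonce, ciphertext = self.on_disk[name]
        return _xor_stream(key, nonce, ciphertext)

def demo(secret: bytes = b"constructed sample: account 0000-1111"):
    image = ToyEncryptedImage()
    image.mount("correct horse")
    image.write("notes.txt", secret)
    # Case 1: copy a file out of the mounted volume to an unencrypted destination.
    plain_destination = {"notes.txt": image.read("notes.txt")}
    image.unmount()
    # Case 2: copy the image file itself, as a backup of the container would.
    raw_image_copy = b"".join(n + c for n, c in image.on_disk.values())
    return secret in plain_destination["notes.txt"], secret in raw_image_copy
```

`demo()` returns `(True, False)`: the copy made through the mounted volume is readable plaintext, and the copy of the image file is not.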

  • 28. Re: Understanding encryption using Disk Utility
    guy toronto Level 1 (0 points)

    Thanks for the clarification, Motrek. Ultimately, I suppose that this is all logical. But still a little uncertain regarding Pondini's comment that TM will only back up when a disk is not mounted. That would mean that backups (of an encrypted disk image) would always be encrypted (irrespective of whether the destination is itself an encrypted image). While I like that solution, I can't help wondering what makes TM skip info in a disk image that is mounted.

     

    If Pondini is correct, I would of course need to remember to make sure that my disk images are unmounted when making backups!

  • 29. Re: Understanding encryption using Disk Utility
    motrek Level 1 (25 points)

    I don't want to start an argument but I don't see how what Pondini is saying could possibly be correct.

     

    First of all, you can certainly use TM to back up mounted volumes, since almost everybody uses TM to back up their main (boot) hard drive, and you can't be expected to unmount your boot drive in order to back it up. Also, one of TM's main features is file versioning, so you can access a file as it was an hour ago in case you accidentally mess it up (hence the name "Time Machine"). That wouldn't be possible if you could only back up unmounted volumes since it means you'd have to unmount and remount whatever volume you're using every hour, which people obviously don't do.

     

    Second, I don't believe TM backups are necessarily encrypted, even if they are backing up encrypted volumes, since there's a very prominent setting in TM that lets you choose whether or not your backup is encrypted. Presumably if this option is not checked, the backup is not encrypted. Otherwise, why have the option?

     

    So if you want everything encrypted, I think it's very easy. Just turn on FileVault on your boot drive and select the option in Time Machine to encrypt your backup and you should be covered.