Understanding encryption using Disk Utility

4005 Views 41 Replies Latest reply: Jan 13, 2013 2:57 PM by Pondini
  • Pondini Level 8 (38,710 points)
    Feb 3, 2012 9:17 AM (in response to guy toronto)

    guy toronto wrote:

    Thanks for the explanation. Forgive me for being technologically dense. Are you saying that in the case of an encrypted disk image, my back-up (using Time Machine) will be encrypted?

    Yes.

    - when the disk is mounted (ie data unencrypted), it will not be backed up. Back-up of data will only occur when the disk is not mounted (ie when the data is encrypted). Hence backed up data is always encrypted.

    Am I getting this right?

    Yes.

  • Pondini Level 8 (38,710 points)
    Feb 3, 2012 9:23 AM (in response to Tony T1)

    Tony T1 wrote:

    ...but the OP is asking about encrypted disk images

    Yes, that's what I mean. You can create them with Disk Utility, via the New Image icon in the Toolbar:

    [Image: Screen Shot 2012-02-03 at 12.19.00PM.png]

  • Tony T1 Level 6 (8,105 points)
    Feb 3, 2012 9:46 AM (in response to Pondini)

    Pondini wrote:

    Tony T1 wrote:

    ...but the OP is asking about encrypted disk images

    Yes, that's what I mean. You can create them with Disk Utility, via the New Image icon in the Toolbar:

    Then I don't understand your statement that "When an encrypted volume (an actual disk partition or a disk image) is backed-up, the data is decrypted." An encrypted disk image is not decrypted when backed-up.

  • Pondini Level 8 (38,710 points)
    Feb 3, 2012 9:54 AM (in response to Tony T1)

    It really doesn't matter (the end result for this purpose is the same), but I believe it is. Any time a user (or app) reads from it, the data is decrypted. If the destination is encrypted, the data is re-encrypted.

  • christopher rigby1 Level 4 (2,070 points)
    Feb 9, 2012 6:22 AM (in response to Pondini)

    I'm baffled. What's the point of encrypted images or FV if some crook could steal your TM drive and find your data unencrypted?

  • Tony T1 Level 6 (8,105 points)

    christopher rigby1 wrote:

    I'm baffled. What's the point of encrypted images or FV if some crook could steal your TM drive and find your data unencrypted?

    With Lion, you can encrypt the TM Drive

    Anyway, even if you choose not to encrypt the TM Drive, any Encrypted Disk Images backed up to TM will remain encrypted

  • christopher rigby1 Level 4 (2,070 points)
    Feb 9, 2012 6:37 AM (in response to Tony T1)

    Tony T1 wrote:

    With Lion, you can encrypt the TM Drive

    Anyway, even if you choose not to encrypt the TM Drive, any Encrypted Disk Images backed up to TM will remain encrypted

    Including FV accounts?

  • Tony T1 Level 6 (8,105 points)

    Including FV accounts?

    Encrypt the Time Machine Drive:

    [Image: HT1427_TimeMachine_Start-001-en.png]

  • Tony T1 Level 6 (8,105 points)
    Feb 9, 2012 7:30 AM (in response to guy toronto)

    If in doubt, just encrypt the TM Drive

  • Pondini Level 8 (38,710 points)
    Feb 9, 2012 8:19 AM (in response to guy toronto)

    guy toronto wrote:

    . . .

    But Pondini's latest posting seems to suggest that if an app (TM?) reads data, it becomes decrypted. Not sure this makes sense.

    Yes, that's exactly what happens. The data is copied and decrypted "on the fly" so you can read it. The original file (on disk) remains encrypted. Only the copy made in memory (RAM) for you to read or edit is decrypted.

    When you then save, copy, export, the (unencrypted) data in memory, it may or may not be encrypted, depending on the destination. If you just save it back to the encrypted drive (or disk image), it will be encrypted. If you save it to an unencrypted drive (or disk image), it will not be encrypted.

    Part of the confusion here is the difference between encrypting an entire volume vs. encrypting a disk image.

    Agree that goal needs to be that encrypted data remains encrypted, even when backed-up - otherwise no real sense.

    Not always. A laptop user who makes backups to an external HD may want the laptop's HD to be encrypted, so it's protected if the laptop is lost or stolen while the user is travelling, but may not want the backups to be encrypted, if the backup HD is in a secure place.

    An encrypted disk image, however, will always be encrypted on disk, regardless of the encryption status of the volume it resides on.

    Assume automatically scheduled backups throughout the day. Assuming that during the day, there are times that the encrypted disk image is being used (ie a password has been entered), and other times not. What is happening in TM? Are all back-ups encrypted?

    If the disk image is encrypted, the backups of it will be encrypted. But remember, the contents are only backed-up when the disk image is not mounted.

  • motrek
    Jan 11, 2013 7:35 PM (in response to guy toronto)

    Hopefully this will clear things up:

    Let's say you have an encrypted volume (either a disk partition or a disk image). When you mount the volume and enter the password, it gives OS X the ability to present the volume as if it wasn't encrypted. Anything read from the disk is decrypted on-the-fly, and anything written to the disk is encrypted on-the-fly. To the user, and his applications, the volume might as well not be encrypted.

    This is the only way encrypted volumes can work, logically. If files weren't decrypted on-the-fly, then they would just appear as encrypted garbage to your applications and you wouldn't be able to open them.

    So to answer the OP's question, if you copy a file from an encrypted volume (for example, your Mac, if you're using FileVault) to an unencrypted volume (for example, an unencrypted Time Machine disk), the file will be decrypted on-the-fly as it's read off the encrypted volume and stored in unencrypted form on the unencrypted volume. This might not be as worthless as it sounds since maybe your Mac is a laptop with a non-trivial chance of being stolen, whereas your Time Machine backup disk might be stored in your relatively safe office or home.

  • motrek Level 1 (25 points)
    Jan 13, 2013 1:17 PM (in response to guy toronto)

    I don't want to start an argument but I don't see how what Pondini is saying could possibly be correct.

    First of all, you can certainly use TM to back up mounted volumes, since almost everybody uses TM to back up their main (boot) hard drive, and you can't be expected to unmount your boot drive in order to back it up. Also, one of TM's main features is file versioning, so you can access a file as it was an hour ago in case you accidentally mess it up (hence the name "Time Machine"). That wouldn't be possible if you could only back up unmounted volumes since it means you'd have to unmount and remount whatever volume you're using every hour, which people obviously don't do.

    Second, I don't believe TM backups are necessarily encrypted, even if they are backing up encrypted volumes, since there's a very prominent setting in TM that lets you choose whether or not your backup is encrypted. Presumably if this option is not checked, the backup is not encrypted. Otherwise, why have the option?

    So if you want everything encrypted, I think it's very easy. Just turn on FileVault on your boot drive and select the option in Time Machine to encrypt your backup and you should be covered.
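
The two backup paths discussed in this thread, as an added example that is not from any poster: a toy Python model showing that a copy of the image file itself stays ciphertext, while a file-level copy read through the mounted volume lands as plaintext on an unencrypted destination. All names are hypothetical, and the SHA-256 keystream is a stand-in for the real disk cipher, not something to protect data with.

```python
import hashlib

SECTOR = 64  # toy sector size in bytes

def _keystream(key: bytes, sector_no: int) -> bytes:
    # Toy per-sector keystream (SHA-256 in counter mode); stand-in cipher only.
    prefix = key + sector_no.to_bytes(8, "big")
    return b"".join(hashlib.sha256(prefix + bytes([i])).digest()
                    for i in range(SECTOR // 32))

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class MountedVolume:
    """The decrypted view the OS presents once the passphrase is entered."""

    def __init__(self, image: bytearray, passphrase: str):
        self.image = image  # the bytes that actually sit on disk
        self.key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(),
                                       b"constructed-salt", 1000)

    def write(self, sector_no: int, data: bytes) -> None:
        # Encrypt on the fly: only ciphertext ever reaches the image.
        plain = data.ljust(SECTOR, b"\0")[:SECTOR]
        start = sector_no * SECTOR
        self.image[start:start + SECTOR] = _xor(plain, _keystream(self.key, sector_no))

    def read(self, sector_no: int) -> bytes:
        # Decrypt on the fly: the caller gets plaintext, the image is untouched.
        start = sector_no * SECTOR
        return _xor(bytes(self.image[start:start + SECTOR]),
                    _keystream(self.key, sector_no))

def backup_image_file(image: bytearray) -> bytes:
    """Path 1: copy the image as one opaque file (no passphrase involved)."""
    return bytes(image)

def backup_through_mount(vol: MountedVolume, sectors: int) -> bytes:
    """Path 2: read via the mount and store on an unencrypted destination."""
    return b"".join(vol.read(n) for n in range(sectors))

SECRET = b"constructed sample: tax-return-2012"
image = bytearray(4 * SECTOR)            # constructed 4-sector image
vol = MountedVolume(image, "correct horse")
vol.write(2, SECRET)
opaque_copy = backup_image_file(image)   # what a copy of the image file holds
file_copy = backup_through_mount(vol, 4) # what a file-level copy holds
```
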
