8 Replies Latest reply: Jan 11, 2014 4:54 AM by Oliver von Quadt
Oliver von Quadt Level 1 Level 1 (35 points)

Hi,

 

My question is about encrypting a remote Time Machine backup on a Drobo 5D.


Setup:


  • Mac mini 2012, Drobo 5D (connceted via Tunderbolt)
  • Mavericks Server
  • Services: Time Machine Services, File Sharing, Caching Server

 

Before I begin:

Local Time Machine encryption to a locally connected Drobo drive (Thunderbolt or USB) is known to be fatal, because Drobo works with a virtual disk layer, pretending to the OS, that the maximum drive space is larger than the acutal disk array installed. That way, the volume can grow in size later on. If you select a locally connected Drobo as your Time Machine backup, OS X will try to encrypt the complete volume, which will corrupt the volume because of the virtualization going on there.

 

My question: is this also true on Time Machine Server service?

 

I have my Mac running OS X Server (10.9) with a 5D connected via Thunderbolt as the redundant data volume. The server provides Time Machine services to my clients. Clients are backing up via WiFi to the server. If a client is performing a Time Machine backup on the server, the server actually creates a Sparsebundle, instead of writing the data directly to the share.


So my thought is: if the remote Time Machine volume is actually a sparsebundle, shouldn't it then be possible to also enable encryption on it, as the encryption would only be applied to the sparse bundle instead of the complete Drobo volume?

 

 

Any experiences in this field would be most welcome!

 

 

 

PS: I know that this question would rather belong to a Drobo forum, however, I would like to double-check this question in this forum as well.




Mac mini, OS X Mavericks (10.9)
  • 1. Re: Encrypt Time Machine backups on 10.9 Server with Drobo 5D
    Demetrios Level 2 Level 2 (200 points)

    <crickets>

     

    I'm curious to know the answer. Debating between a Drobo 5D and a 5N. Leaning towards 5D attached to our OS X Mavericks Server but it would have to be compatible with Time Machine.

     

    Hope someone with experience with these can chime in here…

  • 2. Re: Encrypt Time Machine backups on 10.9 Server with Drobo 5D
    Rhodan_0x10 Level 1 Level 1 (10 points)

    I have the same configuration and can say it works.

     

    In TimeMachine-Server-Tab I choose a folder that is located at the Drobo 5D. On Client-site you see the share and choose this one as Destination, don't forget to tick the box for encryption.

     

    The Server than makes an encrypted sparsebundle, this one is on Serversite only accesible after you provide the right password.

     

    Greetings Rhodan

  • 3. Re: Encrypt Time Machine backups on 10.9 Server with Drobo 5D
    Demetrios Level 2 Level 2 (200 points)

    Good to hear. Is the setup of for Drobo 5D to use Time Machine much different than what is shown in this PDF for the 5N?

  • 4. Re: Encrypt Time Machine backups on 10.9 Server with Drobo 5D
    bobgeo Level 1 Level 1 (25 points)

    Note that I had an issue with other users being able to grab someone's sparsebundle (there was no little minus sign locking them out of being able to do that), and I am using a Drobo 5D connected via Thunderbolt. You can see the solution I finally randomly figured out here:  https://discussions.apple.com/message/24303161#24303161

     

    This may be helpful to you or others.

  • 5. Re: Encrypt Time Machine backups on 10.9 Server with Drobo 5D
    Demetrios Level 2 Level 2 (200 points)

    Thanks for the link!

     

    So is your Drobo only used for backups?

     

    I'm considering purchasing a 5D but I'd like to use it partially for secure backups, for a handful of Macs, and partially as extra shared file storage space for the Mac mini server. Possible?

  • 6. Re: Encrypt Time Machine backups on 10.9 Server with Drobo 5D
    bobgeo Level 1 Level 1 (25 points)

    The Drobo 5D has worked out great for us - once we realized that in order to use Time Machine in a network environment and have permissions respected, you only want to format it with Apple's Disk Utility which puts a permission group of Staff, I believe.

     

    But, yes, I believe it would work fine for your intended use; just partition it and off you go. I went into Disk Utility as if I was going to make some extra partitions and it seems like it would work fine. Note that I could not continue with making the partitions as we are actively using this as our company's backup disk.

     

    The backup and speed have been much faster compared to the Firewire disk we were using before and we have not had problems with it. Drobo has been good with putting out firmware updates here and there as well. This is our first Drobo and we have been pleased.

  • 7. Re: Encrypt Time Machine backups on 10.9 Server with Drobo 5D
    Rhodan_0x10 Level 1 Level 1 (10 points)

    In my eyes there is a big different beetween this solution in this PDF for the 5N and providing a netshare via Server.app. On the one hand you provide a dedicated netshare with proper accessrights on the drobo, on the other hand any thing is handled by the server that functions as TimeMachine-Server and be able to provide with one selected "share" folder a destination for different clients.

    The backup destination in my environment is access limited to a special user tmservice that i created, additional user acount "everyone" has no access. This behavior is initial setuped by Server.app itself.

     

    Short to say: to provide an TimeMachine-Backup via Server.app is a self-configuration task instead of provide an normal net-share at which you have to set the proper user-rights.

     

    Hope this information will help, greetings Rhodan

  • 8. Re: Encrypt Time Machine backups on 10.9 Server with Drobo 5D
    Oliver von Quadt Level 1 Level 1 (35 points)

    I think, if you have individual Users set up at the server, then you shouldn't have the described sparse bundle "grab" problem, as every user is logging in separately and thus gets assigned his own bundle.

     

    This is in theory right now, as I have not tested it personally, but I will soon.

     

    My main concern was using encryption on a Drobo (they strongly advise against it). But since this is a server side time machine service, only the sparse bundle will get encrypted, and not the whole Drobo volume.

     

    If you would go with a plain network share (without a server side time machine service), and enable encryption when you select the shared Drobo, then the whole Drobo would be encrypted, which is very bad due to the Drobo-level virtualization of your Drobo drive.

     

    I also don't think, that creating a special volume on the Drobo is ultimately necessary. Since 10.9 server now supports maximum Time Machine sizes, you can soft-limit the size that way, while still using a single Drobo volume.