
Understanding encryption using Disk Utility

Using Disk Utility, I created an encrypted disk image, into which I have copied files I would like to secure. This works well, but I am trying to understand how things work, so that I can control exposure. Fundamentally, the question is when are files exposed, and when not. Clearly, when a password has been entered, the file is visible and available. But is it being decoded (i.e. is the underlying file always encrypted)? If I make a copy of a file (after password entered), is this copy encrypted? If I make a back-up using Time Machine, are the back-up files (of encrypted files) encrypted?

Mac OS X (10.7.2)

Posted on Feb 2, 2012 2:10 PM

Question marked as Best reply

Posted on Feb 2, 2012 2:15 PM

See: http://en.wikipedia.org/wiki/OTFE

41 replies

Jan 13, 2013 1:24 PM in response to motrek

motrek wrote:

. . .

First of all, you can certainly use TM to back up mounted volumes

Yes, of course. Nobody is saying anything different.


We're talking about disk images, not disks (or partitions).


Second, I don't believe TM backups are necessarily encrypted, even if they are backing up encrypted volumes, since there's a very prominent setting in TM that lets you choose whether or not your backup is encrypted. Presumably if this option is not checked, the backup is not encrypted. Otherwise, why have the option?

Again, it's the difference between a disk or partition vs. a disk image.


Whether your OSX drive is encrypted or not, the backups of it will or won't be encrypted depending on whether the backups are encrypted (either via the Encrypt backup disk option in TM prefs, or via Disk Utility).


If you have an encrypted disk image on your OSX (or other) drive or partition, the backup of that disk image will be encrypted regardless.

Jan 13, 2013 1:27 PM in response to Pondini

Ah, okay, I'm sorry, I wasn't reading clearly enough and there has been some ambiguity between "volumes" and "disk images" in certain posts.


You're right, it definitely makes sense that *DMGs* wouldn't be backed up by TM if they are mounted, encrypted or not.


Also, if TM is backing up an encrypted DMG, then yes, it will remain encrypted in the backup. Imagine this scenario--you boot your computer and never enter the password to mount the DMG. The operating system has no way of decrypting the DMG but it can still back it up since it's just a file with bits and bytes. So clearly the backup DMG will be encrypted just as much as the source DMG, since it's the same bits.


Sorry if I added to any confusion.

Jan 13, 2013 1:53 PM in response to Pondini

Appreciate your further comments. But reverting to the question of TM not backing up a mounted image, are you saying that TM will skip backing up the contents of my (encrypted) disk image while the image is mounted? Am I correct in my understanding that mounting of the disk image = making it readable/available? If so, does this mean I have to make sure that the disk is unmounted in order to ensure that the material gets backed up?


My apologies for being so dense!

Jan 13, 2013 2:03 PM in response to guy toronto

I haven't used Time Machine in years but it would make sense that DMGs have to be unmounted to be backed up for the reasons Pondini went into.


Personally I found Time Machine to not be flexible enough for my backup needs. If I were in your shoes I would just occasionally unmount the encrypted DMG and drag and drop it to my backup drive.


If you buy a program like SuperDuper! you can make incremental copies of volumes, so you could have your encrypted DMG, and another encrypted DMG on a backup drive, mount both of them, and use SuperDuper! to copy the contents of one to the other, and it should be pretty quick. Much quicker than copying the entire DMG each time.

Jan 13, 2013 2:12 PM in response to guy toronto

guy toronto wrote:


Thanks for the explanation. Forgive me for being technologically dense. Are you saying that in the case of an encrypted disk image, my back-up (using Time Machine) will be encrypted?

Yes, the backup of that disk image will be encrypted. The disk/partition it's on may or may not be, depending on whether the backup volume (disk, partition, or in the case of network backups, the sparse bundle disk image the backups are on) is encrypted.


Think of a disk image as kind of a disk-within-a-disk. It has its own partition map scheme, format, directory, etc., just like a "normal" disk or partition. It just "lives" on a normal disk/partition, which may have a different setup.


Disk images, of course, can also "live" on CDs/DVDs, etc.



- when the disk is mounted (ie data unencrypted), it will not be backed up. Back-up of data will only occur when the disk is not mounted (ie when the data is encrypted). Hence backed up data is always encrypted.


Am I getting this right?

For an encrypted disk image, yes.


If you have an unencrypted disk image, the backup of it will not be encrypted (and it won't be backed-up when mounted, either).

Jan 13, 2013 2:16 PM in response to motrek

motrek wrote:

. . .

If you buy a program like SuperDuper! you can make incremental copies of volumes, so you could have your encrypted DMG, and another encrypted DMG on a backup drive, mount both of them, and use SuperDuper! to copy the contents of one to the other, and it should be pretty quick. Much quicker than copying the entire DMG each time.

Unless it's a sparse bundle disk image, it will be copied in its entirety. The other types of disk images are treated as a single file, so if anything's changed, the whole thing is considered as changed.


I'm not sure whether SuperDuper or CarbonCopy cloner will copy just the changed "bands" of a sparse bundle disk image, or the whole thing. I've never experimented with that.
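The single-file versus sparse-bundle difference described in the reply above, as an added example that is not part of the original thread: a file-level backup can compare band files by hash without the password, because it only ever reads the stored (encrypted) bytes. The `bands` folder of numbered files is how a sparse bundle is laid out on disk; the bundle name, band size and random bytes standing in for ciphertext are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

BAND_SIZE = 4096  # constructed size for the demo; real bands are megabytes


def band_digests(bundle: Path) -> dict:
    """SHA-256 of every band file, computed on the stored (encrypted) bytes."""
    bands = bundle / "bands"
    if not bands.is_dir():
        return {}
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in bands.iterdir() if p.is_file()}


def bands_to_copy(source: Path, backup: Path) -> list:
    """Band names that are new or changed relative to the backup copy."""
    src, dst = band_digests(source), band_digests(backup)
    return sorted(name for name, digest in src.items() if dst.get(name) != digest)


def demo() -> dict:
    """Build a constructed sparse-bundle-like tree, back it up, change it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "Vault.sparsebundle"  # hypothetical image name
        (src / "bands").mkdir(parents=True)
        for i in range(4):  # random bytes stand in for ciphertext
            (src / "bands" / format(i, "x")).write_bytes(os.urandom(BAND_SIZE))
        dst = Path(tmp) / "Backup" / "Vault.sparsebundle"
        shutil.copytree(src, dst)  # first backup: everything is copied
        # Simulate writes made while mounted: one band rewritten, one appended.
        (src / "bands" / "2").write_bytes(os.urandom(BAND_SIZE))
        (src / "bands" / "4").write_bytes(os.urandom(BAND_SIZE))
        changed = bands_to_copy(src, dst)
        total = sum(p.stat().st_size for p in (src / "bands").iterdir())
        return {"changed": changed,
                "band_bytes": len(changed) * BAND_SIZE,  # sparse bundle: changed bands only
                "single_file_bytes": total}              # single-file image: whole file again


if __name__ == "__main__":
    print(demo())
```
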

Jan 13, 2013 2:55 PM in response to Pondini

Yes, I back up my FileVaulted boot drive to an encrypted DMG every week or so. Works fine. SuperDuper works on the file level... all the reading/writing/encrypting/decrypting is done by the operating system below that level, so SuperDuper has no idea it's writing to an encrypted DMG instead of just another disk.
