IT Services



Backing up Mac Data Encrypted with FileVault



1. Introduction

FileVault is a Mac OS X feature which encrypts your data: your home directory in earlier versions, and the whole startup disk from 10.7 onwards. How it interacts with TSM backup depends on the version of Mac OS X which you are running.



2. Mac OS X 10.7 (Lion) and 10.8 (Mountain Lion)

From Mac OS X 10.7 (Lion) onwards, FileVault (now at version 2) encrypts the whole Mac disk. Once the Mac has been booted and the disk unlocked, its contents are transparently decrypted for running software, so TSM can read and back up your data without a problem. It does also mean that your data is sent to and stored on the backup server as if it were unencrypted data: FileVault's encryption protects the disk, not the backup copy. On the matter of how secure TSM backup is, please see our page on TSM security. For how to encrypt files for TSM backup, please see our page on how to encrypt files for backup.



3. Mac OS X 10.6 (Snow Leopard)

In both Mac OS X 10.5 (Leopard) and Mac OS X 10.6 (Snow Leopard), the earlier version of FileVault, FileVault 1, keeps your home directory in a sparse bundle disk image: a directory of band files, each 8MB in size. Users of this version of FileVault must choose whether to back up their data encrypted or unencrypted, and then exclude from TSM backup whichever form is not being backed up. Excluding one form of the data is important because otherwise both copies of your home directory are sent to the HFS, which wastes storage.

Please note that if you wish to back up your data encrypted, then another option is to encrypt within TSM, on which see our page on how to encrypt files for backup.



3.1. Backing up data unencrypted

Your data will be backed up unencrypted if you run backups while you are logged in, because then TSM can access your files. If you only ever run manual backups then this is how your data will be backed up. Your data will also be backed up in this way if your scheduled backups run while you are logged in - whether this is because you are using your machine when it backs up, or because you leave it logged in overnight.

If you back up your data unencrypted, please make sure to exclude your FileVault encrypted files from backup, so that they are not also sent to the HFS, which would waste storage. To do this, please see our page on excluding folders from backup. The exclude rule that you need to create will look like:

    exclude.dir /Users/.user_name

where user_name is the short user name that you use to log on to the machine; so for a user fred this would be:

    exclude.dir /Users/.fred

Note that the initial '.' before the username is crucial: it is this that indicates that the hidden FileVault directory (which holds the sparse bundle) is being excluded, rather than the home directory itself.



3.2. Backing up data encrypted

Your data will be backed up encrypted, i.e. in the form of the sparse bundle's 8MB band files, if backups are run while you are not logged in. This will happen if scheduled backups run and you did not leave the machine logged in; or, where a machine has two or more user accounts, if one user backs up another user's data.

This method has several ramifications, however:
  • You will not be able to restore individual files.
  • A different administrator account must be logged on when the sparse bundles are restored: you cannot restore your own.

If you back up your data encrypted, please make sure to exclude your unencrypted files from backup, so that they are not also sent to the HFS, which would waste storage. To do this, please see our page on excluding folders from backup. The exclude rule that you need to create will look like:

    exclude.dir /Users/user_name

where user_name is the short user name that you use to log on to the machine; so for a user fred this would be:

    exclude.dir /Users/fred

Note the lack of an initial '.' before the username (in contrast to the rule shown in the previous section), which indicates that the home directory itself (not the hidden FileVault directory) is being excluded.
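The two sections above describe one choice with two possible mistakes: excluding neither copy of a FileVault 1 home directory (both copies reach the HFS) or excluding both (nothing of the home directory is backed up). The following script is an added example, not code from the original page or from TSM. It prints the exclude.dir rule for either choice and audits a set of include-exclude statements for a given user. The statements are read from standard input because the page does not name the options file they live in; the sample statements at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page or from TSM itself.
# Generates the exclude.dir rule for a FileVault 1 home directory and audits
# TSM include-exclude statements (read from stdin) for the two mistakes the
# page warns about: excluding neither copy of the home directory or both.

# Print the exclude.dir rule for one user.
#   unencrypted: TSM reads the mounted home, so exclude the hidden FileVault
#                directory /Users/.NAME (the sparse bundle lives there).
#   encrypted:   TSM reads the sparse bundle, so exclude the mounted home /Users/NAME.
filevault_exclude_rule() {
    case $1 in
        unencrypted) printf 'exclude.dir /Users/.%s\n' "$2" ;;
        encrypted)   printf 'exclude.dir /Users/%s\n' "$2" ;;
        *) printf 'unknown mode: %s\n' "$1" >&2; return 2 ;;
    esac
}

# Read include-exclude statements from stdin and report, for the given user:
#   ok-unencrypted  only /Users/.NAME is excluded
#   ok-encrypted    only /Users/NAME is excluded
#   duplicate       neither is excluded: both copies are sent to the HFS
#   nothing         both are excluded: the home directory is not backed up at all
audit_filevault_rules() {
    user=$1
    home_excl=0
    fv_excl=0
    while IFS= read -r line || [ -n "$line" ]; do
        # TSM option files use '*' for comment lines; skip those and blank lines.
        case $line in
            ''|\**) continue ;;
        esac
        set -f                      # no filename globbing while splitting the statement
        set -- $line
        set +f
        kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
        [ "$kw" = "exclude.dir" ] || continue
        path=$2
        path=${path#\"}; path=${path%\"}          # allow a "quoted" path
        path=${path%/}                            # ignore a trailing slash
        if [ "$path" = "/Users/$user" ]; then
            home_excl=1
        elif [ "$path" = "/Users/.$user" ]; then
            fv_excl=1
        fi
    done
    if [ $home_excl -eq 1 ] && [ $fv_excl -eq 1 ]; then
        echo nothing
    elif [ $home_excl -eq 1 ]; then
        echo ok-encrypted
    elif [ $fv_excl -eq 1 ]; then
        echo ok-unencrypted
    else
        echo duplicate
    fi
}

# Constructed sample statements (not from the page) for a user 'fred' who wants
# unencrypted backups: the hidden FileVault directory is excluded, the home is not.
SAMPLE_STATEMENTS='* constructed sample of TSM include-exclude statements
exclude.dir /Users/fred/Library/Caches
EXCLUDE.DIR "/Users/.fred"'

printf 'rule for unencrypted backups: %s\n' "$(filevault_exclude_rule unencrypted fred)"
printf 'audit of sample statements: %s\n' \
    "$(printf '%s\n' "$SAMPLE_STATEMENTS" | audit_filevault_rules fred)"
```

To audit a real configuration, pipe the include-exclude statements into audit_filevault_rules with the short user name as its argument; a result of duplicate or nothing means the rule in the relevant section above has not been applied correctly.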