
Wednesday, May 30, 2012

Don't rely on Apple for sensible encrypted backups

Apple really confuses me sometimes. Let's review how they handle user data, especially with regard to backups and encryption.

In earlier versions of Mac OS X, there was something called FileVault which could be turned on for individual accounts. It turned your home directory into an encrypted disk image, which was mounted when you logged in and unmounted again when you logged out.

This had interesting ramifications if you were using their Time Machine backup product. It refused to back up a FileVault home directory while it was mounted, presumably because the image could change in scary and unpredictable ways out from under it. After all, Time Machine saw the encrypted home as nothing but a file or series of files, and changes during the backup process could be disastrous.

So, back then, the standard operating procedure was to log out of your account every so often. This was no big deal: you just do a command-shift-Q with your left hand, hit ENTER with your right hand, and walk away. It would shut down your processes, log you out, unmount your partition, garbage-collect it, and then back it up as an encrypted bundle. Your data would wind up on the backup device in a safe state, and required a password for access.

Of course, this overall situation still had some holes in it, since the rest of your drive was left unencrypted, and it could have some tasty data on it. Other companies came out with whole disk encryption (WDE) products, which intercept the boot process and demand a password before the machine will continue.

Apple eventually got on the WDE wagon and decided to give us FileVault 2. This one drops the image-per-user scheme and instead encrypts the entire partition. It leaves only a small piece of the disk unencrypted (the recovery partition), which is enough to boot far enough to prompt for a password and unlock the rest.

In this environment, when you power up your machine, you log in as a user who's allowed to decrypt the drive, it mounts the partition, and then it boots up and logs you in. From this point on, everything thinks it's just a normal drive, since it's all effectively wrapped for you.

Time Machine, too, runs inside this bubble, so it sees everything as unencrypted. It will fire up and run whenever it wants, and it will copy data straight across to the backup drive.

Have you spotted the problem yet? It's taking data from inside the encrypted environment and is writing it to the backup drive without any sort of protection.

You spent all that time encrypting your entire drive, and then it just goes and gives the data away to the backup device without protecting it!

"Just turn on the encryption option in Time Machine", you say.

"Ha ha ha", I respond.

Look at this!

[Screenshot: Time Machine's backup disk chooser]

See, I'm using Time Machine -- Apple's software for backing things up -- with a Time Capsule, which is Apple's hardware for backing things up! It's a little box with a power cord, a network interface, and a bunch of disk space.

When I use this double-Apple-approved environment, it denies me the "Encrypt backup disk" option. It makes no sense at all.

Yes Apple, please let me take my data out of my nice safe encrypted partition and then store it on another unencrypted partition somewhere else in my office. Thanks a lot! You really make me feel secure here.

I understand that the encryption option starts working when you plug in an external drive. Well, gee, this is a laptop. It's supposed to be portable! If I wanted it to be tethered all the time, I would just use a Mini or something instead.

Don't say "just plug in the external disk now and then". The whole point of the Time Machine + Time Capsule combo was that it would automatically run periodic snapshots without such fiddly nonsense.

So far, the one alternative I've seen to Time Machine was something that really did not fill me with confidence. I had to do a number of dubious steps to make it back up to an encrypted bundle on my Time Capsule, and then it threw a bunch of errors which makes me wonder if it worked at all. It's far from the "turn it on and leave it" that I expect here.

Someone must have already solved this in a way which doesn't involve piles of ridiculous shell scripts (or the equivalent in any other language, for that matter).

It needs to:

  1. Back up the entire machine so I could conceivably recover using it.
  2. Run these backups automatically at sensible intervals.
  3. Not complain just because the lid was closed while it was working.
  4. Complain visibly if it can't actually back up for an extended period.
  5. Just sit there and be quiet if all is well.
  6. Write to a Time Capsule without any funny stuff. Just let me pick the device and perhaps provide a password, and it figures out how to connect, create bundles, mount them, and all of that other stupid housekeeping stuff.
  7. Encrypt all backups!
  8. Not beat the machine to death with I/O while I'm trying to use it (Time Machine on Lion, I'm looking at you).
  9. Be smart about noticing idle time on the box, and take that as a hint to maybe wake up and get some work done while things are quiet.
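For the record, here is what the "dubious steps" version of the list above looks like when written down, as an added example and not code from the original post or from Apple. It uses only stock macOS tools: an AES-256 encrypted sparse bundle is kept on the Time Capsule share and a file-level copy is rsynced into it, so nothing but ciphertext ever touches the Capsule's disk (requirements 6 and 7). The small pure helpers decide when to run (requirement 9) and when to complain (requirements 4 and 5). Every path, name, interval and the passphrase file are assumptions made for the example; it assumes the share is already mounted and the Mac has hdiutil and rsync.

```shell
#!/bin/sh
# Added example, not from the original post: manual encrypted backup of a
# home directory into an AES-256 sparse bundle living on a Time Capsule share.
# Paths, names, intervals and the passphrase file below are all assumptions.

SHARE="${SHARE:-/Volumes/TimeCapsule}"              # Time Capsule share, already mounted
BUNDLE="$SHARE/laptop-backup.sparsebundle"           # encrypted container stored on the share
MOUNTPOINT="${MOUNTPOINT:-/Volumes/laptop-backup}"   # decrypted view, exists only on this Mac
PASS_FILE="${PASS_FILE:-$HOME/.backup-passphrase}"   # mode 0600; passphrase never goes on a command line
LOCAL_STAMP="$HOME/.last-encrypted-backup"            # epoch seconds of the last successful run
MAX_AGE_SECS=$((3 * 24 * 3600))                       # nag after three days without a backup
MIN_IDLE_SECS=600                                     # only start after 10 minutes of no input

# Create the container once. -stdinpass keeps the passphrase out of `ps` output.
create_bundle() {
    printf '%s' "$(cat "$PASS_FILE")" | hdiutil create -size 500g -type SPARSEBUNDLE \
        -fs HFS+J -encryption AES-256 -stdinpass -volname laptop-backup "$BUNDLE"
}

mount_bundle() {
    [ -d "$SHARE" ] || { echo "share $SHARE is not mounted" >&2; return 1; }
    [ -d "$BUNDLE" ] || create_bundle || return 1
    printf '%s' "$(cat "$PASS_FILE")" | hdiutil attach -stdinpass -nobrowse \
        -mountpoint "$MOUNTPOINT" "$BUNDLE"
}

unmount_bundle() { hdiutil detach "$MOUNTPOINT"; }

# The check that matters for this post: what sits on the Capsule must be ciphertext.
bundle_is_encrypted() { hdiutil isencrypted "$BUNDLE" | grep -qi yes; }

# File-level copy of the home directory into the decrypted view. This is not a
# bootable full-machine image, so requirement 1 is not covered by this script.
run_backup() {
    mount_bundle || return 1
    if rsync -a --delete --exclude .Trash "$HOME/" "$MOUNTPOINT/home/"; then
        date +%s > "$LOCAL_STAMP"
        status=0
    else
        status=1
    fi
    unmount_bundle
    return $status
}

# Pure decision helpers (no Mac needed to exercise them).
# backup_is_fresh LAST NOW MAX: 0 if LAST (epoch seconds) is within MAX seconds
# of NOW; an empty or non-numeric LAST (never backed up) counts as stale.
backup_is_fresh() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ $(($2 - $1)) -le "$3" ]
}

# should_run_now IDLE MIN_IDLE: only start I/O when the box has been idle,
# so the user is not fighting the backup for the disk (requirements 8 and 9).
should_run_now() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ]
}

# Seconds since the last keyboard or mouse input; HIDIdleTime is in nanoseconds.
idle_seconds() {
    ioreg -c IOHIDSystem | awk '/HIDIdleTime/ { print int($NF / 1000000000); exit }'
}

# Requirements 4 and 5: silent when fine, loud (stderr plus non-zero exit,
# which launchd records) when the last good backup is too old.
check_backup() {
    if backup_is_fresh "$(cat "$LOCAL_STAMP" 2>/dev/null)" "$(date +%s)" "$MAX_AGE_SECS"; then
        return 0
    fi
    echo "WARNING: no successful encrypted backup in the last $((MAX_AGE_SECS / 3600)) hours" >&2
    return 1
}

case "${1:-}" in
    backup) if should_run_now "$(idle_seconds)" "$MIN_IDLE_SECS"; then run_backup; fi ;;
    check)  check_backup ;;
    verify) bundle_is_encrypted && echo "ok: $BUNDLE is encrypted" ;;
    '')     ;;   # no arguments: just define the functions
    *)      echo "usage: $0 backup|check|verify" >&2; exit 2 ;;
esac
```

Wire `backup` and `check` to a launchd job with a StartInterval and you have something that at least covers requirements 2, 4, 5, 7 and 9. It plainly does not cover requirement 1 (it is a file copy, not a whole-machine image) or requirement 6 in the "no funny stuff" sense, which is exactly the author's point: the one step that matters for security, keeping the Capsule's copy encrypted, is the one Apple's own combination would not do.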

One thing I definitely do not care about is the Time Capsule restore interface. I could probably live with a rotating set of snapshots, just like we used to do in the old days with weekly "fulls" and daily incrementals. I'm more concerned with being able to do a full restore than I am with being able to roll back any one file to arbitrary times.

As long as I can mount it from another Mac after supplying a password, I'll be very happy. It doesn't need to be anything fancier than that.

Is this going to be yet another situation where I have to go build my own full-stack backup scheme in order to have both a sane client and a sane server? If it turns out that way, I am going to be rather annoyed.


July 29, 2012: This post has an update.