Is is possible to enable encryption for a Time Machine target disk with a script or using the command line?
Is an encrypted Time Machine disk really just the same as a normal disk, full-disk-encrypted using FileVault?
I'd like to automate as much as is convenient when installing a Mac for a new user. This includes backups. We're using OS X Mountain Lion.
Additional discoveries:
- You can ask a target to be encrypted from the Time Machine preferences GUI. This does not make it show up as such using the `fdesetup` command. It will however list as encrypted using `diskutil cs list`.
- If first encrypting a drive, the Time Machine prefs GUI will say "Encrypt backups" for that entry. This would support the method suggested below by Rene (except he suggests doing it on an encrypted image placed on a disk).
Best Answer
No, sorry chickpee, I believe you're incorrect.
Yes. It is. This would be "FileVault 2" we are talking about, aka CoreStorage, Apple's newish logical volume manager. This is different than the previous TM and FileVault technologies, which are based on AES-encrypted sparse-bundle disk images (which are still used for network backups, etc.). The process that starts in System Preferences (these days) when you enable disk encryption (whether on an external disk, for Time Machine, or on the boot drive for FileVault), provided the disk is suitable, does an online conversion from a traditional GPT Partition Table to a single monolithic data store, with a very small partition for the CS firmware. Logical volumes (in logical volume groups) are then carved out of this, and these (software) volumes are then HFS formatted and encrypted.
I believe the most straightforward method for doing this would be to:
- `diskutil cs create/convert` (wasn't/was formatted; unimportant) to initialize and add a new LVG
- `diskutil cs createVolume`, create a single LV. You could enable encryption at this point, with `diskutil cs encryptVolume`, if you know the passphrase you're going to use; if not, leave it unencrypted for now.
- `diskutil partitionDisk diskX` -- see below -- CS volumes appear as if they are completely autonomous, separate disks, so you partitionDisk.
Then: mount and unlock the volume on your new user's machine. Once the disk is unlocked, there shouldn't be any trouble 'adopting' it for use there. If you want to put it into a config script, I believe it's just something like `tmutil -a /Volumes/Foo`, `tmutil startbackup -ad disk...`. This is the part I'm least sure about, but I'm also sure it's easily doable. I haven't done this for Time Machine per se myself, but I pre-encrypt disks for FileVault like this all the time, and the OS sort of just knows what to do with it after that.
A properly suitable CS-enabled disk is going to appear like this in diskutil (although you might not have the third partition on disk0 if it knows it's not going to be a boot drive):
disk0 will not appear as encrypted, ever, since this is what the volume manager basically has to 'boot' off of. disk1 will be encrypted and will require the passcode to mount.
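As an added example (not part of the question or of the answer above): a shell script for the provisioning step that verifies the CoreStorage volume really is encrypted by parsing `diskutil cs list`, the command the asker found reports it where `fdesetup` does not, and only then hands it to Time Machine. It assumes the Mountain Lion `diskutil cs list` layout (the sample below is constructed and trimmed), a volume named "Backup", and that `tmutil setdestination` is run as root.

```shell
# Check that a CoreStorage LV really is encrypted by parsing `diskutil cs list`
# (the command the question found reports it, unlike fdesetup), and let
# Time Machine adopt it only if that check passes.

# cs_lv_encryption NAME [FILE]: print "<Encryption Type> <Encryption Status>"
# for the LV named NAME, reading `diskutil cs list` output from FILE or stdin;
# returns 1 if no such LV is listed. Family-level encryption lines precede the
# LVs they contain, so one pass remembering the last seen values suffices.
cs_lv_encryption() {
  local name=$1 src=${2:-/dev/stdin}
  awk -v want="$name" '
    /Encryption Type:/   { type = $NF }
    /Encryption Status:/ { status = $NF }
    /LV Name:/ {
      sub(/.*LV Name:[ \t]*/, "")
      if ($0 == want) { print type, status; found = 1; exit }
    }
    END { exit found ? 0 : 1 }' "$src"
}

# cs_lv_is_encrypted NAME [FILE]: 0 only if the LV is AES-XTS (locked or not).
cs_lv_is_encrypted() {
  local out
  out=$(cs_lv_encryption "$1" "${2:-/dev/stdin}") || return 1
  [ "${out%% *}" = "AES-XTS" ]
}

# adopt_tm_target NAME: hand the volume to Time Machine only once it is
# confirmed encrypted (tmutil setdestination needs root).
adopt_tm_target() {
  diskutil cs list | cs_lv_is_encrypted "$1" ||
    { echo "refusing: $1 is not an AES-XTS CoreStorage volume" >&2; return 1; }
  sudo tmutil setdestination "/Volumes/$1"
}

# Constructed sample of `diskutil cs list` output, trimmed to the relevant
# lines: one encrypted LV ("Backup") and one plain LV ("Scratch").
SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
+-- Logical Volume Group 00000000-AAAA-BBBB-CCCC-000000000001
    +-> Logical Volume Family 00000000-AAAA-BBBB-CCCC-000000000002
        Encryption Status:       Locked
        Encryption Type:         AES-XTS
        +-> Logical Volume 00000000-AAAA-BBBB-CCCC-000000000003
            LV Name:               Backup
    +-> Logical Volume Family 00000000-AAAA-BBBB-CCCC-000000000004
        Encryption Status:       Unlocked
        Encryption Type:         None
        +-> Logical Volume 00000000-AAAA-BBBB-CCCC-000000000005
            LV Name:               Scratch'
```

On a real machine the call is `adopt_tm_target Backup`; `printf '%s\n' "$SAMPLE_CS_LIST" | cs_lv_encryption Backup` exercises the parser offline against the constructed sample.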