"the site for those who crave disappointment"

Sponsored Links

Cheap, Easy and Encrypted Backups With Time Machine on Leopard

31st Jan 2009, 14:56:17

By James Stocks

Time Machine Icon

I used Linux to make Time Machine work better than Apple intended. Read on for details of the wonders of iSCSI.

Most Leopard users agree that Time Machine is a great way to back up your Mac; it's easy to set up, it's automatic and it's easy to restore old files.

I have some special requirements (as usual!) which Time Machine can't meet in its standard configuration:

A bit about iSCSI

This is where iSCSI comes into the equation. Hopefully this diagram explains the mechanics of it:

The MacBook Pro is running an iSCSI initiator - think of this as an iSCSI client. It is used to connect to the iSCSI target (the 'share') on the Debian Linux box. When the MacBook connects to the iSCSI target for the first time it sees a blank disk which would be partitioned and erased in exactly the same way as any physical disk. Crucially, Time Machine can't tell the difference between an iSCSI disk and a real disk.

It is worth noting that iSCSI works at the block level, it is not a network share like AFP or Samba/CIFS is. If two machines were to mount the disk at the same time they would corrupt it - fortunately, this is impossible with the configuration I'm about to create.

Get on with it you fool

Yes, well all right. The first thing to do is find an old PC. Any old PC will do provided you can stuff big enough disks in it. I chose an old HP mini-tower and then bought a couple of extra 500GB SATA disks to go in it. I then installed Debian Etch on the first 80GB disk, leaving the 500GB drives untouched. Annoyingly, the iSCSI modules aren't available in Etch, so I dist-upgraded to Lenny. You could just as easily use the latest Ubuntu if you prefer.

So, by this point you should have a pristine Debian Lenny or Ubuntu install working on the PC.

At this point I will build a RAID array. If you don't require RAID, skip to the encryption part below.

Make sure the appropriate support is installed:

# apt-get install mdadm

Once you're sure you know the correct device names, instantiate the RAID:

# mdadm --create --verbose  /dev/md0 --level=raid1 --raid-devices=2 /dev/sd[cd]
mdadm: size set to 488386496K
mdadm: array /dev/md3 started.

We need to tell mdadm about the RAID so that it can check for problems. Find the RAID's UUID with mdadm:

# mdadm --examine --scan
ARRAY /dev/md0 level=raid1 num-devices=2 UUID=77004f79:3bc3c381:e72a2d57:3cde0288

Paste this line into /etc/mdadm/mdadm.conf. You may wish to set an email address for alerts while you're in there.


To fulfil the security requirements, I shall encrypt the device. This requires a package:

# apt-get install cryptsetup

Set a password for the new encrypted device:

# cryptsetup luksFormat /dev/md0

This will overwrite data on /dev/md0 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: 
Verify passphrase: 
Command successful.

Decrypt and open the device:

# cryptsetup luksOpen /dev/md0 crypt-raid
Enter LUKS passphrase: 
key slot 0 unlocked.
Command successful.

Note the decrypted data accessible to the OS is now /dev/mapper/crypt-raid - you can treat this exactly as though it were a physical drive.

We want the encrypted device to be decrypted each time the system boots, so we must add it to the /etc/crypttab file:

# vi /etc/crypttab

# <target name>	<source device>		<key file>	<options>
crypt-raid      /dev/md0            none        luks

As it stands, you will have to enter the password to decrypt the device each time the Linux machine boots. This might be what you want - but my machine has no monitor most of the time so I use a USB key instead. If I need to boot the machine I just insert the USB key to authenticate myself.

Create the following script:

# vi /usr/sbin/


# Part of passwordless cryptofs setup in Debian Etch.
# See:
# Author: Wejn 

if [ "x$1" = "x" -o "x$1" = "xnone" ]; then

echo "Trying" >&2
mkdir -p $MD
modprobe usb-storage >/dev/null 2>&1
modprobe vfat >/dev/null 2>&1
sleep 7
for SFS in /sys/block/sd*; do
	DEV=`basename $SFS`
	if [ 0`cat $SFS/removable` -eq 1 -a -f $F ]; then
		echo "> $DEV" >&2
		mount /dev/${DEV}1 $MD -t vfat -o ro 2>/dev/null
		if [ -f $MD/$KEYF ]; then
			cat $MD/$KEYF
			umount $MD 2>/dev/null
		umount $MD 2>/dev/null

if [ $OPENED -eq 0 ]; then
	echo "FAILED" >&2
	echo -n "Uh oh " >&2
	read -s -r A
	echo -n "$A"
	echo "I found the keyfile on the USB drive.  Hooray!" >&2

Don't forget to make it executable.

# chmod +x /usr/sbin/

Now choose a file on your USB drive to be your keyfile. The content of the file is not important, it could be a text document, an audio file, whatever. Just be aware that if even a single bit changes, the keyfile is no longer valid. Obviously this should look like some random file you carry around, 'keyfile.txt' would be a poor choice (duh)!

Use cryptsetup to add your keyfile:

# mkdir /keyfile
# mount /dev/sd-whatever /keyfile
# cd /keyfile
# cryptsetup luksAddKey key-file.ext
# cd
# umount /keyfile
# rm -r /keyfile

Edit your crypttab to take account of the keyfile:

# vi /etc/crypttab

# <target name>	<source device>		<key file>	<options>
crypt-raid      /dev/md0            keyfile.ext luks,keyscript=/usr/sbin/

Rebuild the initrd (not sure if update-grub is needed, but can't hurt!):

# update-initramfs -u all
# update-grub

Reboot (with USB drive in) and test. This concludes the encryption portion.

iSCSI itself

We now need to install the iSCSI tools and modules:

# apt-get install iscsitarget iscsitarget-modules-2.6-686

Now, edit /etc/ietd.conf:

# vi /etc/ietd.conf

IncomingUser made-up-user hard-password

# Target should be date YYYY-MM, fully qualified hostname (reversed) then, make up a disk name.
Target iqn.2009-01.spruce.san:disk2
	IncomingUser made-up-user hard-password
	# This is the device you just created with cryptsetup
	# can also be a 'normal' device like /dev/sdb if you didn't encrypt
	Lun 0 Path=/dev/mapper/crypt-raid,Type=fileio
	# This is the default anyway - but let's be explicit!
	MaxConnections 1

Now, restart the iSCSI service:

# /etc/init.d/iscsitarget restart

Believe it or not, that's all you have to do to the Linux box, head on over to the Mac.

Leopard doesn't have an iSCSI initiator, but GlobalSAN have created one and give it away for free, so download and install it.

Once your initiator is installed, go to System Preferences and configure it:

iSCSI initiator

In the Targets tab, add your iSCSI target.

iSCSI initiator

In the sessions tag, log in to your target.

If you open Disk Utility, you'll be able to see your iSCSI disk, you can erase it just as you would any other disk. When you do so, Time Machine will ask whether you want to use it as your Time Machine disk.

Time Machine

Enjoy your automated, encrypted resilient backups.


To change the password or keyfile on an encrypted volume:

What keys already exist?

# cryptsetup luksDump /dev/md0
LUKS header information for /dev/md0

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 2056
MK bits:        256
MK digest:      59 48 02 cc cd 91 37 ae 01 f5 ce 09 f6 09 dd 4f f2 84 0a 50 
MK salt:        89 7d fb a7 a5 e4 c2 dd a3 0b 2a ab 1f 01 cf 47 
                2c a7 dd 36 bf af 7f af 60 aa a0 a7 24 23 5c 96 
MK iterations:  10
UUID:           b3f577e7-c0d4-4f8b-a25b-a563ce9d8328

Key Slot 0: ENABLED
        Iterations:             55145
        Salt:                   5b a0 4c 54 99 99 99 99 4c 67 b8 58 5d 97 80 24 
                                67 8e e7 bc 35 5e d5 95 25 aa aa d0 42 8c 96 20 
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: ENABLED
        Iterations:             54610
        Salt:                   5b 96 f9 21 92 84 2a 1a da 45 ae a6 14 8b be 64 
                                93 1e 42 b4 c2 c4 71 c2 ae 45 db 93 f0 fa b9 2a 
        Key material offset:    776
        AF stripes:             4000
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

There are keys in slots 3 and 0. The key in slot 0 is the password, don't remove that unless you really mean to.

Add the new keyfile

# cryptsetup luksAddKey /dev/md0 new-key-file.jpg

Delete the old one

# cryptsetup luksDelKey /dev/md0 3

If the keyfile has a different name, remember to edit /etc/crypttab

crypt-raid      /dev/md0           new-key-file.jpg luks,keyscript=/usr/sbin/

Rebuild initrd with the new settings

# update-initramfs -u all
# update-grub

New Comments

Some Rights Reserved