How secure is Time Machine/FileVault/Dropbox/Google?

A third party solution like Dropbox should always be considered insecure, as you leave your data in the hands of a company you cannot "see or touch". Such companies might operate under the laws of another country which permits/forbids differently than the country you live in, and therefore making any legal actions nearly impossible in case of abuse.

Furthermore, companies get sold and bought. A reputable provider offering an online solution can be bought, and the data can fall into hands of people whose main purpose with this trade is exploiting this opportunity.

I'm not trying to say that you should be paranoid, but use your common sense when choosing an online backup/file storage provider. Google the company name, read reviews about the service, etc.


I'm not sure what you mean by "system password". If you're talking about the password to an admin account, or even root, then it's not an issue; FileVault security is completely independent of overall OS security (well, with one exception: if someone subverts the box, installs something like a keylogger, then hands it back to you and captures your FV password as you log in...).

OTOH, if the "system password" you're talking about is what the Security prefs calls the "Master password", then anyone who guesses it has an easy backdoor into your FV. But it's not resettable with the install disc, or any other method that doesn't involve knowing it to begin with. So that's not really a worry.

Now, on to backup security: Time Machine's not a problem (with the caveat Arjan mentioned, that it can't back up your account while you're logged in) because it backs up the encrypted data, so it has essentially the same security that FV itself has. You do have some minor annoyance when restoring, because TM's slick restore interface can't see into the backed-up FV, so you have to manually mount the backed-up image and then root through it by hand. (Ok, one more minor qualification: since Time Machine will store multiple versions of the encrypted data, it may be possible to tell something about what's going on inside of FV by looking at how the encrypted version changes; I haven't seen anyone analyze FV for its resistance to this type of attack.)

TFM's basically right about backups you don't have control over, if you're backing up the unencrypted version of your files. If you're backing up the FV encrypted version, then you're back in the same situation as with TM: it's (mostly) automatically secure, but you've got the annoyance of only being able to back up while logged out, and restoring anything'll mean downloading an entire snapshot of the FV image, manually mounting, etc.

I'd recommend looking a program designed for encrypted online backup; done right, this encrypts everything before it leaves your machine (so you aren't dependent on the security of the repository) and is still easy to restore from. Unfortunately, I haven't done the necessary research to be able to recommend a specific solution that "does it right" (and I'm sure there are lots that do it wrong).


I know a little bit about DropBox's security. The data is encrypted on S3, but DropBox holds the encryption keys, not you. (so they could snoop if so inclined). If you want to hold the keys, you need JungleDisk or similar. Of course there is a downside to having the keys on your side... if you lose them you're screwed.