hoakley March 10, 2021 Macs, Technology

iCloud Secure Backup comes to macOS

When you’re trying to sort out a problem, the Unified Log can be a real pain, with its endless chatter and repeated entries. But for exploration it can be a fascinating mine of tantalising glimpses into what your Mac is up to. When looking through Time Machine backup entries this week, I stumbled across what appeared at first to be a linked sub-system, SecureBackupDaemon (SBD). In fact, it’s something quite unassociated with Time Machine, and it was just by chance that on this occasion it ran at the start of an automatic backup, and its log entries were picked up by Mints.

SBD is quite reclusive too: you’ll find its LaunchAgent in /System/Library/LaunchAgents/com.apple.SecureBackupDaemon.plist, which in turn refers to the Universal Mach-O binary at /System/Library/PrivateFrameworks/CloudServices.framework/Helpers/com.apple.sbd. That isn’t an ‘.sbd’ file, but the binary containing the sbd daemon.

For once, Apple documents Secure Backup in its Platform Security Guide. It covers the databases containing personal information which are kept in and synced using iCloud: Contacts, Calendars, Photos, Messages, and most importantly the Keychain. A fuller listing comes from the log, where it includes:

AccessoryPairing
AppleTV
BackupBag
ContinuityUnlock
CreditCards
HomeKit
NanoRegistry
OtherSyncable
PCS-Backup
PCS-CloudKit
PCS-Escrow
PCS-FDE
PCS-Feldspar (Find My, perhaps?)
PCS-Maildrop
PCS-MasterKey
Notes
Photos
Sharing
iCloudDrive
iMessage (Messages)
Passwords
WatchMigration
WiFi
iCloudIdentity

Apple states that Secure Backup is run once daily, which could be shortly after you start your Mac up, as was the case when I happened to catch it at work. In that case, it’s one of the iCloud sync tasks responsible for the slowly-filling progress circle displayed next to your iCloud Drive in the sidebar of Finder windows. Unlike Time Machine backups, which can’t be started until five minutes after starting your Mac up, Secure Backup can start earlier, and doesn’t appear to be scheduled or dispatched by the DAS and CTS-XPC system. Macs which are left running overnight should then perform at least one Secure Backup each day.

For iOS and iPadOS devices, Secure Backup is only performed when a device is locked, connected to a power source, and has a Wi-Fi connection to the Internet. The macOS version of Secure Backup also seems to have a preference for Wi-Fi connections, although I expect that it’s also perfectly happy to work over ethernet instead. Neither do Macs need to be ‘locked’ or even idle.

As the name implies, Secure Backup transfers and stores your data securely: data to be backed up is encrypted, and transferred and stored in iCloud in that encrypted form. The keys used for encryption are stored in a special iCloud Backup ‘keybag’, which is itself encrypted and stored with the encrypted data in your iCloud storage. Your keychain, at least in iOS, is specially protected using what Apple terms a “UID-tangled key”, which allows restoration only to the same device from which it came, and prevents any third-party (including Apple) from reading its contents.

What’s strangest about this in macOS is that there appears to be no user interface to Secure Backup: in iOS, this is controlled in the Settings app, but I have so far been unsuccessful in finding any control, or a means to restore from a Secure Backup, in Big Sur. Perhaps this is a feature earmarked for future extension.

Log entries made during a Secure Backup contain many Apple internal names which can make them opaque. There’s considerable involvement with Octagon and OctagonTrust, for example, which refers to a Private Framework of that name. I also noticed an error report in the sbd code which reads “unable to fetch certificate (lakitu error)”, referring to creatures in Super Mario Bros. My favourite error message, though, is “iCloud gave us junk for metadata”, which I hope proves rare.

For iOS devices, Secure Backup is an important feature for many users. While it already appears to function in Big Sur, its role is unclear at present. Hopefully this will become more clear in the near future.

21Comments

Add yours

1

Joss on March 10, 2021 at 9:07 am

This may be slightly off-topic: I’m using BackBlaze as my remote backup solution, but I’ve always thought about using a directory on my iCloud Drive as the destination for an encrypted incremental & deduplicating remote backup. Is this already possible? (I’m not thinking about Apple’s own integrated solution, i.e. ~/Documents etc. in iCloud.) There are lots of free backup programs like Borg & Duplicacy, but I haven’t found any info yet if these also work with an iCloud Drive directory as the destination. (When I search for these tools with respect to iCloud, it’s always users who want to backup their iCloud content to another remote server, not local content to the iCloud drive.)

LikeLiked by 1 person
- 2
  
  hoakley on March 10, 2021 at 11:02 am
  
  I’m sorry – I don’t have a clue. I suspect this is a bit outside the realms of CCC or SuperDuper!, but wonder if ChronoSync might do the job better?
  You might like to pause a little to see if this Secure Backup develops into something more general and exposed to the user.
  Howard.
  
  LikeLike
  - 3
    
    Joss on March 10, 2021 at 11:04 am
    
    Thank you. Yes, definitely, and as long as BackBlaze is cheaper than Apple’s 2 TB iCloud plan, this is hypothetical anyway.
    
    LikeLiked by 1 person
4

Milo on March 10, 2021 at 12:13 pm

I’m a little bit confused by the name. Is this a backup seperate from the “regular” iCloud sync? Or does secure backup in this case refer to the actual sync service?

LikeLiked by 2 people
- 5
  
  hoakley on March 10, 2021 at 12:20 pm
  
  Thank you.
  No, this isn’t just a regular sync with iCloud data and files. If you have an iOS or iPadOS device which syncs with iCloud, you control the apps/data which it syncs through its iCloud settings, just as you do on a Mac. Secure Backup is a separate control within Settings, which you can enable or disable. This is an encrypted backup, not a data sync. However, it takes place during what is displayed in the Finder as an iCloud sync.
  Howard.
  
  LikeLike
  - 6
    
    Milo on March 10, 2021 at 12:47 pm
    
    Thank you for the explanation. I wasn’t aware that iCloud backups off the items mentioned in the article are all end-to-end encrypted. I only knew that iCloud sync of contacts, calendars, notes and photos are not.
    
    LikeLiked by 1 person
7

Dakotamoons on March 10, 2021 at 12:55 pm

Fascinating. This certainly is a lot to digest. I will refrain from commenting until I’ve had a chance to review Howard’s link to the Platform Security Guide, and then there’s the hundreds-of-pages long PDF Apple Documentation to absorb. I am feeling a little shock and awe, simultaneously, with a heavy dose of confusion. Will stay tuned for additional insights into this interesting development. Many questions, but need to do my own due diligence before asking irrelevant questions about all this which may be already documented at the Apple links. Thank you Howard for the heads up. Didn’t see this coming.

LikeLiked by 1 person
- 8
  
  hoakley on March 10, 2021 at 1:22 pm
  
  Thank you.
  Apart from the couple of pages in the Platform Security Guide, I know of no Apple documentation on this for macOS, only iOS.
  Howard.
  
  LikeLiked by 1 person
  - 9
    
    Dakotamoons on March 10, 2021 at 2:59 pm
    
    Ah, good point. I had followed the link in your article to Apple’s Platform Security Guide, and then to their PDF link https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-security-guide.pdf but did not have time to scrutinize the PDF as it’s literally hundreds of pages long. Again, a million thanks. Still dazed and confused, as always! But so appreciative of your alert of this new architecture.
    
    LikeLiked by 1 person
10

jeff abbott on March 11, 2021 at 3:23 am

Process: 1. Updated boot drive to 11.2.3 2. Restarted the computer holding the start key and changed security settings to the “new option” permissive security 3.. Made a CCC backup to a Rav Power USB-C drive 4.. Restarted the computer holding the start key, then installed the OS. Done..

Yea:) Jeff

>

LikeLiked by 1 person
- 11
  
  hoakley on March 11, 2021 at 10:15 am
  
  Thank you, but I’m sorry, you’ve lost me.
  Howard.
  
  LikeLike
12

reactorcontrol on March 11, 2021 at 9:05 am

It was always my understanding, that sbd does not backup any actual data, but only the CloudKit root keys with which those containers are encrypted. It ensures that you can regain access to your iCloud data after losing all of your devices. The system is described by Ivan Krstic in his BlackHat talk:

Here are my personal notes on the matter:
https://mroi.github.io/apple-internals/#SecureBackupDaemon

LikeLiked by 1 person
- 13
  
  hoakley on March 11, 2021 at 10:17 am
  
  Thank you.
  If you read the log, and the Platform Security Guide, I think that you’ll see that in macOS there’s now a bit more going on than that. Of course it may just be smoke with no fire, but this is a ‘proper’ secure backup in iOS already, according to Apple’s Guide.
  Howard.
  
  LikeLike
  - 14
    
    reactorcontrol on March 11, 2021 at 10:52 am
    
    OK, interesting. I have not read the new version of the guide yet. It’s on my todo list.
    
    LikeLiked by 1 person
    - 15
      
      hoakley on March 11, 2021 at 12:13 pm
      
      It’s an excellent and detailed account. There’s only a page or so about Secure Backup, but it’s all pretty explicit for iOS. Not a word about macOS, though, which makes me wonder if this is a new feature on its way.
      Howard.
      
      LikeLike
16

Nils on March 11, 2021 at 11:43 am

Is this always enabled and Big Sur transfers Data to iCloud I don’t want to be there? And what about the cases where Apple gave decrypted iCloud Backups to the FBI? Is this not possible anymore?

LikeLiked by 1 person
- 17
  
  hoakley on March 11, 2021 at 12:16 pm
  
  Yes, as far as I can see there’s currently no way to enable or disable it – it just happens. However, it’s far from clear whether it does transfer any data at present from Macs. It certainly goes through motions, but whether much/any gets transferred is another matter. From my reading of the Guide, Apple certainly doesn’t have access to any of the keychain info, and I don’t think it has to the rest either – it does appear to be truly secure.
  Howard.
  
  LikeLike
  - 18
    
    John Gilbert on March 24, 2021 at 3:13 am
    
    Not so sure about who has access to Secure Backup.
    
    The guide stalks about the iCloud Backup key bag being stored in the user’s iCloud account. That does not sound like end-to-end encryption me. Just a way to ensure that only the iCloud account can restore to a user computer.
    
    The guide explicitly says that the keychain is inaccessible by Apple because of the UID tangled key which prevent decryption on other devices.
    
    Further that messages (iMessage, SMS, etc.) are end-to-end encrypted. But the linked iCloud Security Overview https://support.apple.com/en-au/HT202303 says that “If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages.” So end-to-encrypted but with Apple having the keys. I think this applies to other data which uses CloudKit end-to-end encryption.
    
    I am trying to get my head around the “Escrow security for iCloud Keychain” section. This seems mostly about protection against other users, not about protection from Apple being told to retrieve the keys and data they protect.
    
    What I get from all this is that the user’s computer keychain is fully protected by the UID on the computer, but that user data could be accessed.
    
    Certainly, in Australia, many government organisations can enforce requests for access to user data even when protected by encryption. To quote our last prime minister: “The laws of Australia trump those of mathematics”.
    
    LikeLiked by 1 person
    - 19
      
      hoakley on March 24, 2021 at 10:18 am
      
      Thank you. Until someone takes a deep dive into this, we can only take Apple’s word for it. Sure, governments can try to enforce “requests” for access to user data, but if Apple doesn’t have access, then there’s not much to be done, is there?
      Another important note here, as regards macOS: macOS can’t back up to iCloud (yet), but it does seemingly make Secure Backups to it. There’s a difference.
      Howard.
      
      LikeLike
20

Justin McMurtry on March 17, 2021 at 4:23 am

Hi Howard… apologies for the tangent, but if I may, I’d like to ask you whether it’s feasible to have a (potentially large) folder stored and synced in iCloud, when the canonical local copy of the folder and its contents is stored on a volume *other than* the one where one’s booted macOS, and/or one’s user home directory, resides — for example, an auxiliary storage device one uses to supplement the limited and non-expandable built-in flash storage of a 2018 or 2020 Mac mini (*ahem*). I’m assuming that mere Finder aliases or symlinks from the main drive to the auxiliary are not sufficient for this purpose. Short of migrating one’s entire user home folder to the auxiliary drive, is there any way to finagle macOS and iCloud into doing this? Thanks.

LikeLiked by 1 person
- 21
  
  hoakley on March 17, 2021 at 6:53 am
  
  I’m sorry, I don’t know any way of doing that. Because of the way that the stub files work, I think they defeat any attempts to substitute links of any kind, as do the folders themselves.
  Howard.
  
  LikeLike