Hello!
I just bought my identity key, looking forward to making QRecall part of my backup strategy.

I've been reading through the help guides (which are great and have answered a lot of my questions, thanks). I do still have a few questions and this seems like a forum full of experts on the subject, so if it's ok to ask this question here, I'd like to get some advice on my new backup strategy. In terms of backing up data, QRecall is a huge improvement to what I have done in the past. But I'd like to understand better its limitations (if any) when restoring the entire start up volume.

Some background info: I just bought a new Macbook Pro and it's my first new computer since the early 2000s (Windows XP). Back in those days I was using a combination of disk imaging (PowerQuest Drive Image iirc) and manual back ups of important documents to an external drive (easily done in Windows Commander, later known as Total Commander). But my windows days mostly ended after XP and I've been a Mac user the last 15 years or so, although most of my time was spent working on machines administered by others. So, in other words, this is the first time I get to be in charge of my own backup solution on a Mac.

In my XP days I would keep the OS, applications, and all preference files on the main start up volume and then I would keep all of my data, documents, photos, music, audio and video projects, etc. on a separate partition. [Plus one more partition to make disk images of the first partition?the latest image was also backed up to the external disk.] I loved this set up back in the day because I don't love it when the OS (Windows or Mac OS) tries to manage my photos, music, documents, etc. I haven't done this yet on my new Mac but I think I would like to.

But so much has changed since last I did any of this that I feel a little lost.

As far as I can tell, there's not an easy way to create/restore static images on an APFS volume. Is there some utility that can boot from an external drive and then create/restore static images while the OS is not active? Is this not necessary anymore? What are recommended ways to be able to recover completely in the event of malware or some other failure to the start up disk?

I see that APFS supports snapshots but they seem limited to me: 1) the snapshot is stored on the local disk, so in the event of failure that snapshot doesn't exist anywhere else. 2) Is there a risk that some malware finds a way to escalate privileges and then mark itself as part of a previous snapshot? Perhaps that is a baseless concern. 3) The OS seems to have all the control over snapshots, so even if I make what I consider to be the perfect snapshot, OS X may at some point in the future decide that snapshot is old and delete it (keeping, perhaps, newer ones that it made itself but are not useful to me).

One of my concerns is for my software licenses. I do audio work, and I own quite a few audio plugins. Many of them are registered by a key and often that key is single use. So once the key has been applied, it can't be applied again without contacting the company and requesting a reset. So, ideally, a restore solution for the start up volume should not upset that apple cart, otherwise it's a whole day of work going online and requesting re-activations, etc. Bleh.

My other concern is about backing up while the OS is running. Are there any risks for doing live captures of Catalina? Would there be any benefit to making a bootable clone (with CCC or Super Duper or something?I've never used either) and running the initial QRecall capture from the clone so that the internal start up volume is not active at the time?

Sorry for such a long post. Just trying to wrap my head around 15 years of changes (plus I'm 15 years older than I was back then) so I appreciate your advice. Hopefully the answer is just run QRecall and be happy.

Steven Haver wrote:Hello!

Greetings!

That's a lot of questions, but I'll see what I can do...

As far as I can tell, there's not an easy way to create/restore static images on an APFS volume.

There are, but I wouldn't call them easy. Apple's asr command-line utility was extensively modified to make and transfer copies of APFS volumes and containers. And I believe tools like Carbon Copy Cloner has some of this functionality baked in. I sometime use these during testing (to quickly create a freshly installed operating system, for example), but these days I'm not a fan of trying to preserve copies of your system volume for later restoration (I'll explain later).

I see that APFS supports snapshots but they seem limited to me: 1) the snapshot is stored on the local disk, so in the event of failure that snapshot doesn't exist anywhere else. 2) Is there a risk that some malware finds a way to escalate privileges and then mark itself as part of a previous snapshot? Perhaps that is a baseless concern. 3) The OS seems to have all the control over snapshots, so even if I make what I consider to be the perfect snapshot, OS X may at some point in the future decide that snapshot is old and delete it (keeping, perhaps, newer ones that it made itself but are not useful to me).

1) Snapshots are not backups
2) This is impossible. Ignoring how the malware would get these privileges in the first place, snapshots are read only. There is nothing in APFS that allows code to modify a snapshot once it's been taken, so no ... malware can't use a snapshot to "fly under the radar" as it were.
3) Again, snapshots are not backups.

Snapshots are used for versioning, and are a tool for making clean backups. But they are not backups nor are they substitutes for backups.

Backups (including QRecall) use snapshots to "freeze" the state of the volume so that it can leisurely backup all of the data as it existed at a particular instant in time. macOS also uses multiple snapshots on laptops, when mobile, to persevere the state of the volume at different times so, when the laptop is later reunited with it's backup volume, all of those snapshots can be transferred to the backup. But then all of the snapshots are discarded. So think of snapshots as a temporary vessel for a backup, but it isn't a backup and they aren't persistent.

One of my concerns is for my software licenses. I do audio work, and I own quite a few audio plugins. Many of them are registered by a key and often that key is single use.

QRecall (like all competent backup programs) will persevere, and later restore, all of the files on your system volume. If your software license keys are based on the data and metadata of those files you should be fine. However, some licensing enforcement schemes use other information (like taking a fingerprint of your hard drive or saving the inode of a file) and that's beyond the scope of backup software. I remember once adding memory to my computer, only to find that Photoshop wouldn't launch anymore because it was convinced I had copied it to another computer. QRecall can't protect against that.

My other concern is about backing up while the OS is running. Are there any risks for doing live captures of Catalina?

Returning to snapshots, Catalina, system volumes, and QRecall.

Catalina splits your startup volume into two different volumes. A read-only System volume containing the entire core operating system, and a read-write Data volume that contains all of your data and anything that changes (preferences, cache, history, ...). This fact is hidden from the casual user (and most software) with some slight-of-hand that makes these two volume appear to be a single volume. The idea is that malware can't modify or corrupt any system file because the volume it's on can't be modified.

Because the System volume is read-only and can only be created by Apple's macOS Installer, QRecall no longer backs up the System volume. It only captures the read-write Data volume. Following some catastrophe, you can restore your entire system by restoring all of data from your archive to a (newly created APFS) volume, then run the macOS Installer to turn that volume into a bootable System+Data pair.

Having a minimal system and a copy of QRecall on a thumb drive makes this simple: Boot from external USB thumb drive, use Disk Utility to create/format an empty APFS volume, open QRecall archive and restore entire startup volume, run macOS Installer, and you're back in business. (Note if your archive is stored on a bootable hard drive you can simply install an emergency copy of QRecall and the OS on the same volume.)

The advantages here are: (a) minimal archive size because QRecall isn't backing up system software it can't restore on it's own anyway and (b) a clean operating system is always reinstalled from a safe, reliable source.

Would there be any benefit to making a bootable clone (with CCC or Super Duper or something?I've never used either) and running the initial QRecall capture from the clone so that the internal start up volume is not active at the time?

No advantage because of snapshots. Again, every QRecall capture starts by making a temporary snapshot of your volume and then it captures that snapshot.

And in closing, I'm not a fan of partitions ... they're soooo 1990's. All modern filesystem (ZFS, APFS, ...) treat a "volume" as a fluid, flexible, entity that can dynamically resize itself and span multiple physical devices. Making partitions just makes your life harder. That's my opinion, at least.

James Bucanek wrote:That's a lot of questions, but I'll see what I can do..

Thank you so much! I'm much clearer on everything now and I hope others will find your response here on the forum and it will answer their questions as well.
Now that I understand about Catalina's read-only system volume that clears up a lot of confusion and I don't feel the need to back up that volume.

A clean operating system is always reinstalled from a safe, reliable source.

Ok, this makes sense. It's tough only because half the year I have 300Mbps internet and the other half of the year I only have 5Mbps. In the first case, doing a fresh install via the internet is a breeze. In the second case, it's an overnight ordeal at best. But the future is bright. Either fiberoptic or Starlink will make its way here soon enough.

I remember once adding memory to my computer, only to find that Photoshop wouldn't launch anymore because it was convinced I had copied it to another computer.

Ha! And I imagine the new memory was largely to help with Photoshop. That's how they get you!

James Bucanek wrote:partitions ... they're soooo 1990's

Haha! I love this. Yes, I won't be adding any partitions to my Mac but I probably will add a second volume within the same volume container for my projects drive. It's just neater and easier for me to navigate when I can see all my folders right on the root of the volume.

Can QRecall capture two different volumes to the same archive? If so, are there any obvious advantages or disadvantage to doing it that way? Would it be better to keep them as two separate archives?

Thanks again for all of your time!

Steven Haver wrote:It's tough only because half the year I have 300Mbps internet and the other half of the year I only have 5Mbps. In the first case, doing a fresh install via the internet is a breeze. In the second case, it's an overnight ordeal at best. But the future is bright.

You can prepare for this in advance in several ways. One is to set up that external emergency boot volume with a copy of QRecall on it, and also download the Catalina installer. The downloaded installer is self contained and it will be ready to go when you need it.

An even more surgical approach is to download the Catalina installer then use the command-line tool to build a stand-alone Catalina installer volume (again, a modest sized USB thumb drive is perfect for this). When when disaster strikes, simply boot from the stick and start the reinstall.

Can QRecall capture two different volumes to the same archive? If so, are there any obvious advantages or disadvantage to doing it that way? Would it be better to keep them as two separate archives?

QRecall lets you do whatever you want. You can capture multiple volumes, from multiple systems, to the same archive or split up your captures to separate archives, in whatever combination makes sense.

The advantage of a single archive is that you take full advantage of data de-duplication across all files and volumes. The disadvantage is that the archive can ge pretty big, which makes verify, compact and such more time consuming.

Great. Thank you so much.

There should be very little duplication between the two volumes, so I'll start with separate archives to start and then adjust over time if needed. Really looking forward to it and really appreciate all of your advice!