How to encrypt your Time Machine backups

When you enable FileVault on your Mac, you in effect prevent anyone from accessing your data without your password. Without encryption, someone can remove your Mac’s hard drive, or boot the Mac to an alternative mode such as Target Disk mode, and then access your data from another system; with encryption, these efforts are fruitless. However, if you back up your Mac and your backups are not also encrypted, you may undermine the purpose of using FileVault in the first place.

If your backup drive is not encrypted, a thief can simply steal the drive and have all of your data. Therefore, if you use Time Machine, then unless your backup drive is in a locked and secure location (e.g., a Time Capsule locked in a closet), be sure to encrypt your backups.

Checking your backup encryption status

First check whether your backups are already encrypted. There are several ways to do this, but the easiest is to attach your backup drives and go to the Time Machine system preferences, where your backup destinations are listed. If a drive in this list shows “encrypted” next to it, it is encrypted; if not, it is not.

The encryption status of your Time Machine backups will be shown here in the Time Machine system preferences.

How to encrypt a Time Machine backup

If your Time Machine drive uses USB, FireWire, or another direct connection to your Mac, then you can simply right-click the drive in the Finder and choose the option to encrypt it. The Finder will then show a password prompt where you enter your password twice and supply an optional hint.

Once you confirm, the encryption process starts, and it may take a while to complete for large mechanical drives. You can check the progress in several ways, the easiest being to open the Time Machine menu (enabled in the Time Machine system preferences), where you will see a percent value indicating the status of the encryption.

What is Time Machine doing during encryption?

The encryption is handled by Apple’s CoreStorage routines. By enabling it you convert the drive to a CoreStorage volume, which then works through the data on the drive and scrambles it with the AES-128 encryption algorithm. This has to be done for every storage block of the drive, so that nothing can be read without the key.

This takes longer than simply reading or writing to the drive, and for a 500-1000GB hard drive may take about half a day to complete. Meanwhile, data can still be added to the drive, but the data will not be completely secured until the drive is 100% encrypted. The drive can be ejected from your system and otherwise used as a normal drive during this time, but the encryption only progresses while the drive is attached and mounted. Therefore, be sure you keep your drive attached until the encryption is 100% complete.
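The conversion state described above can also be read from Terminal with `diskutil cs list`. The script below is an added example, not part of the original article: it summarises each CoreStorage volume and succeeds only once every volume reports "Fully Secure: Yes". The sample listing is constructed (placeholder UUIDs, hypothetical volume name "TM Backup") and is used when `diskutil` is not available.

```shell
#!/bin/sh
# Constructed sample in the layout `diskutil cs list` prints (placeholder UUIDs).
sample_cs_list() {
cat <<'EOF'
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 00000000-0000-0000-0000-000000000001
    Name:         TM Backup
    |
    +-> Logical Volume Family 00000000-0000-0000-0000-000000000002
        Encryption Status:       Unlocked
        Encryption Type:         AES-XTS
        Conversion Status:       Converting
        Fully Secure:            No
        |
        +-> Logical Volume 00000000-0000-0000-0000-000000000003
            Disk:                  disk3
            Conversion Progress:   42%
            Volume Name:           TM Backup
EOF
}

# One line per logical volume: name, cipher, conversion state, progress, secure flag.
cs_summary() {
  awk -F': *' '
    BEGIN                  { progress = "n/a" }
    /Encryption Type:/     { etype = $2 }
    /Conversion Status:/   { status = $2 }
    /Fully Secure:/        { secure = $2 }
    /Conversion Progress:/ { progress = $2 }
    /Volume Name:/ {
      printf "%s type=%s status=%s progress=%s fully_secure=%s\n", $2, etype, status, progress, secure
      progress = "n/a"   # do not carry progress over to the next volume
    }'
}

# Exit 0 only if at least one volume family exists and all report "Fully Secure: Yes".
all_fully_secure() {
  awk -F': *' '/Fully Secure:/ { n++; if ($2 != "Yes") bad++ }
               END { exit (n == 0 || bad > 0) }'
}

# Use the real listing on a Mac, the constructed sample elsewhere.
if command -v diskutil >/dev/null 2>&1; then listing=$(diskutil cs list)
else listing=$(sample_cs_list); fi
printf '%s\n' "$listing" | cs_summary
if printf '%s\n' "$listing" | all_fully_secure; then echo "All volumes fully encrypted"
else echo "Not fully secure yet: keep the drive attached and mounted"; fi
```

A backup job or unmount script can call `all_fully_secure` and refuse to treat the drive as protected until it returns success.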

An alternative method for encrypting a drive is to set it up from scratch. Use Disk Utility to erase the drive, and when you add it as a backup destination in the Time Machine system preferences, you will be given an option to encrypt the drive. This will wipe all data on the drive, and then prompt you for a password to use for encrypting it. Unlike encrypting a drive that already has data on it, this starts from zero data, so the encryption will be complete almost immediately. Any new data copied to it (i.e., your first full backup) will then be fully encrypted.

Encrypting networked backups

If your backup destination is a networked system such as a Time Capsule, then you can most easily encrypt it by removing it as a backup destination in the Time Machine system preferences, and then setting it up again from scratch. As with setting up a locally-attached disk, this will give you the option to encrypt your backups with a password, which ensures that if the Time Capsule is stolen, no files in your backups can be recovered.

2 thoughts on “How to encrypt your Time Machine backups”

  1. Feanor

    Time Machine includes its own backup option that seems to be different to FileVault. I’ve been told by someone on a forum that FileVault prevents usage of Recovery Mode but TM’s own encryption doesn’t.

    It’d be useful if you could discuss and explain the difference between these two methods of encrypting a Time Machine backup.

    1. Topher Kessler Post author

      Time Machine’s encryption and FileVault both use the same underlying drive management technology called CoreStorage. FileVault is the name for this implementation that is specific for your Mac’s boot drive, since it manages the recovery partition and includes features such as the drive unlock prompt at bootup (which looks like the standard OS X login window). In contrast, external drives like Time Machine do not need this login prompt. Instead, they are unlocked from within a booted OS. This is the only real difference, but they are both drives that are set up with CoreStorage, and the encryption is the same.
