Encrypt your Time Machine backups
Apple offers different ways to manage Time Machine encryption for local and network backups. Glenn Fleishman reports
Concerned about your Mac’s start-up SSD or hard disk drive falling into someone else’s hands? Encrypting the start-up volume prevents access to that drive unless they know an account’s password or, in some cases, possess the correct hardware to unlock the contents.
Apple automatically enables drive encryption for the start-up volume on any Intel Mac with a T2 Security Chip and on all M1-based Macs. For other Intel Macs, when you enable FileVault the start-up volume becomes encrypted, too. (FileVault on all Macs also enables boot protection, which keeps your encrypted drive locked down until you validate your login with an authorized account.)
But what of backups? If you use Time Machine via a local or networked drive, your backed-up files are easily accessible if someone detaches the drive and plugs it into another computer.
Time Machine supports data encryption in one of two ways:
Encrypt the backup: Time Machine lets you choose to encrypt a backup when you begin the backup process for the first time on a volume. After selecting a listed volume in the Time Machine preference pane’s Select Disk dialog, you can check ‘Encrypt backups’. When you click Use Disk, you’re prompted to enter a password. This can be useful if you want each backup to have a separate password, or each person backing up over a network wants to select and retain a private password. (If you want to enable encryption later, the backup has to start from scratch; Time Machine won’t encrypt a nonencrypted archive.)
Encrypt the partition: In the Finder, you can Control-click a Time Machine volume that’s formatted as HFS+ (Mac OS Extended) or APFS, select Encrypt, and enter a password, and the entire volume becomes encrypted. When you select the volume for a Time Machine backup, it automatically checks the ‘Encrypt backups’ box – because the volume is encrypted. You should not be prompted for the volume’s password as it’s already mounted.
In the Time Machine preference pane, the current backup volume or backup will show the word Encrypted under the volume’s name when encryption is active.
[Figure: You can opt to encrypt an entire Time Machine volume.]
[Figure: Select a volume and check ‘Encrypt backups’ to encrypt a specific backup.]
The password you enter should be strong, and you need to store it on your own – macOS doesn’t make a record in the system Keychain. You can use 1Password or another manager to keep a record, or use another system that lets you keep encrypted notes. You could even write it in a paper notebook you can keep secure – though that doesn’t help you if it’s lost, stolen, or destroyed.
Time Machine should secure the password to the volume or backup as long as you’re in the current session. After restarting and in some other cases, you may be prompted to re-enter the volume password. You may never be asked to re-enter a local or networked Time Machine backup password unless you change your backup destinations for the Mac you’re backing up.