This is an unofficial mirror of pondini.org by James Pond, who is unfortunately no longer with us.

All rights belong to James' beneficiaries.

No guarantee is made about the accuracy or completeness of this mirror.

 

Time Machine - Frequently Asked Questions

31.  How do I set up and use encrypted backups?

Previous      Frequently Asked Questions        Home      Troubleshooting       Contact      Next   

 

Previous            Frequently Asked Questions           Home           Troubleshooting         Contact     Next 

Effective with Lion 10.7.x, you can encrypt backups made to an internal or external HD, to prevent access by unauthorized users.   The disk must be directly-connected (not on a network) and have the GUID partition table.  If you're not sure about a drive, see the blue box below.

Effective with Mountain Lion 10.8.x, you can also encrypt network backups, such as on a Time Capsule or shared drive on another Mac.  If you're not sure what's on your Mac, see What version of OSX do I have?

You can start fresh with an empty volume on an internal or directly-connected external HD.  The fastest way to do that is to encrypt it by erasing it via Disk Utility and choosing one of the encrypted formats, per #3 below.

You can encrypt existing backups on an internal or directly-connected external HD, per #1 or #2 below, but that will take a very, very long time.  (A tiny test set of 6 backups using 12 GB took an hour via FireWire 800).  Note the Cautions in the pink box below.


Once a disk or partition is encrypted, there are some restrictions on what you can do with it, and it will appear rather differently in Disk Utility.  See the pink box in #8 of Using Disk Utility.


There are three ways to encrypt your backups:

Using encrypted backups:

Once encrypted, the backups can't be
accessed without the password. 

When your Mac starts up (or the disk is connected), you'll see this prompt:

Thereafter you (or any other user) can back up and restore from them without entering the password each time. 


  1. If you check the Remember this password . . . box, the volume will be mounted automatically when you log on or connect the disk.

  2. If you click Cancel, you can mount the volume later, either by disconnecting and reconnecting, or via Disk Utility.  An unmounted encrypted volume is shown in gray in Disk Utility's sidebar.  Select it in Disk Utility's sidebar;  the Mount/Unmount button changes to Unlock.  Click it and you'll get the password prompt.

  3. The password will also be required to access your backups to do a full system restore or to set up a new Mac via Setup Assistant or Migration Assistant.

 

  1. 1.The Select Disk dialog on the Time Machine Preferences window:

  2. When you select a destination, the Encrypt backup disk box won't be enabled if the disk isn't eligible to be encrypted.

 
  1. 2.The Do you want to use . . . dialog when you connect an external disk and Time Machine is not set up:
  2. As above, the box will only be enabled for volumes that support encryption.

 
  1. 3.Formatting or erasing a volume via Disk Utility.  If the disk you want to use doesn't have the GUID partition table, you must completely erase and reformat it.  See Question #5 for instructions.


However you do it, you'll be prompted
to enter a password:

If you forget the password, your backups are gone.  They cannot be recovered.

If you remove the checkmark from a volume that's already encrypted, you'll be prompted for the password, to turn encryption off.

You can also remove encryption via Disk Utility.  See  Question #5.

 

Cautions:

  1. If you forget the password, your backups are gone for good:  they cannot be recovered.   (That's kinda the point, after all.)

  2. These backups will not be available, even with the password, to Macs running Snow Leopard or earlier versions of OSX.

  3. If any partition on a disk is encrypted, no partitions on that disk can be altered with Disk Utility:   you can't add, remove, or resize them.  If you're comfortable with UNIX and Terminal, you may be able use the diskutil command for that.

What Partition Map Scheme does my drive have?


Use the Disk Utility app,
in your Applications/Utilities folder.  

When it starts, select the first line for the drive (with the size and make).  

The Partition Map Scheme will be shown at the lower right:

Changing that requires copying all the data elsewhere temporarily, then reformatting the drive, and copying the data back.   See question #5 for reformatting instructions.

 
  1. You can encrypt existing backups on an external or internal drive, but it will take a long time.  You'll get a prompt like the one below to create a password.  The disk will be prepared for encryption;  then the encryption will be done (and shown on the Preferences window with a progress bar);  then a backup runs.


  1. You cannot

  2. encrypt existing network backups. If you try, you'll get these choices: