All of my backup and clone drives are encrypted. Encrypting my machine’s drive isn’t worth all that much if the backup drive sitting right next to it is unencrypted (even my notebook computers rarely leave the house) - so mine are not.
You should encrypt your CCC backup! It’s a bit of a pain initially, as you have to boot using the backup to turn encryption on. But once you’ve done that, it all works seamlessly (and the initial boot at least proves that your backup is bootable). Procedure explained here:
Further information here:
And as you acknowledged, you can (and should) enable encryption for your Time Machine backups, too.
I tried the steps at:
Soon after that article was released (2017). But then had trouble accessing the drive when I needed to restore (computer died). Can’t remember the exact circumstances. I’ll have another go, when I upgrade the backup to SSD. Thanks.
Thanks for that education, @Shamino. I had assumed that a “carbon copy” of an encrypted file would be encrypted. Live and learn.
Thank you for those pointers. I’m surprised that the procedure (boot from clone, turn on FileVault, boot from internal and go about life) works, but that is pretty clearly the procedure.
The procedure (make non-encrypted backup, boot it, enable FileVault) is to allow easy booting. When you enable FileVault on the startup volume, you can select users whose login will automatically unlock the volume. See also Use FileVault to encrypt the startup disk on your Mac.
If you create an encrypted volume and then backup to that volume, this association doesn’t happen. As I understand it, trying to boot that volume (assuming it’s even possible) will result in you seeing a pre-boot screen where you need to enter the password you used when creating the volume. Then the system will boot normally.
It’s not nearly as convenient as seeing your normal login screen as the pre-boot interface, and there’s a greater possibility that you’ll forget the volume’s password when you really need it in the future.
On my Mini M1 I had to switch off FileVault if I wanted to use a wireless keyboard connected to an external Bluetooth dongle. The latter I require until Apple fix the Bluetooth problems with their M1 systems.
I have just moved to FileVault on my iMac 2019 and then took the steps and encrypted the Time Machine disk. Everything running smoothly and no difficulties so far. Appreciate all the excellent posts here. Thanks.
I understand that FileVault is a machine-wide setting. In other words, if user1 turns it on, then user2 will also use it, eventually. If I got that wrong, please correct me.
The Apple help file leaves me with a couple of questions about multi-user machines.
When FileVault setup is complete and you restart your Mac, you will use your account password to unlock your disk and allow your Mac to finish starting up. FileVault requires that you log in every time your Mac starts up, and no account is permitted to log in automatically.
Would user1 enter user1’s password and user2 enter user2’s password? If so, then apparently there are multiple passwords, although I assume the normal policies that prevent user1 from seeing user2’s files would still apply. Does it matter if one or both of user1 and user2 do not have administrator privileges (but do have an administrator’s username and password, if needed)?
Yes…when you setup Filevault you tell it which accounts (admin or not) are authorized to unlock the drive. I recall some issue when I created some more user accounts after the fact 3 or 4 macOS versions back…but figured out how to solve them…I think it was a matter of disabling and reenabling Filevault but can’t remember.
Thanks, @neil1. It sounds like I can authorize every account to unlock the drive and that would cause minimal operational change for each user.
My basic understanding of the situation is that when you turn on FileVault, you set a password that encrypts the drive. This password is then somehow encrypted with the passwords of the users you authorise to unlock the drive. So none of the authorised users need to know the drive’s password – their normal login password will unlock the password that will unlock the drive (if that makes any sense).
Correct. After a reboot, you’ll get to the login screen more quickly than normal, because it’s actually a pre-boot login screen. After providing a user ID and password that’s authorized to unlock the drive, the rest of the system will boot and you will log in to the account.
Subsequent logins (after logging out without rebooting) will be exactly as without FileVault.