All of my backup and clone drives are encrypted. Encrypting my machine’s drive isn’t worth all that much if the backup drive sitting right next to it is unencrypted (even my notebook computers rarely leave the house) - so mine are not.
2 Likes
You should encrypt your CCC backup! It’s a bit of a pain initially, as you have to boot using the backup to turn encryption on. But once you’ve done that, it all works seamlessly (and the initial boot at least proves that your backup is bootable). Procedure explained here:
https://bombich.com/kb/ccc5/working-filevault-encryption
Further information here:
https://bombich.com/kb/ccc5/frequently-asked-questions-about-encrypting-backup-volume#can_ccc_enable_encryption
And as you acknowledged, you can (and should) enable encryption for your Time Machine backups, too.
1 Like
I tried the steps at:
Soon after that article was released (2017). But then had trouble accessing the drive when I needed to restore (computer died). Can’t remember the exact circumstances. I’ll have another go, when I upgrade the backup to SSD. Thanks.
1 Like
Thanks for that education, @Shamino. I had assumed that a “carbon copy” of an encrypted file would be encrypted. Live and learn.
Thank you for those pointers. I’m surprised that the procedure (boot from clone, turn on FileVault, boot from internal and go about life) works, but that is pretty clearly the procedure.
2 Likes
The procedure (make non-encrypted backup, boot it, enable FileVault) is to allow easy booting. When you enable FileVault on the startup volume, you can select users whose login will automatically unlock the volume. See also Use FileVault to encrypt the startup disk on your Mac.
If you create an encrypted volume and then backup to that volume, this association doesn’t happen. As I understand it, trying to boot that volume (assuming it’s even possible) will result in you seeing a pre-boot screen where you need to enter the password you used when creating the volume. Then the system will boot normally.
It’s not nearly as convenient as seeing your normal login screen as the pre-boot interface, and there’s a greater possibility that you’ll forget the volume’s password when you really need it in the future.
1 Like
On my Mini M1 I had to switch off FileVault if I wanted to use a wireless keyboard connected to an external Bluetooth dongle. The latter I require until Apple fix the Bluetooth problems with their M1 systems.
I have just moved to FileVault on my iMac 2019 and then took the steps and encrypted the Time Machine disk. Everything running smoothly and no difficulties so far. Appreciate all the excellent posts here. Thanks.
1 Like
I understand that FileVault is a machine-wide setting. In other words, if user1 turns it on, then user2 will also use it, eventually. If I got that wrong, please correct me.
The Apple help file leaves me with a couple of questions about multi-user machines.
When FileVault setup is complete and you restart your Mac, you will use your account password to unlock your disk and allow your Mac to finish starting up. FileVault requires that you log in every time your Mac starts up, and no account is permitted to log in automatically.
Would user1 enter user1’s password and user2 enter user2’s password? If so, then apparently there are multiple passwords, although I assume the normal policies that prevent user1 from seeing user2’s files would still apply. Does it matter if one or both of user1 and user2 do not have administrator privileges (but do have an administrator’s username and password, if needed)?
Yes…when you setup Filevault you tell it which accounts (admin or not) are authorized to unlock the drive. I recall some issue when I created some more user accounts after the fact 3 or 4 macOS versions back…but figured out how to solve them…I think it was a matter of disabling and reenabling Filevault but can’t remember.
Thanks, @neil1. It sounds like I can authorize every account to unlock the drive and that would cause minimal operational change for each user.
My basic understanding of the situation is that when you turn on FileVault, you set a password that encrypts the drive. This password is then somehow encrypted with the passwords of the users you authorise to unlock the drive. So none of the authorised users need to know the drive’s password – their normal login password will unlock the password that will unlock the drive (if that makes any sense).
Correct. After a reboot, you’ll get to the login screen more quickly than normal, because it’s actually a pre-boot login screen. After providing a user ID and password that’s authorized to unlock the drive, the rest of the system will boot and you will log in to the account.
Subsequent logins (after logging out without rebooting) will be exactly as without FileVault.
Well, FileVault is working perfectly. Not so happy with encrypted Time Machine - it does a backup and then takes forever to encrypt again, I mean like over an hour! Got 1.85 TB on a 4 TB TM drive (my iMac has a 1 TB drive). This is after days of using the TimeMachine system. I just happened to look at the System Prefs screen and saw it was “encrypting” again and it said about 2 more hrs required - but it had already encrypted! Frustrating. Good way to burn out a drive?
I think it is relevant to ask:
How does an encrypted clone drive work, if attaching the drive to a new Mac computer?
Or a new Windows computer (with 3rd party apps to access the APFS drive).
Or… an old computer running an ancient macOS?
All of which are possible scenarios, if trying to get back to work after a computer dies.
If the drive was backed up with FileVault, it will ask for a password, and you can use the password for any account that was set up to unlock the encryption key. If it was just encrypted with a passphrase, you just need to enter the passphrase.
I didn’t realize there was such a thing as that.
For an HFS+ encrypted drive, it would be the same as above. FileVaiult 2 began with OS X Lion if I remember correctly, so Lion and later should be able to handle an HFS+ encrypted FieVault drive.
APFS requires High Sierra or later.
1 Like
It was also available (in pre-release form, and only via command-line tools) in macOS Sierra (10.12), but I don’t think I would trust that implementation if there is any other possible alternative.
I need to correct myself. It turns that when I was testing this, I did have FileVault on, and that was why I was getting the password prompts.
So yes, even on a T2 Mac, Target Disk Mode allows access to the internal drive unless FileVault is on.
The moral of the story is, turn on FileVault!
Sorry for the incorrect information.
1 Like