How to Back Up FileVault-Encrypted Disks With Time Machine

Encrypting Time Machine Backup

Coyote M00n, Inc.

No matter which version of FileVault you're using, you can use Time Machine to back up your data. The Time Machine backup process for FileVault 1, however, is a bit complicated and has some security issues.

If you have the option, try upgrading to FileVault 2, which requires OS X Lion or later.

Backing Up FileVault 1

Everyone needs an effective backup strategy, especially when using FileVault or any data encryption tool.

Time Machine and FileVault will work fine together; however, there are some niggling bits you need to be aware of. First, Time Machine will not back up a FileVault-protected user account when you are logged into that account. This means that a Time Machine backup for your user account will only occur after you log off, or when you're logged in using a different account.

So, if you're the type of user who always stays logged in, and lets your Mac go to sleep when you're not using it, rather than shut it down, then Time Machine will never back up your user account. And of course, since you decided to protect your data by using FileVault, you really shouldn't be staying logged in all the time anyway. If you're always logged in, then anyone who has physical access to your Mac will be able to access all of the data in your home folder, because FileVault is happily decrypting any files that are being accessed.

If you want Time Machine to run, and to adequately protect your user data, you must log out when you're not actively using your Mac.

The second little gotcha with Time Machine and FileVault 1 is that the Time Machine user interface won't work as you expect with the encrypted FileVault data. Time Machine will correctly back up your home folder using the encrypted data. As a result, your entire home folder will appear in Time Machine as a single large encrypted file. So, the Time Machine user interface that would normally allow you to restore one or more files won't operate. Instead, you'll either have to perform a full restore of all your data or use the Finder to restore an individual file or folder.

Backing Up FileVault 2

FileVault 2 is true disk encryption, unlike FileVault 1, which only encrypts your home folder and leaves the rest of the startup drive alone. FileVault 2 encrypts the entire drive, making it a very secure way to keep your data away from prying eyes. This is especially important for portable Mac users, who run the risk of a lost or stolen Mac. If the drive in your portable Mac is using FileVault 2 to encrypt the data, you can be assured that while your Mac may be gone, the data is fully protected, and not available to those who are now in possession of your Mac; it's unlikely they can even boot your Mac up.

FileVault 2 also offers improvements in how it works with Time Machine. No longer do you need to worry about having to be logged out for Time Machine to run and create a backup of your data. Time Machine now works just like it has always done with your Mac, encrypted data or not.

There is, however, one thing to consider with a Time Machine backup of your FileVault 2 encrypted drive: the backup isn't automatically encrypted. Instead, the default is to store the backup in the unencrypted state.

How to Force Time Machine to Encrypt Your Backups

You can change this default behavior very easily using the Time Machine preference pane or the Finder. It all depends on whether you're already using a backup drive with Time Machine.

Set Encryption in Time Machine for a New Backup Drive

  1. Launch System Preferences by selecting the System Preferences item from the Apple menu, or clicking the System Preferences icon in the Dock.

  2. Select the Time Machine preference pane.

  3. In the Time Machine preference pane, click the Select Backup Disk button.

  4. In the drop-down sheet which displays available drives that can be used for Time Machine backups, select the drive you wish Time Machine to use for its backups.

  5. At the bottom of the drop-down sheet, you'll notice an option labeled Encrypt backups. Place a checkmark here to force Time Machine to encrypt the backup drive, and then click the Use Disk button.

  6. A new sheet will appear, asking you to create a backup password. Enter the backup password, as well as a hint for recovering the password. When you're ready, click the Encrypt Disk button.

  7. Your Mac will start encrypting the selected drive. This can take quite a while, depending on the size of the backup drive. Expect anywhere from an hour or two to a whole day.

  8. Once the encryption process is complete, your backup data will be secure from prying eyes, just like your Mac's data.

Set Encryption Using the Finder for Existing Time Machine Backups

If you already have a drive assigned as a Time Machine backup, Time Machine will not let you encrypt the drive directly. Instead, you'll need to use the Finder to enable FileVault 2 on the selected backup drive.

  1. Right-click the drive you're using for Time Machine backups, and select Encrypt “Drive Name” from the pop-up menu.

  2. You'll be asked to provide a password and a password hint. Enter the information, and then click the Encrypt Drive button.

  3. The encryption process can take quite a while; anywhere from an hour to a whole day is not uncommon, depending on the size of the selected backup drive.

  4. Time Machine can continue to use the selected drive while the encryption process is running. Just remember that until the encryption process is complete, the data on the backup drive isn't secure.
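
To confirm the result of either procedure from Terminal, the following added example (not part of the original article) lists each mounted Time Machine destination and reports whether macOS shows it as encrypted. The field names it matches in the output of tmutil destinationinfo and diskutil info are assumptions that may differ between macOS releases, and the sample text is constructed.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumed output formats (check them on your macOS release):
#   tmutil destinationinfo  ->  "Mount Point   : /Volumes/Name"
#   diskutil info <mount>   ->  "Encrypted: Yes" or "FileVault: Yes"

# Print the mount point of each mounted destination in the text on stdin.
# Destinations that are not mounted have no Mount Point line and are skipped.
tm_mount_points() {
    sed -n 's/^Mount Point[[:space:]]*:[[:space:]]*//p'
}

# Print ENCRYPTED or UNENCRYPTED for the diskutil info text on stdin.
classify() {
    if grep -Eq '^[[:space:]]*(Encrypted|FileVault):[[:space:]]*Yes'; then
        echo ENCRYPTED
    else
        echo UNENCRYPTED
    fi
}

# Audit the live system; returns non-zero if any destination is unencrypted.
audit_tm_destinations() {
    report=$(tmutil destinationinfo | tm_mount_points | while IFS= read -r mp; do
        # </dev/null keeps diskutil from consuming the list of mount points.
        printf '%s\t%s\n' "$(diskutil info "$mp" </dev/null | classify)" "$mp"
    done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^UNENCRYPTED'
}

# Constructed sample of destinationinfo output, used when tmutil is absent.
SAMPLE_DESTINATIONS='Name          : Backup A
Kind          : Local
Mount Point   : /Volumes/Backup A
ID            : 00000000-0000-0000-0000-000000000001'

if command -v tmutil >/dev/null 2>&1; then
    audit_tm_destinations || echo "At least one backup drive is not encrypted."
else
    # Not on a Mac: only demonstrate the parsing step on the sample text.
    printf '%s\n' "$SAMPLE_DESTINATIONS" | tm_mount_points
fi
```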