How to Encrypt Your Time Machine Backups

Protect your backups from prying eyes

Macs don't encrypt user files by default, but Apple provides the option to do so in the operating system using FileVault. Early FileVault 1 had some glitches, but FileVault 2, introduced with OS X Lion (10.7), was a significant improvement. There is just one problem: many Mac users use Time Machine to back up their data, and the Time Machine backup is not encrypted by default. That can be fixed.

Information in this article applies to FileVault 2 in macOS Catalina (10.15) through OS X Lion (10.7) and includes information regarding FileVault 1, which shipped with Snow Leopard (10.6) through OS X Panther (10.3).

About FileVault 2

FileVault 2 is true disk encryption, unlike FileVault 1, which only encrypts your home folder but leaves the rest of the startup drive alone. FileVault 2 encrypts the entire drive, making it a secure way to keep your data away from prying eyes. This is especially useful for portable Mac users who run the risk of a lost or stolen Mac. If the drive in your portable Mac is using FileVault 2 to encrypt the data, you can be assured that while your Mac may be gone, the data is fully protected and not available to those who are now in possession of your Mac; it's unlikely they can even boot up your Mac.

Why Encrypt Time Machine Backups

There is one important thing to consider with a Time Machine backup of your FileVault 2 encrypted drive: The Time Machine backup isn't automatically encrypted. Instead, the default is to store the backup in the unencrypted state.

You can change this default behavior easily using the Time Machine preference pane. Exactly how depends on whether you're already using a backup drive with Time Machine or are planning to use a new one.

Set Encryption in Time Machine for a New Backup Drive

If you aren't currently using a backup drive with Time Machine, you need to set up a new backup disk in the Mac's System Preferences. Here's how:

  1. Launch System Preferences by selecting System Preferences from the Apple menu or clicking the System Preferences icon in the Dock.

  2. Select the Time Machine preference pane.

  3. In the Time Machine preference pane, click Select Backup Disk.

  4. Select the drive you want Time Machine to use for its backups from the drop-down sheet that displays available drives.

  5. Place a check mark in front of Encrypt backups at the bottom of the drop-down sheet to force Time Machine to encrypt the backup drive and then click Use Disk.

  6. Enter a backup password as well as a hint for recovering the password. When you're ready, select Encrypt Disk.

    If you forget your backup password, you can't restore or recover the Time Machine data.

Your Mac starts encrypting the selected drive. This can take quite a while, depending on the size of the backup drive. Expect anywhere from an hour or two to a whole day.

Set Encryption for Existing Time Machine Backup Drive

If you plan to change from unencrypted backups to encrypted backups on a drive you are currently using, you first have to remove your current backup drive and then set it up again with a password.

Time Machine erases the unencrypted backup before it starts the encrypted backup.

To remove the existing backup disk:

  1. Open System Preferences and select Time Machine.

  2. Click Select Disk.

  3. Choose your current backup drive from the list and click Remove Disk.


Now, go through the setup process again as explained in the previous section to set up the disk as encrypted. In short:

  1. Click Select Backup Disk in the Time Machine preference pane.

  2. Choose a disk from the list of available disks.

  3. Place a check mark in front of Encrypt Backups.

  4. Click Use Disk.

  5. Type a backup password for the disk.

The encryption process can take a while; anywhere from an hour to a whole day is not uncommon, depending on the size of the selected backup drive.
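
One way to confirm from Terminal that the backup drive really ended up encrypted, and whether the conversion mentioned here and at the end of the new-drive steps is still running. This is an added example, not part of the original article. It assumes the backup disk is a CoreStorage (HFS+) volume, that the field names match those printed by `diskutil cs list`, and that the volume is called "TM Backup"; the sample output is constructed.

```shell
# Classify a CoreStorage volume from `diskutil cs list` text read on stdin.
# On a Mac (volume name is an assumption): diskutil cs list | tm_encryption_state "TM Backup"
# Prints one of: unencrypted | converting | encrypted | not-found
tm_encryption_state() {
    awk -v want="$1" '
        # Return the text after the first "Label:" with surrounding blanks removed.
        function value(line) { sub(/^[^:]*:[ \t]*/, "", line); sub(/[ \t]+$/, "", line); return line }
        /Logical Volume Family/ { enc = ""; conv = "" }   # new family: reset state
        /Encryption Type:/      { enc  = value($0) }
        /Conversion Status:/    { conv = value($0) }
        /Volume Name:/ {
            if (value($0) != want) next
            found = 1
            if (enc == "" || enc == "None") print "unencrypted"
            else if (conv ~ /^Complete/)     print "encrypted"
            else                             print "converting"
            exit
        }
        END { if (!found) print "not-found" }
    '
}

# Constructed sample modelled on `diskutil cs list` output; UUIDs are placeholders.
# $1 = Encryption Type value, $2 = Conversion Status value.
sample_cs_list() {
    cat <<EOF
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 00000000-0000-0000-0000-000000000001
    =========================================================
    Name:         TM Backup
    Status:       Online
    |
    +-> Logical Volume Family 00000000-0000-0000-0000-000000000002
        ----------------------------------------------------------
        Encryption Type:         $1
        Encryption Status:       Unlocked
        Conversion Status:       $2
        |
        +-> Logical Volume 00000000-0000-0000-0000-000000000003
            ---------------------------------------------------
            Disk:                  disk3
            LV Name:               TM Backup
            Volume Name:           TM Backup
EOF
}

# Demo on the constructed sample: a drive that is still being encrypted.
sample_cs_list "AES-XTS" "Converting (forward)" | tm_encryption_state "TM Backup"
```

Until the result reads "encrypted", part of the backup is still stored in the clear on the drive.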

Cautions Regarding FileVault 1

Macs that run OS X Panther (10.3) through OS X Snow Leopard (10.6) come equipped with FileVault 1. Time Machine and FileVault 1 work fine together, but there are a couple of complications you need to be aware of. Time Machine does not back up a FileVault 1-protected user account when you are logged in to that account. This means that a Time Machine backup for your user account only occurs after you log off or when you're logged in using a different account.

So, if you're the type of user who always stays logged in and lets your Mac go to sleep when you're not using it, rather than shut it down, Time Machine never backs up your user account.

If you want Time Machine to run and protect your user data, you must log out when you're not actively using your Mac.

The second oddity with Time Machine and FileVault 1 is that the Time Machine user interface doesn't work as you expect with the encrypted FileVault data. Time Machine correctly backs up your home folder using the encrypted data. As a result, your entire home folder appears in Time Machine as a single large encrypted file. The Time Machine user interface that would normally allow you to restore one or more files won't operate. Instead, you either have to perform a full restore of all your data or use the Finder to restore an individual file or folder.