How to encrypt your Mac backups

How do you make sure the backups you take are as secure as your Mac itself? By encrypting the drives!

Encrypting backups is a controversial subject. For some people, it's the only way to make sure their data is secure and no one else can get to it. For others, it defeats the very purpose of backup, allowing any error or defect to render the data unrecoverable.

If saving your photos is more important to you then securing your financial data, skip encryption. If you have more valuable information on your desk than on your backups, skip encryption. If you worry that someone else will get access to your backups and your data then, by all means, encrypt away. Here's how.

Read more: Fail safe vs. fail secure: Backing up in the age of encryption

How to encrypt a Time Machine backup

Time Machine is Apple's built-in set-it-and-mostly-forget-it backup system for the Mac. Turn it on and it'll make a backup of your Mac and then keep it incrementally up to date over the hours, days, and weeks that follow. While it's not encrypted by default, you can enable encryption when you set it up.

If you're attaching a new drive, Time Machine might detect it and ask to use it. In that case:

1. Check the Encrypt backups box at the bottom left.
2. Click on Use as Backup Disk.

If it isn't detected or you want to use an already connected drive:

1. Click on the  (Apple) icon in the Menu bar.
2. Click on System Preferences.
3. Click on Time Machine near the bottom.
4. Click on Select Disk....
5. Click on the Disk you want to use for your backup.
6. Check the Backup Automatically box so you don't have to remember to do it manually.
7. Check the Encrypt backups box at the bottom left.
8. Enter a password to encrypt the disk.

If you have an existing, non-encrypted Time Machine backup on the same volume, you'll have to remove the disk first and then re-add it as an encrypted volume.

Make sure you copy off any old files or versions of files you might need before hand, though, because you'll lose it when the drive is reset for encryption.

(You can get a new drive but that would leave your old drive unencrypted and vulnerable.)

How to encrypt a clone backup

If you're using a clone backup like SuperDuper or Carbon Copy instead of or in addition to Time Machine, you can encrypt the drive you're cloning to. It's a two-step process to set up but, once you've gotten it up and running, it's just as easy to maintain as any other cloning system.

1. Boot from your cloned backup drive.
2. Re-install macOS Sierra (or whatever version you're currently using) to create a recovery volume on that drive.
3. Turn on FileVault in System Preferences.

Unless you have a recovery volume, you won't be able to boot reliably from the clone or turn on FileVault. Once that's done, you can boot back to your primary drive once FileVault gets started; you don't have to wait for it. And once the clone backup is encrypted, you'll be able to resume your regular, iterative backup process.

How to locally encrypt online backups

Online backup services like Backblaze, CrashPlan, and Carbonite are a different beast. You're not backing up to a drive under your physical control, where you can encrypt it yourself before transferring any data. You're backing up to someone else's servers in the cloud, typically using the encryption built into their client apps.

Some online backup services do let you set your own encryption password, though, as a way of adding extra privacy and protection. Though it carries the same recovery cost as local encryption.

BackBlaze:

You have the option with Backblaze to add an additional layer of privacy via a user-selected passphrase. This passphrase will be used to encrypt your private key. This passphrase is your responsibility to remember and safeguard. This is important: if you forget or lose this passphrase there is no way that anyone, including Backblaze, can decrypt, and thus restore, your data. When you choose to add your own passphrase there is no "forgot passphrase" mechanism as Backblaze does not know your passphrase.

CrashPlan:

If you choose the custom key security model, the encryption key generated by CrashPlan is replaced with a custom key. This is the most secure option, but it requires the most management because you must provide the full custom key when performing: Web restores, mobile restores, administrator restores, installation of CrashPlan on new devices.

With this option, you create your own data key that resides on your computer. The data key is never transmitted to any other locations, including the master server. Make sure to store a copy of the custom key someplace where it is accessible if you need to restore, even if the source computer has failed.

Carbonite:

option, Carbonite will not store your encryption key on our servers. Instead, Carbonite puts a file on your computer called Carbonite-Encryption-Key.pem, which is what Carbonite will reference to encrypt (scramble) your files before transmitting them to our servers. It is recommended that you keep your encryption key in multiple physical locations (e.g. safe deposit box).

Unless you are experienced at managing encryption keys, or have a special need to do so, we strongly recommend allowing Carbonite to manage your encryption key for you. If you choose to manage your own key and you lose it, there will be no way to recover your files. Managing your private encryption key provides an extra level of security.

If you use a different online backup service check with them about encryption passwords or encryption keys and you should find the options you need.

Do you even encrypt?

If you encrypt your backups let me know your strategy — what products do you use and how do you have your system set up?