I bought a new SSD to be used as a time machine backup for my MacBook Pro. I formatted the SSD as ENCRYPTED APFS, but when I go to set up that SSD for time machine I also have the option to make the backup also be encrypted. Isn't that redundant if the drive itself is already encrypted?
MacBook Pro 16″
Mick_M wrote:
Thanks for your reply, however it appears I'm missing something fundamental. I thought that if an external drive was formatted as encrypted APFS then everything on it from that point onwards would also be encrypted. Is that a misconception?
No. That's accurate.
If somebody does steal the drive then surely at the very least they need the password to access it. You're saying that someone who has access to that backup drive would be able to access the files on it.
Remember that you are talking about two different drives here. Yes, the startup drive on your MacBook Pro is encrypted. If someone steals that device, they can't access your files.
But if you don't encrypt the backup drive, then anyone can access the copies of your files that are backed up there. If you want to keep them secure, you have to encrypt the backup too.
I think the disconnect is how the backup takes place. It isn't copying encrypted data to the backup drive. It is copying the files themselves, in their unencrypted form. If you want to keep them secure, you'll have to keep the backup drive encrypted too.
Mick_M wrote:
Thanks again. I just turned off the slider to encrypt the backup and that dialog box now indicates the backup won't be encrypted, yet it still "confirms" the drive itself is encrypted:
All that means is that my guess about the drive already being encrypted is more likely to be the explanation.
For backing up a lot of data, my concern is the potential double encryption overhead time slowing everything down.
There will be no double encryption. It doesn't work that way.
The only thing I'm going to check now is if I can take my 4TB SSD and make an unencrypted 3TB partition for a subsequently encrypted time machine, and also make a separate 1TB encrypted partition for general use. Hopefully that's possible.
Two things. First, you're still confused about encryption. I have no idea what you are talking about with respect to "an unencrypted 3TB partition for a subsequently encrypted time machine". That doesn't make any sense. I'm not sure if you are talking about your startup volume or the Time Machine volume. But it really doesn't matter. You're way overthinking this.
Do you want your data encrypted? Yes or no? Basic question. Forget partitions. Forget Time Machine.
If you want your data encrypted, then you should encrypt it. Pretty simple.
Do you want your backup encrypted? Yes or no? Again, basic question. You can answer either yes or no. It doesn't matter to me. If you are absolutely certain that no one will ever break into your house and steal the drive, that no authorized person will ever poke around in it, then you don't need to encrypt it.
But if you do want to encrypt the backup, the turn on the "encrypt the backup" button. It's that simple.
Do not assume that you can construct a custom filesystem with more security, performance, and/or reliability. You cannot.
If you want to create additional APFS volumes on your startup drive for some reason (other than encryption) fine. Go for it. Just make sure they are APFS volumes. All you need to do is click the "+" button in Disk Utility. If you attempt to create actual partitions on the hard drive, you will regret it.
Do not partition your Time Machine drive. You will regret that too. I guarantee it.
Mick_M wrote:
The only thing I'm going to check now is if I can take my 4TB SSD and make an unencrypted 3TB partition for a subsequently encrypted time machine, and also make a separate 1TB encrypted partition for general use. Hopefully that's possible.
One of the advantages of the APFS file system are the APFS Containers so you can create a new APFS volume within the same APFS Container. Each APFS volume is its own separate entity that behaves a lot like partitions, but will share the same storage pool of the parent Container. So there is no need to specify any size to any of the APFS volumes unlike partitions, although a quota can be declared to limit the size of an APFS volume (must be careful especially with quotas for TM backup volumes).
Add, delete, or erase APFS volumes in Disk Utility on Mac - Apple Support
These days I only upgrade to macOS N when macOS N+1 is released. It puts me a year behind the curve, but every upgrade is essentially stable at that point.
Yeah, while its never been safe to be on the cutting edge, it seems even riskier these days. I'm still on Ventura since I really don't like the changes with Sonoma & Sequoia. I won't have any choice soon. It is always a good idea to thoroughly test a new OS upgrade on a test machine or another boot drive to ensure all hardware & software are compatible, or to identify & deal with any issues before upgrading the main work system that you rely on.
Sigh, I'm still confused - I'm hoping you'll bear with me in the hopes that this is a teachable moment for others. Assuming it's fair to do so, let's leave the encryption state of the internal laptop's SSD out of the discussion (and FWIW I expect mine is encrypted).
You have agreed with me that if I format my external drive as encrypted APFS then every file placed on that drive will be encrypted. Good. My question pertains to the following dialog box when setting up that freshly formatted and encrypted external SDD to be my time machine backup drive. I see the following dialog box, which clearly shows the drive itself as already being encrypted, which gives me an option to further encrypt the backup data on an already encrypted drive. I hope I'm not wearing out your good will by persisting with this...
Thanks again. I just turned off the slider to encrypt the backup and that dialog box now indicates the backup won't be encrypted, yet it still "confirms" the drive itself is encrypted:
If you're saying I can't/shouldn't believe what the dialog box says then I think we're at a genuine stalemate. For backing up a lot of data, my concern is the potential double encryption overhead time slowing everything down.
Clearly encryption is important to me so I'll probably have to go the seemingly redundant route implied by this dumb, confusing dialog box.
This is still (for me anyway) an unresolved issue.
Thank you again for your time and help.
Thanks for your reply, however it appears I'm missing something fundamental. I thought that if an external drive was formatted as encrypted APFS then everything on it from that point onwards would also be encrypted. Is that a misconception?
If somebody does steal the drive then surely at the very least they need the password to access it. You're saying that someone who has access to that backup drive would be able to access the files on it.
Mick_M wrote:
I see the following dialog box, which clearly shows the drive itself as already being encrypted, which gives me an option to further encrypt the backup data on an already encrypted drive. I hope I'm not wearing out your good will by persisting with this...
OK. I get it now.
Here's my perspective. I wouldn't agree that this "clearly" shows the drive as already being encrypted. Sure, it does say that, but there are multiple interpretations. There are many places in the user interface where it "clearly" says something that is most definitely false.
Maybe the fact that the slider is already on means the UI says "encrypted". Maybe the drive is already encrypted and Time Machine is going to reformat it as a new encrypted drive. Maybe the drive is "technically" encrypted but the password is written in plain text. (That's how FileVault works. Turning encryption "on" merely deletes the plaintext password.)
I don't know the internals of what that "Encrypted" text means in this context. But in the grander scheme of things, there is only one encryption and this is it. There is no double encryption or anything like that. It's just a confusing UI, as many of them are these days.
Mick_M wrote:
If you're saying I can't/shouldn't believe what the dialog box says then I think we're at a genuine stalemate. For backing up a lot of data, my concern is the potential double encryption overhead time slowing everything down.
Clearly encryption is important to me so I'll probably have to go the seemingly redundant route implied by this dumb, confusing dialog box.
This is still (for me anyway) an unresolved issue.
Personally I would just erase the drive with APFS (top option) with no encryption. Then when creating the first TM backup make sure the checkbox for encrypting backups is checked. This is the safest option.
@etresoft is absolutely correct that macOS gets itself confused. You cannot always trust what macOS is presenting to you. It is very frustrating and confusing. Apple no longer seems to care about the user experience, they only care about rushing OS upgrades out every year & pushing new features instead of refining existing features.
You know, that's a good idea! I now feel dumb for not thinking of that myself :-). The only thing I'm going to check now is if I can take my 4TB SSD and make an unencrypted 3TB partition for a subsequently encrypted time machine, and also make a separate 1TB encrypted partition for general use. Hopefully that's possible.
These days I only upgrade to macOS N when macOS N+1 is released. It puts me a year behind the curve, but every upgrade is essentially stable at that point.
[Edited by Moderator]
No. It’s the opposite. If the backup isn’t encrypted, then all of your backed up files would be accessible by anyone who has your backup.
Why would I make an encrypted time machine if the drive itself is already encrypted
