Concerned about your Mac’s startup SSD or hard disk drive falling into someone else’s hands? Encrypting the startup volume prevents access to that drive unless they know an account password password or, in some cases, possess the correct hardware to unlock the contents.
Apple automatically enables drive encryption for the startup volume on any Intel Mac with a T2 Security Chip and on all M1-based Macs. For other Intel Macs, when you enable FileVault the startup volume becomes encrypted, too. (FileVault on all Macs also enables boot protection, which keeps your encrypted drive locked down until you validate your login with an authorized account.)
But what of backups? If you use Time Machine via a local or networked drive, your backed-up files are easily accessible if someone detaches the drive and plugs it into another computer.
Time Machine encompasses data encryption in one of two ways:
- Encrypt the backup: Time Machine lets you choose to encrypt a backup when you begin the backup process for the first time on a volume. After selecting a listed volume in the Time Machine preference pane’s Select Disk dialog, you can check “Encrypt backups.” When you click Use Disk, you’re prompted to enter a password. This can be useful if you want each backup to have a separate password, or each person backing up over a network wants to select and retain a private password. (If you want to enable encryption later, the backup has to start from scratch; Time Machine won’t encrypt a non-encrypted archive.)
- Encrypt the partition: In the Finder, you can Control-click a Time Machine volume that’s formatted as HFS+ (Mac OS Extended) or APFS, select Encrypt, and enter a password, and the entire volume becomes encrypted. When you select the volume for a Time Machine backup, it automatically checks the “Encrypt backups” box—because the volume is encrypted. You should not be prompted for the volume’s password as it’s already mounted.
In the Time Machine preference pane, the current backup volume or backup will show the word Encrypted under the volume’s name when encryption is active.
The password you enter should be strong and you need to store it on your own—macOS doesn’t make a record in the system Keychain. You can use 1Password or another manager to keep a record. Or use another system that lets you keep encrypted notes. Even write it in a paper notebook you can keep secure—though it doesn’t help you if it’s lost, stolen, or destroyed.
Time Machine should secure the password to the volume or backup as long as you’re in the current session. After restarting and in some other cases, you may be prompted to re-enter the volume password. You may never be asked to re-enter for a local or networked Time Machine backup password unless you change your backup destinations for the Mac you’re backing up.
This Mac 911 article is in response to a question submitted by Macworld reader Bill.
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently, along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to firstname.lastname@example.org, including screen captures as appropriate and whether you want your full name used. Not every question will be answered, we don’t reply to email, and we cannot provide direct troubleshooting advice.