You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: MoiSoto
MoiSoto Author
User level: Level 1
8 points

Encrypted Time Machine Backup - Which is the best method?

This question is related to a previous question that's been locked @ https://discussions.apple.com/thread/4615317


I've decided to keep a time machine backup @ the office since I have a hub on my LG Ultrafine Monitor and will leave a drive connected permanently to it.


When selecting the disk there's a checkbox for encrypting the Time Machine Backup, this option actually encrypts the entire disk, and the way it does this is converting the disk to CoreStorage. This process is independent from the backup itself and will run in the background, encrypting the entire disk.


I've noticed that after the Time Machine finishes the status on the Time Machine Status Bar Icon will show the message "Encrypting" and will show the % of completion. This seems to be taking ages but I'm not sure how much time it will actually take.


I've also noticed that if I format the disk as encrypted before doing the backup it will not convert the disk and the background process will be shown as completed when using "diskutil cs list" command (see previous question that I linked). But also the backup takes really long (it says 21 hours).


Seeing how at the end both approaches seem to take 20+ hours, I'm curious about which method takes less time. My questions and concerns about this are the following:


  • If I use a non-previously-encrypted disk, will it encrypt the entire disk (even the empty blocks as suggested in one of the answers to the linked question)?
  • Would this mean the encryption will take much more time as opposed to using an already encrypted disk?
  • Would both methods take the same time? (which I guess would be the case if only the actual files were being encrypted)


If both methods take the same time, then I think it would be better to use a normal unencrypted disk and let the encryption take place in the background, because:


  • The actual backup will finish faster and then you can eject the disk and finish the encryption later.
  • You can reverse encryption if you wish later, since the disk was forward converted and this allows you to use the "diskutil reverse" command.


So far it seems that when using the already encrypted disk, files are encrypted on the fly when the backup is taking place and that's why it takes more. On the other hand, if the disk is not encrypted, a conversion process will take place but the backup will proceed to write non-encrypted files that will be encrypted later by the conversion process. But if the conversion process is actually encrypting every block of my disk, even empty ones, then it seems to me that it could take MUCH more time!


Any info regarding this will be very welcome, I'm currently doing the previously-encrypted-disk method (already regretting aborting the background encryption and re-formatting the disk as encrypted), so I'll come back after it finish and report the results...

MacBook Pro with Touch Bar

Posted on Oct 24, 2019 10:10 AM

Reply
Question marked as Top-ranking reply
User profile for user: Grant Bennet-Alder
Grant Bennet-Alder
User level: Level 10
133,339 points

Posted on Oct 24, 2019 10:39 AM

The fastest and most reliable way to accomplish what you want is to encrypt the empty disk, then back up onto it. This will use 'on-the-fly' encryption to copy the files. The second and subsequent backups will take the same amount of time as un-encrypted backups.


The excessive time you are encountering is a side effect of Time Machine having to do a new full backup, which take a very long time -- mainly to determine what needs to be backed up, then copy a lot of files. Time machine is optimized to do its tasks in the background, and always in the same order, so this initial back will take far longer.


------

When you request a disk be encrypted, the process requires that two Volumes be maintained while the transition is ongoing. Data is read from the unencrypted Volume and encrypted on-the-fly to the encrypted Volume in a process that can easily take an entire day. If you say it creates a Core Storage wrapper partition while this is going on, that makes sense. The drive has to appear to be responsive while half its data are encrypted and half not encrypted.

View in context

Similar questions

2 replies
Question marked as Top-ranking reply
User profile for user: Grant Bennet-Alder
Grant Bennet-Alder
User level: Level 10
133,339 points

Oct 24, 2019 10:39 AM in response to MoiSoto

The fastest and most reliable way to accomplish what you want is to encrypt the empty disk, then back up onto it. This will use 'on-the-fly' encryption to copy the files. The second and subsequent backups will take the same amount of time as un-encrypted backups.


The excessive time you are encountering is a side effect of Time Machine having to do a new full backup, which take a very long time -- mainly to determine what needs to be backed up, then copy a lot of files. Time machine is optimized to do its tasks in the background, and always in the same order, so this initial back will take far longer.


------

When you request a disk be encrypted, the process requires that two Volumes be maintained while the transition is ongoing. Data is read from the unencrypted Volume and encrypted on-the-fly to the encrypted Volume in a process that can easily take an entire day. If you say it creates a Core Storage wrapper partition while this is going on, that makes sense. The drive has to appear to be responsive while half its data are encrypted and half not encrypted.

Reply
User profile for user: MoiSoto
MoiSoto Author
User level: Level 1
8 points

Oct 24, 2019 1:36 PM in response to Grant Bennet-Alder

You are absolutely right!


I just came back to my office and to my surprise, the backup is finished, the completion time shows as 3:17pm, which means the backup took place in less than 4 hours since it began around 10:30AM. This time is quite similar to the time it took the actual backup to complete on the non-previously-encrypted disk.


Don't understand why it was estimating a completion time of 21 hours, but maybe this was because I was using the machine? Maybe once I locked the machine the process speed up?


Thanks for your reply, I didn't know that two volumes were maintained while the conversion was taking place. This makes a lot of sense and explains why the backup runs independently from the encryption process (the time machine even runs subsequents backups while the encryption is taking place since it takes a lot of time and time machine does hourly backups). This also explains why for some people the encryption process seems to never end, since time machine is doing additional backups while the encryption process is trying to catch up with new backup data.





Reply

Encrypted Time Machine Backup - Which is the best method?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up