If I'm using FileVault, do I need to encrypt Time Machine backups?

No, there is no need to encrypt TM back ups when your Mac has FileVault enabled.

TM encryption is separate and is sort of like FileVaulting your TM back ups. If you feel you want your back ups as secure from prying eyes as you have done with your MBP, then you can turn on encryption. I do network back ups to a Mac Mini running OS X Server and have never encrypted them. I can, I just elected not to.

If you're asking whether the backups are automatically encrypted, the answer is no.

No, as I wrote above, the backups are not encrypted. They are exactly the same as if you had not activated FileVault. They have no security against physical attack. If you are confident that the backup drives will always be safe, then you don't need to encrypt the backups. Otherwise, you do.

GaryFL1 wrote:

So the encryption on my drive data (via FileVault) is not passed through to the backup?

Correct on your first question.

This is why I said above in my prior post "If you feel you want your back ups as secure from prying eyes as you have done with your MBP, then you can turn on encryption".

I don't think there's an issue with non-encrypted TM back ups especially if someone tries to look at the data. Why? because if they are not using the userID/password that created the back up they should see a red circle with a dash on each folder except the Public folder. So, they can't get into those because of Access Denied.

You can test this out by trying to open another Mac user's back up with YOUR logged in userID. So, the scenario you provided where someone steals your TC, they can't even open the sparse bundle file.

I can only view the far right back up since I'm currently logged in as the userID/password who created it. I can't access the other two.

I may be incorrect or maybe the thief would have to be a super-geek with good hacking skills before they can view unencrypted TM back ups. 🙂

Also, this link might help explain TM encryption.

Arggh nooooo!

While there is no technical need to encrypt a Time Machine backup even if your MacBook Pro is itself encrypted, there is a very, very important logical case for your Time Machine backup also being encrypted.

• Your MacBook Pro is encrypted = good 🙂
• Lets say the worst happens you either lose your MacBook or it is stolen, because it is encrypted the miscreant will not be able to access your files = good 🙂
• Lets say you have a portable hard disk you use to backup your MacBook and keep it with your MacBook in the same bag so you can do backups and restore them wherever you are, lets say this Time Machine backup drive is not encrypted, this laptop bag with both your MacBook and the Time Machine backup in it is again lost or stolen, not only have you lost the MacBook but you have also lost the backup, while the MacBook is encrypted preventing the miscreant from accessing it they will be able to access the backup on the Time Machine drive = bad 😟
• If however the backup drive is also encrypted then the thief will still not be able to access the contents = good 🙂
• Lets say you have a MacBook and it is (supposedly) safe in your house, and you have a Time Machine drive also in your house and once again the Time Machine drive is not encrypted, a thief could take just the Time Machine drive and still have all your unprotected data = bad 😟

For people working in roles that involve using customer data it does not matter where it is kept you have a moral and legal responsility for protecting that data. If this is just your own personal files then there is no absolute need to encrypt your laptop and equally no absolute need to encrypt the backup. However if you have the need to encrypt your laptop - which you obviously decided you have, then equally there will be an identical need to encrypt the backups.

Note: You can with Time Machine now have more than one backup drive defined, so for laptop users a drive left in the home/office and another one that you keep with you is a good approach. Remember to encrypt both though!

Apart from the above, the reason I feel so strongly about this is that some commercial Full Disk Encryption products do not have the ability to encrypt external drives. (I am looking at you CheckPoint and Sophos.) What hacks me off is a security products company making this same stupid mistake. It should be noted that both Apple and PGP do allow you to encrypt both the boot drive and external drives.

keg55 wrote:

I may be incorrect or maybe the thief would have to be a super-geek with good hacking skills before they can view unencrypted TM back ups. 🙂

You would only need to change file permissions. Here's an Apple support article on how to do that: OS X El Capitan: If you don’t have the permissions to open a file or folder