Encrypt existing Time Machine backups?

[Ant]

Hello.

I cannot seem to find this option anywhere in Mac OS X v10.8.5. I
already encrypted the new SSD last weekend, but the external USB2 HDDs
are not encrypted. I'd like to encrypt them too.

Thank you in advance. :)
--
Quote of the Week: "The eyeless ant asked God, 'Give me eye-lashes.'" --Georgian Proverb
Note: A fixed width font (Courier, Monospace, etc.) is required to see this signature correctly.
/\___/\ Ant(Dude) @ http://antfarm.home.dhs.org (Personal Web Site)
/ /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net
| |o o| |
\ _ / Please nuke ANT if replying by e-mail privately. If credit-
( ) ing, then please kindly use Ant nickname and AQFL URL/link.

[Jolly Roger]

Ant <ANT...@zimage.com> wrote:
> Hello.
>
> I cannot seem to find this option anywhere in Mac OS X v10.8.5. I
> already encrypted the new SSD last weekend, but the external USB2 HDDs
> are not encrypted. I'd like to encrypt them too.
>
> Thank you in advance. :)

System Preferences > Time Machine > Options > Encrypt backup disk.

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

[Alan Browne]

On 2015-10-11 13:45, Jolly Roger wrote:
> Ant <ANT...@zimage.com> wrote:
>> Hello.
>>
>> I cannot seem to find this option anywhere in Mac OS X v10.8.5. I
>> already encrypted the new SSD last weekend, but the external USB2 HDDs
>> are not encrypted. I'd like to encrypt them too.
>>
>> Thank you in advance. :)
>
> System Preferences > Time Machine > Options > Encrypt backup disk.

No option for that there that I see ... OTOH, mine are already encrypted
so maybe the option is removed.

[Ant]

> >> Hello.
> >>
> >> I cannot seem to find this option anywhere in Mac OS X v10.8.5. I
> >> already encrypted the new SSD last weekend, but the external USB2 HDDs
> >> are not encrypted. I'd like to encrypt them too.
> >>
> >> Thank you in advance. :)
> >
> > System Preferences > Time Machine > Options > Encrypt backup disk.

> No option for that there that I see ... OTOH, mine are already encrypted
> so maybe the option is removed.

Yeah, I don't see it too even if TM backups are unencrypted. :(

[Jolly Roger]

Looks like the option was removed, so instead you remove and re-add the
volume:

<https://support.apple.com/kb/PH14202?locale=en_US>

[Ant]

> >>> I cannot seem to find this option anywhere in Mac OS X v10.8.5. I
> >>> already encrypted the new SSD last weekend, but the external USB2 HDDs
> >>> are not encrypted. I'd like to encrypt them too.
> >>>
> >>> Thank you in advance. :)
> >>
> >> System Preferences > Time Machine > Options > Encrypt backup disk.
> >
> > No option for that there that I see ... OTOH, mine are already encrypted
> > so maybe the option is removed.

> Looks like the option was removed, so instead you remove and re-add the
> volume:

> <https://support.apple.com/kb/PH14202?locale=en_US>

So basically, make a new TM backup from scratch? :(

[Jolly Roger]

Ant <ANT...@zimage.com> wrote:
>>>>> I cannot seem to find this option anywhere in Mac OS X v10.8.5. I
>>>>> already encrypted the new SSD last weekend, but the external USB2 HDDs
>>>>> are not encrypted. I'd like to encrypt them too.
>>>>>
>>>>> Thank you in advance. :)
>>>>
>>>> System Preferences > Time Machine > Options > Encrypt backup disk.
>>>
>>> No option for that there that I see ... OTOH, mine are already encrypted
>>> so maybe the option is removed.
>
>> Looks like the option was removed, so instead you remove and re-add the
>> volume:
>
>> <https://support.apple.com/kb/PH14202?locale=en_US>
>
> So basically, make a new TM backup from scratch? :(

No. Removing a volume from the list does not erase backups already on the
volume.

[Ant]

> >>>>> I cannot seem to find this option anywhere in Mac OS X v10.8.5. I
> >>>>> already encrypted the new SSD last weekend, but the external USB2 HDDs
> >>>>> are not encrypted. I'd like to encrypt them too.
> >>>>>
> >>>>> Thank you in advance. :)
> >>>>
> >>>> System Preferences > Time Machine > Options > Encrypt backup disk.
> >>>
> >>> No option for that there that I see ... OTOH, mine are already encrypted
> >>> so maybe the option is removed.
> >
> >> Looks like the option was removed, so instead you remove and re-add the
> >> volume:
> >
> >> <https://support.apple.com/kb/PH14202?locale=en_US>
> >
> > So basically, make a new TM backup from scratch? :(

> No. Removing a volume from the list does not erase backups already on the
> volume.

Oh. I'll try that then.

[Neill Massello]

Ant <ANT...@zimage.com> wrote:

> Oh. I'll try that then.

Just be aware that doing so will convert the Time Machine disk into a
CoreStorage volume that can't be repartitioned with the Disk Utility
app. You'll have to use the diskutil command in Terminal.

[Alan Browne]

Be that as it may, I don't recall the last time I partitioned an
external drive. Possibly back when I had an iOmega enclosure with two
disks and I split one into two partitions for some reason now forgotten.

[Ant]

Um, this sort of went over my head. What did you mean by that? No
partitions for the whole external USB2 HDD? Currently, there are 2
partitions (HFS+ [TM backups] and FAT32 [portability to access files
on any devices]).

[Ant]

In comp.sys.mac.apps Neill Massello <nmas...@yahoo.com> wrote:

Also, is this true from
https://discussions.apple.com/message/29093757#29093757's post about
encrypted TMs making things harder to be portable, recover, etc.?:

"Potentially. Hard disks are glacial, which means the encryption isn't
that much of an added burden. The usual trade-offs are the loss of
keys, difficulties with portability across operating systems, and the
need for a long and random key for reasonable security."

[nospam]

In article <zZSdnYP6ecjTeofL...@earthlink.com>, Ant

<ANT...@zimage.com> wrote:

> > Just be aware that doing so will convert the Time Machine disk into a
> > CoreStorage volume that can't be repartitioned with the Disk Utility
> > app. You'll have to use the diskutil command in Terminal.
>
> Um, this sort of went over my head. What did you mean by that? No
> partitions for the whole external USB2 HDD? Currently, there are 2
> partitions (HFS+ [TM backups] and FAT32 [portability to access files
> on any devices]).

don't worry about it. it's wrong.

a core storage volume can be partitioned with disk utility, without
using terminal.

[Ant]

OK.

[John Somerset]

On 10/11/15 6:52 PM, Ant wrote:
> In comp.sys.mac.apps Neill Massello <nmas...@yahoo.com> wrote:
>> Ant <ANT...@zimage.com> wrote:
>
>>> Oh. I'll try that then.
>
>> Just be aware that doing so will convert the Time Machine disk into a
>> CoreStorage volume that can't be repartitioned with the Disk Utility
>> app. You'll have to use the diskutil command in Terminal.
>
> Also, is this true from
> https://discussions.apple.com/message/29093757#29093757's post about
> encrypted TMs making things harder to be portable, recover, etc.?:
>
> "Potentially. Hard disks are glacial, which means the encryption isn't
> that much of an added burden. The usual trade-offs are the loss of
> keys, difficulties with portability across operating systems, and the
> need for a long and random key for reasonable security."
>

Oh, I thought that encrypting a disk, as with Filevault, meant the whole
disk had to be unencrypted to work. If memory can grab only what it
needs, that sounds much faster.

I found the encryption option in the preferences of TM in El Capitan.
It was greyed, so I guess I'd have to do what JR said.

[Jolly Roger]

On 2015-10-11, Ant <ANT...@zimage.com> wrote:
> In comp.sys.mac.apps Neill Massello <nmas...@yahoo.com> wrote:
>> Ant <ANT...@zimage.com> wrote:
>
>> > Oh. I'll try that then.
>
>> Just be aware that doing so will convert the Time Machine disk into a
>> CoreStorage volume that can't be repartitioned with the Disk Utility
>> app. You'll have to use the diskutil command in Terminal.
>
> Also, is this true from
> https://discussions.apple.com/message/29093757#29093757's post about
> encrypted TMs making things harder to be portable, recover, etc.?:
>
> "Potentially. Hard disks are glacial, which means the encryption isn't
> that much of an added burden. The usual trade-offs are the loss of
> keys, difficulties with portability across operating systems, and the
> need for a long and random key for reasonable security."

All they mean is since Time Machine is an Apple product, you can't
decrypt encrypted Time Machine backups on a Windows computer. Naturally.

[Neill Massello]

nospam <nos...@nospam.invalid> wrote:

> a core storage volume can be partitioned with disk utility, without
> using terminal.

Not in 10.8, which is the OP's OS version.

[Neill Massello]

Ant <ANT...@zimage.com> wrote:

> Um, this sort of went over my head. What did you mean by that? No
> partitions for the whole external USB2 HDD? Currently, there are 2
> partitions (HFS+ [TM backups] and FAT32 [portability to access files
> on any devices]).

Read the thread "TM volume supposed to have a second partition" from
comp.sys.mac.system in October 2012. I don't know how 10.8.5 will handle
TM encryption on a disk that also contains a FAT32 partition; but for a
standard Mac disk (GUID scheme with an HFS+ partition), you won't be
able to use 10.8's Disk Utility to repartition the disk after you have
enabled encryption on it. This flaw in Disk Utility seems to have been
fixed after 10.8.

[Alan Browne]

On 2015-10-11 19:56, John Somerset wrote:
> On 10/11/15 6:52 PM, Ant wrote:
>> In comp.sys.mac.apps Neill Massello <nmas...@yahoo.com> wrote:
>>> Ant <ANT...@zimage.com> wrote:
>>
>>>> Oh. I'll try that then.
>>
>>> Just be aware that doing so will convert the Time Machine disk into a
>>> CoreStorage volume that can't be repartitioned with the Disk Utility
>>> app. You'll have to use the diskutil command in Terminal.
>>
>> Also, is this true from
>> https://discussions.apple.com/message/29093757#29093757's post about
>> encrypted TMs making things harder to be portable, recover, etc.?:
>>
>> "Potentially. Hard disks are glacial, which means the encryption isn't
>> that much of an added burden. The usual trade-offs are the loss of
>> keys, difficulties with portability across operating systems, and the
>> need for a long and random key for reasonable security."
>>
> Oh, I thought that encrypting a disk, as with Filevault, meant the whole
> disk had to be unencrypted to work. If memory can grab only what it
> needs, that sounds much faster.

When FileVault is started it encrypts every known file on the disk, it
does not encrypt unused disk space. This happens quietly in the background.

If you're encrypting a re-purposed disk that had deleted files that you
want to be sure cannot be recovered, then you should 'erase' the disk in
disk utility first. The lowest level of security is adequate.

If you're encrypting a disk with data on it that you don't want to use,
and it has deleted files on it, then you could random fill the empty
space to be sure old deleted files are actually written over (empty the
trash first).

[Alan Browne]

On 2015-10-12 08:58, Alan Browne wrote:
> On 2015-10-11 19:56, John Somerset wrote:
>> On 10/11/15 6:52 PM, Ant wrote:
>>> In comp.sys.mac.apps Neill Massello <nmas...@yahoo.com> wrote:
>>>> Ant <ANT...@zimage.com> wrote:
>>>
>>>>> Oh. I'll try that then.
>>>
>>>> Just be aware that doing so will convert the Time Machine disk into a
>>>> CoreStorage volume that can't be repartitioned with the Disk Utility
>>>> app. You'll have to use the diskutil command in Terminal.
>>>
>>> Also, is this true from
>>> https://discussions.apple.com/message/29093757#29093757's post about
>>> encrypted TMs making things harder to be portable, recover, etc.?:
>>>
>>> "Potentially. Hard disks are glacial, which means the encryption isn't
>>> that much of an added burden. The usual trade-offs are the loss of
>>> keys, difficulties with portability across operating systems, and the
>>> need for a long and random key for reasonable security."
>>>
>> Oh, I thought that encrypting a disk, as with Filevault, meant the whole
>> disk had to be unencrypted to work. If memory can grab only what it
>> needs, that sounds much faster.

Doh. I really misread what you wrote when I replied with the stuff below.

But yes, the drive remains encrypted and the data from the FileVaulted
drive is decrypted in memory on your Mac as needed, file by file (or
probably block by block)

[nospam]

In article <1mc5lk5.1qzvm1un3cxhcN%nmas...@yahoo.com>, Neill Massello

<nmas...@yahoo.com> wrote:

>
> > a core storage volume can be partitioned with disk utility, without
> > using terminal.
>
> Not in 10.8, which is the OP's OS version.

yes in 10.8. i've done it.

however, it's limited to two partitions.

[nospam]

In article <1mc5l5c.8g814yuc3xhsN%nmas...@yahoo.com>, Neill Massello

false.

it's very easy to partition an encrypted volume with disk utility. i've
done it several times.

the only issue is it's limited to two partitions.

[John Somerset]

On 10/12/15 9:54 AM, Alan Browne wrote:
> On 2015-10-12 08:58, Alan Browne wrote:
>> On 2015-10-11 19:56, John Somerset wrote:

>>> Oh, I thought that encrypting a disk, as with Filevault, meant the whole
>>> disk had to be unencrypted to work. If memory can grab only what it
>>> needs, that sounds much faster.
>
> Doh. I really misread what you wrote when I replied with the stuff below.
>
> But yes, the drive remains encrypted and the data from the FileVaulted
> drive is decrypted in memory on your Mac as needed, file by file (or
> probably block by block)
>

Am I correct that if I encrypted a folder, I couldn't get at any file
without decrypting the whole folder?

Correct or not, that was my concept of it. That's why I assumed
Filevault needed to decrypt a disk to get access to any of it. It
sounded time-consuming, with disaster always lurking.

[Jolly Roger]

On 2015-10-12, John Somerset <some...@nospam.com> wrote:
> On 10/12/15 9:54 AM, Alan Browne wrote:
>> On 2015-10-12 08:58, Alan Browne wrote:
>>> On 2015-10-11 19:56, John Somerset wrote:
>
>>>> Oh, I thought that encrypting a disk, as with Filevault, meant the whole
>>>> disk had to be unencrypted to work. If memory can grab only what it
>>>> needs, that sounds much faster.
>>
>> Doh. I really misread what you wrote when I replied with the stuff below.
>>
>> But yes, the drive remains encrypted and the data from the FileVaulted
>> drive is decrypted in memory on your Mac as needed, file by file (or
>> probably block by block)
>>
> Am I correct that if I encrypted a folder, I couldn't get at any file
> without decrypting the whole folder?

It's my understanding that with FileVault 2 full disk encryption, it is
not folders and files, but individual *blocks* of the volume. FileVault
encrypted disks are CoreStorage logical volume groups that work with the
LVM built into OS X. Encryption and decryption work at the logical
volume level rather than the file system level.

> Correct or not, that was my concept of it. That's why I assumed
> Filevault needed to decrypt a disk to get access to any of it. It
> sounded time-consuming, with disaster always lurking.

FileVault 2 in particular is extremely simple, reliable, and safe, and
is used by millions of Apple customers daily.

[Alan Browne]

On 2015-10-12 16:15, John Somerset wrote:
> On 10/12/15 9:54 AM, Alan Browne wrote:
>> On 2015-10-12 08:58, Alan Browne wrote:
>>> On 2015-10-11 19:56, John Somerset wrote:
>
>>>> Oh, I thought that encrypting a disk, as with Filevault, meant the
>>>> whole
>>>> disk had to be unencrypted to work. If memory can grab only what it
>>>> needs, that sounds much faster.
>>
>> Doh. I really misread what you wrote when I replied with the stuff
>> below.
>>
>> But yes, the drive remains encrypted and the data from the FileVaulted
>> drive is decrypted in memory on your Mac as needed, file by file (or
>> probably block by block)
>>
> Am I correct that if I encrypted a folder, I couldn't get at any file
> without decrypting the whole folder?

As I understand it no. When you access the folder using the password it
decrypts what you're "reading" for display or use but doesn't write an
unencrypted version of the folder or files to disk.

JR or others can correct or clarify.

> Correct or not, that was my concept of it. That's why I assumed
> Filevault needed to decrypt a disk to get access to any of it. It
> sounded time-consuming, with disaster always lurking.

Nope. I've been using it for many years (previous version and current
File Vault 2 version) w/o issue. Naturally my system (Filevault2) disk
is also backed up very regularly with Time Machine and other static
backups as warranted for things I want in read-only completely offline
backup (DVD's).

[Alan Browne]

On 2015-10-12 17:32, Jolly Roger wrote:
> On 2015-10-12, John Somerset <some...@nospam.com> wrote:
>> On 10/12/15 9:54 AM, Alan Browne wrote:
>>> On 2015-10-12 08:58, Alan Browne wrote:
>>>> On 2015-10-11 19:56, John Somerset wrote:
>>
>>>>> Oh, I thought that encrypting a disk, as with Filevault, meant the whole
>>>>> disk had to be unencrypted to work. If memory can grab only what it
>>>>> needs, that sounds much faster.
>>>
>>> Doh. I really misread what you wrote when I replied with the stuff below.
>>>
>>> But yes, the drive remains encrypted and the data from the FileVaulted
>>> drive is decrypted in memory on your Mac as needed, file by file (or
>>> probably block by block)
>>>
>> Am I correct that if I encrypted a folder, I couldn't get at any file
>> without decrypting the whole folder?
>
> It's my understanding that with FileVault 2 full disk encryption, it is
> not folders and files, but individual *blocks* of the volume. FileVault
> encrypted disks are CoreStorage logical volume groups that work with the
> LVM built into OS X. Encryption and decryption work at the logical
> volume level rather than the file system level.

I took that question to be for a given folder encrypted into a DMG.
Otherwise agree with what you wrote.

[Jolly Roger]

On 2015-10-12, Alan Browne <alan....@freelunchvideotron.ca> wrote:
> On 2015-10-12 16:15, John Somerset wrote:
>> On 10/12/15 9:54 AM, Alan Browne wrote:
>>> On 2015-10-12 08:58, Alan Browne wrote:
>>>> On 2015-10-11 19:56, John Somerset wrote:
>>
>>>>> Oh, I thought that encrypting a disk, as with Filevault, meant the
>>>>> whole
>>>>> disk had to be unencrypted to work. If memory can grab only what it
>>>>> needs, that sounds much faster.
>>>
>>> Doh. I really misread what you wrote when I replied with the stuff
>>> below.
>>>
>>> But yes, the drive remains encrypted and the data from the FileVaulted
>>> drive is decrypted in memory on your Mac as needed, file by file (or
>>> probably block by block)
>>>
>> Am I correct that if I encrypted a folder, I couldn't get at any file
>> without decrypting the whole folder?
>
> As I understand it no. When you access the folder using the password it
> decrypts what you're "reading" for display or use but doesn't write an
> unencrypted version of the folder or files to disk.
>
> JR or others can correct or clarify.

If we are talking about encrypted disk images, then I believe the
decryption happens in memory as needed to access the file system on the
mounted virtual volume.

>> Correct or not, that was my concept of it. That's why I assumed
>> Filevault needed to decrypt a disk to get access to any of it. It
>> sounded time-consuming, with disaster always lurking.
>
> Nope. I've been using it for many years (previous version and current
> File Vault 2 version) w/o issue. Naturally my system (Filevault2) disk
> is also backed up very regularly with Time Machine and other static
> backups as warranted for things I want in read-only completely offline
> backup (DVD's).

FileVault 1, the previous version which placed the user's home folder
contents into an encrypted disk image, was much more problematic and way
less secure.

[Ant]

> > Also, is this true from
> > https://discussions.apple.com/message/29093757#29093757's post about
> > encrypted TMs making things harder to be portable, recover, etc.?:
> >
> > "Potentially. Hard disks are glacial, which means the encryption isn't
> > that much of an added burden. The usual trade-offs are the loss of
> > keys, difficulties with portability across operating systems, and the
> > need for a long and random key for reasonable security."

> All they mean is since Time Machine is an Apple product, you can't
> decrypt encrypted Time Machine backups on a Windows computer. Naturally.

Or any non-Apple devices like Linux. :P FYI, no problems after
encrypting that took several hours and doing more backups today. :)

[Jolly Roger]

Ant <ANT...@zimage.com> wrote:
>>> Also, is this true from
>>> https://discussions.apple.com/message/29093757#29093757's post about
>>> encrypted TMs making things harder to be portable, recover, etc.?:
>>>
>>> "Potentially. Hard disks are glacial, which means the encryption isn't
>>> that much of an added burden. The usual trade-offs are the loss of
>>> keys, difficulties with portability across operating systems, and the
>>> need for a long and random key for reasonable security."
>
>> All they mean is since Time Machine is an Apple product, you can't
>> decrypt encrypted Time Machine backups on a Windows computer. Naturally.
>
> Or any non-Apple devices like Linux. :P

Apple doesn't support Linux.