
Fallinangel

macrumors regular
Original poster
Dec 21, 2005
200
20
Hi everybody,

I'm planning on turning on File Vault, but I don't know if it will mess up my backup routine.

Currently, I do 4 backups a week of my entire macOS partition to an encrypted sparse image on an external drive, which gets backed up to another encrypted sparse image on my NAS on Sundays.
I use Carbon Copy Cloner and everything's set up to work on a schedule, without me having to worry about anything.

If I encrypt the main drive, will I still be able to do backups like this?
Will every file be encrypted on macOS or is it more like an encrypted volume that once logged in everything's decrypted?
It would be redundant for me to back up encrypted files to an encrypted volume.

Thanks.
 

Fallinangel

macrumors regular
Original poster
Dec 21, 2005
200
20
@MarineBand5524 Thanks.

I'd still be interested to know how File Vault works. Does it encrypt each and every file and decrypt them on the fly as needed, or is everything decrypted once you log in to your account?
 

solouki

macrumors 6502
Jan 5, 2017
339
213
Hi Fallinangel. I believe that FileVault uses 256-bit key encryption to perform "on-the-fly" encryption/decryption of Apple volumes. Thus when the OS attempts to access a file on the volume for any reason, the encrypted file on the volume is decrypted. When written back to the volume, the file is encrypted.

Thus, when performing your backup, each file on your FileVault source volume will be decrypted, transferred to your FileVault backup volume, and encrypted by FileVault for that backup volume as it is written.

I'm pretty sure that FileVault does not decrypt the entire volume when you log in to your account. Rather it only decrypts files as the OS asks for them.

Solouki
 

Fallinangel

macrumors regular
Original poster
Dec 21, 2005
200
20
Thanks for the detailed explanation, @solouki.

> Thus, when performing your backup, each file on your FileVault source volume will be decrypted, transferred to your FileVault backup volume, and encrypted by FileVault for that backup volume as it is written.

Ah, that's another thing to consider then. I don't really want File Vault to encrypt my entire external hard drive, since it will render it useless if I want to share data with other family members. As mentioned above, Carbon Copy Cloner encrypts the backup volume on the external hard drive, but not the rest of the drive.
 

solouki

macrumors 6502
Jan 5, 2017
339
213
> Ah, that's another thing to consider then. I don't really want File Vault to encrypt my entire external hard drive, since it will render it useless if I want to share data with other family members. As mentioned above, Carbon Copy Cloner encrypts the backup volume on the external hard drive, but not the rest of the drive.

You can partition a single disk drive into separate "volumes", some encrypted and some not encrypted. I suspect that this is precisely what CCC does for its own encrypted backups (I don't have CCC, so I'm not positive that this is how CCC works, but I suspect it works this way since this would be the most efficient way of implementing an encrypted backup), while leaving the rest of the disk unencrypted.
 

NoBoMac

Moderator
Staff member
Jul 1, 2014
6,302
5,021
> I'm pretty sure that FileVault does not decrypt the entire volume when you log in to your account. Rather it only decrypts files as the OS asks for them.

This.

Throw a minor twist in all this: on Macs with M processors or Intels with Touch Bars (aka ones that have a T chip in them), all files are encrypted via the M/T chip by default, like iOS devices. FileVault is used to encrypt the encryption keys: only allow permitted users to boot the machine. If FileVault is off, anyone can fully start the machine.

On Intels without T chips, FileVault does enable file encryption, but as mentioned, on the fly.
 

Fallinangel

macrumors regular
Original poster
Dec 21, 2005
200
20
> This.
>
> Throw a minor twist in all this: on Macs with M processors or Intels with Touch Bars (aka ones that have a T chip in them), all files are encrypted via the M/T chip by default, like iOS devices. FileVault is used to encrypt the encryption keys: only allow permitted users to boot the machine. If FileVault is off, anyone can fully start the machine.
>
> On Intels without T chips, FileVault does enable file encryption, but as mentioned, on the fly.

In my weekly routine, I back up the entire macOS volume to an encrypted sparse image (disk image that can be grown/shrunk) with Carbon Copy Cloner, which does the encryption, and since my 2016 MacBook Pro has a Touch Bar, you're telling me that it did file encryption on the macOS volume the entire time? :)

Now, I'm questioning whether my backup could be mounted on another Mac, if necessary, and the files accessed?
I guess I'll see once the Mac Studio arrives.
 

chabig

macrumors G4
Sep 6, 2002
11,460
9,326
> Now, I'm questioning whether my backup could be mounted on another mac, if necessary, and the files accessed?

The drive will ask for the volume password when you try to mount it. Once you provide that, it'll act like a normal drive.
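
A pre-flight check and restore drill for the setup discussed in this thread, added here as an example and not posted by any participant: it reports the source's FileVault state and the backup image's encryption separately, then mounts the image read-only to confirm that the passphrase alone opens it. It assumes `fdesetup status` prints "FileVault is On/Off." and `hdiutil isencrypted` prints "encrypted: YES/NO"; the script name and image path are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread.
# Usage on a Mac: sh drill.sh /path/to/backup.sparseimage   (both names are placeholders)

# Reduce `fdesetup status` output to on / off / unknown.
filevault_state() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# Reduce `hdiutil isencrypted <image>` output to yes / no / unknown.
image_encrypted() {
    case "$1" in
        *"encrypted: YES"*) echo yes ;;
        *"encrypted: NO"*)  echo no ;;
        *)                  echo unknown ;;
    esac
}

# The cloner reads files through the mounted, already unlocked source volume,
# so the copy is only as protected as the image it lands in. FileVault on the
# source is reported separately: it guards the Mac itself, not the backup.
# $1 = FileVault state, $2 = image encryption state
backup_verdict() {
    case "$2" in
        yes) img="backup: protected by image passphrase" ;;
        no)  img="backup: PLAINTEXT at rest" ;;
        *)   img="backup: could not determine" ;;
    esac
    case "$1" in
        on)  src="source: password needed to start the Mac" ;;
        off) src="source: no password needed to start the Mac" ;;
        *)   src="source: could not determine" ;;
    esac
    echo "$img; $src"
}

# Live run only on macOS with an image argument; elsewhere only the functions load.
if [ "$(uname -s)" = Darwin ] && [ -n "${1:-}" ]; then
    fv=$(filevault_state "$(fdesetup status 2>&1)")
    enc=$(image_encrypted "$(hdiutil isencrypted "$1" 2>&1)")
    backup_verdict "$fv" "$enc"
    # Restore drill: prompts for the image passphrase, mounts read-only, hidden from Finder.
    hdiutil attach -readonly -nobrowse "$1" && echo "Mounted; inspect, then: hdiutil detach <device>"
fi
```

Running the drill on a second Mac, rather than the one that made the backup, is what actually answers the portability question.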
 