Time Machine - Frequently Asked Questions

25.  Can I use Time Machine with File Vault?


 

Turning File Vault OFF:


Before turning File Vault off, all other users must log off. 


Be sure you have at least as much free space on the disk that contains your home folder as your home folder uses, as OSX needs two copies temporarily.


You turn it OFF in the same place you turned it ON: System Preferences > Security > File Vault.


If the account isn’t an Admin account, you’ll be prompted for the name and password of an Admin account.





Then you’ll be prompted for the password for this user account.



Then you’ll see this confirmation window:


As it says, when you turn File Vault off, you’re logged out while your home folder is decrypted.  This can take a very long time for a large home folder.


The computer cannot be used while this is running;  ensure an adequate power supply so the process isn’t interrupted.





When confirmed, you’ll see this window while the process runs:



As noted above, it may take a very long time.
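The conditions this page asks for before turning File Vault on or off (free space at least equal to the size of the home folder, no other users logged on, and a reliable power supply) can be checked from Terminal first. This is an added example, not part of the original FAQ or of Apple's tools; the function names are illustrative, and it assumes a POSIX shell with du, df and who (pmset is used only where it exists, i.e. on a Mac).

```shell
#!/bin/sh
# Pre-flight check before turning legacy File Vault on or off (added example).
# Function names are illustrative; nothing here changes any setting.

# Size of a folder in KB, as counted by du.
folder_kb() { du -sk "$1" 2>/dev/null | awk '{print $1}'; }

# Free space in KB on the volume that holds the folder (POSIX df layout).
free_kb() { df -Pk "$1" | awk 'NR==2 {print $4}'; }

# The page's rule: free space must be at least the folder's size,
# because two copies of the home folder exist temporarily.
enough_space() { [ "$2" -ge "$1" ]; }   # args: used_kb free_kb

# Count distinct logged-in users other than the given one.
# Reads `who`-style lines on stdin so it can be checked with sample input.
other_users() {
    awk -v me="$1" '$1 != me && !seen[$1]++ {n++} END {print n+0}'
}

# Prints one line per check; returns 0 only if every check passes.
preflight() {
    home_dir=$1; user=$2; rc=0
    used=$(folder_kb "$home_dir"); free=$(free_kb "$home_dir")
    if enough_space "$used" "$free"; then
        echo "OK   space: need ${used} KB, have ${free} KB"
    else
        echo "FAIL space: need ${used} KB, have ${free} KB"; rc=1
    fi
    n=$(who | other_users "$user")
    if [ "$n" -eq 0 ]; then echo "OK   no other users logged on"
    else echo "FAIL $n other user(s) still logged on"; rc=1; fi
    # pmset exists only on macOS; the power check is skipped elsewhere.
    if command -v pmset >/dev/null 2>&1; then
        if pmset -g batt | grep -q "AC Power"; then echo "OK   on AC power"
        else echo "FAIL running on battery"; rc=1; fi
    fi
    return $rc
}

# Example call: preflight "$HOME" "$(id -un)"
```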





 
  1. Since it's a single disk image, it's treated as a single file for most purposes.  So you cannot see even the names of any of the files or folders in your backups via Time Machine, much less browse or restore them.  You can only restore the entire disk image if something's changed or deleted in error, lost, or somehow corrupted.

  2. Think about that for a moment:  when you need something from a backup, you must restore your entire home folder!  If you have room, say on an external disk, you can restore it there and sift through it looking for what you want.  If you don’t know which backup has the desired item, you may have to do that over and over.

  3. You can use the Finder to open the backed-up sparse bundle directly, but that’s also one at a time, and not recommended, as you must enter the password each time, and accidentally moving, changing, or deleting anything can corrupt your backups.

  4. Although Time Machine backups will continue to run hourly, this home folder is only backed-up after you log out of it.  So if you're logged-on all day, making lots of changes, none of those changes are backed-up;  only the final contents when you log out . . . if  you log out.   Thus if you make a mistake during the day, there are no previous copies to recover.   

  5. When you do log out, Time Machine will first "recover" unused space, then much of the disk image may need to be saved, often much more than the amount of the changes, so the backup may take a long time, and you cannot log on to any account while it’s in progress.

Also, the entire encrypted home folder is backed-up, even if Time Machine has been told to exclude things inside it (see question #10).

For most folks, encrypting the entire home folder (all your preferences, browser history, bookmarks, photos, music, videos, etc.), is vast overkill anyway.

One alternative is to use Disk Utility (in your Applications/Utilities folder), to create your own sparse bundle disk image, and put only your sensitive documents in it.  Then the rest of your home folder will be backed up normally, and you can browse and restore individual items in your backups.  See How to create a password-protected (encrypted) disk image in Mac OS X 10.3 or later, or look in Disk Utility's help.

Another alternative is one of the 3rd-party Whole Disk Encryption products.  They’re not cheap (this one is $150:  PGP Whole Disk Encryption).  A few users have found it to be a good fit, and here's a positive review:  http://www.securemac.com/pgp-10-wde-review.php;  some others have had negative experiences.


But if you want to use File Vault, here’s how:

Turning File Vault ON:


Before turning it on, be sure you have at least as much free space on the disk that contains your home folder as your home folder uses, as OSX needs to have two copies temporarily.


To turn File Vault on, go to System Preferences > Security and click the FileVault tab.  It is strongly recommended that you set a Master Password, as explained there.


Also as noted, it can take quite a while to encrypt a large home folder.


When you click Turn On File Vault for a non-Admin user, you’ll be prompted for an Admin user name and password.


Then you’ll be prompted for the password for this user account.


Next you’ll see this warning and selection window:


If Time Machine is already on, you’ll see the first warning. 


You can also select secure erase of the unencrypted version of your home folder, and/or to use secure virtual memory while using this account.


When you click Turn On FileVault, you’ll be logged-off while your home folder is encrypted.  This can take a long time if you have a large home folder, and much longer if you selected Use Secure Erase.



After a few moments, you’ll see the Creating File Vault window:


When it’s done, you’ll see the normal Log On window.


While logged on, everything will appear and work normally.


Time Machine backups will continue normally, backing-up changes to things outside of this home folder as usual.

 

Viewing File Vault backups via Time Machine:



When you Enter Time Machine from your home folder, you can access only the NOW (Today) display, since your backups are encrypted in the sparse bundle:




If you enter from, say, your internal HD (or click it in the sidebar), you can navigate to a backup, and see everything else on the backups, but only the sparse bundle in the File Vault account:



You can see the sparse bundle, but you cannot open it, or even see the file and folder names within it.  If you double-click it, all you see is a QuickLook panel.


If you're having trouble understanding or navigating the display, see question #15A.

 

Logging Out:





When you log out, OSX will recover unused space in the encrypted disk image (that may take a while).

Then Time Machine will back it up (that may take a while, too).

You won’t see any of the usual messages here that normally appear on the Time Machine Preferences window, or via the TM icon in your menubar, like Calculating Changes or Copying xxx GB of yyy GB.

All you’ll see is "Backing up" and a progress bar.

 


Note that regularly scheduled Time Machine backups will continue while you're logged on to a File Vault account.  These will not back up anything in the File Vault account, but will back up any changes to your system files (including system-wide settings);  any Application updates;  changes to any other top-level folders you may have;  and any changes to other, non-File Vault home folders.  Normally, of course, these will be quite small.

Lion introduced a new feature, File Vault 2, "whole disk encryption" (it's actually whole partition encryption -- you can encrypt one partition and not others on the same physical disk).  Time Machine works normally with File Vault 2.

This is intended to replace the previous version of File Vault (now called File Vault 1 or Legacy File Vault in some places), which encrypts selected user home folders into a sparse bundle disk image.  That has some considerable downsides, especially in combination with Time Machine, as detailed below.

(If you're not sure what version of OSX you're running, click here).

Overall, it is a significant improvement, but of course there are some downsides, too:

  1. Since it's a new feature, you cannot read a FileVault2 partition from a Mac running an earlier version of OSX, even with the password.

  2. Once a partition is encrypted, you cannot alter any other partitions on the same disk with Disk Utility (users familiar with UNIX and Terminal may be able to use diskutil).

If you have home folders protected by FileVault1 and are upgrading or migrating to Lion or later, you have two options:

  1. Turn FileVault1 off  before upgrading or transferring, then turn FileVault2 on afterwards.  The encryption is done in the background, so while it may take quite a long time, you should be able to use your Mac normally in the meantime.  The harder you use it, the longer the encryption will take, of course.

  2. Transfer the home folders without turning FileVault1 off.  There will be an extra tab in System Preferences > Security on Lion, and FileVault1 is supported on Lion.  You can turn it off when desired, but you can't turn it back on for any home folder.

In either case, turning FileVault1 off requires considerable time and space, as there must be room for two copies of the home folder temporarily. 

Time Machine works seamlessly with FileVault2:  additions and changes to files in home folders are backed-up hourly, as with all other data, and you can view and restore individual items normally.  The backups are not encrypted by default, however.

Time Machine backups can be encrypted in many cases, whether you use FileVault2 on your system or not.  See question #31 for details.

See: OS X Lion: About FileVault 2 for details.


The remainder of this page relates to File Vault 1:

FileVault encrypts your entire home folder into a special container called a sparse bundle disk image.

That disk image is what's backed-up, of course, not the decrypted version you see when you log in.

There are three major downsides  to the combination: