I bought three new 4T disk drives for my backup needs! Two of these will be used in rotation, one of them always at my wife’s office. I’d like to encrypt them. Do I use the Apple tools to do it? Maybe I should.
I think this is what I want to do:
1. I want to backup my laptop’s internal drive, of course.
2. Use one of the 4T disks as the new external disk, replacing the 1T disk I currently use (called “Extern”).
3. I also want to replace the other external disk we use for media (called “Movies”)
4. Backup my websites using rsync.
5. Use Time Machine for the two other 4T disks. This means that eventually, as the first disk starts to fill up, a complete backup will no longer be possible. But since all my backups are currently on 1T disks, this should be possible for quite a while.
And these are the steps I need to do:
1. Pick a nice long password.
2. Use Disk Utility to erase the first 4T disk and create a Mac OS Extended (Case-sensitive, Journaled, Encrypted) partition. Let’s call it “Data”.
3. Copy all the data from “Extern” to “Data” in archive mode. Can I use `cp -a` for this? I think I’m better off using what I know: `sudo rsync --archive --itemize-changes /Volumes/Extern/ /Volumes/Data`
4. Copy all the data from “Movies” to “Data” in archive mode. `sudo rsync --archive --itemize-changes /Volumes/Movies/ /Volumes/Data` should merge these without problems, as far as I can tell from the top level directories.
5. Fix the existing backupscript such that it downloads the sites and `/etc` to the new “Data” drive; remove the rsync invocations for the local drives.
6. Use Disk Utility to erase the second 4T disk and create a Mac OS Extended (Journaled) partition. Let’s call it “Time Machine 1”. Tell Time Machine to use it, and make sure the backup is encrypted. Send it off site.
7. Use Disk Utility to erase the third 4T disk and create a Mac OS Extended (Journaled) partition. Let’s call it “Time Machine 2”. Tell Time Machine to use it, and make sure the backup is encrypted, too.
Done?
☯
“About This Mac” reports:
1. macOS Sierra, Version 10.12.6
2. MacBooc Pro (13-inch, Mid 2010)
Disk Utility reports:
1. Hitachi HTS545025B9SA02 Media (the internal disk, 250GB)
2. TOSHIBA External USB 3.0 Media (”CANVIO for Desktop”, 4TB), twice
#Backup
(Please contact me if you want to remove your comment.)
⁂
Many hours later, I copied the contents of my old “Extern” disk and my old “Movies” disk (a hold over from the old sneaker net days when people would visit one another with hard disks in order to share) to the new “Data” disk.
So on to the next step: I plugged in the second disk, used Disk Utility to rename it to “Backup” and used Time Machine to set it up as an encrypted backup. I made sure to look at Options and removed the exclusion of the external “Data” disk. I want it included, after all.
I do wonder how good this Apple disk and backup encryption is.
– Alex 2017-09-05 13:28 UTC
---
Wow. Many hours later and we have 440GB of an estimated 1.8TB written. Time Machine is *slooow*.
– Alex 2017-09-05 19:38 UTC
---
OK, today I learned: one full backup takes more than 24h. The next laptop definitely needs USB 3.
– Alex 2017-09-06 13:29 UTC
---
Ok, disk “Backup” is done. Time Machine said “Encrypting Backup: 7%.” What is this? I thought it was all encrypted?
Oh well, since I was able to unmount it, I just went ahead and plugged in the third disk, erased it, called it “Backup 2”, and told Time Machine to use it without discarding the first Backup disk. So now it will backup to both. This is good.
And now that I have a new set of disks, I should definitely check the disks. But before doing all that, I will have to prepare:
1. install the SMART driver, check all three disks
2. much later, uninstall the SMART driver, mount all the old disks and wipe them
3. install the SMART driver again
Gah!
– Alex 2017-09-06 14:44 UTC
---
OK, second backup done. When I ejected the disk it said “Encrypting Backup 6%”. I still wonder what that means.
Just to get a feeling for how things work, I decided to put the first backup disk back in and clicked “Backup Now” in the menu. To be honest, I thought Time Machine should detect the old backup disk immediately, notice that the last backup was older than one hour and immediately do another backup. Not so, unfortunately.
“Preparing Backup...”
– Alex 2017-09-07 12:36 UTC
---
I am happy to learn that this new backup is “490MB of 28.38GB” done.
– Alex 2017-09-07 12:39 UTC
---
Sadly, this is where it remains. Currently: 492MB. The estimate is: 2h remaining.
– Alex 2017-09-07 12:54 UTC
---
Ugh, status unchanged. This is not cool.
– Alex 2017-09-07 14:06 UTC
---
I was unsure of what to do and so I turned to the age old trick: I rebooted the system.
– Alex 2017-09-07 14:32 UTC
---
Rebooting with the drives connected left me with the grey apple screen and ventilators at 100%. I disconnected the new USB drives and held down the power button until it powered down. I am not liking this!
– Alex 2017-09-07 14:53 UTC
---
After rebooting and reconnecting the drives I was asked for the two passwords and the icon for the backup drive turned into the petrol colored backup icon. Good!
Picked “Backup Now” from the menu. Current status: “Preparing Backup...”
– Alex 2017-09-07 14:58 UTC
---
Status:”Encrypting Backup Disk: 9%”
– Alex 2017-09-07 19:04 UTC
---
After a longer trip abroad I returned to this backup and find this: “Encrypting Backup Disk… (16%)” – I googled for *time machine status encrypting* and found this: “What you describe is completely normal. It will take the better part of a day to finish encrypting 48 GB with a rotating hard disk drive.” ¹ I have about 1.71 TB of data on this drive. This is a major pain.
And I still don’t understand what is happening. I have an encrypted disk (I get asked for a password when mounting it), and yet there seems to be a second layer of encryption that is applied later. This would seem to be ridiculous. The person maintaining the Time Machine FAQ says that this doesn’t happen. “*If I use the encrypted disk AND choose the Time Machine encryption option, will everything be encrypted twice?* No.” ²
I just wonder how to explain what I’m seeing and I wonder whether I should just switch to Carbon Copy Cloner.
– Alex 2017-10-22 06:07 UTC
---
Well, 24h later it’s still encrypting the backup disk, now at 35%. In short, about 20% per day. This will not do. What happens when I get an OS update?
I feel like I should try a restart: *If your disk is encrypting for an unbearably long time, cancel it, erase and encrypt the drive first, and than start the timemachine backup.*
– Alex 2017-10-23 05:23 UTC
---
And just as I opened up *Disk Utility*, picked the disk, clicked *Erase*, and unmounted the disk, but it had failed to erase it, and I check the progress monitor and it says: *Latest Backup to “Backup”: Today, 06:35” (i.e. 50 min ago).*
No more “Encrypting…” I guess I can just keep unmounting the backup disk mid-encryption.
– Alex 2017-10-23 05:26 UTC
---
Uaaaaagh. *Worst Case Scenario!*
I switched backup drives, so now I have “Backup 2” at home. Plugged it in, provided password: it is refused. WTF!
– Alex 2017-10-24 21:38 UTC
---
Erasing disk using *Disk Utility*, picking *Mac OS Extended (Case-sensitive, Journaled, Encrypted)*. Getting the message that *the identity of backup disk “Backup 2” has changed since the previous backup*. I answer *Use This Disk*.
– Alex 2017-10-24 21:46 UTC
---
Now it says it’s 4TB Unformatted and 4TB Backup 2. This partition map is confused.
– Alex 2017-10-24 21:48 UTC
---
Even erasing the disk from the command line doesn’t help. `diskutil eraseDisk jhfsx "Backup 2" /dev/disk1` results in the same extra partition when using *Disk Utility*. The only thing is that on the command line looks good:
alex@Megabombus:~$ diskutil list /dev/disk0 (internal, physical): #: TYPE NAME SIZE IDENTIFIER 0: GUID_partition_scheme *250.1 GB disk0 1: EFI EFI 209.7 MB disk0s1 2: Apple_HFS Macintosh HD 249.2 GB disk0s2 3: Apple_Boot Recovery HD 650.0 MB disk0s3 /dev/disk1 (external, physical): #: TYPE NAME SIZE IDENTIFIER 0: GUID_partition_scheme *4.0 TB disk1 1: EFI EFI 209.7 MB disk1s1 2: Apple_HFS Backup 2 4.0 TB disk1s2
I also saw something interesting in the *diskutil* manpage:
At this point, if no encryption was specified, all is done. Otherwise, the bytes-on-disk will begin to be encrypted in-place by CoreStorage automatically “in the background” while the PV/LVG/LVF/LV stack continues to be usable. Encryption progress may be monitored with diskutil coreStorage list.
When encryption is finished, a Disk passphrase will be required the next time the LV is ejected and re- attached. If the LV is hosting the boot volume, this passphrase requirement will thus occur at the next reboot.
Note that all on-disk data is not secured immedi- ately; it is a deliberate process of encrypting all on-disk bytes while the CoreStorage driver keeps publishing the (usable) LVG/LV.
I guess there’s no helping it, then.
– Alex 2017-10-24 22:10 UTC
---
So now I erased the disk, accepted the strange partition display in *Disk Utility*, told *Time Machine* to accept the disk even though its identity has changed (note that I erased it from the command line without providing a passphrase using `diskutil corestorage convert <device> -stdinpassphrase`. I wonder whether *Time Machine* will still encrypt it?
– Alex 2017-10-24 22:13 UTC
---
Hah, got a warning about backup up from an encrypted disk (Data) to an unencrypted disk (Backup 2). So now I ran `diskutil corestorage convert "Backup 2" -stdinpassphrase` and doing another backup.
– Alex 2017-10-24 22:29 UTC
---
More *Time Machine* sadness: if you use hard links on your system in order to save space, you will be sad to learn that the files will get duplicated in your backups. ³
– Alex 2017-10-25 15:07 UTC