Time Machine - "Encrypt backups" option when disk is already encrypted?

[usagora]

I'm wanting to take the HDD I used for Time Machine backups with my 2012 iMac and use it now for Time Machine backups on my 2019 iMac.
Both my internal SSD and two external HDDs (including the one I'm wanting to use for Time Machine) are encrypted. But when I go to System Preferences > Time Machine > Select Backup Disk and click on the HDD I want to use (named TimeMachine), there is a checkbox at the bottom that says "Encrypt backups." Ok, so i'm confused. If the HDD is already encrypted (which it is, as you can see in the screen shot below), why would I need to check that option ("Encrypt backups")? Isn't anything written to an encrypted volume encrypted by default? If I leave this option checked, is it going to be encrypting the data twice? If I uncheck it, wouldn't the backups still be encrypted, since they are being written to an encrypted volume?



P.S. Ignore the low remaining space shown for the drive - I'm aware of that - I need to delete old backups from the other iMac.

 

[IWT]

Hi Jonathan.

My understanding is the encrypting a HDD and encrypting a Time Machine BU are two different things.

For example, if I encrypt a an External Hard Drive (EHD), it simply acts as a "lock" to enter that Drive. The contents are not encrypted. This approach is not very secure.

When using Time Machine and "Encrypt backups", it is the contents that are encrypted - and it takes a longer time to encrypt and to un-encrypt. This is much more secure.

So the two "encrypts" are very different animals.

HTH

Ian

 

[usagora]

Ok, Ian, now i'm even more confused. My understanding was that formatting a disk with "APFS (Encrypted)" means that files are encrypted and decrypted on the fly as they are written to and read from that volume. In other words, if someone stole that HDD and was somehow able to "see" the data on the drive, it would all be encrypted unless they had either the password or encryption key to decrypt it. In other words, it works just like FileVault for your internal drive. It's not simply "password protection" where someone could easily bypass that gate to see unencrypted data behind it.

 

[usagora]

It just dawned on me that how I originally encrypted this HDD on the old iMac was not through Disk Utility but by checking that very box (Encrypt Backups) because I had already been using it for backups for some time, unencrypted. It then started encrypting everything already on the drive. So I guess the way to go is to keep the box checked to ensure everything remains encrypted.

 

[IWT]

Ah, now I understand better. Confusion is a shared phenomenon, Jonathan. I was fairly sure of the basics, as I posted; but now that you have recalled how you started the encryption process, I see your point. And I agree with your approach.

Sorry if I misled you.

BTW, FileVault is something else again.

Ian