Carbon Copy Cloner Encrypted Backup

Can I back up an encrypted volume to a non-encrypted volume?

Carbon Copy Cloner Alternative

Whether your backed-up files are encrypted on the destination depends on whether encryption is enabled on the destination volume. If you want the contents of your backup volume to be encrypted, follow the procedure documented here to enable encryption. Will Carbon Copy Cloner enable encryption on my backup volume? Carbon Copy Cloner (CCC) is a Mac OS X application that can be used for creating file backups, complete images of your computer, or for cloning hard drives. In Carbon Copy Cloner, you can backup either a whole drive or part of the drive to an external hard drive at a scheduled time of your choosing (hourly, daily, weekly, monthly, etc.).


Carbon Copy Cloner Encrypted Backup

If I back up an encrypted volume to a non-encrypted volume, will the copied files be encrypted on the destination?

No, encryption occurs at a much lower level than copying files. When an application reads a file from the encrypted source volume, macOS decrypts the file on-the-fly, so the application only ever has access to the decrypted contents of the file. Whether your backed-up files are encrypted on the destination depends on whether encryption is enabled on the destination volume. If you want the contents of your backup volume to be encrypted, follow the procedure documented here to enable encryption.

Will Carbon Copy Cloner enable encryption on my backup volume?

No. You can enable encryption in the Security & Privacy preference pane while booted from your bootable backup, or in the Finder by right-clicking on your backup volume.

Do I have to wait for encryption to complete before rebooting from my production volume?

No. Once you have enabled encryption on the backup volume, you can reboot from your production startup disk and the encryption process will continue in the background.

What happens if I change my account password on the source volume? Does the encryption password on the backup volume get updated automatically?

Carbon Copy Cloner For Mac

The encryption password(s) on the backup volume will not be automatically updated when you change the password for an account on the source volume. When you boot from the backup volume, you may notice that your user account icon is a generic icon, and the text indicates '[Update needed]'. The update that is required is within the proprietary encryption key bundle that macOS maintains for your encrypted volume. This encryption key is not maintained on the backup volume, and it is Apple-proprietary, so it isn't something that CCC can or should modify. To update the encryption password on the destination volume:

  1. Choose the backup volume as the startup disk in the Startup Disk preference pane and restart your computer. You will be required to provide the old password to unlock the volume on startup.
  2. Open the Users & Groups preference pane in the System preferences application.
  3. Click on the user whose password was reset on the source volume and reset that user's password again. Resetting the password while booted from the backup volume will update the encryption key for that user on the backup volume.
  4. Reset the password for any other user accounts whose password was reset on the original source.

I enabled encryption on my 3TB USB backup disk. Why can't I boot from that volume any more?

Some versions of OS X have difficulty recognizing USB devices that have been encrypted with FileVault. The Western Digital My Passport Ultra 3TB disk, for example, works fine as a bootable device when not encrypted. In our tests, however, this device was no longer recognizable when FileVault encryption was enabled. This problem appears to be limited to OS X 10.11 El Capitan. The same volume was accessible using older and newer OSes, and also functioned fine as an encrypted startup device using older and newer OSes.

I formatted my destination as encrypted, and it's bootable. Why do you recommend cloning to a non-encrypted volume first?

We generally recommend that people establish a bootable backup on a non-encrypted volume, and then enable FileVault while booted from the destination. Some people have discovered, however, that a pre-encrypted volume can (will usually) function as a bootable device. So why do we recommend the former? There are a couple notable differences between pre-encrypting the disk vs. enabling FileVault after booting from the not-encrypted disk. When you enable FileVault via the Security Preference Pane:

  • You get a sanity check that a recovery volume exists (this avoids spending lots of time copying files only to find out that the volume might not be bootable)
  • You get the opportunity to store a recovery key with Apple
  • You can unlock the disk with selected accounts
  • You get a nicer UI on startup to unlock the disk (e.g. it's similar to the LoginWindow interface), vs. a less-polished looking Unlock Disk interface

One drawback to enabling FileVault via the Security Preference Pane, however, is that changes to account passwords on the source volume aren't immediately reflected on the backup as far as unlocking the disk is concerned. The old account passwords would be required until you boot from the backup and specifically re-enable those accounts in the Security Preference Pane (at which time the disk's EncryptionKey is remastered).

As far as the backups are concerned, there's no difference between these two methods. There is still an order-of-operations concern with pre-encrypting the disk. You'd want to approach it in this manner:

  1. Erase the destination device (unencrypted!)
  2. Click on the freshly-erased disk in CCC's sidebar and create a recovery volume on that disk
  3. Go back to Disk Utility and erase the volume now, not the whole disk (as was emphasized in the instructions above). Now you can choose the option to encrypt the volume. By erasing just the volume here, not the whole disk, the hidden recovery partition that CCC created won't be destroyed.
  4. Open CCC and configure your backup task

In general, either procedure is fine, it really is the same as far as the backup is concerned. We generally prefer the Security Preference Pane method, however, because it yields the same UI behavior you are expecting if you have enabled FileVault on your production startup volume. Many people become concerned when the Disk Utility-encrypted volume shows any behavioral difference at all with regard to unlocking the disk on startup, and that concern is best avoided by enabling FileVault in the Security Preference Pane.

Apple introduced a new filesystem in macOS High Sierra, so naturally you may be wondering how Carbon Copy Cloner deals with this and how this new change might affect your backups. You might even be wondering, 'What's a filesystem?', so we'll start with that, and gradually move into more technical details.

What's a filesystem?

The file system is perhaps the most important piece of software on your Mac. It’s also one of the most transparent, at least when it’s working correctly. Every user and every application uses the file system. The file system keeps track of and organizes all of the files on the hard drive, and also determines which users and applications have access to those files. The file system also keeps track of how many files you have and how much space they consume. Every time you look for a file, open a file, move a file, save a file or delete a file, it's the filesystem that is fulfilling that action.

Why is Apple introducing a new filesystem?

Apple’s legacy file system, HFS+, has worked well for almost 20 years, and Apple has made consistent improvements to it over that time. For example, Apple added support for extended attributes, file system compression, file system journaling, and full-disk encryption. All of these new features were added to keep pace with new operating system features and to make the file system more reliable. But that file system was created initially for Mac OS 8, and was designed for platter-based hard drives. Storage technology has changed a lot over the last 20 years, and modifying HFS+ to keep pace with those changes has proven increasingly difficult. To meet the challenges of new OSes and new storage technology, Apple introduced the Apple File System, or 'APFS' in High Sierra.

When I upgrade my Mac to High Sierra (or later), will my startup disk be converted to APFS?

When you upgrade to macOS High Sierra, systems with all flash storage configurations are converted automatically. Systems with hard disk drives (HDD) and Fusion drives won't be converted to APFS on macOS High Sierra. When you upgrade to Mojave, HDD and Fusion volumes are also converted to APFS. You can't opt-out of the transition to APFS.

If I first upgrade to High Sierra on an HDD, and then clone to an SSD, will the SSD be converted to APFS?

If you're running macOS High Sierra or Mojave, then neither the HDD nor the SSD will be automatically converted to APFS. You can choose, however, to erase the SSD as APFS prior to cloning to it. Both APFS and HFS are valid destination formats when using Carbon Copy Cloner 5 on High Sierra and Mojave. When making a backup of a macOS Catalina system volume, CCC will automatically convert the destination volume from HFS+ to APFS, but only after your explicit approval of the action.

If the OS upgrade converted my startup disk to APFS, what do I need to do to my backup disk? Do I have to erase it as APFS?

You don't need to do anything at all to your backup disk after upgrading to macOS High Sierra or Mojave (and again, on macOS Catalina, CCC will automatically convert the destination to APFS, so you still don't have to do anything to the destination volume). Having an HFS+ backup of an APFS-formatted High Sierra or Mojave startup volume is acceptable; that will function just fine for any future restores, even to an APFS-formatted volume. If your backup disk is an SSD, or if you were planning to erase the destination anyway, we do recommend that you erase it as APFS.

I'm running Mojave — can I erase my HDD destination as APFS? Are there any advantages to using APFS on the destination?

If you were planning to erase your destination volume anyway, we recommend that you format the volume as APFS. While enumeration performance of APFS on a rotational disk is still significantly worse than HFS+ on the same hardware, there are some other advantages to choosing APFS rather than HFS+. For example, an APFS destination can store snapshots from which you can do point-in-time restores. APFS volumes also support sparse files, and you're less likely to run into name comparison problems (e.g. when files on the source APFS volume have Unicode characters like 'é') when backing up to an APFS-formatted volume. You also cannot boot a T2 Mac from an HFS+ encrypted volume, so if you have a T2 Mac and encryption of the backup is required, you must choose APFS.

Can I use CCC to clone an APFS startup disk to another Mac?

The macOS installer applies a firmware upgrade to your Mac when you install the macOS upgrade. This firmware upgrade cannot be made part of the cloning process. Only the macOS Installer can upgrade a Macintosh to support APFS. If you attempt to clone an APFS volume to a Macintosh that has not yet received the firmware upgrade from the macOS Installer, that Macintosh will not be able to boot from the APFS volume. Once your Mac has received the firmware upgrade via the macOS Installer, your Mac can boot from a CCC bootable backup on an APFS volume. Note, however, that every major MacOS upgrade may require a new firmware upgrade to allow use of the newer operating system.

Note that this is also applicable to a Macintosh running in Target Disk Mode. If you upgrade one Mac to High Sierra (or later) via the Installer, you cannot boot a second Mac into Target Disk Mode, attach it to the first, then clone High Sierra (or later) to the Mac in Target Disk Mode. The required firmware upgrade cannot be applied to the Mac that is booted in Target Disk Mode, you must run the macOS Installer on that second Mac. Once the second Mac has received the firmware upgrade via the macOS Installer, you can clone the first Mac to the second Mac booted in Target Disk Mode.

Does CCC support encrypted APFS volumes?

Yes, CCC 5 can clone to and from encrypted APFS volumes (aka FileVault encryption). Note that CCC doesn't play any role in the encryption process – encryption is a function of the volume, not of the tool that's writing a file. If you enable FileVault on your startup disk, then the files on your startup disk will be encrypted. Those files are decrypted on-the-fly by the filesystem when they're opened by an application. Likewise, if you enable FileVault on the destination volume (e.g. via the Security Preference Pane while booted from the backup), then the files on the destination will be encrypted. CCC doesn't have to encrypt those files, they're encrypted on-the-fly by the filesystem as the bits are written to disk.

I heard that APFS has a 'cloning' feature. Is that the same as what CCC is doing?

No, the cloning functionality within APFS is completely unrelated to the cloning that CCC performs.

APFS cloning allows the user to instantly create copies of files on the same volume without consuming extra storage space. When cloning a file, the file system doesn’t create copies of the data, rather it creates a second reference to the file that can be modified independently of the first file. The two files will share storage on the disk for portions of the files that remain identical, but changes to either file will be written to different parts of the disk. APFS file cloning only works when you make copies of a file on the same volume (e.g. duplicate a file or folder in the Finder). CCC is typically copying files between volumes, so APFS cloning isn't applicable for that kind of task.

The important take-away is that APFS file cloning can save you space on your startup disk, but CCC cloning can save your data if your source disk fails. They serve completely different purposes; APFS file cloning is not at all related to making backups.

Why doesn't the disk usage on my backup disk match the disk usage on the source disk?

CCC's global exclusions as well as the SafetyNet feature have traditionally led to legitimate differences in disk usage in the past. The aforementioned APFS file cloning feature, however, adds a new dimension to this concern. While APFS file cloning saves space on your source volume, those space savings can't be consistently applied when copying your files to another volume (because Apple doesn't offer a way for us to determine that one file is a clone of another). Making matters worse, Finder does not accurately represent the true disk usage of your files. Finder doesn't take into consideration whether one file is a clone of another (again, because Apple doesn't provide a way to make that assessment), so it sums up the total size of each file and folder, presenting a total value that is possibly astronomically higher than the capacity of the disk.

If you convert your Mac's disk to APFS, understand that the disk usage on your source and destination may never add up, and therefore may not be a reliable measure for comparing the source and destination. Pink vellum wedding.

Additional Resources

We're here to help

If you get stuck or need some advice, you can get help right from within CCC. Choose 'Ask a question' from CCC's Help menu to pose a question to our Help Desk.