Your Mac backup drive holds years of photos, financial records, work files — an external copy of nearly everything on your Mac. But what if that backup drive slips out of your bag at the airport, gets swiped from your car, or is taken in a home burglary? Without encryption, whoever has that drive has everything on it. With FileVault encryption enabled, they have nothing but unreadable data. This is what's known as "at-rest" protection, and Carbon Copy Cloner makes it a one-click setting on any APFS backup volume.

How do I enable encryption on my CCC backup?

When you initially select a volume as a destination to a backup task, CCC's Backup Volume Setup Assistant will offer an option to enable encryption. Simply check the box to enable encryption and provide the password that you would like to use to unlock the volume. If your backups are already configured, you can do the following to enable encryption on a volume:

1. Click Volumes in CCC's sidebar.
2. Select your backup volume in the sidebar.
3. Toggle the FileVault switch to the On position.
4. Enter a password to use for unlocking the volume, then encryption conversion will begin.

Product Tour: Learn how to enable encryption on your backup volume Opens in Carbon Copy Cloner. Don't have CCC?

Important: Store your password in a password manager. Unlike FileVault on your startup disk, an encrypted backup volume has no recovery key — if you forget the password, the data is unrecoverable.

I already enabled FileVault on my Mac. Are my backups encrypted too?

No. Your startup disk and your backup disk are separate volumes. Enabling FileVault on one has no effect on the other. To encrypt your backups, follow the steps above to turn on FileVault for your backup volume itself.

Can I disable encryption on my backup volume if I change my mind later?

Yes, using the same steps noted above; simply flip the FileVault switch to the Off position and provide the password used to encrypt the volume. Bear in mind that both encryption and decryption are conversion processes. These processes can take several hours on a populated volume and cannot be cancelled. These conversions will proceed in the background without your attention as long as your Mac remains on AC power (conversion is suspended while the Mac is running on battery power). CCC will indicate progress if encryption or decryption conversion is underway.

Can I change the password used to unlock the volume?

Yes, you can change the password in Disk Utility:

1. Choose Disk Utility from CCC's Utilities menu
2. Select the applicable volume in Disk Utility's sidebar
3. Choose Change Password… from the File menu

After you change the password to a CCC source or destination volume, click on the volume in CCC's Source or Destination selector and choose the option to unmount that volume, then repeat to remount the volume. CCC will prompt you to update the password that is stored in the System keychain (i.e. that CCC uses to unlock the volume during an automated backup task).

How does FileVault encryption work?

When data is encrypted "at rest", it means that the data physically stored on the disk is encrypted — unreadable without the password. If someone were to gain access to the disk and try to access it on another computer or operating system, they'd still need your encryption password to decrypt the data. Contrast that to folder-level access controls; on your Mac you can restrict access to a folder with permissions or ownership settings, but those settings can be easily defeated by attaching the storage to some other computer.

FileVault encryption works transparently. When an encrypted volume is unlocked and mounted, the filesystem automatically decrypts data on-the-fly as applications request file data. Likewise, data is automatically encrypted by the filesystem when files are written to disk. Applications don't participate in that encryption, and are essentially completely unaware of the physical storage logistics of the data.

In a few clicks, your CCC backup will be just as private as your Mac itself.