As the name implies, SafetyNet is a safety mechanism that works to avoid accidental loss of data on the destination.
In a typical backup scenario, you have a disk that is dedicated to the task of backing up your startup disk, and you expect the contents of the backup disk to match the contents of the source exactly. In many cases, though, people see lots of extra space on a big 3TB disk and can't resist using it for "overflow" items — large video files, archives of old stuff, maybe your iMovie Library. If you already have that big disk loaded with some overflow items and you're hoping to use it as a backup volume as well, you'll find that CCC's default settings are designed to give you that backup without completely destroying everything else on your backup disk in the blink of an eye.
When CCC copies files to the destination, it has to do something with files that already exist on the destination — files that are within the scope of the backup task, and items that aren't on the source at all. By default, CCC uses a feature called the SafetyNet to protect files and folders that fall into three categories:
- Older versions of files that have been modified since a previous backup task
- Files that have been deleted from the source since a previous backup task
- Files and folders that are unique to the root level of the destination
If you're backing up to an APFS-formatted destination volume that has CCC snapshot support enabled, then CCC's SafetyNet feature is implemented via snapshots. At the beginning of the backup task, CCC creates a SafetyNet Snapshot on the destination. This snapshot captures the state of the destination volume before CCC makes any changes to it. When CCC proceeds to update the destination, it deletes and replaces files immediately as applicable. Because the files are retained by the SafetyNet Snapshot, those files are not permanently deleted until the snapshot is deleted. Protection of items that are unique to the root-level of the destination remains the same as described below.
Legacy SafetyNet Behavior: SafetyNet On
If you're backing up to a non-APFS volume, or if you have snapshot support disabled for an APFS destination, then CCC's SafetyNet is implemented as a folder on the destination.
When the SafetyNet is on, CCC places the older versions of modified files, and files that have been deleted from the source since a previous backup, into the _CCC SafetyNet folder at the root of the destination. We call this a "safety net" because the alternative would be to immediately delete those items. The SafetyNet prevents catastrophes — rather than immediately deleting items from the destination, CCC saves these items on the destination as long as space allows.
That third category of files and folders is left alone on the destination when the SafetyNet is enabled. Files and folders that are unique to the root level of the destination will be left completely alone. To get a better of idea of what that means, consider the following two Finder windows:
The first window shows the contents of the startup disk, with the usual Applications, Library, System, and Users folders. The second window shows the contents of the destination volume. The "root" of the destination volume is what you see in the second pane. There are two items that are unique to the root level of the destination volume, "_CCC SafetyNet" and "Videos". If CCC were to update this volume with the SafetyNet on, both of these folders, tagged as green in the screenshot, would be left alone by CCC. The Users folder, however, is not unique to the destination — that folder is present on both the source and destination. As a result, the "olduseraccount" folder that is inside the Users folder would not be left in place, rather it would be moved to the _CCC SafetyNet folder.
Limiting the growth of the SafetyNet folder
When the SafetyNet feature is enabled for a CCC backup task, CCC will automatically prune the contents of the SafetyNet folder, by default, when the free space on the destination drops below 25GB. CCC will automatically adjust that pruning limit as necessary, e.g. if you have a backup task that copies more than 25GB, CCC will perform additional pruning and increase the pruning limit.
Generally you won't need to adjust CCC's pruning behavior, but you can customize the pruning settings for each task in Advanced Settings. CCC offers pruning based on size of the SafetyNet folder, age of items within the SafetyNet folder, and amount of free space on the destination.
When the Auto Adjust option is enabled (and it's enabled by default), CCC will automatically increase the free space pruning limit if your destination runs out of free space during the backup task. For example, if your pruning limit is set to the default of 25GB, and you have 25GB of free space at the beginning of the backup task, no pruning will be done at the beginning of the task. If that task proceeds to copy more than 25GB of data, however, the destination will become full. CCC will then increase the pruning limit by the larger of either the amount of data copied in the current task, or by the amount of data that was required by the last file CCC attempted to copy. For example, if CCC copied 25GB of data, then the pruning limit would be increased by 25GB. If CCC wanted to copy a 40GB file, however, CCC would not fruitlessly copy 25GB of that file, rather it would immediately increase the pruning limit by 40GB, revisit pruning, and then restart the task.
Lastly, note that you may change the pruning limit manually if the automatically-adjusted value is set higher than you prefer. The auto adjustment feature is designed to make SafetyNet pruning more liberal and less fussy, but you may reset the pruning limit to a lower value at any time.
If you always want the destination to match the source, and you have no need for retaining older versions of modified files or files deleted from the destination since a previous backup task, you can disable CCC's SafetyNet with the large switch icon underneath the destination selector. When CCC's SafetyNet is disabled, older versions of modified files will be deleted once the updated replacement file has been successfully copied to the destination, and files that only exist on the destination will be deleted permanently. Files and folders that are unique to the destination will not be given special protection from deletion. The only exception to this is the _CCC SafetyNet folder — CCC will not delete that folder. If the _CCC SafetyNet folder was created in a previous task that had the SafetyNet enabled, you can simply drag the SafetyNet folder to the Trash to dispose of it.
Protect root level items on the destination
CCC's SafetyNet includes a key feature that provides protection for items that are unique to the root level of the destination volume (see the explanation in the "SafetyNet On" section above). When you choose SafetyNet Off from the SafetyNet popup menu, the Protect root level items on the destination setting is disabled. If you would like to use that setting with the SafetyNet disabled, click the Advanced Settings button, then check the box next to that option.
With this setting, CCC won't delete anything from the destination. If a file exists on the destination and not on the source, that file will be left in place on the destination. If a file will be updated on the destination, the older version of the file will be moved to CCC's SafetyNet folder. This setting is useful for source folders and volumes that leverage excellent organization. For example, if you store photos by project name, and you like to remove those projects from the source as a whole when the project is complete, you can use the Don't delete anything SafetyNet setting to avoid removing those archived projects from the destination.
One cautionary note about using this setting: Older files will accumulate on the destination, consuming more space than is consumed on the source. Also, if your files are not well organized, you may find a future restore to be quite tedious because everything you've deleted from the source will still be on the backup.
When you use the Don't delete anything SafetyNet setting, CCC won't be able to replace items that have a different type on the destination. For example, if you replace a folder with an alias, CCC won't be able to copy the alias file; instead, you'll get an error. You can manually remove the offending item from the destination, or choose one of the other SafetyNet settings so that CCC may do the replacement.
If you would rather that CCC did not move or delete files that are unique to your backup volume (e.g. files that are not part of the source data set), there are a couple other ways to protect that data.
Add a new partition to the destination hard drive
You can use Disk Utility to resize existing HFS+ formatted volumes and to add new partitions to APFS containers. These actions can be done non-destructively, that is, without erasing the files and folders on any existing volumes.
Back up to a folder
You can use CCC to back up your data to a subfolder on the destination volume. When backing up to a subfolder on the destination volume, CCC's copying and deleting considerations are made entirely within the scope of that subfolder — content outside of that subfolder is not considered or affected by the backup task. To back up to a folder, select "Choose a folder..." from CCC's Destination selector.
We strongly recommend that you find the means to dedicate a volume to the task of backing up your irreplaceable data. If you have data on your backup volume that exists nowhere else, it is not backed up! Whenever you target a volume for use with Carbon Copy Cloner, there is a risk that some files will be removed for one legitimate reason or another. CCC offers options and warnings to protect your data from loss, but nothing can protect your data from a misuse of CCC or a misunderstanding of the functionality that it provides.