2.7.2 Ensure Time Machine Volumes Are Encrypted

Information

One of the most important security tools for data protection on macOS is FileVault. With encryption in place it makes it difficult for an outside party to access your data if they get physical possession of the computer. One very large weakness in data protection with FileVault is the level of protection on backup volumes. If the internal drive is encrypted but the external backup volume that goes home in the same laptop bag is not it is self-defeating. Apple tries to make this mistake easily avoided by providing a checkbox to enable encryption when setting-up a Time Machine backup. Using this option does require some password management, particularly if a large drive is used with multiple computers. A unique complex password to unlock the drive can be stored in keychains on multiple systems for ease of use.

While some portable drives may contain non-sensitive data and encryption may make interoperability with other systems difficult backup volumes should be protected just like boot volumes.

Rationale:

Backup volumes need to be encrypted.

Solution

Perform the following to enable encryption on the Time Machine drive:
Graphical Method:

Open System Preferences

Select Time Machine

Select Backup Disk...

Select the existing Time Machine backup drive from the Available Drive list

Set Encrypt backups

Select Use Disk

Note: You can set encryption through Disk Utility or diskutil in terminal.

See Also

https://workbench.cisecurity.org/files/3569

Item Details

Category: CONTINGENCY PLANNING, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CP-9, 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|10.4, CSCv7|13.6, CSCv7|14.8

Plugin: Unix

Control ID: 52e4bcd845d8af141efd6c26099720134b93aa98c1eb5cb437a567fb20f7093e