2.3.4.2 Ensure Time Machine Volumes Are Encrypted If Time Machine Is Enabled

Information

One of the most important security tools for data protection on macOS is FileVault. With encryption in place, it makes it difficult for an outside party to access your data if they get physical possession of the computer. One very large weakness in data protection with FileVault is the level of protection on backup volumes. If the internal drive is encrypted but the external backup volume that goes home in the same laptop bag is not, it is self-defeating. Apple tries to make this mistake easily avoided by providing a checkbox to enable encryption when setting up a Time Machine backup. Using this option does require some password management, particularly if a large drive is used with multiple computers. A unique, complex password to unlock the drive can be stored in keychains on multiple systems for ease of use.

While some portable drives may contain non-sensitive data and encryption may make interoperability with other systems difficult, backup volumes should be protected just like boot volumes.

Note: This recommendation needs to be set on devices where Time Machine is enabled. If Time Machine is disabled, the audit is passed by default.

Backup volumes need to be encrypted.

Solution

Graphical Method:

Perform the following steps to enable encryption on the Time Machine drive:

- Open System Settings
- Select General
- Select Time Machine
- Select the unencrypted drive
- Select - to forget that drive as a destination
- Select + to add a different drive as the destination
- Select Set Up Disk...
- Set Encrypt Backup to enabled
- Enter a password in the New Password and the same password in the Re-enter Password fields
- A password hint is required, but it is recommended that you do not use any identifying information for the password

Note: In macOS 12.0 Monterey and previous, the existing Time Machine drive could have encryption added without formatting it. This is no longer possible in macOS 13.0 Ventura. If you wish to keep previous backups from the unencrypted volume, you will need to manually move those files over to the new encrypted drive.

See Also

https://workbench.cisecurity.org/benchmarks/18636

Item Details

Category: CONTINGENCY PLANNING, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CP-9, 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|10.4, CSCv7|13.6, CSCv7|14.8

Plugin: Unix

Control ID: ac27f9d05a2a3efb6894edfe9371f4e27f70d7b8f708298196d4eeef590dbcaa