Finally decided not to wait until 25-Oct-2025 (Windows 10 EOL), but to start migrating from my (17+ years old…) Windows PC to my MacBook Air “now”! This means my M1 will become my main computer and I want/need to make “local” backups of it (I’m already making offline backups to my 1 TB OneDrive using Arq).
On the PC I currently make several kinds of “local” backups (weekly):
Incremental images of every partition on the internal SSD/HD to an external HD, using Macrium Reflect 8, which I can restore using a bootable USB drive.
Synchronize some files to a USB stick using SyncBackFree.
Copy certain VeraCrypt images to that same USB stick.
Copy the new contents of that USB stick to an old Mac mini (which I only use for storage).
Additionally I “now and then” copy the entire content of that USB stick to an external HD that I keep at a family member living in a different state.
I plan to ditch both my PC (from 2008) and the old Mac mini (from 2011) and bought two Samsung T7 2 TB SSD drives to use as my new “local” backup locations (one at my house, one at that family member in the other state). Since I take my MacBook Air there whenever I visit them, I might no longer need the USB stick as a transfer medium.
My MacBook Air M1 is the base model; its internal SSD is only 256 GB. Therefore, I plan to put the backups of my iPhone (capacity 256 GB, iMazing backup is only 20 GB) and iPad (capacity 256 GB, iMazing backup is only 25 GB) on the external SSD as well.
Which software / procedures do you recommend to replace the PC backup/sync software?
Preferably I would like to make bootable backups (or backups that can easily be restored on a fresh Mac).
I also want to make sure that these backups are encrypted. How to do that? (FileVault is only for internal drives?)
Why must the backups be encrypted? Inversely said, are you in such a frame of need to go that far in securing all of your data, perhaps as opposed to selective parts of your data?
Do you appreciate the distinctions between creating a backup file, a bootable clone, and an archive? Why do you need every backup to be bootable, versus having recovery to your baseline operating system + one recovery (backup) to restore the contents to the recovered operating system?
Do you appreciate the distinctions between creating a distinct copy of data contents to locate in a different physical or cloud location versus creating a sync-able copy of data contents to access dynamically, on-call from one or more remote locations to the storage?
As to examples, I use Time Machine routinely (two to three times per week if not more often) to back up my documents on my main volume as well as all contents on two internal volumes (repositories and databases) to an SSD. I also tie into my work-provided backup application to run additional cloud-based backups. I do quarterly cleanups of completed work to store files on an external (spinning) HD before removing them from my internal drive. I do not encrypt anything.
My M1 MacBook Air was encrypted by default when I received it (FileVault). That’s SOP for macOS these days. I encrypt my backup drives because they often sit in plain view on my desk while they are in use.
Interesting. Not my approach though. If it is however your default approach, should I presume that your backups are automatically encrypted as well? Hence, no fuss to make extra changes at that end.
With Apple Silicon Macs, it’s Apple’s default to deliver macOS with FileVault turned on. You can of course turn it off if that’s your preference. I format my backup drives before using them, and it’s at that time that I choose APFS encrypted as the format.
Just to note that on Macs with Apple Silicon chips, FileVault technically no longer encrypts the drive as the internal drive is already encrypted by default regardless of the FileVault setting. It’s just about where the encryption keys are stored. This is why turning on FileVault later is instant, and no encryption needs to take place (as was the case before T2 and Apple Silicon chips, where you had to wait).
Encrypting all data on the SSDs is indeed not needed per se (only encrypting financial/health data and local email backups would probably be fine), but I currently (still) use FileVault on the internal SSD. If there’s something similar for external SSDs I’d like to use that (encrypted APFS?). What I don’t know: if I use software to back up the internal drive, does it copy encrypted or unencrypted data? (Does encryption on the source or the target determine whether data is encrypted?)
Also backups don’t have to be bootable per se. If I’m able to quickly restore a backup to make a new/wiped Mac feel like my Mac that’s fine.
I will probably receive the external SSDs tomorrow. The first thing I need to figure out is how to format the drives, if I want to use encryption and be able to write to them (once) from PC?
My current plan:
1. Format the first SSD as FAT32/NTFS and copy relevant data from PC (using PC).
2. Format the second SSD as encrypted APFS and copy all data from the first SSD (using Mac).
3. Format the first SSD as encrypted APFS and copy all data from the second SSD (using Mac).
Can I do this smarter?
Also: which software on the Mac can copy files and compare their hashes afterwards to verify that the copy is indeed identical?
EDIT: I don’t need to figure out only the format, but also volumes/partitions/… Can I put “everything” in one volume, or should I make multiple? (For “clone”, for manually copied files and mobile backups, for Time Machine)
I am not able to read this whole thread right now, so just a few general answers:
If you are dealing with external drives that need to be readable and writable both on Macs and PCs, ExFAT is an alternative. NTFS does not work with Macs out of the box. More at “File system formats available in Disk Utility on Mac” (Apple Support (CA)). APFS is the way to go these days for external drives that are used by Macs only.
If you need your external drives to be encrypted, APFS encrypted seems to be a reasonable choice as long as you only need to access them via a Mac. I have no first-hand experience, though. Tools like CCC do support it (I am using CCC for backups); see “Everything you need to know about CCC and APFS” (Bombich Software). I do not encrypt external drives (they do not leave my home, I do not want to deal with encrypted external drives at home). My preferred choice: I encrypt sensitive data if needed (password manager (in the past 1Password, Strongbox these days), disk images in the past), no matter where the data is being stored at. I am using FileVault on my internal Mac drive, though.
Hashes… So far, I have not cared about comparing hashes. It is overkill for me. Apparently, Carbon Copy Cloner is able to do that since v6; see “What's new in CCC 6?” (Bombich Software): “CCC 6 can verify files at the end of the backup task, and also offers the opportunity to verify files on the source and destination, independently, against a hash that was recorded when the file was last copied.” I have no first-hand experience with this feature.
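For the question above about checking that a copy is identical, here is an added example that is not part of the original posts and is not how CCC implements its verification. It hashes every file in a source tree and in its copy with SHA-256 and reports missing, altered, and unexpected files; the function names and the sample directory layout are assumptions made for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so multi-GB disk images do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare_trees(source, destination):
    """Return files that are missing, different, or unexpected on the copy."""
    src, dst = build_manifest(source), build_manifest(destination)
    return {
        "missing": sorted(set(src) - set(dst)),
        "mismatch": sorted(k for k in src.keys() & dst.keys() if src[k] != dst[k]),
        "extra": sorted(set(dst) - set(src)),
    }


def demo():
    """Constructed sample: a tiny source tree and a copy with one flipped byte."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "src"), Path(tmp, "dst")
        for base in (src, dst):
            (base / "docs").mkdir(parents=True)
            (base / "docs" / "tax.pdf").write_bytes(b"constructed sample A")
            (base / "vault.hc").write_bytes(b"\x00" * 4096)
        (src / "notes.txt").write_text("only on the source")
        (dst / "vault.hc").write_bytes(b"\x00" * 4095 + b"\x01")  # silent corruption
        return compare_trees(src, dst)


if __name__ == "__main__":
    print(demo())
```

Saving the dictionary returned by `build_manifest` next to the backup allows the copy to be re-checked later without the source attached.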
So, macOS is delivered with its internal drive encrypted, as I noted. The difference now, with the most recent hardware and software, is that a hierarchy of encryption keys is already in place whether or not “FileVault” is turned on. The role of “FileVault” has been reduced to simply adding the user’s credentials at the top of the hierarchy of keys, somewhat astonishingly, without requiring re-encryption.
I have been experimenting with the external drive for backups the last couple of days, but I could still use some help from more experienced Mac users.
I configured this 2 TB drive to have a single APFS container with these volumes:
Clone (minimum reserved space: 512 GB), to hold a clone of my internal 256 GB SSD + some incremental
Time Machine (minimum reserved space: 512 GB), to use for Apple’s Time Machine
External (minimum reserved space: 512 GB), to store some data (like audio/video files)
My plan was to use SuperDuper! to make an initial clone of my internal SSD and then weekly incrementals, but it seems SuperDuper! always overwrites the clone (either completely or smart), but never adds an incremental.
Some cloning related questions:
Does SuperDuper! indeed not make incremental backups?
If so, can I set the minimum reserved space to 256 GB? (I know I have to delete the volume and create a new one to do that)
Does Carbon Copy Cloner support incremental backups?
Do I need to purchase a new CCC license for every OS update?
Do I need to purchase a new SuperDuper! license for every OS update?
I created all volumes with encryption, but SuperDuper! seems to delete the volume and create a group with two new ones (OS and data?). Is that still encrypted? Or protected by FileVault, because the source is?
Some Time Machine related questions:
Where can I find a good list of what to exclude? (For example I develop some programs in JavaScript/Node and it makes sense to not include the .node_modules folder)
Some generic external drive questions:
How can I make the drive auto mount the Time Machine and External volumes?
How can I make the drive not auto mount the Clone volume?
This is an opinion, but one backed up by some number of years of experience and also tainted by my profession (cyber security) so take it with as many grains of salt as needed for palatable taste. While I’m aware that there are good arguments against encryption, I’m (generally) for it for the following reasons:
1. Nearly everyone has some information that they would want (or need) to be kept confidential if they lose custody of the device(s) containing it.
2. Information within a given system has a tendency to be “leaky” and often slips across what we think are boundaries in “delightfully” surprising and novel ways, which is why encrypting all of the information is preferable to some of it, because…
3. … if (when) someone loses custody of a device holding their information the answer as to whether or not it was encrypted is much more palatable when it’s an unqualified yes, rather than anything that involves the phrase, “it depends”. This is especially true if they’re the custodian of some of that information rather than its owner, something that’s also “delightfully” surprisingly true more often than expected, especially if the device is used for any employment related activities.
Encryption comes with its own risks, as it emphasizes confidentiality over availability, but that’s where a comprehensive backup/recovery strategy comes into play, one that accounts for the backups themselves being encrypted.
Again, my not-unbiased opinion, offered in answer to a question you didn’t ask (me), so feel free to disregard.
Versed as I am in a different field, encryption always seemed to me to be the equivalent as lending oneself later to having to work with any number of proprietary data storage formats that exist in the world of science and engineering instrumentation. Prying out the data later was going to be like searching down the tunnel of hidden usenet groups for some old soul who developed the secret decoder key to unlock it, but only if you also use version 0.00001 of the Cobol code written in 1982 on a VAX machine.
That everything happens now in the background is only the security that some well-trained, purposeful gremlin other than me is happily and effectively doing the usenet search and decoding what was encoded. Heaven forbid that I forget to feed the gremlin or lock him away in a different closet when I move to a new home.
Readily accepted, certainly not disregarded. I expect that someday, when I move off of my i9 MBP to an MX based machine, I will simply live with the gremlin doing its work in the background and never know the difference.
Oh … no. They snuck that T2 chip in my system. Darn!
I guess the gremlins have been happy without me even knowing.
Thanks for the insight. I feel humbly embarrassed that I was so naive yet refreshingly enlightened that my fears from other experiences are grossly displaced.
Yes, CCC supports incremental backups, and in fact, that’s its default behaviour.
No, you only need to pay for major CCC releases, which are traditionally not tied to OS updates, and often the older version will continue to work just normally and still be supported.
I agree, and with points 1, 2, & 3. But I’ve lost data to both PGP and AES-256 encrypted files that became corrupted. So I always keep at least one unencrypted copy of all my data offline on ExFAT formatted drives (My next of kin has an iPhone but AFAIK has never touched a Mac).
And as a precaution before I upload any existing unencrypted data to Google Drive or iCloud I scan it for sensitive info: bank account numbers, social security, medicare, etc.
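A pre-upload scan of the kind described in the post above could look like the following. This is an added example, not the poster's own tool, and it covers only two of the data types mentioned: US Social Security numbers, and nine-digit bank routing numbers that pass the ABA checksum. The function names and sample text are assumptions constructed for the illustration.

```python
import re

# US SSN written with separators; structural rules exclude impossible numbers.
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")
# Nine bare digits are only reported if they pass the ABA routing checksum.
NINE_DIGITS_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")


def plausible_ssn(area, group, serial):
    """Area 000, 666 and 900-999, group 00 and serial 0000 are never issued."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def valid_aba_routing(number):
    """ABA check: 3(d1+d4+d7) + 7(d2+d5+d8) + (d3+d6+d9) must be divisible by 10."""
    d = [int(c) for c in number]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0 and number != "000000000"


def scan_text(text):
    """Return (line_number, kind, masked_value) for every hit; values are masked
    so the report itself does not become another copy of the sensitive data."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                hits.append((lineno, "ssn", "***-**-" + m.group(3)))
        for m in NINE_DIGITS_RE.finditer(line):
            if valid_aba_routing(m.group()):
                hits.append((lineno, "aba_routing", "*****" + m.group()[-4:]))
    return hits


# Constructed sample text; the numbers are made up to exercise each rule.
SAMPLE = """Invoice 2024-118, order 123456789
SSN on file: 123-45-6789
Placeholder SSN 000-12-3456 and 912-34-5678
Wire to routing 123456780, account ending 4471
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE):
        print(hit)
```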