CCC Backup and FileVault

[Wando64]

Can anybody confirm if a CCC backup of a FileVaulted disk is going to be already encrypted (as it is a copy of an encrypted disk) or whether CCC own encryption should be enabled as well?
Real life experience would be appreciated. Assumptions and theories are also very much appreciated, but please say so.

Many many thanks.

EDIT: actually I am not even sure CCC can do its own encryption...
[automerge]1577532634[/automerge]
I should have done better research. I found the following information in the CCC manual:

If I back up an encrypted volume to a non-encrypted volume, will the copied files be encrypted on the destination?
No, encryption occurs at a much lower level than copying files. When an application reads a file from the encrypted source volume, macOS decrypts the file on-the-fly, so the application only ever has access to the decrypted contents of the file. Whether your backed-up files are encrypted on the destination depends on whether encryption is enabled on the destination volume. If you want the contents of your backup volume to be encrypted, follow the procedure documented here to enable encryption.
Will Carbon Copy Cloner enable encryption on my backup volume?
No. You can enable encryption in the Security & Privacy preference pane while booted from your bootable backup, or in the Finder by right-clicking on your backup volume (for a backup volume that does not have an installation of macOS).
Do I have to wait for encryption to complete before rebooting from my production volume?
No. Once you have enabled encryption on the backup volume, you can reboot from your production startup disk and the encryption process will continue in the background.

This looks like quite a clunky process which makes me question the long term use of CCC as a backup option.

 

[BrianBaughn]

The way I read it you only have to go through the backup disk encryption process once.

 

[junkw]

I use CCC with Filevault

Let's say you have:
- a Mac (late 2012 quad i7) containing internal filevault-encrypted drive
- a blank external USB drive

FIRST TIME USE:
---------------------------

- connect external drive to mac
- open CCC
- clone internal to external
- shutdown computer
- boot on external (hold option key at boot and select external to boot on)
- wait (booting on external may be slow)
- open System Prefs > Security > Filevault
- enable Filevault (this starts encrypting the drive you booted on (meaning the external drive))
- shutdown computer (you don't have to wait for it to complete 100% encryption)
- boot on habitual (internal) drive
- at some point a popup will appear to enter password to unlock the external drive. Enter password. (this shows that your external is encrypted/encrypting)
- open Applications > Utilities > Terminal.app
- type "diskutil cs list" or "diskutil apfs list" you should see in the list your external with a % encrypting. After maybe 1 hour, encryption of the external should reach 100%

EVERY TIME YOU NEED TO UPDATE THE EXTERNAL DRIVE CONTENT:
------------------------------------------------------------------------------

- connect the external to the mac
- a popup appears asking you to enter filevault password to unlock external drive. Enter it. (this shows that your external is encrypted/encrypting)
- open CCC
- clone internal to external
- disconnect external

TO TEST IF YOUR EXTERNAL DRIVE IS IN GOOD SHAPE
------------------------------------------------------------------

- shutdown computer
- connect external drive to mac
- power on computer while holding ALT (OPT) key
- select the external drive to boot
- Enter filevault password (this shows that your external is encrypted/encrypting)
- it boots. (can be slow)
- once booted verify all is good
- shutdown computer

 

[chabig]

This looks like quite a clunky process which makes me question the long term use of CCC as a backup option.

There is nothing clunky about it. All you have to do is encrypt the destination drive (right click on it in the Finder and select "Encrypt"). That's a one-time task.

 

[junkw]

All you have to do is encrypt the destination drive (right click on it in the Finder and select "Encrypt"). That's a one-time task.

will not always work on Catalina, APFS due to a bug
Method that always work is the one I described above ^^

 

[chabig]

will not always work on Catalina, APFS due to a bug

I see that documented on the CCC website: https://bombich.com/kb/ccc5/working-filevault-encryption

The "clunky" process to which the OP refers is only required once, fortunately.

 

[Wando64]

There is nothing clunky about it. All you have to do is encrypt the destination drive (right click on it in the Finder and select "Encrypt"). That's a one-time task.

One time yes, but it requires booting up from the backup and then proceed with the encryption.
It is unclear whether I will then need to keep the Mac in this state until the encryption has completed.
Keeping in mind that the drive is USB3 connected, this is going to take some time.
Clunkier then I would prefer it to be.

EDIT: Actually it would seem that I can just reboot normally and the process will continue. Perhaps not as clunky as I thought. Thanks for forcing me to look twice and more carefully. My fault.