How to change Time Machine encryption password?

Discussion in 'Mac OS X Lion (10.7)' started by dacreativeguy, Sep 25, 2011.

  1. dacreativeguy macrumors 68020

    Jan 27, 2007
    I encrypted the TM disk to a password, but would like to change that password. Can't find any info on this anywhere. Is decrypting and re-encrypting the only way to do this?
  2. mrapplegate macrumors 68030

    Feb 26, 2011
    Cincinnati, OH
    Try the man page for diskutil, specifically the core storage section:

    changeVolumePassphrase | passwd lvUUID [-recoverykeychain file] [-oldpassphrase oldpassphrase] [-newpassphrase newpassphrase] [-stdinpassphrase]
        Change the passphrase of an existing encrypted volume. It need not be unlocked nor mounted. The parameters, while variously optional, must be given in the above order.
        You must authenticate either via the -oldpassphrase parameter, via the -stdinpassphrase parameter (with newline or eof-terminated data given to stdin), or via an interactive prompt (if no parameters are given), in the same manner as diskutil coreStorage convert above. Alternatively, you can authenticate by specifying -recoverykeychain with a path to a keychain file.
        A new passphrase must be supplied, again via one of the three methods above (interactive, -newpassphrase, or -stdinpassphrase).
        If you are supplying both the old and new passphrases via stdin, they must be separated with a newline character.
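
The -stdinpassphrase form from the man page excerpt above, as an added example that is not part of the original thread: feeding both passphrases on stdin keeps them out of the process argument list and shell history, where -oldpassphrase and -newpassphrase would leave them. The helper function names and the validation rules are assumptions of this example.

```shell
#!/bin/sh
# Added example: change a Core Storage passphrase using only
# -stdinpassphrase, so no secret is ever a command-line argument.

# Accept only a canonical 8-4-4-4-12 hex UUID as the logical volume UUID.
valid_lvuuid() {
    case "$1" in *[!0-9A-Fa-f-]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eqx '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
}

# Emit "old<newline>new<newline>", the stdin layout the man page requires.
# Refuse empty values and embedded newlines, which would shift the old/new split.
stdin_payload() {
    nl='
'
    for p in "$1" "$2"; do
        case "$p" in ''|*"$nl"*) return 1 ;; esac
    done
    printf '%s\n%s\n' "$1" "$2"
}

# Read one line from the terminal into $secret without echoing it.
prompt_secret() {
    printf '%s: ' "$1" >&2
    stty -echo; IFS= read -r secret; stty echo
    printf '\n' >&2
}

change_passphrase() {
    valid_lvuuid "$1" || { echo "not a logical volume UUID: $1" >&2; return 2; }
    trap 'stty echo; exit 130' INT TERM   # restore echo if interrupted
    prompt_secret "Old passphrase"; old=$secret
    prompt_secret "New passphrase"; new=$secret
    prompt_secret "New passphrase (again)"
    [ "$new" = "$secret" ] || { echo "new passphrases differ" >&2; return 3; }
    payload=$(stdin_payload "$old" "$new") || { echo "empty or multi-line passphrase" >&2; return 4; }
    # printf is a shell builtin here, so the secrets go straight into the
    # pipe and never appear in the argv of any process.
    printf '%s\n' "$payload" |
        diskutil coreStorage changeVolumePassphrase "$1" -stdinpassphrase
    status=$?
    unset old new secret payload
    return "$status"
}

# Run only when called with an lvUUID (shown by `diskutil coreStorage list`).
if [ "$#" -eq 1 ]; then change_passphrase "$1"; fi
```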
  3. dacreativeguy thread starter macrumors 68020

    Jan 27, 2007
  4. mrapplegate macrumors 68030

    Feb 26, 2011
    Cincinnati, OH
    Unfortunately there is no GUI for it. The command line sometimes is the only way. The man page is your friend :D
  5. haravikk macrumors 65816

    May 1, 2005
    Been interested in this myself lately, but I don't suppose anyone knows where the password being used for an encrypted backup (or any encrypted core storage volume for that matter) is actually stored?

    I'm assuming that any pass-phrase I supply is actually being used to protect the real encryption key, hidden in the header for the encrypted file-system; however, when I order disk utility to unmount and mount an encrypted volume, I don't receive any kind of password prompt. Since a recovery keychain can be used to provide an existing password for core storage, I would have thought it must be going into a keychain somewhere, but I don't see any entry that looks right.

    I'd been hoping to do what I usually do with encrypted disk-images which is encrypt them with a completely random key, store that in a keychain, then secure the keychain with a good strong pass-phrase that I can actually type as required, and have it automatically lock after a while so if I unmount the disk I'd need to re-authenticate.

    Anyway, I'm just a bit bewildered as to where the pass-phrase supplied for core-storage encryption actually goes, as it must be stored somewhere for the drive to decrypt properly, but where?
  6. shepster macrumors newbie


    Mar 4, 2005
    Use Disk Utility

    If you open up Disk Utility and select the encrypted volume, you should be able to Change Password... from the File menu. I have checked this on a backup disk I have already supplied a password for. Don't know if the option is there if the volume is encrypted and unmounted.

    There is also a Turn Off Encryption... item (similarly in the File menu).
  7. haravikk macrumors 65816

    May 1, 2005
    Yeah, Disk Utility seems to do this okay for the simple cases; however, command-line is the only way to do it for non-standard cases such as enabling Core Storage encryption on a disk image volume, or an Apple RAID, both of which are a bit fiddly and result in devices that Disk Utility (the app) can't see.

    To answer my own earlier question, once you do the encryption the password isn't stored anywhere, which means you won't be given a keychain-capable prompt until you restart your machine. This is because the key is required only when a Core Storage unlock command is performed, but there is no corresponding lock command, and there seems to be no way to normally unmount a core storage volume unless it's a single external drive, in order to force a new unlock prompt.

    In any event, once you enter the password for such a prompt you can save to the keychain normally. This means you can fairly easily use a big nasty passphrase for encrypting your volumes then, once it's in your keychain, you can create a separate keychain with an easier to remember password for managing it.
  8. nim6us macrumors member


    Nov 20, 2012
    Hit AppleKey+Space Bar that will open the Finder, then type "Disk Utility". Once Disk Utility is open click the partition that you want to change then click "File" and "Change Password". There you go, sans Terminal!
  9. sydlow macrumors newbie

    Oct 13, 2011
    Reviving an old discussion - did you ever find this out?
    I'm finding the situation where I don't want the TM encrypted backup partition automatically mounted. I'd like it to prompt for a password, and I also can't find that stored anywhere.

    Hope you can help.
  10. Weaselboy Moderator


    Staff Member

    Jan 23, 2005
    It is stored in Keychain app.
  11. haravikk macrumors 65816

    May 1, 2005
    Yep! If you open /Applications/Utilities/Keychain then somewhere in your login or system keychain should be an entry with a name matching the name of your Time Machine backup volume; if you're having trouble finding it then you might also try looking for an entry with a kind listed as "Core Storage Password".

    Once you've located the right one you can use Keychain Access to move it into another keychain; in my case I've moved mine into a new keychain that has its own password, and locks automatically after five minutes. This prevents it from mounting automatically, but will produce a password entry prompt when the system tries to mount the drive, simply requiring the keychain's password to unlock it and mount the volume.

    If you want the system to ignore the drive completely until you tell it to mount then the same procedure for the password should work, but you'll need to tell your system to ignore the drive (so it won't automatically try to mount it); I'm not sure if there are any good GUI tools but you can do this with the terminal if you need to.
  12. sydlow macrumors newbie

    Oct 13, 2011
    I've checked every keychain - here's what happens when I plug in the disk:

    The fact that the OS pops up asking for a password confirms that there is no entry in any keychain, but the puzzle is that when I dismiss that and go into Disk Utility I can still mount that partition without entering a password. So my hypothesis is that it's cached somewhere else.

