Safeguarding Your Data with Backups and Encryption

Posted on February 9, 2017

The files on your Mac are more than “just data” — they often represent a substantial portion of your personal and work lives! From family pictures to important spreadsheets or reports, our hard drives are home to an enormous amount of valuable and sensitive data. Keeping this data safe isn’t just about preventing malware and keeping viruses away; it’s also about creating a plan to ensure access to your data in the event of a major problem. At the same time, keeping that data inaccessible to those who don’t have permission to access it is important, too. In other words, not only should you back up your hard drive — you should encrypt your data and its copies, too.

Creating a new password-protected backup. The good news is that Apple includes a backup solution built straight into your Mac’s operating system. Time Machine simplifies the process of backing up your data and even makes it easy to encrypt, too, so no one can go snooping through your files. Before we begin, make sure you have an external storage device with sufficient free space to house an entire backup copy of your system. Ideally, you should use a disk dedicated solely to this purpose.

Apple does offer its own storage solution in the form of the networked Time Capsule. While this further streamlines the process by continually syncing and updating your backups whenever you alter files, it’s not a required part of the process by any means. In fact, it’s a smart idea to keep a backup drive that does not connect to your network the way Time Capsule does. Standard external drives only connect to your Mac physically, not over the network. An “offline” drive is insurance against system failures, malware, and more, as long as you keep it disconnected from your system.

Okay, so you need storage, but what do you do once it’s plugged in and ready to go?

Sometimes, your Mac will immediately prompt you with a box asking if you’d like to set up the external storage as a backup disk. If it does not, designating it as such is simple — you can find the Time Machine menu either under System Preferences inside your Apple menu or by selecting the Time Machine icon from your Menu Bar.

On the window that appears, you can choose which disk to designate as your backup drive. At this step, you should also see a box you can tick off to “Encrypt Backup Disk.” When creating your backups, your Mac will first prompt you to enter a password. Choose something secure, but which you can remember! This password functions as a key for encrypting and decrypting all the data on the drive; you will need to enter this password any time you wish to access the drive’s contents.

Now you’re all set — you can begin backing up. Explore the preferences available in Time Machine, and choose how often you want to create a system backup automatically. If you don’t want to leave the drive connected in the meantime, just remember to stick to a schedule of regularly creating new backups. On a Mac, the peace of mind that comes from knowing your data is safe takes only a simple process.

What do I do if I forget my password? While encrypting your backup disks is a smart move, it does come with a potential pitfall. Since you need to enter a password to encrypt the disk, you’ll need to remember that password if you ever need to use that backup disk. If you rely on automatic backups and rarely have any reason to enter it, the password can be all too easy to forget. What if you end up in a situation where you don’t remember the password, but you need to access the disk? Unfortunately, there’s not much you can do at that point. Because of the encryption standard Time Machine uses, there’s no way to bypass the password. However, you can take some precautionary steps.

First, be sure to set a password hint that will trigger your memory of the password you used to set the encryption. Next, you can consider having the system add your password to the system’s Keychain. If you ever need to access the drive but you’ve forgotten the password, you should be able to retrieve the (already separately encrypted) password from Keychain and use it to unlock your files. While writing down your passwords is seldom a good idea, keeping a copy in a very secure place is one possible “last resort” to protect against losing access to your backups.

Determining if your current backups are corrupt. There is no worse feeling than trying to restore your Mac from a Time Machine backup only to discover that it doesn’t work — or worse, that it doesn’t work because the files have become corrupted. While you can take precautions, there’s no way to know when bad sectors or even outright hard drive failure might occur. So, in other words, it’s imperative to regularly check on the health of your backups in addition to updating them on a schedule.

If you connect your backup disk to your Mac via your home network — such as when you are using an official Time Capsule — then there is a very easy way to accomplish this. Summon the Time Machine pane from the Menu bar, press your Option key, and voila: a “verify backups” button appears. Click this to have your Mac perform an integrity check of your files. If everything comes back clean, you’ll know your files are still safe. It’s a good idea to verify your backups on a consistent basis.

Unfortunately, this option isn’t available for users with external storage directly connected to their Mac. There is no automatic way to ensure your data is the same as when you backed it up. You can, of course, try some basic tests: for example, open a few files, or try to copy them back over to your main hard drive. Use Time Machine itself to restore some test files. If everything works, the chances are good that your backups are not corrupt.

For power users, a Terminal session can give you a better sense of your backup health. Enter tmutil compare on the command line. This command triggers the system to draw a comparison between your latest Time Machine backup and the current state of your files. At a glance, this lets you see which files have been changed, added, or removed. For additional info, try tmutil compare -s. The “s” switch added here looks specifically at how much information varies. A line of zeros next to the files indicates consistency — that’s what you want to see for a healthy backup.

Use Keychain Access to store confidential information in Secure Notes. On previous episodes we’ve briefly mentioned how it’s never a good idea to store confidential or sensitive information using the built-in TextEdit or Notes apps on your Mac, and today we’re going to cover this topic more in-depth. First off, a refresher on why it’s not safe to store important information in TextEdit or Notes:

When you create a document using TextEdit or Notes, the data is stored in “plain text” on your computer. That means the data is not stored securely, and could be easily seen by anyone with access to your computer. While you might not be too concerned about storing your grocery list in a secure manner, you wouldn’t want to do the same with your passwords, social security number, or bank account information.

Depending on your settings, your Mac might automatically be syncing the contents of your TextEdit and Notes documents with iCloud, making them available on any of your other devices that use the same iCloud account. Your own computer might be secure, but what about your teenager’s laptop? If they loaned it to a friend or left it behind on the bus, that could be a real cause for concern if you were storing sensitive information insecurely!

Many password management apps have the capability to store non-password data in a secure manner, but there is also a way to do so that’s built right into macOS by using Keychain Access. Keychain Access is an app that allows you to manage data (such as logins and passwords) that is stored securely by your Mac. One feature of Keychain Access that’s often overlooked is its ability to store confidential information in Secure Notes. This information doesn’t have to be computer-specific! It could include credit card or PIN numbers, lock combinations, cryptographic keys, tax information, or confidential business information.

Creating a Secure Note in Keychain Access is pretty straightforward:

1. On your Mac, open the Applications folder, then open the Utilities folder, and then open the Keychain Access app.

2. Select a Keychain from the list of Keychains in the top left corner of the Keychain Access app. Choose the “login” keychain if you’re not sure which one to pick. The keychain might be locked — if that’s the case, click the lock icon, then enter your keychain password to unlock it.

3. Click the File menu, then click New Secure Note.

4. Enter a name for the Secure Note. The name should help you remember what information you’re going to store in it, but don’t put any sensitive information in the note name itself!

5. In the Note field, type or paste in the confidential information that you want to store.

6. Click the Add button once you’re done.

The Secure Note will then be stored in an encrypted format on your computer, and will require your Keychain password in order to access it in the future. So now that you know how to create a Secure Note, how do you view it again in the future?

Thankfully, Apple made it simple to access and view the contents of Secure Notes:

1. Open the Keychain Access app.

2. Select the Keychain that you used to store the Secure Note from the list of Keychains in the top left corner of the Keychain Access app. Unlock the Keychain if necessary.

3. Select Secure Notes in the Category list in the lower left corner of the Keychain Access screen.

4. Double-click the note you want to view, then select Show Note.

5. Enter your login password to see the note.

FileVault: why you should be encrypting your primary disk. Okay, before we wrap up, let’s look at one last thing. You’ve encrypted your backups to keep them safe and secure, but what about the original files from which those copies originated? For MacBook users the threat of theft is very real, and your data shouldn’t fall into a thief’s hands along with your hardware. Apple includes the FileVault utility to give users more ways to protect themselves from data theft; it offers a quick way to encrypt your primary disk. Functionally, the main difference for users is the need to input their FileVault password on startup to decrypt the drive. Without this password, no one will be able to access your files. Sounds good, right? Let’s walk you through the setup process. Like Time Machine, it doesn’t take long.

From the main Apple menu, enter your System Preferences and open the option labeled Security & Privacy. In the resulting pane, click over to the tab labeled FileVault and select the lock icon. At this point, the system prompts for your administrator’s password; input that and unlock the FileVault options. Now, turn FileVault on and set up your recovery options. You can choose to link your FileVault encryption to an iCloud account, which gives you some remote abilities to reset passwords or wipe data. Otherwise, you will receive a keycode — write this down and store it in a very secure spot.

At this point, all that’s left to do is restart your Mac and wait. FileVault will lock down your data with secure encryption and prompt you for your password. Now your data is safely locked away both as a backup copy and during normal operation.

Everyone should take the time to think about their current backup solutions as well as the integrity of their data, now and into the future. Not only do backups offer users security and peace of mind, but they are incredibly easy to create and maintain. If you haven’t checked or updated your backup disks in a while, let this serve as a reminder to do that now. In combination with how easy Apple makes it to lock down the data on your drives with FileVault, there’s simply no excuse for skipping these essential steps.

