Mac – Encrypt TimeMachine backups or rely on hardware encryption

To answer your first question about the keychain and whether you should encrypt backups: the passwords in your keychain are already encrypted, that's why you always have to type a password (by default your login password) to show stored passwords. So there's no immediate need to encrypt.

Of course, you could add Time Machine encryption to provide a further layer of security. This is possible starting with OS X Lion and Mountain Lion (from http://support.apple.com/kb/ht1427):

OS X Lion and Mountain Lion let you encrypt the Time Machine backup external drive using FileVault 2.

FileVault2 also uses your login password, though. So if the bad guys are able to guess or crack that password, they will have also access to your keychain information. Choosing different passwords for login and for accessing your keychain would protect the keychain passwords in such an event.

Either way, use strong passwords, password quality is of foremost importance to protect your data.

EDIT:

The OP asked in a comment how to set different passwords for login and keychain. Here is how:

• Open Utilities>Keychain Access.

• Right click each keychain and select 'Change Password for Keychain XYZ':

  

If you prefer to use your current password as keychain password and change your login password, log in using another account and change your account's password from System Preferences>Users & Groups. That will only change your login password, not your keychain password.

At the moment, it's relatively safe. Most ransomware has targeted Windows users, and so far, the ransomware that has targeted Macs has been relatively crude. The latest (very crude) Mac ransomware threat did not destroy Time Machine backups, but was not stopped by FileVault.

In general, the steps you describe in part 2 of your question are unlikely to help protect you; encrypted data is not harder to re-encrypt than unencrypted data.

Vulnerabilities that don't require what you describe in part 1 of your question are rare, but are found from time to time. Mac Ransomware that uses one has yet to be seen. It's likely that Mac Ransomware will slowly get more sophisticated, and careful, savvy users are unlikely to lose their data to ransomware anytime soon. But I can't predict the future. This answer may live on for years and such ransomware is likely to turn up eventually. But the meaning of "careful, savvy user" will likely change over time as well.

At present:

Ransomware will have a relatively hard time deleting or encrypting online Time Machine backups. Even as root/superuser, it's hard to delete Time Machine backups:

sudo rm /Volumes/BK1/Backups.backupdb/Orion/2017-03-18-184155/BOOT/var/du--sortedALLk.13224.bak
Password:
override rw-r--r--  root/wheel for /Volumes/BK1/Backups.backupdb/Orion/2017-03-18-184155/BOOT/var/du--sortedALLk.13224.bak? y
rm: /Volumes/BK1/Backups.backupdb/Orion/2017-03-18-184155/BOOT/var/du--sortedALLk.13224.bak: Operation not permitted

But it's far from an insurmountable problem. I think folks should assume that the additional step that the ransomware would have to go through (which I'm familiar with but choosing not to publicize - I'd rather not help script kiddies) to be able to delete or encrypt TM backups is something most Mac ransomware you're likely to become infected with will be programmed to take.

Time Machine users are encouraged to allow backups to run often, which makes them quite vulnerable to ransomware.

Therefore some backup drives should be connected less often and kept more secure - not fully accessible to the system - specifically to protect from ransomware.

Typically, victims realize they've been infected with ransomware only when the ransomware announces its presence. So it's likely you won't be able to tell that a computer is infected with ransomware before it has a chance to encrypt the data on a frequently or continuously connected external drive. Assuming otherwise is far from a safe assumption. The ransomware threat makes better disaster preparedness, including having more numerous offline physical backups, more important.