Mac – Time Machine encryption variations – how does each work

Tags: backup, encryption, network, time-machine

I've seen some great answers on Time Machine encryption, especially one by Gordon Davisson. But the variations regarding networked volumes are still hazy. The rules for locally attached volumes seem clear – it's an all-or-nothing proposition, please verify:

TM unencrypted backup to unencrypted volume: TM does an unencrypted backup.

TM encrypted backup to unencrypted volume: TM encrypts the volume (and all the files on it) then does the backup.

TM unencrypted backup to encrypted volume: TM decrypts the volume (and all the files on it) then does the backup.

TM encrypted backup to encrypted volume: TM does a backup and the OS handles the encryption?

Now, as for network attached storage:

TM unencrypted backup to unencrypted volume: TM creates an unencrypted backupbundle.

TM encrypted backup to unencrypted volume: TM creates an encrypted backupbundle. The other files on the volume are not encrypted and require no password?

TM unencrypted backup to encrypted volume: TM creates an unencrypted backupbundle, but it is encrypted by the OS anyway because the volume is encrypted? The backupbundle requires the same password as all the other files on the volume??

TM encrypted backup to encrypted volume: TM creates an encrypted backupbundle but what password does it require – the TM specified password or the volume's password (assuming they are different). Are two passwords required, one to mount the volume and one to open the backupbundle (Apple's documentation implies that you can)? Is the backupbundle encrypted separately using a different key than the other files or is it double-encrypted? Does reality exist?… oops too many questions.

Thank you for your patience! Any light on this subject would be appreciated.

Best Answer

It’s pretty easy if you just look at the disks and you’re on a moderately new macOS version.

Today, Apple encrypts disks and not backups. If the source is encrypted, it doesn't matter because it gets copied unencrypted to the destination. If the destination is not encrypted, the files stay clear; if the destination is encrypted, the files are encrypted.

Apple does encryption at rest: once the filesystem is unmounted, the key to decrypt the files is no longer valid until a key to unlock is provided.

You can inspect encryption status with these two commands.

diskutil apfs list
diskutil cs list

APFS is the newer, modern filesystem, and Core Storage was used after the original method of encrypted sparse disk images. Complicated, so that's why you see so many answers here on the old method, the newer method and the current method. Full disk encryption arrived with 10.7 Lion, so, many major versions later, the old implementation is likely not in play for you.
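The answer's advice is to look at the disk, not the backup: the `FileVault:` line that `diskutil apfs list` prints for each APFS volume tells you whether a given destination (local disk or a mounted backup volume) is encrypted at rest. Below is an added example, not part of the original answer, that turns that output into a one-line-per-volume summary. The sample text is constructed here to approximate the real `diskutil apfs list` layout (the field names and spacing are an assumption from memory, not captured from a Mac); on a real machine you would pipe `diskutil apfs list` into `apfs_encryption_summary` instead of the sample.

```shell
#!/bin/sh
# Added example: summarise per-volume FileVault status from `diskutil apfs list`.
# On a Mac, run:   diskutil apfs list | apfs_encryption_summary
# SAMPLE_APFS_LIST below is constructed text approximating the real layout
# (two volumes: an encrypted Data volume and a cleartext backup volume).
SAMPLE_APFS_LIST='APFS Container Reference:     disk1
    +-> Volume disk1s1 0000-AAAA
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk1s1 (Data)
        Name:                      Macintosh HD - Data (Case-insensitive)
        Mount Point:               /System/Volumes/Data
        FileVault:                 Yes (Unlocked)
    +-> Volume disk1s2 0000-BBBB
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk1s2 (No specific role)
        Name:                      TMBackup (Case-insensitive)
        Mount Point:               /Volumes/TMBackup
        FileVault:                 No
'

# Reads `diskutil apfs list` text on stdin and prints one line per volume:
#   <device> <encrypted|cleartext> <volume name>
# The device comes from the "APFS Volume Disk (Role):" line, the name from
# "Name:" (with the case-sensitivity suffix stripped), and the verdict from
# the first word after "FileVault:".
apfs_encryption_summary() {
    awk '
        /APFS Volume Disk \(Role\):/ { dev = $5 }
        /^ *Name:/ {
            sub(/^ *Name: +/, "")
            sub(/ \(Case-.*\)$/, "")
            name = $0
        }
        /^ *FileVault:/ {
            state = ($2 == "Yes") ? "encrypted" : "cleartext"
            print dev, state, name
        }
    '
}

# Convenience wrapper (hypothetical helper, not a diskutil feature): returns the
# verdict word for one device identifier, evaluated against the sample text.
volume_state() {
    printf '%s' "$SAMPLE_APFS_LIST" | apfs_encryption_summary \
        | awk -v dev="$1" '$1 == dev { print $2 }'
}

# Number of volumes the summary found in the sample (used to sanity-check parsing).
volume_count() {
    printf '%s' "$SAMPLE_APFS_LIST" | apfs_encryption_summary | awk 'END { print NR }'
}

# Stand-alone run: print the summary for the constructed sample.
printf '%s' "$SAMPLE_APFS_LIST" | apfs_encryption_summary
```

A volume reported as `cleartext` will hold a Time Machine backup in the clear unless the backup itself was created as an encrypted backup bundle, which is exactly the distinction the question is asking about; checking the destination volume first removes the ambiguity.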