How to enable encryption on a Time Machine backup drive without deleting the existing backups

Please note that I cannot guarantee that the things explained in the following post will work as you intend them to. You might lose all your (backup) data. Something worse might happen. You probably should not read this post. You have been warned!

Starting with version 10.7, codenamed Lion, Mac OS X supports full disk encryption. Contrary to older versions that supported encrypted home folders or disk images only, this allows one to encrypt external drives. While you can encrypt the boot drive on the fly, there is no graphical user interface to enable full disk encryption on your Time Machine drive without deleting the content first.

For normal drives, you could copy the content to another disk, enable encryption, then restore the content from the backup. This does not work for your backup drive. I went through a lot of pain trying to copy the Time Machine backup to an additional drive and back. To make it short: Copying a Time Machine backup is not as trivial as it sounds because the backups rely on hard links to directories. As far as I could tell, there is no tool that knows how to copy these hard links. Some tools know about the problem and refuse to copy the data, others create an actual copy of all files once per hard link. With some preconditions met, you can use tools like Carbon Copy Cloner or Apple’s own Disk Utility’s restore feature to copy the backup. Not to forget: Being able to copy the data off your backup drive does not necessarily mean all preconditions are met to copy the data in the other direction. (As a side note: Copying one terabyte of data takes some time …)

After going through this hell I found a much simpler and thus better solution: You can enable full disk encryption for any drive on the fly using the diskutil command line tool. The command is:

diskutil coreStorage convert /dev/disk_s_ -stdinpassphrase

Replace each _ with the actual disk/slice number of your backup partition.

Since the encryption is done in the background, the data is not secured immediately. To check the progress, run

diskutil coreStorage list
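
Because the drive is not protected until the background conversion finishes, it helps to check the state explicitly instead of scanning the listing by eye. The following is an added example, not part of the original post: the function names are hypothetical, the sample listing is constructed and abridged, and the field names ("Conversion Status", "Fully Secure", "Conversion Progress", "Volume Name") are assumed from typical `diskutil coreStorage list` output, which can differ between OS X releases.

```shell
#!/bin/sh
# Added example (not from the original post): summarise encryption state from
# `diskutil coreStorage list`. Field names and layout are assumed from typical
# output and can differ between OS X releases.

# Constructed, abridged sample output; UUIDs and disk numbers are placeholders.
sample_cs_list() {
cat <<'EOF'
+-- Logical Volume Group 00000000-0000-0000-0000-000000000001
    Name:         Time Machine
    +-< Physical Volume 00000000-0000-0000-0000-000000000002
    |   Disk:     disk2s2
    +-> Logical Volume Family 00000000-0000-0000-0000-000000000003
        Conversion Status:       Converting
        Fully Secure:            No
        +-> Logical Volume 00000000-0000-0000-0000-000000000004
            Conversion Progress:   12%
            Volume Name:           Time Machine
EOF
}

# stdin: `diskutil coreStorage list` text.
# stdout: one line per Logical Volume Family: name|status|progress|secure=Yes/No
cs_encryption_report() {
  awk '
    function val(   s) { s = $0; sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s }
    function emit() { if (have) printf "%s|%s|%s|secure=%s\n", name, status, prog, secure; have = 0 }
    /Logical Volume Family/ { emit(); have = 1; name = "?"; status = "?"; prog = "-"; secure = "?" }
    /Conversion Status:/    { status = val() }
    /Fully Secure:/         { secure = val() }
    /Conversion Progress:/  { prog = val() }
    /Volume Name:/          { name = val() }
    END { emit() }
  '
}

# Returns 0 only if every family is fully secure, 1 if any is still converting
# or unencrypted, 2 if no CoreStorage family was found at all.
cs_all_secure() {
  report=$(cs_encryption_report)
  [ -n "$report" ] || return 2
  if printf '%s\n' "$report" | grep -qv 'secure=Yes$'; then return 1; fi
  return 0
}

# On a Mac: diskutil coreStorage list | cs_encryption_report
sample_cs_list | cs_encryption_report
```

An empty listing is treated as a failure (status 2) on purpose: a drive that was never converted does not appear as a CoreStorage volume, so "nothing found" must not be read as "everything encrypted".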

Final note: When I enabled encryption the GUI way, it created a new file system that had case sensitivity enabled. My old backup drive is set to be case-preserving. I’m not sure if there is a way to change that on the fly, too. In theory, changing from case-preserving to case-sensitive should be possible.