
dacreativeguy

macrumors 68020
Original poster
Jan 27, 2007
2,032
223
I encrypted the TM disk to a password, but would like to change that password. Can't find any info on this anywhere. Is decrypting and re-encrypting the only way to do this?
 

mrapplegate

macrumors 68030
Feb 26, 2011
2,818
8
Cincinnati, OH
I encrypted the TM disk to a password, but would like to change that password. Can't find any info on this anywhere. Is decrypting and re-encrypting the only way to do this?

Try the man page for diskutil, specifically the core storage section:


Code:
changeVolumePassphrase | passwd lvUUID [-recoverykeychain file] [-oldpassphrase oldpassphrase] [-newpassphrase newpassphrase] [-stdinpassphrase]
                           Change the passphrase of an existing encrypted volume. It need not be unlocked nor mounted. The parameters, while variously optional, must be given in the above order.

                           You must authenticate either via the -oldpassphrase parameter, via the -stdinpassphrase parameter (with newline or eof-terminated data given to stdin), or via an interactive prompt (if no parameters are given), in the
                           same manner as diskutil coreStorage convert above.  Alternatively, you can authenticate by specifying -recoverykeychain with a path to a keychain file.

                           A new passphrase must be supplied, again via one of the three methods above (interactive, -newpassphrase, or -stdinpassphrase).

                           If you are supplying both the old and new passphrases via stdin, they must be separated with a newline character.
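
The `-stdinpassphrase` form quoted above keeps both passphrases out of the process argument list and shell history, which `-oldpassphrase`/`-newpassphrase` do not. The following is an added example, not part of the original post; the function names and the `--change` guard are assumptions of this sketch, and only the `diskutil coreStorage changeVolumePassphrase lvUUID -stdinpassphrase` invocation comes from the man page text above.

```shell
#!/bin/sh
# Added example: change a Core Storage passphrase via stdin only.
# Function names and the --change guard are hypothetical (not from diskutil).
NL='
'
# A value is usable on stdin only if it is non-empty and has no newline,
# because the man page uses a newline to separate old and new passphrases.
one_line() { case "$1" in ''|*"$NL"*) return 1 ;; *) return 0 ;; esac; }

# lvUUID must be a canonical 8-4-4-4-12 hex UUID.
valid_lvuuid() {
    one_line "$1" && printf '%s\n' "$1" |
        grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# change_cs_passphrase LVUUID OLD NEW
# Function arguments stay inside the shell; printf is a shell builtin, so the
# passphrases never appear in any process's argv.
change_cs_passphrase() {
    valid_lvuuid "$1" || { echo "invalid lvUUID" >&2; return 2; }
    one_line "$2" && one_line "$3" ||
        { echo "passphrase empty or contains a newline" >&2; return 3; }
    [ "$2" != "$3" ] || { echo "new passphrase equals old" >&2; return 4; }
    printf '%s\n%s\n' "$2" "$3" |
        diskutil coreStorage changeVolumePassphrase "$1" -stdinpassphrase
}

# Interactive wrapper: read passphrases with terminal echo disabled.
prompt_and_change() {
    trap 'stty echo' EXIT INT TERM
    stty -echo
    printf 'Current passphrase: ' >&2; IFS= read -r old; echo >&2
    printf 'New passphrase: ' >&2;     IFS= read -r new; echo >&2
    printf 'Repeat new passphrase: ' >&2; IFS= read -r again; echo >&2
    stty echo
    [ "$new" = "$again" ] || { echo "new passphrases differ" >&2; return 5; }
    change_cs_passphrase "$1" "$old" "$new"
}

# Runs only when invoked as: script --change <lvUUID>
if [ "${1:-}" = "--change" ]; then prompt_and_change "${2:-}"; fi
```

The lvUUID for the encrypted logical volume is listed by `diskutil coreStorage list`.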
 

haravikk

macrumors 65816
May 1, 2005
1,499
21
Been interested in this myself lately, but I don't suppose anyone knows where the password being used for an encrypted backup (or any encrypted core storage volume for that matter) is actually stored?

I'm assuming that any pass-phrase I supply is actually being used to protect the real encryption key, hidden in the header for the encrypted file-system, however, when I order disk utility to unmount and mount an encrypted volume, I don't receive any kind of password prompt. Since a recovery keychain can be used to provide an existing password for core storage, I would have thought it must be going into a keychain somewhere, but I don't see any entry that looks right.

I'd been hoping to do what I usually do with encrypted disk-images which is encrypt them with a completely random key, store that in a keychain, then secure the keychain with a good strong pass-phrase that I can actually type as required, and have it automatically lock after a while so if I unmount the disk I'd need to re-authenticate.

Anyway, I'm just a bit bewildered as to where the pass-phrase supplied for core-storage encryption actually goes, as it must be stored somewhere for the drive to decrypt properly, but where?
 

shepster

macrumors newbie
Mar 4, 2005
17
0
Use Disk Utility

If you open up Disk Utility and select the encrypted volume, you should be able to Change Password... from the File menu. I have checked this on a backup disk I have already supplied a password for. Don't know if the option is there if the volume is encrypted and unmounted.

There is also a Turn Off Encryption... item (similarly in the File menu).
 

haravikk

macrumors 65816
May 1, 2005
1,499
21
Yeah, Disk Utility seems to do this okay for the simple cases, however, command-line is the only way to do it for non-standard cases such as enabling Core Storage encryption on a disk image volume, or an Apple RAID, both of which are a bit fiddly and result in devices that Disk Utility (the app) can't see.

To answer my own earlier question, once you do the encryption the password isn't stored anywhere, which means you won't be given a keychain capable prompt until you restart your machine. This is because the key is required only when a Core Storage unlock command is performed, but there is no corresponding lock command, and there seems to be no way to normally unmount a core storage volume unless it's a single external drive, in order to force a new unlock prompt.

In any event, once you enter the password for such a prompt you can save to the keychain normally. This means you can fairly easily use a big nasty passphrase for encrypting your volumes then, once it's in your keychain, you can create a separate keychain with an easier to remember password for managing it.
 

nim6us

macrumors member
Nov 20, 2012
82
2
Hit AppleKey+Space Bar that will open the Finder, then type "Disk Utility". Once Disk Utility is open click the partition that you want to change then click "File" and "Change Password". There you go, sans Terminal!
 

sydlow

macrumors newbie
Oct 13, 2011
21
4
Been interested in this myself lately, but I don't suppose anyone knows where the password being used for an encrypted backup (or any encrypted core storage volume for that matter) is actually stored?

Reviving an old discussion - did you ever find this out?
I'm finding the situation where I don't want the TM encrypted backup partition automatically mounted. I'd like it to prompt for a password, and I also can't find that stored anywhere.

Hope you can help.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,171
15,693
California
Reviving an old discussion - did you ever find this out?
I'm finding the situation where I don't want the TM encrypted backup partition automatically mounted. I'd like it to prompt for a password, and I also can't find that stored anywhere.

Hope you can help.

It is stored in Keychain app.
 

haravikk

macrumors 65816
May 1, 2005
1,499
21
Reviving an old discussion - did you ever find this out?
Yep! If you open /Applications/Utilities/Keychain Access.app then somewhere in your login or system keychain should be an entry with a name matching the name of your Time Machine backup volume; if you're having trouble finding it then you might also try looking for an entry with a kind listed as "Core Storage Password".

Once you've located the right one you can use Keychain Access to move it into another keychain; in my case I've moved mine into a new keychain that has its own password, and locks automatically after five minutes, this prevents it from mounting automatically, but will produce a password entry prompt when the system tries to mount the drive, simply requiring the keychain's password to unlock it and mount the volume.

If you want the system to ignore the drive completely until you tell it to mount then the same procedure for the password should work, but you'll need to tell your system to ignore the drive (so it won't automatically try to mount it); I'm not sure if there are any good GUI tools but you can do this with the terminal if you need to.
 

sydlow

macrumors newbie
Oct 13, 2011
21
4
Yep! If you open /Applications/Utilities/Keychain Access.app then somewhere in your login or system keychain should be an entry with a name matching the name of your Time Machine backup volume; if you're having trouble finding it then you might also try looking for an entry with a kind listed as "Core Storage Password".

I've checked every keychain - here's what happens when I plug in the disk:
https://www.youtube.com/watch?v=9K4Lc_UHk84

The fact that the OS pops up asking for a password confirms that there is no entry in any keychain, but the puzzle is that when I dismiss that and go into Disk Utility I can still mount that partition without entering a password. So my hypothesis is that it's cached somewhere else.

Puzzled.
 

Attachments

  • Screen Shot 2014-09-22 at 10.28.37 am.jpg

AHurwitz

macrumors newbie
Feb 28, 2021
2
1
Unfortunately, on macOS Big Sur there is no option under the Terminal command "diskutil" for "changeVolumePassphrase".

Has this been updated with a new command?
Try the man page for diskutil, specifically the core storage section:


Code:
changeVolumePassphrase | passwd lvUUID [-recoverykeychain file] [-oldpassphrase oldpassphrase] [-newpassphrase newpassphrase] [-stdinpassphrase]
                           Change the passphrase of an existing encrypted volume. It need not be unlocked nor mounted. The parameters, while variously optional, must be given in the above order.

                           You must authenticate either via the -oldpassphrase parameter, via the -stdinpassphrase parameter (with newline or eof-terminated data given to stdin), or via an interactive prompt (if no parameters are given), in the
                           same manner as diskutil coreStorage convert above.  Alternatively, you can authenticate by specifying -recoverykeychain with a path to a keychain file.

                           A new passphrase must be supplied, again via one of the three methods above (interactive, -newpassphrase, or -stdinpassphrase).

                           If you are supplying both the old and new passphrases via stdin, they must be separated with a newline character.
 