From Mac OS X 10.7 (Lion) onwards, FileVault (now at version 2) encrypts the whole Mac disk. When the Mac is booted up and the disk has been unlocked, the data is presented to running software unencrypted. This means that your data can be accessed and backed up by TSM without a problem. It also means that your data is backed up as if it were unencrypted data. On the matter of how secure TSM backup is, please see our page on TSM security. For how to encrypt files for TSM backup, please see our page on how to encrypt files for backup.
In both Mac OS X 10.5 (Leopard) and OS X 10.6 (Snow Leopard), the earlier version of FileVault, FileVault 1, keeps data in sparse bundles, a series of files which are each 8MB in size. Users of this version of FileVault must choose whether to back up data encrypted or unencrypted, and then exclude from TSM backup whichever type is not being backed up. The exclusion of one version of the data is important because otherwise both versions are sent, which leads to duplication on the HFS and is a waste of resources.
Please note that if you wish to back up your data encrypted, then another option is to encrypt within TSM, on which see our page on how to encrypt files for backup.
Your data will be backed up unencrypted if you run backups while you are logged in, because then TSM can access your files. If you only ever run manual backups then this is how your data will be backed up. Your data will also be backed up in this way if your scheduled backups run while you are logged in - whether this is because you are using your machine when it backs up, or because you leave it logged in overnight.
If you back up your data unencrypted, please make sure to exclude your FileVault encrypted files from backup, so that they are not also sent to the HFS, as this is a waste of resources. To do this, please see our page on excluding folders from backup. The exclude rule that you need to create is of the form exclude.dir /Users/.user_name, where user_name is the user name that you use to log on to the machine; so for a user fred this would be:

exclude.dir /Users/.fred

Note the initial '.' before the username is crucial: it is this that indicates that a FileVault directory is being excluded.
Your data will be backed up encrypted, i.e. in the form of 8MB sparse bundles, if backups are run while you are not logged in. This will happen if scheduled backups run and you did not leave the machine logged in; or, where a machine has two or more user accounts, if one user backs up another user's data.
If you back up your data encrypted, please make sure to exclude your unencrypted files from backup, so that they are not also sent to the HFS, as this is a waste of resources. To do this, please see our page on excluding folders from backup. The exclude rule that you need to create is of the form exclude.dir /Users/user_name, where user_name is the user name that you use to log on to the machine; so for a user fred this would be:

exclude.dir /Users/fred

Note the lack of an initial '.' before the username (in contrast to that shown in the previous section), which indicates that a home directory (not a FileVault one) is being excluded.
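The two rules above are easy to confuse, and having neither (duplication) or both (nothing from the home directory is sent) defeats the choice between encrypted and unencrypted backup. The following check is an added example, not part of the original page: it reads a file of exclude rules and reports which form of a FileVault 1 user's data remains in the backup. The function name fv_backup_mode, its four result words, and the sample file and users are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: which form of a FileVault 1 home do the exclude rules leave
# in the backup? Function name and result words are hypothetical.

# fv_backup_mode FILE USER -> unencrypted | encrypted | duplicate | none
fv_backup_mode() {
    awk -v user="$2" '
        /^[ \t]*\*/ { next }                  # lines starting with * are comments
        tolower($1) == "exclude.dir" {        # option names are case-insensitive
            path = $2
            gsub(/^"|"$/, "", path)           # strip surrounding double quotes
            sub(/\/$/, "", path)              # ignore a trailing slash
            if (path == "/Users/." user) dot = 1    # FileVault directory excluded
            if (path == "/Users/" user)  home = 1   # plain home directory excluded
        }
        END {
            if (dot && home) print "none"          # both excluded: nothing is sent
            else if (dot)    print "unencrypted"   # only the readable home is sent
            else if (home)   print "encrypted"     # only the sparse bundles are sent
            else             print "duplicate"     # neither excluded: both may be sent
        }' "$1"
}

# Constructed sample rules (not taken from any real client configuration).
sample=$(mktemp)
cat > "$sample" <<'EOF'
* constructed sample rules
exclude.dir /Users/.fred
Exclude.Dir "/Users/alice"
exclude.dir /Users/.bob
exclude.dir /Users/bob
EOF

for u in fred alice bob carol; do
    printf '%s: %s\n' "$u" "$(fv_backup_mode "$sample" "$u")"
done
rm -f "$sample"
```

A result of duplicate or none for a FileVault 1 user means the rules need correcting before the next scheduled backup.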