Mac backups — Time Machine + cloud + encrypted external SSD

"Code you didn't back up will disappear eventually." Backing up a developer's machine is different from backing up vacation photos — git repos, SSH keys, 1Password vault, dotfiles, dev environments. When you lose them, the recovery time is the cost.

This guide applies the 3-2-1 backup rule (3 copies, 2 media types, 1 off-site) to a Mac. Time Machine + external SSD + cloud backup, plus four recovery scenarios.

Audience: macOS 14+ users. Corporate machines should follow employer policy first.

TL;DR

1. Time Machine — automatic hourly backups to an external SSD or NAS (the baseline)
2. Backblaze — cloud backup ($9/month unlimited), or iCloud Drive + Photos
3. Add developer assets: dotfiles → /mac/dotfiles (Git), SSH keys → /multi-os/password-manager (1Password)
4. Test recovery: don't just back up — verify restores work
5. Encrypt external SSDs — diskutil apfs encryptVolume or right-click in Finder

Prerequisites

• macOS 14+ + admin account
• External SSD or NAS (for Time Machine) — 2-3× the size of the Mac's internal disk
• (Optional) a paid cloud backup service

1. Why Time Machine alone isn't enough

Time Machine's weaknesses:

• External drive lost / stolen together — gone (theft, fire)
• External drive dies — gone (HDDs average 5-7 years)
• Ransomware encrypts both drives when the external is connected

Apply 3-2-1:

• 3 copies: working disk + Time Machine + cloud
• 2 media types: SSD/HDD + cloud
• 1 off-site: cloud, or somewhere outside your home/office

2. Time Machine setup (15 min)

2.1 Pick an external drive

Recommended specs:

• Size: 2-3× the Mac's internal (1TB internal → 2-3TB external)
• Interface: USB 3.2 or Thunderbolt (USB-C)
• Type: SSD recommended (HDDs back up faster but are slow and noisy)

NAS works too (Synology / QNAP), mounted via AFP / SMB.

2.2 Format (APFS recommended)

Disk Utility → pick the external → Erase:

• Format: APFS
• Scheme: GUID Partition Map
• Name: e.g. TimeMachine

If you'll share the drive with Windows, use ExFAT — but Time Machine won't work; you'll need a different backup solution.

2.3 Encryption (required)

Disk Utility or right-click in Finder:

• "Encrypt" → password + hint
• Lose the password = data is gone forever

Without encryption, a stolen drive exposes every backup. Must be ON.

2.4 Enable Time Machine

System Settings → General → Time Machine → + → pick the external → Use Disk.

Options:

• Back Up Automatically: ON (recommended)
• Show Time Machine in menu bar: ON

The first backup takes hours depending on disk size. After that, hourly incrementals.

2.5 Exclude items (save space)

System Settings → General → Time Machine → Options... → Exclude:

node_modules        ← huge folders in every JS project
.next               ← Next.js build cache
target              ← Rust build artifacts
build               ← C/C++ build artifacts
Library/Caches      ← system caches
.DS_Store           ← Finder metadata

Excluding the whole ~/Library/Caches saves several GB.

2.6 Verify

tmutil status              # backup progress
tmutil listbackups | tail  # most recent backup timestamps

Or the menu-bar Time Machine icon shows the last backup time.

3. Cloud backup (off-site)

Three options:

3.1 Backblaze Personal Backup ($9/month, unlimited)

Best value. Backs up every user file to the cloud. Even external drives (when connected) are included automatically.

# Download the macOS client from https://www.backblaze.com/
# Runs in the background, uploads on change

Caveat: single user only (corporate licenses are separate).

3.2 iCloud Drive + Photos (limited)

• iCloud Drive: 50GB ($0.99/mo) to 12TB ($59.99/mo)
• Sync Documents / Desktop to iCloud automatically
• ⚠️ This is sync, not backup — delete on one side, it's deleted on the other
• Poor fit for dev assets (lots of small files)

3.3 Arq Backup ($50 one-time, BYO S3)

• Backs up to your own S3 bucket or Backblaze B2
• The software is free; you pay only for storage
• Powerful options (deduplication, encryption, scheduling)

4. Developer assets — separate strategies

4.1 Code (Git)

• Local commit + push to GitHub / GitLab — already backed up
• But uncommitted changes and local branches aren't — commit and push often

4.2 dotfiles

.zshrc / .gitconfig / ~/.config/* etc. — manage with chezmoi in Git. One command to restore on a new machine.

4.3 SSH keys

• ✅ Time Machine: backed up (encrypted disk is mandatory)
• ✅ Recommended: 1Password SSH agent — keys in the vault (/multi-os/password-manager)
• ❌ GitHub Gist / public plaintext: never

4.4 .env files

• ✅ Store as 1Password secure notes
• ✅ Or use op run to inject from the vault at runtime
• ❌ Don't rely on Time Machine alone (you'll accidentally commit it to git eventually)

4.5 Local development databases

# Postgres regular dump
pg_dump -U postgres mydb > ~/backups/mydb-$(date +%F).sql

Or back up a docker volume:

docker run --rm -v mydata:/data -v $(pwd):/backup alpine \
  tar czf /backup/mydata-$(date +%F).tar.gz -C /data .

Put the output under ~/backups, which Time Machine picks up.

5. Recommended backup frequency

6. Recovery scenarios

6.1 Accidentally deleted a file

Time Machine UI:

• Menu-bar Time Machine icon → Enter Time Machine
• Slide the timeline → Finder window from a past point → right-click file → Restore

Or via CLI:

tmutil listbackups
tmutil restore /Volumes/TimeMachine/.../path/to/file ~/Desktop/recovered/

6.2 Mac itself broke (disk failure)

On a new Mac or after wiping the same one:

• Setup Assistant → "Restore from Time Machine"
• Connect the external → pick a backup → restore (multi-hour)

Or partial:

• Install macOS, then use Migration Assistant for user data only

6.3 External backup drive died

If your Time Machine external dies:

• Recover from cloud backup (Backblaze)
• Or rebuild the environment from Git remote + 1Password + chezmoi (a few hours)

6.4 Ransomware (every disk encrypted)

You need an offline backup to recover:

• The external must not be connected most of the time
• Practical pattern: connect the external once a week, let Time Machine back up, then disconnect
• Or rely on cloud-backup versioning (restore the version before the ransom event)

Backblaze keeps 30 days of versioning by default; pay extra for one year.

7. Verify

7.1 Is the backup actually working

# Most recent backup
tmutil latestbackup
# /Volumes/TimeMachine/Backups.backupdb/MacBook/2026-05-16-103015
 
# Backup integrity
sudo tmutil verifychecksums /Volumes/TimeMachine/Backups.backupdb/...

7.2 Test a restore (the important one)

Quarterly:

1. Delete a random file, restore it through Time Machine — confirm
2. Detach the external, download a random file from Backblaze — confirm

A backup you've never tried to restore is essentially "no backup." Do it once.

8. Troubleshooting

"Time Machine couldn't complete the backup"

• Check the drive is connected (diskutil list)
• Run Disk Utility → First Aid
• Backup disk corruption: start fresh on a new disk

Backups take forever

• The first backup covers the whole disk (GBs to TBs) — expected
• Subsequent runs are incrementals at most every hour
• If hourly runs take 5+ minutes, you're modifying large files often (e.g., Docker images) — add exclusions

Repeated "Time Machine needs to create a new backup"

• Disk corruption or broken backup chain
• After waiting for a safe window, tmutil delete <old-backups> and start over

External SSD not recognized on macOS Sequoia

• USB-C cable / hub compatibility (use Apple-original or certified cables)
• SMC reset (Intel Mac) or NVRAM reset
• Try a different port

How is the 1Password vault backed up?

• 1Password handles its own cloud backups (Apple servers + AWS)
• In addition: print the emergency kit (PDF + Secret Key + master password) and keep it somewhere safe
• Corporate vaults aren't backed up separately — confirm with IT policy

Backblaze missed some files

• Backblaze auto-excludes folders like node_modules (default policy)
• Check the client's Settings to see exclusions and verify important folders are included

9. What's next

• Mac security (FileVault · Firewall) — /mac/security-firewall
• Manage dotfiles — /mac/dotfiles
• Password manager — /multi-os/password-manager
• File sync (Syncthing) — /multi-os/file-sync — different use case from backups

References

• Time Machine official
• Backblaze Personal Backup
• Arq Backup
• 3-2-1 backup rule

Changelog

• 2026-05-16: First draft. Time Machine + cloud + dev-asset strategies + four recovery scenarios + six troubleshooting cases.