How does Time Machine encrypt backups to network disk?

Solution 1:

Neither the remote disk nor the remote volume is encrypted by Time Machine. Instead, a special "sparse bundle (disk image)" ("backupbundle" for Catalina) is created on the network drive. In fact, it's not a uniform disk image file like a dmg but a special folder containing sub-folders and config/log files.

The content of the source volume(s) is saved as AES-128-encrypted band (or chunk) files in the bands folder.

The password is merged into a special file named token in the backupbundle.


The remote disk or volume could be encrypted independently though. This depends on the (TM-)server config.
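
A way to spot-check that layout on a mounted share, as an added example that is not part of the answer above: it looks for a non-empty token file and measures the byte entropy of each file in the bands folder. The 7.5 bits/byte threshold, the 64 KiB sample size, the function names and the sample bundles built in a temporary directory are assumptions made for this illustration.

```python
import math, os, tempfile
from collections import Counter
from pathlib import Path

ENTROPY_MIN = 7.5      # assumed heuristic threshold, bits per byte
SAMPLE = 64 * 1024     # assumed: bytes read from the start of each band

def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def audit_bundle(bundle: Path) -> dict:
    """Check one bundle folder for a token file and ciphertext-like bands."""
    token = bundle / "token"
    bands = sorted(p for p in (bundle / "bands").glob("*") if p.is_file())
    low = []
    for band in bands:
        with band.open("rb") as fh:
            if entropy(fh.read(SAMPLE)) < ENTROPY_MIN:
                low.append(band.name)   # readable structure: not ciphertext
    has_token = token.is_file() and token.stat().st_size > 0
    return {"token_present": has_token, "bands": len(bands),
            "low_entropy_bands": low,
            "looks_encrypted": has_token and bool(bands) and not low}

def make_sample(root: Path, name: str, encrypted: bool) -> Path:
    """Constructed stand-in for a bundle; not a real Time Machine backup."""
    bundle = root / name
    (bundle / "bands").mkdir(parents=True)
    for i in range(3):
        body = os.urandom(SAMPLE) if encrypted else b"plain text contents\n" * 3000
        (bundle / "bands" / format(i, "x")).write_bytes(body)
    (bundle / "token").write_bytes(os.urandom(512) if encrypted else b"")
    return bundle

def demo() -> tuple:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        enc = audit_bundle(make_sample(root, "enc.sparsebundle", True))
        plain = audit_bundle(make_sample(root, "plain.sparsebundle", False))
    return enc, plain

if __name__ == "__main__":
    for report in demo():
        print(report)
```

High entropy is also what compressed data looks like, so a passing result only shows that no band exposes readable plaintext; a failing one is the useful signal.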