Mac Cloud Backup Security — Encryption, VPN & GDPR
SMB3 encryption, VPN access, IP whitelisting, and DoD-compliant data destruction — your Time Machine cloud backups deserve the highest level of protection.
SMB3 Encrypted Transport
All data in transit is encrypted by the SMB3 protocol. No unencrypted connections allowed.
Time Machine Encryption
Enable encrypted backups directly in Time Machine preferences. Your data is encrypted before it leaves your Mac.
IP Whitelisting
Restrict access to your backup volume to specific IP addresses. Available in beta via our support team.
WireGuard VPN
Every account ships with a WireGuard config. The tunnel is required, encrypts your traffic, and works on any network — even when your ISP blocks SMB.
Data Sovereignty
Choose where your data lives: Germany, Finland, or the USA. Your data never leaves your selected region.
Secure Data Destruction
When you cancel, we perform a DoD 5220.22-M compliant 3-pass wipe. Your data is irrecoverably destroyed.
Defense in Depth
WireGuard in transit. SMB3 inside the tunnel. Time Machine encryption at rest. Three independent layers — your data is never in the clear.
How the WireGuard Tunnel Works
A targeted tunnel between your Mac and your bucket. Nothing else.
CGNAT Address Space
Each customer is assigned an address inside the carrier-grade NAT range (RFC 6598). No routable IPs, no public exposure.
Split Horizon
Customers are isolated from each other inside the tunnel. You can only reach your own bucket — never another customer's.
Cryptokey Routing
WireGuard pins every packet to its sender's public key. No IP spoofing, no session hijack, no man-in-the-middle.
No Full Tunnel
The config only routes Capsule Backup traffic. Your normal browsing, email, and apps go through your regular connection — we are not a proxy.
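A check a customer could run against the shipped WireGuard config to confirm the two claims above: the interface address sits in the RFC 6598 range and the peer's AllowedIPs do not amount to a full tunnel. This is an added example, not Capsule Backup's own code; the sample configs, addresses and endpoint are constructed, and it assumes the backup endpoint is also addressed inside 100.64.0.0/10.

```python
import ipaddress
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
# Constructed sample configs; keys, endpoint and addresses are placeholders.
SPLIT_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 100.64.12.7/32

[Peer]
PublicKey = <server-public-key>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 100.64.12.1/32
"""
FULL_CONF = SPLIT_CONF.replace("100.64.12.1/32", "0.0.0.0/1, 128.0.0.0/1")

def parse_wg(text):
    """Return (section, key, value) triples; [Peer] may repeat, so no configparser."""
    section, out = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            out.append((section, key.lower(), value))
    return out

def nets(entries, section, key):
    return [ipaddress.ip_network(v.strip(), strict=False)
            for s, k, val in entries if s == section and k == key
            for v in val.split(",") if v.strip()]

def audit(text):
    """Return findings; an empty list means the config matches the stated design."""
    entries, findings = parse_wg(text), []
    for addr in nets(entries, "interface", "address"):
        if addr.version != 4 or not addr.subnet_of(CGNAT):
            findings.append(f"interface address {addr} is outside {CGNAT}")
    allowed = nets(entries, "peer", "allowedips")
    for version, default in ((4, "0.0.0.0/0"), (6, "::/0")):
        # Merge adjacent prefixes so a default route split into halves is still caught.
        merged = ipaddress.collapse_addresses(n for n in allowed if n.version == version)
        if ipaddress.ip_network(default) in merged:
            findings.append(f"full tunnel: AllowedIPs cover {default}")
    for n in allowed:
        # Assumption: the backup endpoint is addressed inside the CGNAT range too.
        if n.version != 4 or not n.subnet_of(CGNAT):
            findings.append(f"AllowedIPs entry {n} routes traffic outside {CGNAT}")
    return findings
```

FULL_CONF expresses a default route as two /1 prefixes, which a plain string match for 0.0.0.0/0 would miss.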
GDPR Compliant
We are fully GDPR compliant. Contact our DPO at support@capsulebackup.com for any data protection inquiries.
Security Architecture
Your data is protected at every step of the journey, from your Mac to our servers.
End-to-End Encryption
WireGuard wraps every byte in a ChaCha20-Poly1305 tunnel. SMB3 adds AES-CCM/GCM inside that tunnel. Time Machine's AES-XTS encrypts the data at rest. Three layers — never in the clear, anywhere.
No Intermediate Storage
Your backups travel directly from your Mac through the WireGuard tunnel to our servers. No intermediate storage. No third-party relay. No unencrypted hop.
Your Keys, Your Data
Time Machine encryption keys stay on your Mac. Even Capsule Backup cannot read your data. Set up your encrypted backup in under 5 minutes.
Why SMB3?
The modern, secure protocol purpose-built for file sharing — and the only protocol macOS uses for network Time Machine backups.
Encryption by Default
SMB3 enforces AES-128-CCM or AES-128-GCM encryption on every connection. Unlike older protocols, encryption is not optional — it is always on, protecting your backup data from eavesdropping.
No Legacy Fallback
Capsule Backup refuses connections using older, insecure protocol versions. There is no downgrade to SMB1 or SMB2, eliminating known vulnerabilities and man-in-the-middle attacks.
Built for macOS
Since macOS Catalina, Apple uses SMB3 exclusively for Time Machine network backups. It is the native, recommended protocol — no adapters, no workarounds, no compatibility issues. See how easy it is to get started.
| Feature | SMB1 | SMB2 | SMB3 |
|---|---|---|---|
| Encryption | None | None | AES-128-CCM/GCM |
| macOS Time Machine | Dropped | Dropped | Required |
| Secure Negotiation | No | Partial | Yes |
| Legacy Vulnerabilities | Many (WannaCry) | Some | Mitigated |
Security FAQ
Can Capsule Backup employees access my data?
If you enable Time Machine encryption, your backup data is encrypted with a password only you know. Even with physical access to the servers, your data would be unreadable. We strongly recommend enabling this option.
What is IP whitelisting and should I use it?
IP whitelisting restricts access to your backup volume to specific IP addresses. This means only connections from your approved IPs can reach your data. It is ideal for businesses with static IPs or users who want an extra layer of security.
Is SMB3 really secure enough for cloud backups?
SMB3 includes mandatory encryption of all data in transit, similar to HTTPS. Combined with Time Machine encryption for data at rest, your backups are protected by two layers of encryption — comparable to banking-level security.
What happens to my data if Capsule Backup goes out of business?
We would provide a minimum 90-day notice period for users to download their data. Your Time Machine backups can be accessed directly via SMB from any Mac, so you can retrieve your data independently.
How does the DoD 5220.22-M data destruction work?
When you cancel your subscription, after the billing period ends we perform a 3-pass overwrite on the disk area containing your data. This U.S. Department of Defense standard ensures data cannot be recovered by any known method.
Have more questions? Visit our complete FAQ for detailed answers.
Capsule Backup is not affiliated with or endorsed by Apple Inc. Time Machine, macOS, Finder, and Migration Assistant are trademarks of Apple Inc.
"The IP whitelisting and VPN options make this the most secure cloud backup for Mac I've found. My clients love it."