Back That Data Up

Mac backup

How to back up a Mac to Dropbox securely.

A lot of people already pay for Dropbox. It is sitting there, with storage capacity going unused. Using it for a real encrypted Mac backup is a reasonable idea. Here is how to do it right, and what "right" actually means.

2026-06-28 · 10 min read

What Dropbox does and does not do

Start here. Dropbox is a sync service. It copies whatever you put in your Dropbox folder to the cloud and to every other device signed into your account. If you put files in Dropbox, those files are accessible from your other computers. That is what Dropbox was built for, and it does that job well.

Sync is not backup. Delete a file from your Dropbox folder and Dropbox deletes it from the cloud and from your other devices. Ransomware encrypts your files and Dropbox mirrors those encrypted files to the cloud. You can get individual file versions back through Dropbox's version history (usually 180 days on a paid plan), but version history is per file and is not designed for full Mac restoration.

The goal of this post is different from sync. We are going to talk about using Dropbox as a destination for a real backup: encrypted, versioned, restorable, and yours.

The naive approach and why it fails

The naive approach is to drag your important files into the Dropbox folder and call it done. Or to use Dropbox's "backup this folder" feature that appears in the app.

This gives you sync. It does not give you backup. The problems:

  • No point in time snapshots. Dropbox stores the current state of your files plus some version history. It does not give you a browsable copy of your whole Mac as it existed at 9am on Tuesday.
  • No encryption you control. Files in your Dropbox folder are encrypted in transit and at rest, but Dropbox holds the encryption keys. They can read your files. Governments can subpoena them. Employees with access can see them. That is the reality of how most cloud sync works.
  • Mirror behavior. Damage to the local files mirrors to Dropbox. That is the fundamental limit of sync as a backup strategy.
  • No system state. Your Dropbox folder contains files you put there. It does not contain your apps, your preferences, your email database, your keychain, or anything that makes your Mac yours beyond the files you explicitly synced.

This approach is better than nothing. If your drive fails and you put your most important files in Dropbox, you can get those files back. But it is not a backup in any serious sense of the word.

The right approach: local backup plus encrypted cloud vault

The setup that actually works has two parts.

Part one: local point in time backup. A backup app on your Mac that takes snapshots of your whole system and stores them on a local drive. Each snapshot is independently readable. You can open a snapshot from any date and navigate it like a folder. This is the foundation. Time Machine is the free option. Back That Data Up adds hardware key encryption, anomaly aware backups, and independent snapshots that do not depend on an unbroken chain.

Part two: encrypted off-site copy using Dropbox as the destination. A backup app that encrypts your most important files into a private format before writing them to Dropbox. Not sync. An encrypted backup vault, stored in your Dropbox account, in a format that only your Mac can open.

The second part is what Cloud Vault in Back That Data Up does. Here is what makes it different from just putting files in Dropbox:

  • The files are encrypted on your Mac before they are written to Dropbox. Dropbox receives opaque encrypted data. Dropbox employees cannot read it. Anyone who breaks into your Dropbox account cannot read it. Only your Mac, with your key, can open it.
  • The backup runs on a schedule, not on every file change. Changes accumulate locally, and the backup writes a new encrypted snapshot at the interval you set. You end up with versioned encrypted copies in Dropbox, not a mirror.
  • Restore goes through the app, not through Dropbox.com. You open BTDU, choose the Cloud Vault, authenticate with your key, and browse the encrypted snapshots as if they were local folders. Navigate to any file from any backup date. Drag it out.

Why encryption before upload matters

I want to spend a moment on the encryption point because it is load bearing for anyone who takes security seriously.

When you put a file in Dropbox, Google Drive, or OneDrive, the service encrypts it for storage. But the service holds the keys. This is called server-side encryption. It protects the files against someone physically stealing servers from a data center. It does not protect the files against Dropbox itself, against government requests to Dropbox, or against a breach that exposes the key management system.

Client-side encryption is different. You encrypt the file on your machine, using a key that never leaves your machine, before the file is uploaded. The cloud service receives encrypted bytes. It has no idea what is in them. Even if the cloud service wanted to read your files, it could not.

Cloud Vault uses client-side encryption. The encryption happens on your Mac. The key is yours. Dropbox receives a private format that only your Mac can open. If you cancel your Dropbox subscription tomorrow, download the vault files to a drive, and come back in five years, your Mac can still open them. The vault does not depend on any back end service I run. It is a format your Mac understands, your key unlocks, and your files live in.

For anyone handling sensitive client files, legal documents, health records, or simply anything they would not want to become public, that distinction is significant.

Hardware keys: the optional level above

I built one feature into BTDU that I have not seen in any other Mac backup app: you can lock your backup with a FIDO hardware key.

A FIDO key is a small physical device, like a Yubikey, that plugs into a USB port. You register it with the backup, and from that point on the backup only opens when that key is present. Not just a password. The physical object.

For a Dropbox cloud vault specifically, this is an extra layer on top of the client-side encryption. The vault is already encrypted before it hits Dropbox. Adding a hardware key means that even if someone obtained your vault files AND your Mac AND guessed your password, the backup stays sealed without the physical token.

This is not the right setup for everyone. If you lose the key and have no backup of it, the vault is sealed to you too. (Keep a spare. Yubikey sells two-packs for this reason.) But for people whose files represent serious professional or personal liability, hardware key encryption is a different category of protection. Touch ID and Face ID are convenient. A hardware key is unconditional.

How to set this up with BTDU and Dropbox

The practical setup:

  1. 1. Install Back That Data Up and run the initial setup. Point the main backup at an external drive. This is your local point in time backup. Run it first. Everything else is the second copy.
  2. 2. Open Cloud Vault in BTDU. Select Dropbox as the destination. BTDU will ask for authorization to write to a folder in your Dropbox account (it uses a dedicated folder inside your Dropbox, not a flat dump in the root).
  3. 3. Choose what to include. Cloud Vault is designed for your most important files, not a mirror of your entire system. Pick your Documents, your Desktop, your project folders, your photo library, whatever you would be most upset to lose. BTDU encrypts and uploads those on a schedule.
  4. 4. Choose your encryption key. Touch ID is the easy option. If you want a hardware key, register your Yubikey at this step. BTDU generates a unique encryption key for the vault, wrapped by your chosen unlock method.
  5. 5. Set the schedule. Daily is reasonable for most people. The first run will upload everything. Subsequent runs upload only changed files, so they are fast.
  6. 6. Let it run. You now have a local backup and an encrypted off-site copy in Dropbox. If your Mac is stolen or your house floods, the Dropbox vault is your restore path. If Dropbox has a problem, the local backup is your restore path. Two independent copies, two independent locations.

What Dropbox storage does this use?

Cloud Vault writes encrypted snapshots to a folder inside your Dropbox. Each snapshot contains only changed files since the last snapshot, so after the first run the uploads are small.

If you back up 20GB of files and they change slowly, you will use roughly 20GB for the first snapshot plus a small delta for each subsequent one. BTDU retains a configurable number of snapshots and prunes older ones automatically, so the total footprint stays bounded.

Dropbox's free plan is 2GB, which is not enough for most people's important files. Dropbox Plus at 2TB is usually more than enough. If you already pay for Dropbox, the space is likely sitting there unused.

BTDU also supports Google Drive, iCloud Drive, and OneDrive with the same Cloud Vault setup. The workflow is identical regardless of which cloud you choose. Pick the one you already pay for.

One more thing

I built BTDU because I wanted a Mac backup app that would just always run for my partner, who will never open settings, while also giving me the ability to tweak everything I want to tweak. Same binary. No subscription.

Cloud Vault was the feature that grew out of exactly the problem this post is about. I was paying for Dropbox. I wanted my files in the cloud. But I did not want Dropbox to be able to read them. And I wanted versioned point in time snapshots, not a mirror. The existing options were either too complicated or too expensive. So I built it.

The result: you get encrypted, versioned, off-site backups in the cloud you already pay for. No new subscriptions. No new cloud accounts. Your own Dropbox, used the way it should have worked all along.

If BTDU sounds like a fit, here is where to start. $29.99, one time. Cloud Vault and all other features included. No subscription, ever.

Already using Dropbox? BTDU works with your existing account. No new storage account needed.