How Apple's iOS BackupAgent Creates and Transfers Encrypted Backups to Your Computer

When an iPhone or iPad backs up to a computer, a system service called BackupAgent manages the process directly on your device. This service collects application data, applies Apple's backup rules, and securely transfers everything to your computer via USB or Wi-Fi.

Unlike a simple file copy, iOS backups are structured, streamed, and optionally encrypted on-device by this service. Below we break down how BackupAgent performs this job step by step.

1. Backup Session Initialization

When a computer requests a backup (via iTunes, Finder, or third-party tools like iMazing), the host communicates with the device over the usbmuxd protocol. The request is routed to lockdownd, which launches the BackupAgent process on iOS.

At this stage:

  • The host (your computer) and device negotiate the backup protocol version.
  • Since iOS 16.1, the device displays a passcode/password prompt to verify that you are the device owner. More details in our blog post.

2. File Selection and Rules

Not every file on the device is backed up. BackupAgent applies backup rules defined by Apple:

  • System caches, temporary files, and app binaries are excluded.
  • Application data (Documents, Library, Preferences, etc.) is included unless explicitly marked with NSURLIsExcludedFromBackupKey in the app's Info.plist by the developer.
  • Keychain data, health data, Safari history, call history items and other sensitive information require backup encryption to be enabled to be backed up.

This filtering ensures backups remain efficient and respect privacy/security boundaries.

3. Packaging and Streaming

BackupAgent doesn't build a monolithic archive in local storage. Instead, it streams files directly to the computer:

  1. File iteration: BackupAgent walks through the list of files selected for backup.
  2. Chunked transfer: Each file is read in chunks and added to an index (Manifest.db) with its metadata (path, size, domain, modification date, hash).
  3. Host reception: The computer receives these chunks and reconstructs them into the backup folder structure. Content files are stored using SHA-1 hashes as filenames, while file metadata is stored in the index Manifest.db, which is received at the end of the backup process (step 5. Manifest and Integrity).

This streaming approach avoids consuming large amounts of device storage and allows very large backups to be produced.

4. Encryption Layer

When encrypted backups are enabled on your device, BackupAgent applies an additional cryptographic layer:

  • A backup keybag is created or reused. It contains per-class keys that protect different file protection classes (NSFileProtectionComplete, NSFileProtectionUntilFirstUserAuthentication, etc.).
  • BackupAgent uses the backup encryption password to derive an encryption key for this keybag.
  • Each file's content is encrypted on-device before being streamed out, using its protection class key.
  • Your computer stores the encrypted data exactly as received. This data cannot be decrypted without both the backup password and the keybag.

This ensures that sensitive data never leaves the device unencrypted.

More details about iOS backup encryption and iMazing:
Backup Encryption in iMazing

5. Manifest and Integrity

At the end of the stream, BackupAgent finalizes a Manifest.db SQLite database containing:

  • File metadata (domain, relative path, flags, sizes, hashes).
  • Encryption information (class keys, protection attributes).
  • References to the encrypted keybag if backup encryption is enabled.

The manifest is encrypted with a specific key to prevent tampering with, or access to, file metadata without the backup encryption password.

It then asks the computer to verify that all files have been stored properly at their correct locations.

6. Host-Side Storage

On the computer, the backup is stored in a folder such as:

  • /Users/<username>/Library/Application Support/iMazing (macOS, iMazing)
  • /Users/<username>/Library/Application Support/MobileSync/Backup/<Device UDID>/ (macOS, Finder or iTunes)
  • C:\Users\<user>\AppData\Roaming\iMazing\Backups\<Device UDID> (Windows, iMazing)
  • C:\Users\<username>\AppData\Roaming\Apple Computer\MobileSync\Backup (Windows, Apple Devices or iTunes)

Inside, you'll find:

  • Manifest.db – the index and metadata of all files.
  • Manifest.plist – backup properties (list of apps, version, encryption, device info).
  • Info.plist – metadata about the device and backup.
  • Status.plist – latest backup status properties.
  • iMazingBackupChecksum.txt – iMazing backup checksum (for backups made via iMazing).
  • DDNABackup.plist – other backup properties used by iMazing (for backups made via iMazing).
  • 255 two-letter folders containing thousands of files named with SHA-1 hashes of their on-device full paths, storing the raw (possibly encrypted) file contents
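
The relationship between Manifest.db and the hash-named content files (sections 5 and 6) can be checked on the host. The following Python is an added example, not code from iMazing or Apple. It assumes an unencrypted backup (an encrypted backup's Manifest.db must be decrypted first), a Files table with fileID, domain, relativePath and flags columns, file names computed as the SHA-1 of "<domain>-<relativePath>", and flag value 1 for regular files; the sample backup is constructed in a temporary folder.

```python
import hashlib, sqlite3, tempfile
from pathlib import Path

def file_id(domain, relative_path):
    # Assumption: the hashed "full path" is the string "<domain>-<relativePath>".
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()

def audit_backup(backup_dir):
    """Return (missing, mismatched, orphans) for an unencrypted backup folder."""
    root = Path(backup_dir)
    con = sqlite3.connect(f"file:{root / 'Manifest.db'}?mode=ro", uri=True)  # read-only
    rows = con.execute("SELECT fileID, domain, relativePath, flags FROM Files").fetchall()
    con.close()
    missing, mismatched, expected = [], [], set()
    for fid, domain, rel, flags in rows:
        if fid != file_id(domain, rel):
            mismatched.append(fid)          # index row does not match its own path
        if flags == 1:                      # assumed: 1=file, 2=directory, 4=symlink
            expected.add(fid)
            if not (root / fid[:2] / fid).is_file():
                missing.append(f"{domain}-{rel}")
    # Content files present on disk but not referenced by the index.
    on_disk = {p.name for d in root.iterdir()
               if d.is_dir() and len(d.name) == 2 for p in d.iterdir()}
    return sorted(missing), sorted(mismatched), sorted(on_disk - expected)

def build_sample_backup(root):
    """Constructed sample: one stored file, one directory, one missing file, one orphan."""
    root = Path(root)
    con = sqlite3.connect(root / "Manifest.db")
    con.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
                "relativePath TEXT, flags INTEGER, file BLOB)")
    entries = [("HomeDomain", "Library/SMS/sms.db", 1),
               ("HomeDomain", "Library/SMS", 2),
               ("HomeDomain", "Library/Preferences/com.example.plist", 1)]
    for domain, rel, flags in entries:
        con.execute("INSERT INTO Files VALUES (?,?,?,?,NULL)",
                    (file_id(domain, rel), domain, rel, flags))
    con.commit(); con.close()
    stored, orphan = file_id("HomeDomain", "Library/SMS/sms.db"), "ff" + "0" * 38
    for name in (stored, orphan):
        (root / name[:2]).mkdir(exist_ok=True)
        (root / name[:2] / name).write_bytes(b"constructed content")
    return root

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return audit_backup(build_sample_backup(tmp))
```

A non-empty missing or mismatched list means the index and the stored content disagree, which is worth investigating before relying on the backup for a restore or as evidence.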

7. Incremental Backup Strategy

One of the BackupAgent's most important optimizations is its incremental backup mechanism. After the first full backup, the device doesn't resend every file during subsequent backups. Instead:

  • The existing Manifest.db on the computer is compared against the current state on the device.
  • Only files that have changed, been added, or been deleted since the last backup are transferred.
  • Unchanged files remain referenced by their hash, avoiding duplicate storage and saving time.

This incremental design allows backups to run much faster after the initial one and keeps storage requirements manageable on the host machine.

If you're experiencing slow backups, please consult our guide:
Understanding & fixing slow iPhone or iPad backups

8. iMazing Snapshots

One of iMazing's distinctive features is that it allows storing multiple iOS backup snapshots of a device while optimizing storage usage.

Learn more: iMazing Backup Snapshot



Summary

The BackupAgent is not just a file copier. It is a streaming data system, designed to respect Apple's rules, minimize device storage usage, and enforce encryption where required. By handling encryption on-device and sending a structured stream to the host, Apple's iOS BackupAgent ensures backups are both secure and efficient.

This design enables tools like Finder, iTunes, and third-party utilities like iMazing to reliably capture the full snapshot of an iOS device while protecting sensitive data.