Helping people with computers... one answer at a time.

Backup and encryption can go together depending on your needs. There are options, beginning with which comes first: the backup or the encryption?

Two of your favorite themes are image backup and TrueCrypt. I've not seen you write about the two together. I've bought an eSata 1TB drive and I'm planning to put TrueCrypt on it and then back up my Vista system and files before upgrading to Windows 7. How does that sound to you?

Sounds just fine, but my initial reaction is - why?

Not that there aren't valid reasons for doing do, but by and large it's not something most people need. That being said, it is a good solution for certain scenarios, and I'll look at a couple.

It all does kind of beg a chicken-and-egg type of question: do you backup encrypted files, or do you encrypt the backup?

The purpose of encryption is simple: security. More specifically, encryption prevents unauthorized people from accessing your sensitive data. As you mentioned, TrueCrypt is my bulk encryption solution of choice. I rely on it heavily.

Backing up, of course, is all about recovering from failure and data loss. If your hard drive dies or if you accidentally delete a file having a recent full backup of your system that you can rely on for recovery will ultimately save the day.

"... you'd want to encrypt your backup if for some reason it could fall into the hands of people whom you'd not want to be able to see its contents."

So, why encrypt a backup?

In short: you'd want to encrypt your backup if for some reason it could fall into the hands of people whom you'd not want to be able to see its contents.

In most cases, that's actually not necessary. For example, many people perform their backups to an external drive sitting right next to their machine. There's no reason to encrypt the backup if the machine right next to it isn't encrypted itself. Encrypting the backup gives you no real additional protection.

Except...

The most common scenario that people consider in a situation like this is theft. A knowledgeable thief who's actually after your data may well steal only the external drive. If the backup data on that drive is encrypted it's of no use to him.

That's if he's actually after your data. I'm of the opinion that thieves are actually more likely to steal computers and other higher value electronics rather than today's inexpensive external drives.

Needless to say, I don't encrypt my external drives or my daily backups.

On the other hand, if theft of the external drive is a real concern, or you do plan to take that external drive to less secure location - perhaps for off-site backup - then encrypting it using a tool like TrueCrypt is perfect approach.

But we're not done encrypting backups just yet. Smile

As I said above, I figure that it's my PC that's more likely to be stolen than some random external drive. Or even more likely, my laptop could easily disappear since it's designed to be portable and easy to carry off.

And of course, the data on either of those computers - desktop or laptop - would go along with it.

That's why I encrypt my sensitive data regardless of what computer it's on.

My Roboform password database, my financial records and more all reside in a TrueCrypt volume for which I must provide the passphrase in order to access.

And when it comes to backup, here's the key: I don't backup the contents of the TrueCrypt containers - I backup the containers themselves. That means that my backups are just as secure as the files on my computer. It means that in order to access any of that information - even from my backups - the correct passphrase is required.

All of this is done with no additional effort on my part when it comes to the backup. I don't encrypt my backups - I backup my already encrypted files.

And it also means I don't use whole-disk encryption - I use standard TrueCrypt volumes as files, specifically so that they can be backed up and copied around as needed.

Ultimately, exactly what combination of encryption and backup technologies you would use will depend on your specific needs and situations. Whether you encrypt your backup, or back up your encrypted data - or whether you do anything additional at all - TrueCrypt and your backup strategy can absolutely play well together.

Article C3935 - November 26, 2009 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

7 Comments
Steve
November 27, 2009 6:38 AM

I shall tell you a terrible and true tale about
encrypting backups.

Three years ago I went on a trip, leaving my Turkish wife at home in Turkey with her family. Her niece dug out a back-up disk of my emails and went through ten years of emails looking for incriminating evidence. Her English
is good, but not great. They found three apparently suspicious emails from which my wife went berserk., led on by her mad, fat sister (aka The Mad Cow). I am divorced at age 63 because I did not encrypt non-incriminating, innocent
emails from my wife. Go figure.

Thanks,

Sue
November 29, 2009 3:34 PM

Truecrypt warns that users should NEVER create volumes/backup volumes by copying the container file.
Apparently, since the two volumes use the same master key, it "aids cryptanalysis"


" Never create a new TrueCrypt volume by cloning an existing TrueCrypt volume. Always use the TrueCrypt Volume Creation Wizard to create a new TrueCrypt volume. If you clone a volume and then start using both this volume and its clone in a way that both eventually contain different data, then you might aid cryptanalysis (both volumes will share a single key set). This is especially critical when the volume contains a hidden volume. See also the chapter How to Back Up Securely."

Fascinating. Yes, creating a new volume should always be done from scratch. Backing up by copying an existing container does introduce some small amount of risk, but that also has to be mitigated against the practical consideration: how likely is it that someone's going to have access to the backups, and take the time to do the cryptanalysis to use it to crack the encryption? It's an important consideration for extremely tight security. However, backing up this way doesn't make cracking "trivial" by any means, it's still a ton of work by someone truely focussed on getting in. It's a risk I'm willing to take.
Leo
30-Nov-2009
Reid
December 1, 2009 11:42 AM

Note that most drive imaging packages, including Acronis and Symantec, have the ability to encrypt their backups. You only need to encrypt the stuff that your imaging software doesn't take care of.

Peter McMillan
December 2, 2009 7:39 AM

I have been creating clones of my TrueCrypt volumes, as I don't seem to be able to create virtual drive "W" and virtual drive "X". Every time I create a TrueCrypt volume, it uses the same drive "number" as before, so I can never have two TrueCrypt volumes at the same time. What am I doing wrong?

Peter

I'm confused... you don't create them as drives, you simply create containers. When you mount the container you select what drive letter you want to use for it in the TrueCrypt interface. I have at least two mounted right now.
Leo
03-Dec-2009

Peter Mackin
December 2, 2009 12:53 PM

One thing to remember about TrueCrypt and backups is that TrueCrypt does not update the date modified or date accessed information in Windows. Therefore, if you add files to your TrueCrypt volume today, your incremental backup for today that runs tonight will not back up the TrueCrypt volume because the system does not think the file containing the volume has changed. The only way around this is to force these files to be copied to a backup every time your incremental backups run. (This might have to be a separate backup job.) Full backups are OK because these backups will get all of your files including the TrueCrypt volumes.

Peter M.

Truecrypt has an option for this. Specifically uncheck "Preserve timestamps of file containers". Then the container's timestamp will be updated and the file will be backed up or copied as you might expect.

The reason this option defaults to on is that if the container's timestamp is five years old (or whatever) it gives no indication that the data within it was updated yesterday, securing any traces of usage.

And yes, I learned this the hard way when my TrueCrypt volume didn't back up as expected some years ago. Smile
Leo
03-Dec-2009

nick
December 6, 2009 4:36 PM

personally, I'd encrypt even encrypted stuff (and then even encrypt that)

seriously, though

Until Acronis 2010, encryption was not possible; it was only password protected, and the password protection was not strong

truecrypt volumes - I put some of those into DROPBOX (a shared cloud system between computers) - and If I entered stuff into that truecrypt volume, that volume, upon dismounting, would update to the other machines, so it must be reading the date/time somehow

I have my hard drive encrypted (tablet PC). I then do a backup of it, through windows, with acronis. This creates an UNENCRYPTEd backup of actual partitions, that can be loaded back in a RESTORE operation, to a new hard drive. BUT, since unencrypted, they possibly should be stored in an encrypted external drive.
BUT, acronis version 2010 has encryption, BUT that version is not too reliable, from reading their forum, and from my personal install experience

to ALL of you, you are ALL doing much more than your insurance companies . Blue Cross Blue Shield lost ANOTHER laptop, UNENCRYPTED, with names/socialsecurity numbers/PROVIDER numbers, of over 850,000 physicians on it. This is ludicrous, when programs such as truecrypt are available for FREE, and good paid programs such as SecureDoc exist, for just over $100.00 per machine

Robert Campbell
May 13, 2010 11:02 AM

Create encrypted backup volumes with a different password, large enough for the volumes you want to back up. Mount your primary, mount your backup volume, and use a synchronization app e.g. Syncback on Windows or Chronosync on MacOSX to sync from the unencrypted innards of your primary volume to it's dedicated backup volume. Then unmount them. This way they both stay encrypted, you're not aiding any cryptanalysis because both are different volumes, and you gain the major advantage of being able to use incremental compare/sync tools like I mention, as opposed to copying an entire volume to a backup every time you change one line in a single document :)

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.