Can I, or should I, use TrueCrypt for my backups?

I shall tell you a terrible and true tale about
encrypting backups.

Three years ago I went on a trip, leaving my Turkish wife at home in Turkey with her family. Her niece dug out a back-up disk of my emails and went through ten years of emails looking for incriminating evidence. Her English
is good, but not great. They found three apparently suspicious emails from which my wife went berserk., led on by her mad, fat sister (aka The Mad Cow). I am divorced at age 63 because I did not encrypt non-incriminating, innocent
emails from my wife. Go figure.

Thanks,

Truecrypt warns that users should NEVER create volumes/backup volumes by copying the container file.
Apparently, since the two volumes use the same master key, it "aids cryptanalysis"

" Never create a new TrueCrypt volume by cloning an existing TrueCrypt volume. Always use the TrueCrypt Volume Creation Wizard to create a new TrueCrypt volume. If you clone a volume and then start using both this volume and its clone in a way that both eventually contain different data, then you might aid cryptanalysis (both volumes will share a single key set). This is especially critical when the volume contains a hidden volume. See also the chapter How to Back Up Securely."

Fascinating. Yes, creating a new volume should always be done from scratch. Backing up by copying an existing container does introduce some small amount of risk, but that also has to be mitigated against the practical consideration: how likely is it that someone's going to have access to the backups, and take the time to do the cryptanalysis to use it to crack the encryption? It's an important consideration for extremely tight security. However, backing up this way doesn't make cracking "trivial" by any means, it's still a ton of work by someone truely focussed on getting in. It's a risk I'm willing to take.

30-Nov-2009

Note that most drive imaging packages, including Acronis and Symantec, have the ability to encrypt their backups. You only need to encrypt the stuff that your imaging software doesn't take care of.

I have been creating clones of my TrueCrypt volumes, as I don't seem to be able to create virtual drive "W" and virtual drive "X". Every time I create a TrueCrypt volume, it uses the same drive "number" as before, so I can never have two TrueCrypt volumes at the same time. What am I doing wrong?

Peter

I'm confused... you don't create them as drives, you simply create containers. When you mount the container you select what drive letter you want to use for it in the TrueCrypt interface. I have at least two mounted right now.

03-Dec-2009

One thing to remember about TrueCrypt and backups is that TrueCrypt does not update the date modified or date accessed information in Windows. Therefore, if you add files to your TrueCrypt volume today, your incremental backup for today that runs tonight will not back up the TrueCrypt volume because the system does not think the file containing the volume has changed. The only way around this is to force these files to be copied to a backup every time your incremental backups run. (This might have to be a separate backup job.) Full backups are OK because these backups will get all of your files including the TrueCrypt volumes.

Peter M.

Truecrypt has an option for this. Specifically uncheck "Preserve timestamps of file containers". Then the container's timestamp will be updated and the file will be backed up or copied as you might expect.

The reason this option defaults to on is that if the container's timestamp is five years old (or whatever) it gives no indication that the data within it was updated yesterday, securing any traces of usage.

And yes, I learned this the hard way when my TrueCrypt volume didn't back up as expected some years ago.

03-Dec-2009

personally, I'd encrypt even encrypted stuff (and then even encrypt that)

seriously, though

Until Acronis 2010, encryption was not possible; it was only password protected, and the password protection was not strong

truecrypt volumes - I put some of those into DROPBOX (a shared cloud system between computers) - and If I entered stuff into that truecrypt volume, that volume, upon dismounting, would update to the other machines, so it must be reading the date/time somehow

I have my hard drive encrypted (tablet PC). I then do a backup of it, through windows, with acronis. This creates an UNENCRYPTEd backup of actual partitions, that can be loaded back in a RESTORE operation, to a new hard drive. BUT, since unencrypted, they possibly should be stored in an encrypted external drive.
BUT, acronis version 2010 has encryption, BUT that version is not too reliable, from reading their forum, and from my personal install experience

to ALL of you, you are ALL doing much more than your insurance companies . Blue Cross Blue Shield lost ANOTHER laptop, UNENCRYPTED, with names/socialsecurity numbers/PROVIDER numbers, of over 850,000 physicians on it. This is ludicrous, when programs such as truecrypt are available for FREE, and good paid programs such as SecureDoc exist, for just over $100.00 per machine

Create encrypted backup volumes with a different password, large enough for the volumes you want to back up. Mount your primary, mount your backup volume, and use a synchronization app e.g. Syncback on Windows or Chronosync on MacOSX to sync from the unencrypted innards of your primary volume to it's dedicated backup volume. Then unmount them. This way they both stay encrypted, you're not aiding any cryptanalysis because both are different volumes, and you gain the major advantage of being able to use incremental compare/sync tools like I mention, as opposed to copying an entire volume to a backup every time you change one line in a single document :)