Helping people with computers... one answer at a time.

It sounds counter-intuitive, but keeping an unencrypted copy of encrypted data not only makes sense, but it can protect it from certain types of loss.

In a previous newsletter, someone was explaining how they lost data because they encrypted it and they couldn't decrypt it. You said it is always a good idea to keep an unencrypted copy of your data to prevent you from losing it. Doesn't doing this completely defeat the purpose of encrypting your data in the first place?

Not at all.

In fact, as that reader discovered, it's actually an important part of keeping your data secure - both from prying eyes and from failure.

The "trick", if you want to call it that, is in how you do it.

Good encryption can't be cracked

Any sufficiently good encryption (with a sufficiently strong password or encryption key) is impractical to crack. While it might be theoretically possible to mount an attack, the practical reality is that it would take longer to crack than the data would have value.

“Above all, protect yourself against losing the only copy of your data or losing access to all of the encrypted copies that you have.”

For example, with current technologies, we're talking thousands of years if a sufficiently strong passphrase is selected.

What that means is that without the password, the data cannot be recovered.

Lose the password, lose your encrypted data - it's as simple as that.

But we know the solution to data loss and it's called "backing up".

Backing up encrypted data

There are two approaches to take if you have data that has been encrypted that you want to back up:

  • You can backup the encrypted data - meaning the .zip file that has a password, the Truecrypt container or whatever technology that you used to encrypt. The backed-up data remains encrypted and secure, but you'll still need the password to get at it. It's a perfect solution to protect against things like hardware failure or anything that falls under the "if it's in only one place, it's not backed up" criteria. However, it doesn't really solve data lost due to a lost password.

  • You can backup the unencrypted data - meaning the contents of the .zip file, Truecrypt volume or whatever in their unencrypted form. You don't need the password to access the data, but that does mean that the backup is by itself not secure and not protected. That has to happen some other way.

And that last point is key: it's perfectly legitimate - perhaps even important - to have an unencrypted backup of your data as long as it's protected some other way.

Different data has different needs

I encrypt data on my laptop to protect myself should my laptop ever be lost or stolen. I backup that same data in its unencrypted form on machines that don't leave my home. That's a level of security that - for that data - I'm very comfortable with.

I have other data that I backup only in its encrypted form. It's critical enough for me that it, should never be stored unencrypted. Again, password loss is a risk (if I ever forget it I'm screwed) but I've protected myself against even that by keeping the password in a different secure location if I ever need a reminder. (Given that I type it in at least twice a day chances of my forgetting are pretty small.)

If I did want to backup that important data in an unencrypted form, I'd make very sure that the unencrypted data was stored securely; perhaps I'd keep it in a locked safe or safety deposit box. In a case like that, having the backup be of the unencrypted data doesn't compromise overall security - it's simply secured a different way.

And should I ever actually forget the password, I would have that unencrypted data to go back to.

What you need to do

Because different data has different needs, you simply need to make an informed decision on how you'll secure and backup your data.

If it's in one and only one place, then it's not backed up - encrypted or otherwise. If it is in only one place, fix that first. Back up. Even if it's just the encrypted data, a backup of that would be better than no backup at all.

Then, consider the risks associated with losing the password or in some cases even the underlying encryption technology. Do you need to backup the unencrypted data? If so, how will you keep that secure in some different way? Would it be enough to simply save the password - again, securely - some other way?

Above all, protect yourself against losing the only copy of your data, or losing access to all of the encrypted copies that you have.

Article C4924 - September 7, 2011 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

1 Comment
KRS
September 13, 2011 2:49 PM

The easiest and most secure way to keep an unencrypted backup is to copy the data to a thumb drive, CD or DVD, which you keep in another room, another building, or, if you're paranoid, in a safe deposit box.

I use an eSATA dock which lets me hot-swap and rotate three internal 360GB SATA drives I've removed from old computers.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.