
Backing up is critical, but exactly how you back up your Truecrypt encrypted data depends on how you're using Truecrypt and on how secure your backups are.

I'm very confused about Truecrypt and how I should back it up. Do I back up the files? The container? What if I'm using whole-drive encryption? How do I back up the encrypted stuff? I'm very confused.

That's actually a condensation of several questions that I get about Truecrypt and backing up.

Backing up is critical, without a doubt. But when you're using Truecrypt to protect sensitive data, there's no one answer on exactly how you should be backing up. It depends a lot on exactly how you're backing up and a couple of decisions that you might want to make along the way.

But first, we have to start with a clear understanding of the two ways that Truecrypt can work and how that looks on disk.

The Truecrypt container file

The most common use of Truecrypt is to create a "container file" that holds your encrypted data. It's just a file on your hard disk – I'll call it "C:\data\mydata.tc" (that's just my example – your Truecrypt container could be any name, located anywhere):

(Figure: TrueCrypt container, unmounted, on C:)

In this case, our C: drive holds a file – C:\data\mydata.tc. When it's not mounted by Truecrypt, it's just a file. In fact, it's just a file whose content looks like totally random data because the "real" content is encrypted and inaccessible until Truecrypt mounts it.

If we mount the container file in Truecrypt – which involves specifying the correct password or passphrase and choosing a drive letter – the contents of the container become visible in their unencrypted form on that drive:

(Figure: TrueCrypt container, on C: mounted as F:)

Now, not only does our computer have a drive C: where we'll still find c:\data\mydata.tc and still find that it contains random data, but a new drive has appeared: drive F: (that's simply the drive letter that I chose – you could choose any available drive letter when mounting the container). Drive F: is nothing more than a completely unencrypted view of the data contained in the Truecrypt container file.

Read data from F: and it's unencrypted. Write data to F: and it is written to the container file C:\data\mydata.tc encrypted, but it is unencrypted every time you read it back from F:.

Unmount F: and the data is no longer visible in an unencrypted form. It's all contained in the encrypted container c:\data\mydata.tc.

Backing up a Truecrypt container

You have two options for backing up what you've placed in this Truecrypt container:

  1. Back up the container file: c:\data\mydata.tc. In fact, if you do a whole-disk backup of drive C:, that container file will be backed up. (Some backup programs may require that the volume be unmounted in order to back up.)

    The pros to this approach are not only that backing up your C: drive causes this container file to be backed up as part of it, but the container file remains encrypted. It still contains all of your private data, but only in encrypted form within the container.

    The downside is that ... the backup contains all of your private data only in encrypted form. If you subsequently need to access that data, you'll need to recover the container and mount it using Truecrypt.

  2. Back up the contents of the container file: F:. Simply mount your Truecrypt container and back up the contents of the drive that it appears as – drive F: in my example – and you'll back up all of the files contained within that Truecrypt container.

    The downside to this approach is that the backup is not encrypted. The files are only encrypted within the container, and by backing up out of drive F:, you are copying the unencrypted files.

    The upside, of course, is that you do not need Truecrypt to access the files from the backup.

Which approach is right for you?

I can't say.

If your backups themselves are encrypted or otherwise secure, then perhaps you don't need to back up the Truecrypt volume itself and only need to back up the unencrypted files.

On the other hand, backing up the Truecrypt volume is by definition secure; Truecrypt volumes are completely portable and can be opened on any computer running Truecrypt (with the correct password, of course).

Me? I back up my Truecrypt volume. That actually allows me to safely back it up to the cloud without worrying that anyone might ever access the files within it, because they don't know my passphrase. If I ever need it, I simply grab it, mount it in Truecrypt, and I'm good to go.

Truecrypt whole-disk encryption

Whole-disk encryption does exactly what it says it does – it encrypts the entire hard disk:

(Figure: TrueCrypt C: whole-disk encrypted)

Before the machine even boots, you must specify the passphrase to allow Truecrypt to mount the drive. Once mounted, it operates exactly like an unencrypted drive.

One important difference with whole-drive encryption is that the encrypted form of the data is not really accessible. Encryption and decryption happen transparently as data is written to and read from the hard disk, sector by sector. There's no concept of backing up "the container." All that you can really do is back up drive C: exactly as if it had not been encrypted at all.

Similarly, a disk image backup will back up an image of the unencrypted disk as the sectors being backed up will be unencrypted as they are read from the disk.

So, what good is whole-drive encryption?

There are several critical benefits:

  • The machine cannot even be booted without specifying the passphrase. Unauthorized individuals cannot use the machine.

  • Everything is written to the disk in encrypted form including programs, documents, downloads, temporary files, caches, and paging files; there's no guessing or worrying about leaving unencrypted traces on the hard disk.

  • Because everything is written to disk in encrypted form, even advanced forensic data recovery techniques cannot be used on the hard drive to recover its contents.

Those benefits don't apply to everyone, but to those for whom they matter, they are very important.

And totally unrelated to backing up.

Backing up a whole-disk encrypted drive

The only way to back up a disk that has been whole-disk encrypted is to back up the contents of the drive in unencrypted form. The encrypted form – the "container", if you will – is simply not available to your backup tools when whole-drive encryption is used.

Note that all of this applies for non-system drives as well. If you have an external hard disk on which you set up whole-drive encryption, the encrypted form of the data is not accessible. The only way to back it up is to mount it with Truecrypt and then back up the unencrypted contents.

That means there's an important implication when backing up whole-drive encrypted computers:

The backups must be secure.

Because you can only back up unencrypted data and the data was evidently important to maintain in encrypted form to begin with, then it would follow that you'd want your backups to be somehow secure. Perhaps that's as simple as making sure that the backups themselves are encrypted or password protected if the backup software you're using provides for that. Perhaps it's making sure that backups happen in a way that is physically secure and cannot be accessed by unauthorized individuals.

Perhaps it's something else entirely.

Regardless, whole-disk encryption protects only that disk and only from access when the computer is not turned on or the passphrase has not been specified. Once the computer is turned on and the disk is mounted by having provided the passphrase, the files on the disk are accessible only in their unencrypted form.

Article C5361 - May 20, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


9 Comments
Mike
May 20, 2012 11:51 AM

There is one other advantage of whole disk encryption mentioned in the TrueCrypt manual: it's slightly faster than using a container file.

Steve (PC Resolver)
May 20, 2012 12:06 PM

I create a second Truecrypt volume that is the same size as the original on a separate disk and mount them both on startup. I run Syncback every day to make sure that the second volume's contents is identical to the original. This is free.
I also run Carbonite (carbonite.com) with my own encryption key to backup the contents to the cloud in real-time. This is about $50 a year for unlimited backup.

That Carbonite allows you to use your own encryption key (something I just heard about on a recent Security Now! podcast) is pretty cool, and allows people to make a tradeoff between convenience and security. (For others: When you use your own key Carbonite cannot decrypt your data and cannot recover your key should you ever lose it - and I *think* they also can't provide you with web access to your backups as well.)
Leo
22-May-2012
John McCurdy
May 22, 2012 10:15 AM

I use Macrium Reflect to backup my TrueCrypt encrypted system drive, and in the Advanced Options for the backup job I turn on 256 bit encryption and use a very strong password. That way I have a good reliable backup, and my data is safe whether someone steals my computer or my backup drive. I also use an online backup service that encrypts the data before it leaves my computer as a second backup for my non-replaceable data files, so that even if someone gets both my computer and my backup drive I can still recover my data.

Sometimes restoring a backup of a system drive that was encrypted with TrueCrypt can be a little tricky, in that you may have to repair the boot sector before the computer will boot again, but otherwise it works fine. And of course you have to re-encrypt the drive, because the restored backup is NOT encrypted.

Marty
May 22, 2012 10:16 AM

Truecrypt's default settings do not change the file properties (date stamp and file size) after you make changes to your encrypted container ("file").

When subsequently doing either an incremental or differential backup, the backup software frequently looks to see if file properties have changed, signaling a need to update that file's backup. However, due to that default setting, changes to the Truecrypt container won't be recognized . . . or saved/backed up. ("Full" backups copy all files, so they aren't affected.)

You frequently recommend Truecrypt (and for great reasons), but I think you should also always advise people to either change this default setting when installing Truecrypt or be aware of the limitations and run full backups of Truecrypt containers.

Your very informative articles are targeted to the less informed -- people like me who wouldn't anticipate this default setting issue and the unintended results.

I should have referenced this existing article: Why won't my Truecrypt volume backup? - I'll add it to the list right now.
Leo
22-May-2012
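As an added example (not part of the article or of the comments above), here is a small Python simulation of the problem Marty describes with option 1, backing up the container file itself: a container overwritten in place with its timestamp preserved looks unchanged to an incremental backup that compares size and modification time, while a content hash still catches the change. The file name and contents are constructed stand-ins for a real container.

```python
import hashlib
import os
import tempfile

# Constructed simulation: TrueCrypt's default "preserve modification
# timestamp" setting keeps the container's mtime fixed, and writes to a
# mounted volume never change the container's size. An incremental backup
# keyed on (size, mtime) therefore skips the file; a content hash does not.

def fingerprint(path):
    """The metadata an incremental backup typically compares."""
    st = os.stat(path)
    return (st.st_size, int(st.st_mtime))

def content_hash(path):
    """Full-content SHA-256: slower, but immune to a preserved timestamp."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def write_preserving_mtime(path, data):
    """Overwrite the file in place, then restore its original mtime,
    mimicking TrueCrypt's default behaviour for a container file."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.write(data)
    os.utime(path, (st.st_atime, st.st_mtime))

def simulate():
    """Return (metadata_detects_change, hash_detects_change) after an
    in-place write that keeps both size and mtime constant."""
    with tempfile.TemporaryDirectory() as d:
        container = os.path.join(d, "mydata.tc")  # stand-in for C:\data\mydata.tc
        with open(container, "wb") as f:
            f.write(b"\x00" * 4096)                # fixed-size "container"
        os.utime(container, (1_000_000_000, 1_000_000_000))
        before = (fingerprint(container), content_hash(container))
        write_preserving_mtime(container, b"\xff" * 4096)
        after = (fingerprint(container), content_hash(container))
        return (before[0] != after[0], before[1] != after[1])

if __name__ == "__main__":
    meta_changed, hash_changed = simulate()
    print("size/mtime check sees a change:", meta_changed)  # False: backup would skip it
    print("content hash sees a change:", hash_changed)      # True
```

The practical takeaway is the one Marty gives: either turn off the timestamp-preserving default or make sure your backup tool looks at content (or always runs full backups) for container files.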
Tony77
May 22, 2012 11:42 AM

Hi,
Is there a way to prevent Windows from asking "to format the partition" if using entire partition encryption?

Yes. Go to computer management, disk manager. Now, for the drive that Windows thinks is unformatted, remove the drive letter. (Right click on the drive, click on "Change Drive letter and paths", and then remove the letter.) And yes, it persists across insertions - I did this with my laptop and my travelling backup drive.
Leo
22-May-2012
Steve (PC Resolver)
May 22, 2012 1:55 PM

Leo: you're correct about using private encryption with Carbonite: you lose web access to your files.
Here is what they have to say about Private Keys:
"Currently, only PC (Windows) machines are given the option to manage their private encryption key.
If you choose to manage your private encryption key, you cannot access your backed up files through Anywhere File Access or use the Courier Recovery service."

John
May 22, 2012 8:10 PM

Hey Steve and John, did you guys disable your IEEE 1394 access? Otherwise, Truecrypt is worthless.

I totally disagree with your statement. Truecrypt is not "worthless" if you have an enabled 1394 adapter. That's misleading hyperbole. (The issue is that there's apparently an exploit where an attacker who has physical access to a computer that's a) running, b) has an enabled 1394 port, and c) has a mounted Truecrypt volume may be able to attach a device that can sniff the Truecrypt encryption key.) Both technically and as a practical risk, that impacts an exceptionally small number of Truecrypt users and usage scenarios. (For the record, the technique can also apparently be used on Bitlocker and the encryption available on Macs as well.)
Leo
23-May-2012
TKJTKJ
May 25, 2012 9:50 AM

I'm bothered, Leo, by your not noting a correction that I communicated to you regarding your comment that 'one can not backup a full system disk Truecrypt system without decrypting it.' In your reply to me personally, you agreed with me: several 'boot CD-based' recovery ware certainly can do this. E.g.: terabyteunlimited.com's "TBI Backup" programs. On such an important matter, your readers should have this knowledge, don't you agree?

I'm afraid I'm not recalling what you're referring to. I'm not aware of any boot CDs that can decrypt whole disk encryption without your specifying the passphrase to decrypt. Once mounted, a TrueCrypt volume behaves like an unencrypted disk, but I said that above.
Leo
26-May-2012
njorl
May 26, 2012 5:26 PM

Cloud Sync with Private Encryption Key

I wasn't aware of Carbonite, until reading this page, but have been using IDriveSync, for a couple of months, with its private encryption key feature.

IDriveSync offers 5 GB of cloud storage, for free.

The company claim support of OS X, iOS, and Android. I hope the private encryption key is supported for cross-platform syncing, but there'll need to be a Linux version before I explore this.
