Ask Slashdot: Simplifying Encryption and Backup?

New submitter FuzzNugget writes "A recent catastrophic hard drive failure has caused me to ponder whether the trade-off between security and convenience with software-based OTFE is worthwhile. My setup involves an encrypted Windows installation with TrueCrypt's pre-boot authentication, in addition to having data stored in a number of TrueCrypt file containers. While it is nice to have some amount of confidence that my data is safe from prying eyes in the case of loss or theft of my laptop, this setup poses a number of significant inconveniences." Read on below; FuzzNugget lists some problems with this set-up, and seeks advice on a simpler system for backing up while keeping things locked down.

FuzzNugget continues: "1. Backup images of the encrypted operating system can only be restored to the original hard drive (ie.: the drive that has failed). So, recovery from this failure requires the time-consuming process of re-installing the OS, re-installing my software and re-encrypting it. Upgrading the hard drive where both the old and new drives are still functional is not much better as it requires decryption, copying the partition(s) and re-encryption.

2. With the data being stored in large file containers, each around 100-200GB. It can be come quite burdensome to deal with these huge files all the time. It's also a particularly volatile situation, as the file container is functionally useless if it's not completely intact.

3. As much as I'd like to use this situation as an opportunity to upgrade to an SSD, use with OTFE is said to pose risks of data leaks, cause decreased performance and premature failure due to excessive write operations.

So, with that, I'm open to suggestions for alternatives. Do you use encryption for your hard drive(s)? What's your setup like and how manageable is it?"

Linux

[magic maverick]

Here's the thing, encryption and backups are two separate things. I once didn't encrypt, nor did I backup. I then accidentally deleted some very important things. Whoops. I then started backing up (and taking greater care with the command line). I then got paranoid and started encrypting stuff using the built in encrypting stuff that comes with Ubuntu (and Debian and similar). Backups were still going to an unencrypted external HD though. So then I started using the built in encryption thing for that too.

And then I started using DejaDup (GUI front end to Duplicity) instead of my home rolled rsync based script. And it does backups the correct way.

So, my suggestions:
1) Use a Linux based OS, such as Ubuntu. Encryption comes free. If you have some stuff that needs M$ Windoze you can run it in a VM.
2) Forget about your OS and programs. Your data is number 1!
3) Don't backup huge encrypted containers. Mount them, and then backup the contents (to another encrypted location).

Imaging + Encryption

[heypete]

On Windows, I prefer to use Acronis software for imaging and TrueCrypt for encryption.

Since the TrueCrypt operations happen at a low level that's transparent to Windows and other applications that interact with the disk, once I enter the pre-boot password for TrueCrypt and load Windows I can interact with the disk as if it were not encrypted: by making images with Acronis after Windows has booted, Acronis sees the disk as a standard NTFS drive. I can save the image of the unencrypted contents of the disk to some sort of secure backup media.

The backup media may be encrypted on its own, or I could use the encryption mechanisms built into Acronis to protect the image files. If I were use Acronis bootable media and try imaging the disk, I'd only get an image of the encrypted data -- by booting into Windows first I can make an image of the unencrypted contents of the disk.

If the encrypted drive were to ever fail I could write the image back to a new drive sans encryption. This also allows me more flexibility in regards to resizing the filesystem to new disks: since I took the image of the unencrypted contents of the disk I can resize the filesystem to a new disk. If I had encrypted the raw disk itself then I would not have this option. After restoring, I can then encrypt-in-place using TrueCrypt to secure the new drive.

As for the encrypted containers, mount them and back up their contents.

Re:backup orthogonal to encryption

[FuzzNugget]

Sorry, I could have been more clear about the crux of the matter. I *do* have multiple onsite and offsite backups which I update them regularly and religiously (I did have to spend two days reconstituting some data as my backup software had failed 5 days prior to this drive failure and not warned me ... but that issue has been resolved and is completely external to the matter at hand)

Aka: you are doing it wrong. First think of backup: you have a machine, and you copy its contents to another drive. Ok. Easy. Now take a breath, and use OTFE for the original hard disk, and now add OTFE for the external drive/media. There. The backup has NOTHING to do with encryption. If you have forced yourself into a backup solution which requires encryption integration to the point that it only restores to a specific hardware, you are failing hard time, precisely for the reason backups are for when you don't have the original hardware.

Great, I completely agree.

How?

I've done everything I can think of to create a raw, autonomous image, thinking that it was self-contained and would be portable as long as it's not reformed when moved, but apparently I was wrong. As far as I can tell, this seems to be a foible of TrueCrypt's encrypted OS feature.

Re:LUKS and LVM2

[SScorpio]

I've kept my system drive and "home" separate on Windows since I've used XP over ten years ago.

The process I used in XP, Vista, 7 and 8 is as follows.
1) Install Windows with only one drive connected to make sure bootldr is on the system drive.
2) During installation, setup a temporary throw away administrative account.
3) Connect another other hard drives to your system and boot into the throw away account
4) Setup the drive / partition you want to have user data on. I recommend creating a root "Documents and Settings" or "Users" folder but you can call it whatever you want, and place it anywhere you want.
5) Open regedit and modify the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList - Change the ProfilesDirectory key from "%SystemDrive%\Users" to "d:\Users" or where you want user data to go.
6) Create a new administrator account that you will keep.
7) Log out of the throw away account and into your new main account. Your "home" directory will be placed under D:\Users\username or where ever you setup for key.
8) Delete the throw away account, and delete user files for it.

This process keeps the Default and Public user folders on the C: drive, but it is possible to move them and modify the registry keys for them in the same location as the ProfilesDirectory key if you want. I never have anything under them so I leave them on the system drive.

I've never ran into any software that doesn't behave correctly while having my user data on a secondary partition. Other instructions to move a user directory have you changing the path in multiple keys in the registry. This method causes the user account to be setup with all of the paths already pointing to the desired location.

Mac + FileVault + Time Machine encrypted

[gnasher719]

Get a Mac. Turn full disk encryption via Filevault2 on. Backup using Time Machine with an encrypted backup drive. The encryption is invisible except that you have to enter the password from time to time.