Ask Slashdot: Simplifying Encryption and Backup?

New submitter FuzzNugget writes "A recent catastrophic hard drive failure has caused me to ponder whether the trade-off between security and convenience with software-based OTFE is worthwhile. My setup involves an encrypted Windows installation with TrueCrypt's pre-boot authentication, in addition to having data stored in a number of TrueCrypt file containers. While it is nice to have some amount of confidence that my data is safe from prying eyes in the case of loss or theft of my laptop, this setup poses a number of significant inconveniences." Read on below; FuzzNugget lists some problems with this set-up, and seeks advice on a simpler system for backing up while keeping things locked down.
FuzzNugget continues: "1. Backup images of the encrypted operating system can only be restored to the original hard drive (i.e., the drive that has failed). So, recovery from this failure requires the time-consuming process of re-installing the OS, re-installing my software and re-encrypting it. Upgrading the hard drive where both the old and new drives are still functional is not much better as it requires decryption, copying the partition(s) and re-encryption.

2. With the data being stored in large file containers, each around 100-200GB, it can become quite burdensome to deal with these huge files all the time. It's also a particularly volatile situation, as the file container is functionally useless if it's not completely intact.

3. As much as I'd like to use this situation as an opportunity to upgrade to an SSD, use with OTFE is said to pose risks of data leaks, cause decreased performance and premature failure due to excessive write operations.

So, with that, I'm open to suggestions for alternatives. Do you use encryption for your hard drive(s)? What's your setup like and how manageable is it?"

  • Disk encryption (Score:3, Interesting)

    by Max DollarCash ( 2874161 ) on Saturday March 23, 2013 @12:44PM (#43257587)
    I use encryption across all my desktops and laptops. On my laptops I just use dmcrypt/cryptsetup and encrypt the whole disk running Ubuntu. For storage I use my fileserver which is 1x500gb encrypted with dmcrypt for the OS and for the "storage" of the fileserver I have redundancy against failure: LVM with 2x 1TB sata disks. The LVM has both physical volumes as separate "mirror" slices (encrypt 1 disk, add a mirror disk). The total usable storage is around 790 GB but I already had one disk fail and I could simply "mount" my data without one disk being present & rebuild the LVM mirror using a new disk! Secure & reliable! The only issue I have not been able to solve in this setup is if/when one disk fails, your data is only available read-only because the lvm-mirror is only "partial" and physical volumes are missing. If anybody knows a solution for that, please comment. This was just a temporary issue though, as soon as a new disk was added and the mirror rebuilt, all was back to normal.
  • by julesh ( 229690 ) on Saturday March 23, 2013 @01:07PM (#43257739)

    +1 to this. I have a setup similar to the OP's (albeit with different software) and it has no impact at all on my backups, which I take in exactly the same way as I would were the system not encrypted, i.e. they access the files using the ordinary file system API and copy them to a different location (where they are, of course, reencrypted). I suppose the decrypt-compress-reencrypt cycle involved here is a little inefficient, but it doesn't seem to be a huge issue in reality.

    As for increased number of write cycles, it's all down to the software you use. If the driver will emulate an SSD and pass through the 'trim' commands, you won't see any problems. At least some OTFE packages can do this. Truecrypt's docs [truecrypt.org] suggest that at least some configurations will work, although it does warn that using it means attackers will be able to potentially identify empty sectors. This means its use is incompatible with hidden volumes, but nothing in OP's description suggests he was using them.
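
Added example (not part of the comment above and not TrueCrypt's code): a simulation of what someone reading the raw device can tell once TRIM passes through an encrypted volume, which is the trade-off the comment mentions. The sector layout is constructed, and it assumes the drive returns zeros for discarded sectors and that untrimmed free space still holds random-looking data.

```python
import math
import os
from collections import Counter

SECTOR = 512  # bytes per sector in this constructed image
# Constructed layout: (allocated?, sector count) runs on the volume
LAYOUT = [(True, 8), (False, 16), (True, 4), (False, 4)]


def build_image(layout, trim_passthrough):
    """Simulated raw device contents as seen without the key."""
    out = bytearray()
    for allocated, count in layout:
        if allocated or not trim_passthrough:
            # Ciphertext, or stale random-looking data in untrimmed free space
            out += os.urandom(count * SECTOR)
        else:
            # Assumption: the drive returns zeros for discarded sectors
            out += bytes(count * SECTOR)
    return bytes(out)


def entropy(data):
    """Shannon entropy in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(image, threshold=6.5):
    """Label each sector 'used' (high entropy) or 'free' (looks trimmed)."""
    sectors = (image[o:o + SECTOR] for o in range(0, len(image), SECTOR))
    return ["used" if entropy(s) >= threshold else "free" for s in sectors]


def extents(labels):
    """Collapse per-sector labels into (label, first_sector, count) runs."""
    runs = []
    for i, label in enumerate(labels):
        if runs and runs[-1][0] == label:
            runs[-1][2] += 1
        else:
            runs.append([label, i, 1])
    return [tuple(r) for r in runs]


if __name__ == "__main__":
    for trim in (False, True):
        print("TRIM pass-through:", trim, extents(classify(build_image(LAYOUT, trim))))
```

Without pass-through the whole device reads as one undifferentiated run; with it, the free extents and therefore the amount and position of stored data become visible, which is why the setting conflicts with hidden volumes.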

  • FUD in disguise (Score:3, Interesting)

    by Anonymous Coward on Saturday March 23, 2013 @01:34PM (#43257917)

    Intelligence agencies do NOT want you using Truecrypt. So Slashdot obliges with a carefully constructed attack against Truecrypt that is designed to encourage betas to seriously consider the commercial options that always contain back-doors.

    You see the same thing in nonsense reports that tell you intelligence agencies have the ability to recover properly erased files, or files from smashed hard-drives. Slashdot frequently promotes stories suggesting that smashing platters or properly erasing files is a waste of time. Each story is carefully created to lower the likelihood of people in general using proper security protocols.

    What do hard-drive failures and encryption security have to do with one another? Absolutely NOTHING. Why would someone wish you to conflate the two things in your mind?

    Simple bit errors in Truecrypt volumes do not destroy access to all the encrypted files, but I can understand why certain people have an interest in telling you so. All forms of file storage, encrypted or not, are vulnerable to hardware failures in pretty much the same way. A catastrophic failure will make you wish you had used proper back-up protocols, regardless of file security. Indeed, back-up and encryption have nothing to do with one another, and encryption certainly doesn't compromise back-up methods.

    "I used Truecrypt, and when something went wrong, I lost all my files". Read this sentence. Then read again. Then imagine someone saying it at the beginning of an advertisement. Why does the ad start this way? What is the ad trying to get you to think? Then, perhaps, you might want to Google a bloke named Edward Bernays.

    Once again, every commercial security system has back-doors, and therefore the so-called encryption provided this way isn't worth a damn. Rock-solid encryption algorithms are in the public domain, and no, the NSA does NOT have secret UFO technology allowing them to break such encryption. By law, every single security vendor that operates in the West or does business in the West has to give NSA people full co-operation to allow intelligence agencies ways to bypass security offered by their products.

    Slashdot does not daily carry stories attacking North Korea, Syria and Iran by accident. Remember, this is supposed to be a 'nerd' tech site, and yet one might think, from the content, that it was one of Rupert Murdoch's media outlets instead from the sickening political propaganda. Every story promoted here is thus suspect, if you have even one functioning brain-cell. You must always ask "why is this story chosen to be promoted?"
