
Ask Slashdot: Simplifying Encryption and Backup? 148

Posted by timothy
from the write-everything-backwards-but-twice dept.
New submitter FuzzNugget writes "A recent catastrophic hard drive failure has caused me to ponder whether the trade-off between security and convenience with software-based OTFE is worthwhile. My setup involves an encrypted Windows installation with TrueCrypt's pre-boot authentication, in addition to having data stored in a number of TrueCrypt file containers. While it is nice to have some amount of confidence that my data is safe from prying eyes in the case of loss or theft of my laptop, this setup poses a number of significant inconveniences." Read on below; FuzzNugget lists some problems with this set-up, and seeks advice on a simpler system for backing up while keeping things locked down.
FuzzNugget continues: "1. Backup images of the encrypted operating system can only be restored to the original hard drive (i.e.: the drive that has failed). So, recovery from this failure requires the time-consuming process of re-installing the OS, re-installing my software and re-encrypting it. Upgrading the hard drive where both the old and new drives are still functional is not much better as it requires decryption, copying the partition(s) and re-encryption.

2. With the data being stored in large file containers, each around 100-200GB, it can become quite burdensome to deal with these huge files all the time. It's also a particularly volatile situation, as the file container is functionally useless if it's not completely intact.

3. As much as I'd like to use this situation as an opportunity to upgrade to an SSD, use with OTFE is said to pose risks of data leaks, cause decreased performance and premature failure due to excessive write operations.

So, with that, I'm open to suggestions for alternatives. Do you use encryption for your hard drive(s)? What's your setup like and how manageable is it?"

  • by Anonymous Coward on Saturday March 23, 2013 @12:41PM (#43257563)

    Aka: you are doing it wrong. First think of backup: you have a machine, and you copy its contents to another drive. Ok. Easy. Now take a breath, and use OTFE for the original hard disk, and now add OTFE for the external drive/media. There. The backup has NOTHING to do with encryption. If you have forced yourself into a backup solution which requires encryption integration to the point that it only restores to a specific hardware, you are failing hard time, precisely for the reason backups are for when you don't have the original hardware.

    Again, separate backup from encryption. I mean, next you will want an integrated internet/remote backup and you will cry us a river? Compartmentalize each function and then you can mix them freely.

    • by julesh (229690) on Saturday March 23, 2013 @01:07PM (#43257739)

      +1 to this. I have a setup similar to the OP's (albeit with different software) and it has no impact at all on my backups, which I take in exactly the same way as I would were the system not encrypted, i.e. they access the files using the ordinary file system API and copy them to a different location (where they are, of course, reencrypted). I suppose the decrypt-compress-reencrypt cycle involved here is a little inefficient, but it doesn't seem to be a huge issue in reality.

      As for increased number of write cycles, it's all down to the software you use. If the driver will emulate an SSD and pass through the 'trim' commands, you won't see any problems. At least some OTFE packages can do this. TrueCrypt's docs [truecrypt.org] suggest that at least some configurations will work, although it does warn that using it means attackers will be able to potentially identify empty sectors. This means its use is incompatible with hidden volumes, but nothing in OP's description suggests he was using them.

      • by AmiMoJo (196126) *

        It matters if you try to ghost the OS. Unless your imaging software can mount a TrueCrypt volume it will have to copy every block verbatim, creating a much larger image file and preventing incremental backups.

        • by julesh (229690)

          So don't do that. There are other ways of performing backups, and recent versions of Windows are quite happy being deployed with a file level copy onto a newly formatted disk (older versions may have objected, however). Linux has always been happy with this approach.

          • by AmiMoJo (196126) *

            You can't just file copy Windows installations, the permissions will be broken. That is one reason why FAT32 is no longer supported for the boot drive. Also there are lots of symbolic links in the winsxs directory that most software can't cope with other than by duplicating masses of data.

    • Re: (Score:3, Informative)

      by FuzzNugget (2840687)
      Sorry, I could have been more clear about the crux of the matter. I *do* have multiple onsite and offsite backups which I update regularly and religiously (I did have to spend two days reconstituting some data as my backup software had failed 5 days prior to this drive failure and not warned me ... but that issue has been resolved and is completely external to the matter at hand)

      Aka: you are doing it wrong. First think of backup: you have a machine, and you copy its contents to another drive. Ok. Easy. Now take a breath, and use OTFE for the original hard disk, and now add OTFE for the external drive/media. There. The backup has NOTHING to do with encryption. If you have forced yourself into a backup solution which requires encryption integration to the point that it only restores to a specific hardware, you are failing hard time, precisely for the reason backups are for when you don't have the original hardware.

      Great, I completely agree.

      How?

      I've done everything I can think of to create a raw, autonomous image, thinking that it wa

      • Re: (Score:2, Insightful)

        (1) Make sure you are using an OS that doesn't make surreptitious copies of stuff without your knowledge. (That eliminates Windows, and for that matter most Microsoft software.) Just about all OSes keep logs, but be aware of how to clear your logs.

        (2) Install a SECOND hard drive for your private data. Just data.

        (3) Use full-drive encryption on that drive. You will have to enter a (preferably long) password when you log in, but that's the biggest hassle.

        (4) Back up your encrypted drive. There should
        • by fa2k (881632)

          This would sacrifice some security on any OS. You could stick /tmp , /var/tmp, /home and swap on the encrypted drive, that would improve things. (I don't know if it handles well to have /var/log there, but as the parent says, logs can leak some significant information about when you were using the computer). Backup could be done at the file level.

          Anyway, if you're throwing out windows anyway, and have one drive, it's fine to use full disk encryption. It is literally just a checkbox in the installer.

          • by rioki (1328185)

            How about you encrypt the OS partition too? That does not change the advice for the data partitions. I for example keep true crypt volumes lying around. They are simple to manage, just copy the entire volume.

            That is what I don't get for many backup solutions, unless you have a high available service to maintain, but normal users need only backup stuff that they can't restore from a different source and that is only data. The OS and programs can be "restored" in the conventional way of installing them.

      • by Anonymous Coward

        Errr... no, sorry, if you are backing up IMAGES of your hard disk, you are not separating backup from encryption. Backup FILES. Backing up images is useful for cases where you want to clone your machine or come back to a previous known state of the OS, but it is a brain dead approach to backup. You run out of disks matching your image and what, SOL?

      • You want a backup that generally should never be a raw image. Most backup software can deal with encryption rather than trying to backup the encrypted raw data.

      • by nabsltd (1313397)

        Great, I completely agree.

        How?

        Install the OS to an unencrypted drive and create an image. This is easily restored (even to a different drive), and easily updated as you install more software.

        Put all your data on a separate partition and encrypt that using whatever tool you want. Unless your computer has some insanely proprietary software on it, this is all that needs encryption. Whole disk encryption is usually used for cases where the supplier of the computer doesn't trust the user of the computer to be able to keep important stuff

        • by rioki (1328185)

          It depends on the attack and threat you are trying to anticipate. Encryption also provides some form of tamper resistance. I can patch your unencrypted OS and read all your data once you unencrypt your data. As always it depends on the use, if you have a laptop with potential sensible data, encrypting the entire thing makes sense, but remember to protect from the evil maid...

      • by Spazmania (174582)

        You're just discovering this about Windows software-based disk encryption schemes? Spend the extra $50 on an FDE drive and save yourself the heartache.

      • Sorry, I could have been more clear about the crux of the matter.

        I *do* have multiple onsite and offsite backups which I update regularly and religiously (I did have to spend two days reconstituting some data as my backup software had failed 5 days prior to this drive failure and not warned me ... but that issue has been resolved and is completely external to the matter at hand)

        How often, if at all, were you doing restore tests? And how complete were your restore tests? Were you doing test restores of individual files or bare metal restore tests?
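A file-level restore test of the kind asked about above, as an added example that is not part of the original thread: it records a SHA-256 manifest of the mounted (decrypted) volume at backup time, then checks a trial restore against it and flags a backup job that has silently stopped running. The function names, the manifest layout and the two-day staleness threshold are assumptions made for illustration, and the sample files are constructed.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

CHUNK = 1024 * 1024  # read files in 1 MiB blocks so large files stay off the heap


def sha256_file(path):
    """Return the SHA-256 hex digest of one file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root, now=None):
    """Hash every regular file under root (the mounted, decrypted volume).

    Working at the file level keeps the manifest independent of whichever
    encryption layer sits underneath the source or the backup media.
    """
    root = Path(root)
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue  # skip links and special files
            files[full.relative_to(root).as_posix()] = sha256_file(full)
    return {"created": time.time() if now is None else now, "files": files}


def verify_restore(manifest, restored_root, now=None, max_age_days=2):
    """Compare a trial restore against the manifest taken at backup time."""
    restored = build_manifest(restored_root)["files"]
    expected = manifest["files"]
    now = time.time() if now is None else now
    report = {
        "missing": sorted(set(expected) - set(restored)),
        "corrupt": sorted(p for p in expected
                          if p in restored and restored[p] != expected[p]),
        "unexpected": sorted(set(restored) - set(expected)),
        # A manifest older than the threshold means the backup job has
        # stopped producing new sets without telling anyone.
        "stale": (now - manifest["created"]) > max_age_days * 86400,
    }
    # Extra files are reported but do not fail the test on their own.
    report["ok"] = not (report["missing"] or report["corrupt"] or report["stale"])
    return report


def demo():
    """Constructed sample data: one clean restore, one damaged and stale."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "mounted_volume"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "taxes.txt").write_text("2012 return\n")
        (src / "docs" / "notes.txt").write_text("project notes\n")
        (src / "photo.raw").write_bytes(b"\x00" * 4096)

        backup_time = 1_000_000_000  # fixed clock so the result is repeatable
        manifest = build_manifest(src, now=backup_time)

        restored = Path(tmp) / "restore_test"
        shutil.copytree(src, restored)
        clean = verify_restore(manifest, restored, now=backup_time + 3600)

        # Simulate a flipped byte, a lost file, and a check run six days later.
        (restored / "photo.raw").write_bytes(b"\x00" * 4095 + b"\x01")
        (restored / "docs" / "notes.txt").unlink()
        damaged = verify_restore(manifest, restored, now=backup_time + 6 * 86400)
        return clean, damaged


if __name__ == "__main__":
    for label, report in zip(("clean", "damaged"), demo()):
        print(label, json.dumps(report, indent=2))
```
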

    • by nazsco (695026)

      So, if your backup is already online, let's say a vps, you would be sending everything unencrypted to the machine you can't really trust and encrypting there?

    • by fa2k (881632)

      The problem seems to be with system backups. It *can* be a royal pain to reinstall the OS if you have a lot of custom software and configuration. I think the submitter is wrong in that the images can only be restored on the same drive as they were taken. If this is the case, it seems to be a failure of the drive imaging software or TrueCrypt.

    • Aka: you are doing it wrong. First think of backup: you have a machine, and you copy its contents to another drive. Ok. Easy. Now take a breath, and use OTFE for the original hard disk, and now add OTFE for the external drive/media. There. The backup has NOTHING to do with encryption. If you have forced yourself into a backup solution which requires encryption integration to the point that it only restores to a specific hardware, you are failing hard time, precisely for the reason backups are for when you don't have the original hardware.

      Again, separate backup from encryption. I mean, next you will want an integrated internet/remote backup and you will cry us a river? Compartmentalize each function and then you can mix them freely.

      If you are interested, here is an explanation of software I wrote to address encrypted backups or file transmissions.
      I wrote a Linux based encryption software that I developed for backup and file transfers as well as for database field encryption. The concept is simple.

      I maintain a table of keys (16 "8 byte" keys). I am using 3DES, but the concept is similar if you wish to use AES for encryption.

      In the header of the encrypted file, maintain some signature to say it is your encrypted file. Then in four succ

  • by Anonymous Coward

    I use encryption across all my desktops and laptops. On my laptops I just use dmcrypt/cryptsetup and encrypt the whole disk running ubuntu.
    For storage I use my fileserver which is 1x500gb encrypted with dmcrypt for the OS and for the "storage" of the fileserver I have redundancy against failure:
    LVM with 2x 1TB sata disks. The LVM has both physical volumes as separate "mirror" slices (encrypt 1 disk, add a mirror disk). The total usable storage is around 790 GB but I already had one disk fail and I could sim

    • by nullchar (446050)

      Software raid via mdadm is a good option. Setup a raid 1 or 1+0 md device for your two disks. E.g. /dev/md1 = raid1 of /dev/sda1 + /dev/sdb1. Now format and use the /dev/md1 partition as full disk encryption, or a truecrypt container with ext4 inside, whatever you like. Now when one disk dies, mdadm emails you, and you can still read/write to the array (where only one disk is active).

      I tend to partition and max out the available space on every drive, so LVM is an unnecessary layer for me.

      You still need bac

  • Disk encryption (Score:3, Interesting)

    by Max DollarCash (2874161) on Saturday March 23, 2013 @12:44PM (#43257587)
    I use encryption across all my desktops and laptops. On my laptops I just use dmcrypt/cryptsetup and encrypt the whole disk running ubuntu. For storage I use my fileserver which is 1x500gb encrypted with dmcrypt for the OS and for the "storage" of the fileserver I have redundancy against failure: LVM with 2x 1TB sata disks. The LVM has both physical volumes as separate "mirror" slices (encrypt 1 disk, add a mirror disk). The total usable storage is around 790 GB but I already had one disk fail and I could simply "mount" my data without one disk being present & rebuild the LVM mirror using a new disk! Secure & reliable! The only issue I have not been able to solve in this setup is if/when one disk fails, your data is only available read-only because the lvm-mirror is only "partial" and physical volumes are missing. If anybody knows a solution for that, please comment. This was just a temporary issue though, as soon as a new disk was added and the mirror rebuilt, all was back to normal.
    • by kwark (512736)

      "The only issue I have not been able to solve in this setup is if/when one disk fails, your data is only available read-only because the lvm-mirror is only "partial" and physical volumes are missing. If anybody knows a solution for that, please comment."

      You could have used lvm on md. Disks fail all the time, I wouldn't risk my data on a setup that fails if 2 disks fail "at the same time". But the good news is that you still can switch: remove one disk, setup a raid1 with 1 missing, sync, add other disk to r

    • you are not backing up your data. Let me make it easy for you. What happens when a file becomes corrupted? What happens to your "mirror" copy? Does it too become corrupted? If so, you might want to reconsider and start making real backups.

    • by nullchar (446050)

      See comment to your original post: http://ask.slashdot.org/comments.pl?sid=3575755&cid=43283631 [slashdot.org]

  • by ColdWetDog (752185) on Saturday March 23, 2013 @12:45PM (#43257597) Homepage

    On OS X, you can easily create bootable images of drives using programs like SuperDuper! and Carbon Copy Cloner (stupid names). You can encrypt these files, put them on various types of drives and OS X can boot off of USB and FireWire drives which makes backups and restores pretty easy.

    OS X also allows for encrypted sparseimages (folders) that can be stored on Dropbox or similar. Between the two concepts, I avoid the hassle of whole drive encryption and just worry about encrypting some of my data.

    I would think that Windows would have similar functionality - mostly the ability to create bootable backup drives - is this not so?

    • He doesn't say what OS he is using. If he is not using a mac I would recommend a combination of full disk encryption on the local machine and use crashplan (java application) to back up an incremental set of encrypted backups. Crashplan works very well and is very reliable in my experience. (Its only problem is the bloat java programs tend to do when they have been running for a long time.)

      If he is using Mac OS then since 10.7 it is possible to manage encrypted disk backup most easily with the to

      • by goombah99 (560566) on Saturday March 23, 2013 @01:39PM (#43257949)

        A few more words about Crashplan.
        Crashplan markets itself as a competitor to things like Mozy and other purveyors of managed remote backup. But Crashplan is distinctly different than all these others in a way that is unbeatable. Namely, you don't have to use their archives to store your data. With crashplan you can target any disk as backup storage. This could be an external disk connected by USB 3.0 or one over at your friend's house (they run crashplan too), or you can use crashplan's servers. They sell the app not the service if you just want to use it with your own disks or a friend's.

        The difference here is what happens when you need to restore. With any other service (like Mozy) you are hosed. How the heck are you going to recover a terabyte from the remote storage to your local disk over the internet????? Not going to happen. For a fee Mozy will burn DVDs and mail them to you. But that assumes you know what date you want the back up for. If you are trying to recover from some slow disk corruption or a trojan you want to inspect the backups first to find the latest possible date before the corruption started, then you want to add back the newer files you can salvage. That's not going to happen with the DVDs you have sent to you.

        But crash plan is different. You just drive across town to your friend's house and pick up the drive. Mount it locally and find all the files you need for the backup. Just like what you would like to have! perfect.

        If crashplan would just solve their Java memory management issues it would be perfect. when you launch it it starts off with 100MB but a week later it's up to a gigabyte of memory use. Fortunately it seems the Virtual Memory manager is able to page out most of this when it's not active, but java programs are such out of control pigs.

        • by goombah99 (560566)

          1. Crashplan does the encryption for you as well as managing the differential backups and restores. It even does a lot of work calculating the minimal differences and de-duplications so the internet traffic and disk space are optimally managed. Your friend cannot read your backups on his computer and you can't read your friend's computer.

          2. But from your point of view you are always working the GUI with unencrypted files and folders when choosing what to back up so the encryption is all transparent to you

        • by hawkeyeMI (412577)
          Yes yes yes, CrashPlan solves this with or without their service (which is a bargain, BTW, especially the unlimited family plan). Been using it both to back up (and a few times to restore) for > 1 year now, and I'm so happy with them.
      • He doesn't say what OS he is using.

        Yes, he does: "My setup involves an encrypted Windows installation ".

  • by bill_mcgonigle (4333) * on Saturday March 23, 2013 @12:46PM (#43257601) Homepage Journal

    aside: "OTFE" seems to stand for "On The Fly Encryption" - an initialism I hadn't heard used by IT folks before ... but anyway....

    Why aren't you backing up your files from one encrypted volume to another, at the file level? It sounds like you're doing block level backups of your container files. Do you not trust your backup computer to have those volumes open and decrypted at backup time? Dealing with block-level diffs isn't an easy way to approach the problem, but you could look at mirroring a copy-on-write filesystem, or a dedicated backup application that does its own block diffs and maps for incrementals.

    I use LUKS on linux for my backups, and then the backup drives go offsite. But the backup computer is allowed to access the files while the backup is running - which isn't a problem for the risks I'm trying to defend against. If you can't trust your backup computer, another approach is to run Windows as a VM and handle your backups with linux, which has a lower intrusion rate.

    • "Why aren't you backing up your files from one encrypted volume to another, at the file level?"

      That's probably a better suggestion than mine, if you want full-disk encryption. Just enable both disks, and copy your files over.

      My suggestion (to keep from backing up the whole disk, that is) was to make several large encrypted volumes (files) using something like TrueCrypt, and then copying them... but you still end up backing up blank space.

      I agree, it would be better to use two or more fully encrypted disks and just copy your files.

      I cringe at the mere thought of encrypting my whole main drive

      • I cringe at the mere thought of encrypting my whole main drive, OS and all. Bleaaggghhh! But if you don't, you have to clear your logs once in a while.

        Yeah, if you're not encrypting your swapfile or temp space, you should make sure your laptop is never stolen or seized. :)

        Even at that, with automatic bad block reallocation, fixing it after the fact isn't good enough for the highest level security.

        • "Even at that, with automatic bad block reallocation, fixing it after the fact isn't good enough for the highest level security."

          True. But the cost of the "highest" level, in convenience and reliability, is pretty high as well. Most people would do fine simply encrypting their data, and clearing their logs and unused drive space once in a while.

          • "Even at that, with automatic bad block reallocation, fixing it after the fact isn't good enough for the highest level security."

            True. But the cost of the "highest" level, in convenience and reliability, is pretty high as well. Most people would do fine simply encrypting their data, and clearing their logs and unused drive space once in a while.

            Wrong. Most people don't do the daily things they need to be doing for security until after they realize they have been compromised or they lost their laptop or similar security breach. The simplest approach is the one you don't need to think about and requires the least number of steps from a user perspective. That is: full disk encryption.

      • by imsabbel (611519)

        > I cringe at the mere thought of encrypting my whole main drive, OS and all. Bleaaggghhh! But if you don't, you have to clear your logs once in a while.

        Why exactly?

        With Truecrypt, I have >>1GB/s possible throughput, so even saturated SATA-6 from an SSD will not be limited by CPU power - hell, 1 or 2 cores are not in use anyway, nearly all of the time.

        And defect sectors or other snafus? Well, if a 4k block is dead, it does not matter if it was encrypted or not. It's not like the whole thing breaks d

        • "Why exactly?

          With Truecrypt, I have >>1GB/s possible throughput, so even saturated SATA-6 from an SSD will not be limited by CPU power - hell, 1 or 2 cores are not in use anyway, nearly all of the time."

          I will remind you of the situation that started this whole thread. If anything DOES go wrong, good luck getting it back.

          Whereas if you encrypt your data, but not your OS, you may not be getting the highest security it is possible to get but it's still pretty damned good and far more fault-tolerant.

          It also means all you have to do for backup is copy your files. No backing up of empty drive space, and no losing the time it takes to do so. Heck, you can double or even quadruple or more the number of back

      • I cringe at the mere thought of encrypting my whole main drive, OS and all. Bleaaggghhh! But if you don't, you have to clear your logs once in a while.

        Maybe that's because your operating system doesn't make it easy for you to do. I've been using full LUKS AES 512 encryption on linux for several years on multiple computers including work computers. I have never had an issue with Full encryption being an issue. It's way easier than having partial encryption such as encfs user account encryption... which has posed some issues for our admins during automated backup situations.

        Full disk encryption is a much better solution because the user is not required to remem

  • by devent (1627873) on Saturday March 23, 2013 @12:52PM (#43257627) Homepage

    I'm using LUKS encryption and LVM2 on my Linux Desktop and there are no problems.

    I don't see the point to encrypt the system partition because there is no private data on it. I just encrypt my home partition.
    Backup and restore I have multiple possibilities: just use dd and copy the whole partition, use rsync or rsync-backup to backup the files. To store my backups I have created a cheap software RAID10 with external USB hard disks: https://www.anr-institute.com/projects/projects/raid-10-usb-2-5zoll-extern/wiki [anr-institute.com]
    With the RAID I have some security of the data in case of driver failure and I can just add more disks if I need more space.

    If I have a new computer I can just install a new os (takes about 20 minutes) and copy the home partition.

    • by julesh (229690)

      I don't see the point to encrypt the system partition because there is no private data on it. I just encrypt my home partition.

      On Windows it is actually incredibly difficult to set up system and home to be on separate partitions. It can be done, but it means either using a hacked installer to make changes to the registry before users are created or messing around with symlinks after the users are created - plus I've heard reports of common software misbehaving after it has been done. It is therefore highly unlikely that this is a realistic option for OP.

      • Re:LUKS and LVM2 (Score:4, Informative)

        by SScorpio (595836) on Saturday March 23, 2013 @02:59PM (#43258433)

        I've kept my system drive and "home" separate on Windows since I've used XP over ten years ago.

        The process I used in XP, Vista, 7 and 8 is as follows.
        1) Install Windows with only one drive connected to make sure bootldr is on the system drive.
        2) During installation, setup a temporary throw away administrative account.
        3) Connect any other hard drives to your system and boot into the throw away account
        4) Setup the drive / partition you want to have user data on. I recommend creating a root "Documents and Settings" or "Users" folder but you can call it whatever you want, and place it anywhere you want.
        5) Open regedit and modify the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList - Change the ProfilesDirectory key from "%SystemDrive%\Users" to "d:\Users" or where you want user data to go.
        6) Create a new administrator account that you will keep.
        7) Log out of the throw away account and into your new main account. Your "home" directory will be placed under D:\Users\username or wherever you set up for the key.
        8) Delete the throw away account, and delete user files for it.

        This process keeps the Default and Public user folders on the C: drive, but it is possible to move them and modify the registry keys for them in the same location as the ProfilesDirectory key if you want. I never have anything under them so I leave them on the system drive.

        I've never run into any software that doesn't behave correctly while having my user data on a secondary partition. Other instructions to move a user directory have you changing the path in multiple keys in the registry. This method causes the user account to be set up with all of the paths already pointing to the desired location.

        • Some programs have their own notion of what a "user" is and store all users' data in a central location OUTSIDE of where Windows stores its user profiles.

          This MAY wind up being on the C:\ drive.

          "Temporary" copies of user data may also wind up on the Windows system drive, Windows Boot drive, or even the C:\ drive (yes, even if you "Boot" from "D:" some old programs have C:\ hard-coded into them, sigh).

          And of course, pagefile.sys, hiberfil.sys, and similar files are by default also on the Windows system drive

          • by SScorpio (595836)

            That's true, and if you are worried enough to encrypt your user data partition, you should do your system partition as well to make sure everything is being properly encrypted.

            This post was to address the fact that it isn't difficult to separate the users directory from the C: drive. Software throwing files all over the place isn't new, but thankfully most are following recommended procedure which puts everything in the user's directory.

        • by Inda (580031)
          Neat.

          Not sure about the registry stuff though. I think I remember moving the user file folders on someone's PC and it can be done in a GUI.

          Right click My Docs > target folder destination ?????? or something like that.
          • by SScorpio (595836)

            That just moves the MyDocs folder. There are more folders than that, and not all of them have a GUI set target folder option. My method has all files and folders with the account on the new drive.

    • by Gothmolly (148874)

      You fail at RAID. You should have used far copies.

    • It depends on how important encrypting all critical data is. In particular leaving your swap file/partition unencrypted could allow someone to gain some access to sensitive data.

  • by brit74 (831798)
    > "Do you use encryption for your hard drive(s)? What's your setup like and how manageable is it?"

    I have two backup drives, placed in different locations so that, even if my house burns down, I still have the data. I encrypt my data. My data is not tied to a specific hard drive. It's just a bunch of files in a TrueCrypt container (either encrypting the whole drive or an encrypted file container). I can go in and access/move/delete/rename any files when I need to - from any computer the backup driv
  • Linux (Score:2, Informative)

    Here's the thing, encryption and backups are two separate things. I once didn't encrypt, nor did I backup. I then accidentally deleted some very important things. Whoops. I then started backing up (and taking greater care with the command line). I then got paranoid and started encrypting stuff using the built in encrypting stuff that comes with Ubuntu (and Debian and similar). Backups were still going to an unencrypted external HD though. So then I started using the built in encryption thing for that too.

    An

    • by kwark (512736)

      "3) Don't backup huge encrypted containers. Mount them, and then backup the contents (to another encrypted location)."

      Or don't use containers but a file-based encryption scheme (like encfs).

  • No data, important or confidential data, resides on any system drive, including smartphones. It gets written to a thumbdrive. Stuff like music and video is just backed up the usual way with the system up and running. The thumbdrives reside in a safe, along with the wallet and other hard to replace stuff. And I rotate the stuff out to another site. It all just became a habit as I found things that worked.

  • Imaging + Encryption (Score:5, Informative)

    by heypete (60671) <pete@heypete.com> on Saturday March 23, 2013 @01:30PM (#43257901) Homepage

    On Windows, I prefer to use Acronis software for imaging and TrueCrypt for encryption.

    Since the TrueCrypt operations happen at a low level that's transparent to Windows and other applications that interact with the disk, once I enter the pre-boot password for TrueCrypt and load Windows I can interact with the disk as if it were not encrypted: by making images with Acronis after Windows has booted, Acronis sees the disk as a standard NTFS drive. I can save the image of the unencrypted contents of the disk to some sort of secure backup media.

    The backup media may be encrypted on its own, or I could use the encryption mechanisms built into Acronis to protect the image files. If I were to use Acronis bootable media and try imaging the disk, I'd only get an image of the encrypted data -- by booting into Windows first I can make an image of the unencrypted contents of the disk.

    If the encrypted drive were to ever fail I could write the image back to a new drive sans encryption. This also allows me more flexibility in regards to resizing the filesystem to new disks: since I took the image of the unencrypted contents of the disk I can resize the filesystem to a new disk. If I had encrypted the raw disk itself then I would not have this option. After restoring, I can then encrypt-in-place using TrueCrypt to secure the new drive.

    As for the encrypted containers, mount them and back up their contents.

    • Have you successfully tried restoring your acronis backup? I have been "almost" burned by my backup software (not acronis) not understanding such underlying low level changes (such as encryption). The software only complained when I tried restoring!!
  • My solution is to only encrypt the data, and then only encrypt the data that needs encryption.

    I partition the hard drive into system and "user" disks, then make sure that I always save data/do projects on the user disk. That reduces the encryption/backup load immensely. No need to make a backup of the installed programs, or the system executables, or my installed libraries, or browser plugins, or anything like that.

    I do monthly backups, but for each project I have a "work" abbreviation that changes director

  • FUD in disguise (Score:3, Interesting)

    by Anonymous Coward on Saturday March 23, 2013 @01:34PM (#43257917)

    Intelligence agencies do NOT want you using Truecrypt. So Slashdot obliges with a carefully constructed attack against Truecrypt that is designed to encourage betas to seriously consider the commercial options that always contain back-doors.

    You see the same thing in nonsense reports that tell you intelligence agencies have the ability to recover properly erased files, or files from smashed hard-drives. Slashdot frequently promotes stories suggesting that smashing platters or properly erasing files is a waste of time. Each story is carefully created to lower the likelihood of people in general using proper security protocols.

    What do hard-drive failures and encryption security have to do with one another? Absolutely NOTHING. Why would someone wish you to conflate the two things in your mind?

    Simple bit errors in Truecrypt volumes do not destroy access to all the encrypted files, but I can understand why certain people have an interest in telling you so. All forms of file storage, encrypted or not, are vulnerable to hardware failures in pretty much the same way. A catastrophic failure will make you wish you had used proper back-up protocols, regardless of file security. Indeed, back-up and encryption have nothing to do with one another, and encryption certainly doesn't compromise back-up methods.

    "I used Truecrypt, and when something went wrong, I lost all my files". Read this sentence. Then read again. Then imagine someone saying it at the beginning of an advertisement. Why does the ad start this way? What is the ad trying to get you to think? Then, perhaps, you might want to Google a bloke named Edward Bernays.

    Once again, every commercial security system has back-doors, and therefore the so-called encryption provided this way isn't worth a damn. Rock-solid encryption algorithms are in the public domain, and no, the NSA does NOT have secret UFO technology allowing them to break such encryption. By law, every single security vendor that operates in the West or does business in the West has to give NSA people full co-operation to allow intelligence agencies ways to bypass security offered by their products.

    Slashdot does not daily carry stories attacking North Korea, Syria and Iran by accident. Remember, this is supposed to be a 'nerd' tech site, and yet one might think, from the content, that it was one of Rupert Murdoch's media outlets instead from the sickening political propaganda. Every story promoted here is thus suspect, if you have even one functioning brain-cell. You must always ask "why is this story chosen to be promoted?"

    • lulz ... well, thanks for the entertainment. I was actually beginning to think there was nobody more paranoid than I am. Thanks for quelling that.
    • by dbIII (701233)

      Rupert Murdoch's media outlets

      No conspiracy theory is required because he shapes what people are talking about and doesn't actually have to own the other bits of the media. North Korea, Iran and Syria are in the news a lot from those outlets so of course slashdot joins in - it's in the news after all.

  • by emil (695)

    7zip is nice because it quietly adds encryption (unlike xz).

    tar cvf - (directory_path) | 7za a -si -mx=9 -pPASSWORD directory.tar.7z

    7za x -so -pPASSWORD directory.tar.7z | tar xpf -

    You are thinking of doing this on Windows, so beware that tar will not preserve NTFS ACLs. You can use cygwin tar if you want, but I find that the mingw tar [sourceforge.net] works all right too.

    If you really want to use flash media, make sure it's SLC, rated for 100,000 write cycles. If you use cheaper MLC media, media failures begin at only

  • Duplicity [nongnu.org] allows for scripted backups with the archives being encrypted by GPG and therefore can be restored to any drive, so long as you know the password.

  • I use it for all my Windows encryption stuff. Not tied to hardware, can encrypt partitions as files or partitions in situ, you can even make hidden encrypted volumes for plausible deniability's sake. Oh, and it's open source. Enough said.

  • This stuff is handled perfectly in the Truecrypt FAQ isn't it? RTFM

    - You can create backups of TC containers, it'll actually be much faster to create a differential or incremental backup of the container since only 1 file needs to be read (cache hits will be more efficient) vs millions of little individual files (each costing IOPS on both sides to initiate the backup as well as compare and store it).

    - 1 (or multiple) bits falling over in an encrypted file system does not cause the entire system to

    • by ckedge (192996)

      > You can create backups of TC containers

      If you use a file based container, BEWARE any backup software that first looks at the timestamp of the file to determine if the file should be backed up or refreshed.

      Truecrypt does not modify the timestamp of file containers.

      Thank God I noticed that before I someday needed to use one of my backups. I would have opened up a "recent backup" to discover that it was in fact very very old.
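The failure ckedge describes, as an added example (not code from the thread or from any backup product): a Python sketch that runs a size-and-timestamp change check and a content-hash check against a constructed stand-in file whose contents change while its modification time is kept. The file name, function names and 64 KiB size are assumptions for illustration.

```python
import hashlib
import os
import tempfile

def fingerprint(path, chunk=1 << 20):
    """SHA-256 of the file content, read in chunks so a large container need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(path):
    """What a backup catalogue might record for one file (hypothetical layout)."""
    st = os.stat(path)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": fingerprint(path)}

def changed_by_metadata(path, prev):
    """The shortcut check: only size and modification time are compared."""
    st = os.stat(path)
    return (st.st_size, st.st_mtime_ns) != (prev["size"], prev["mtime_ns"])

def changed_by_content(path, prev):
    """Slower, but independent of timestamps: compare content hashes."""
    return fingerprint(path) != prev["sha256"]

def write_preserving_mtime(path, offset, data):
    """Simulate a file container that is rewritten in place with its timestamp kept."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(data)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))

def demo():
    """Return (metadata check saw a change, content check saw a change)."""
    with tempfile.TemporaryDirectory() as d:
        container = os.path.join(d, "container.tc")  # constructed stand-in, not a real volume
        with open(container, "wb") as f:
            f.write(os.urandom(64 * 1024))
        prev = snapshot(container)
        write_preserving_mtime(container, 4096, b"new sector data!")
        return changed_by_metadata(container, prev), changed_by_content(container, prev)

if __name__ == "__main__":
    meta, content = demo()
    print(f"metadata check sees change: {meta}; content check sees change: {content}")
```

Hashing a 100-200GB container on every run is expensive, so the practical check is whether the backup tool can be told to compare content (or to always re-read specific files) for the container paths only.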

  • Overkill (Score:5, Insightful)

    by Tony Isaac (1301187) on Saturday March 23, 2013 @02:28PM (#43258247) Homepage

    Do you live in an underground bunker, with automated blast doors and multi-layer security? I doubt it. Does anybody really care enough to defeat such measures to get into your house? I suspect you're like the rest of us, with standard locks and maybe an alarm system or a dog, or both. That is sufficient to deter all but the most determined criminals. And if anyone is determined enough, your extra security won't stop them anyway.

    Your data isn't that different. Nobody is really after your data, at least not to the point of being willing to spend serious money and time getting into your system. The real threats are things like malware (which won't even be slowed down by your encrypted drive), or somebody snooping around on your hard drive after stealing your laptop (when actually they are more likely to want to just sell it).

    Common sense is the best protection for most of us. Don't save passwords in an unencrypted file. Use a non-trivial password to log on to your system. Hang on to your stuff. You get the idea.

    • Nobody is really after your data, at least not to the point of being willing to spend serious money and time getting into your system.

      Finally, some common sense gets injected into the discussion!

      As I interpret this whole thing: The submitter basically has set up what amounts to a "roll your own" system for encryption using TrueCrypt, as well as a custom system for backups - but isn't happy with the level of complexity, because that's often the enemy of robustness (and free time). Now I'm not a Windows guy anymore, I'm on OS X - but I'm pretty sure Windows 7 and 8 have whole-disk encryption and built-in backup utilities that would solve th

    • This is a key point, that encryption only protects data when the encrypted part is off-line. If you get a malware and your My Financial Data volume is mounted then the malware can access it. And if you get a malware and then *ever again* pay your bills then it can just wait until that encrypted volume is mounted and then steal the data.

      Encrypted drives only protect against theft. Encrypted volumes protect against 'temporary theft' like a roommate poking around while you're taking a shower and logged in.

  • There are a lot of similar and tangentially related responses, so I'll make this one post instead of responding inline to each one.

    SETUP
    My partitions look like this in gparted:

    [ PRI/BOOT: Windows w/ TrueCrypt OS encryption ] [ EXTENDED: [ LOGICAL: normal, unencrypted partition where TrueCrypt file containers reside ] ]

    Note that TrueCrypt replaces whatever existing bootloader is on the drive with its own so it can run pre-boot authentication to decrypt the OS.

    Yes, I realize that I don't store any data

  • by gnasher719 (869701) on Saturday March 23, 2013 @05:57PM (#43259537)
    Get a Mac. Turn full disk encryption via Filevault2 on. Backup using Time Machine with an encrypted backup drive. The encryption is invisible except that you have to enter the password from time to time.
    • Get a Mac.

      I know I said I was open, but ... not *that* open.

  • You might want to have a look at Duplicati - that's what I ended up using after I spent a while looking into how to do backup securely. It'll handle scheduling, partials (i.e. diffs, if you want), compression, encryption of the result, and finally upload to a whole range of different cloud providers (or a local directory, of course). It's free, and available for Windows, OSX, and Linux.
  • Enable BitLocker on your drives. When you connect a drive for backing up, bitlocker it then use any backup mechanism (win backup or file history in 8) problem solved. Everything's encrypted and backed up.

  • If you ever expect the data in there to be useful to others then don't bother to encrypt your backups, it's an accident waiting to happen. Rely on physical security of the backup media instead.
    Even if it's your own stuff, do you really want to mess around at 4am with a recovery procedure you can't quite remember that is written down somewhere you can't get to?
  • by fa2k (881632)

    I can't speak to the security of SSDs.

    There are two reasons why it may reduce the lifespan: 1) no TRIM support. Here is a Q/A which confirms this for LUKS on Linux, I doubt Truecrypt has TRIM support either. http://superuser.com/questions/124310/does-luks-encryption-affect-trim-ssd-and-linux [superuser.com] . TRIM is relatively new, and while most filesystems do now support it, you're not losing out on much performance. An alternative is to leave a percentage (e.g. 10 %) of the drive completely unused, as an unformatted p

    • by fa2k (881632)

      An alternative is to[...]

      Sorry, I made a mistake. This is *not* an alternative as in replicating exactly what TRIM does. It will however give you slightly better write performance
