Encryptying data: a big disappointment

[Stan Brown]

You may remember that we had a discussion here a month or so ago
about protecting data on a laptop, where there's a significant
possibility that someone else could get physical possession of the
computer. In such a case, your Windows login password is little
protection, because anyone can boot a live Linux CD and pull all the
files, even off NTFS volumes.

My drive is partitioned: C for Windows and applications, other
partitions for data. So I decided to use TrueCrypt to encrypt one of
my data partitions in place. That went quite well, and the auto-
mount-on-login feature went well.

But tonight I went to back up with Acronis True Image 2011, and it
didn't recognize the mounted encrypted drive even though Windows did!
(Just to be clear, my original drive S: was encrypted by TrueCrypt
and mounted as P:. Windows recognized P: just fine, but Acronis does
not.) So I can't use Acronis to back up a drive encrypted with
TrueCrypt.

I know not whether it's the fault of Acronis or TrueCrypt, but
obviously giving up backups for the sake of encryption is a devil's
bargain.

Does anyone know a way to encrypt my drives such that

* It works on Windows 7 Home Premium

* Backups can be done, both full and incremental

* There's no performance hit in everyday use

* (desirable but not absolutely essential) Decryption can be done if
necessary in Linux

I chose TrueCrypt because it met the first, third, and fourth
criteria. It was a rude shock to find it didn't meet the second.
I'm hoping someone has a good suggestion, because Googling hasn't led
me to any useful results. (It's possible I'm not using productive
search terms, of course, so suggestions on that score will also be
gratefully received.)

 

[Ken1943]

I asked Paragon about Truecrypt and they could not garentee that it would
work. Seems like a bit by bit image would be ok.

You may remember that we had a discussion here a month or so ago
about protecting data on a laptop, where there's a significant
possibility that someone else could get physical possession of the
computer. In such a case, your Windows login password is little
protection, because anyone can boot a live Linux CD and pull all the
files, even off NTFS volumes.

My drive is partitioned: C for Windows and applications, other
partitions for data. So I decided to use TrueCrypt to encrypt one of
my data partitions in place. That went quite well, and the auto-
mount-on-login feature went well.

But tonight I went to back up with Acronis True Image 2011, and it
didn't recognize the mounted encrypted drive even though Windows did!
(Just to be clear, my original drive S: was encrypted by TrueCrypt
and mounted as P:. Windows recognized P: just fine, but Acronis does
not.) So I can't use Acronis to back up a drive encrypted with
TrueCrypt.

I know not whether it's the fault of Acronis or TrueCrypt, but
obviously giving up backups for the sake of encryption is a devil's
bargain.

Does anyone know a way to encrypt my drives such that

* It works on Windows 7 Home Premium

* Backups can be done, both full and incremental

* There's no performance hit in everyday use

* (desirable but not absolutely essential) Decryption can be done if
necessary in Linux

I chose TrueCrypt because it met the first, third, and fourth
criteria. It was a rude shock to find it didn't meet the second.
I'm hoping someone has a good suggestion, because Googling hasn't led
me to any useful results. (It's possible I'm not using productive
search terms, of course, so suggestions on that score will also be
gratefully received.)

KenW

 

[Ken1943]

I guess you could use the restore cd to undo the encryption make a
backup then encrypt it again. Which would stink !!

You may remember that we had a discussion here a month or so ago
about protecting data on a laptop, where there's a significant
possibility that someone else could get physical possession of the
computer. In such a case, your Windows login password is little
protection, because anyone can boot a live Linux CD and pull all the
files, even off NTFS volumes.

My drive is partitioned: C for Windows and applications, other
partitions for data. So I decided to use TrueCrypt to encrypt one of
my data partitions in place. That went quite well, and the auto-
mount-on-login feature went well.

But tonight I went to back up with Acronis True Image 2011, and it
didn't recognize the mounted encrypted drive even though Windows did!
(Just to be clear, my original drive S: was encrypted by TrueCrypt
and mounted as P:. Windows recognized P: just fine, but Acronis does
not.) So I can't use Acronis to back up a drive encrypted with
TrueCrypt.

I know not whether it's the fault of Acronis or TrueCrypt, but
obviously giving up backups for the sake of encryption is a devil's
bargain.

Does anyone know a way to encrypt my drives such that

* It works on Windows 7 Home Premium

* Backups can be done, both full and incremental

* There's no performance hit in everyday use

* (desirable but not absolutely essential) Decryption can be done if
necessary in Linux

I chose TrueCrypt because it met the first, third, and fourth
criteria. It was a rude shock to find it didn't meet the second.
I'm hoping someone has a good suggestion, because Googling hasn't led
me to any useful results. (It's possible I'm not using productive
search terms, of course, so suggestions on that score will also be
gratefully received.)

KenW

 

[Paul]

You may remember that we had a discussion here a month or so ago
about protecting data on a laptop, where there's a significant
possibility that someone else could get physical possession of the
computer. In such a case, your Windows login password is little
protection, because anyone can boot a live Linux CD and pull all the
files, even off NTFS volumes.

My drive is partitioned: C for Windows and applications, other
partitions for data. So I decided to use TrueCrypt to encrypt one of
my data partitions in place. That went quite well, and the auto-
mount-on-login feature went well.

But tonight I went to back up with Acronis True Image 2011, and it
didn't recognize the mounted encrypted drive even though Windows did!
(Just to be clear, my original drive S: was encrypted by TrueCrypt
and mounted as P:. Windows recognized P: just fine, but Acronis does
not.) So I can't use Acronis to back up a drive encrypted with
TrueCrypt.

I know not whether it's the fault of Acronis or TrueCrypt, but
obviously giving up backups for the sake of encryption is a devil's
bargain.

Does anyone know a way to encrypt my drives such that

* It works on Windows 7 Home Premium

* Backups can be done, both full and incremental

* There's no performance hit in everyday use

* (desirable but not absolutely essential) Decryption can be done if
necessary in Linux

I chose TrueCrypt because it met the first, third, and fourth
criteria. It was a rude shock to find it didn't meet the second.
I'm hoping someone has a good suggestion, because Googling hasn't led
me to any useful results. (It's possible I'm not using productive
search terms, of course, so suggestions on that score will also be
gratefully received.)

This is the first link I could find.

http://ask-leo.com/can_i_or_should_i_use_truecrypt_for_my_backups.html

"And when it comes to backup, here's the key: I don't backup the contents
of the TrueCrypt containers - I backup the containers themselves. That
means that my backups are just as secure as the files on my computer.
It means that in order to access any of that information - even from my
backups - the correct passphrase is required."

The problem with that, has to do with the robustness of the container.
If the container design was such, that major failures couldn't happen
(lose a file or two, and not the whole contain), then backing up a
contain might make sense. Say one bad sector in the backup, ruins
the whole container. You'd be pissed.

If the container isn't robust, then decrypting and doing something
with the files themselves, makes more sense.

It's a lot like picking tape formats in the old days. If a tape
format allows "resynchronizing" with the tape, after a faulty section
of the tape, maybe only one file gets lost, and the others can be
recovered. Or, you can imagine a tape format, where just one error
in the tape, prevents access for anything after that point.

*******

If the "mounted volume" is in a sense virtual, that may prevent
the backup software from hooking into it. It could be that
Truecrypt is missing some form of VSS support. I'm not a Truecrypt
user, and haven't a clue what it supports or how.

http://answers.microsoft.com/en-us/...ce-error/90847f3a-d019-4eab-98eb-8deceb4786db

I think you'll find a few of the backup tools, like VSS, because
it means the backup tool has to do so little work. An older backup
tool, before the VSS era, might do it the old fashioned way
(file by file). But with the proviso, that if backing up C:,
the system will have to be taken off line.

Paul

 

[VanguardLH]

This is the first link I could find.

http://ask-leo.com/can_i_or_should_i_use_truecrypt_for_my_backups.html

"And when it comes to backup, here's the key: I don't backup the contents
of the TrueCrypt containers - I backup the containers themselves. That
means that my backups are just as secure as the files on my computer.
It means that in order to access any of that information - even from my
backups - the correct passphrase is required."

The problem with that, has to do with the robustness of the container.
If the container design was such, that major failures couldn't happen
(lose a file or two, and not the whole contain), then backing up a
contain might make sense. Say one bad sector in the backup, ruins
the whole container. You'd be pissed.

If the container isn't robust, then decrypting and doing something
with the files themselves, makes more sense.

It's a lot like picking tape formats in the old days. If a tape
format allows "resynchronizing" with the tape, after a faulty section
of the tape, maybe only one file gets lost, and the others can be
recovered. Or, you can imagine a tape format, where just one error
in the tape, prevents access for anything after that point.

*******

If the "mounted volume" is in a sense virtual, that may prevent
the backup software from hooking into it. It could be that
Truecrypt is missing some form of VSS support. I'm not a Truecrypt
user, and haven't a clue what it supports or how.

http://answers.microsoft.com/en-us/...ce-error/90847f3a-d019-4eab-98eb-8deceb4786db

I think you'll find a few of the backup tools, like VSS, because
it means the backup tool has to do so little work. An older backup
tool, before the VSS era, might do it the old fashioned way
(file by file). But with the proviso, that if backing up C:,
the system will have to be taken off line.

Paul

Truecrypt encrypting a partition is not creating a container file.
There is the file-hosted container and partition/device-hosted volume.

The forums discuss problems with backup programs and drive encryption
schemes, like:

http://forums.truecrypt.org/search.php?mode=results

Personally I don't see the point of using drive encryption for data
partitions. You still have to load the OS from its partition to load
the TC driver to mount the encrypted partition. Well, you have to do
the same when using TC to mount a container file. The point of doing
drive encryption to protect your computer from, say, intrusion after
theft is to use drive encryption on the OS partition (and use container
files in the data partitions that TC, after the OS partition gets
mounted and usable so you can run TC, will mount).

 

[J. P. Gilliver (John)]

You may remember that we had a discussion here a month or so ago
about protecting data on a laptop, where there's a significant
possibility that someone else could get physical possession of the
computer. In such a case, your Windows login password is little
protection, because anyone can boot a live Linux CD and pull all the
files, even off NTFS volumes. []
Does anyone know a way to encrypt my drives such that []
* Backups can be done, both full and incremental

[]
As Paul has said, many (I suspect most) encryption methods in effect
make one big file - or, call it something else - of the disc (or
partition) being encrypted. As such, incremental isn't going to be
available.

 

[J. P. Gilliver (John)]

[]
Personally I don't see the point of using drive encryption for data
partitions. You still have to load the OS from its partition to load
the TC driver to mount the encrypted partition. Well, you have to do
the same when using TC to mount a container file. The point of doing
drive encryption to protect your computer from, say, intrusion after
theft is to use drive encryption on the OS partition (and use container
files in the data partitions that TC, after the OS partition gets
mounted and usable so you can run TC, will mount).[/QUOTE]

The distinction is subtle; I can't really see much practical difference
between encrypting a drive and encrypting a container file on that drive
(assuming your backup system still sees the encrypted drive as a drive,
of course).

 

[Paul]

You may remember that we had a discussion here a month or so ago
about protecting data on a laptop, where there's a significant
possibility that someone else could get physical possession of the
computer. In such a case, your Windows login password is little
protection, because anyone can boot a live Linux CD and pull all the
files, even off NTFS volumes. []
Does anyone know a way to encrypt my drives such that []
* Backups can be done, both full and incremental

[]
As Paul has said, many (I suspect most) encryption methods in effect
make one big file - or, call it something else - of the disc (or
partition) being encrypted. As such, incremental isn't going to be
available.

I'm mainly concerned with reports of people not being able to
get to their data, after using an encryption product. And I'd need
to see a web site that describes how the method works in this case,
to understand if in fact it is a recoverable format or not. The
fact that Truecrypt supports parallel encryption (multi-core
processor), suggests that damage to it, may be limited to a
chunk of data, rather than the whole thing. So that's a good sign.

I found this on the Truecrypt site, but this didn't particularly
help me.

http://www.truecrypt.org/docs/?s=how-to-back-up-securely

This is the kind of topic, where you'd need to know something
of how it works, before committing to it.

I'd also only want to use this, on a power protected system
(laptop battery or desktop UPS), so there can't be damage from
the AC power going off suddenly. And I'd also want to test the
computer occasionally, to see if there are any RAM errors
or problems with computing integrity. There are even computers
(with Nvidia chipset), where there is a bug in the path that
writes data to the disk, which might be another situation
I'd want to avoid. As long as any error multiplication effect
isn't too big in the thing, it might not be so bad.

But if people are losing data, and there aren't any tools
for recovery (i.e. using the user's password), then this
is a pretty dangerous form of protection.

Paul

 

[Char Jackson]

You may remember that we had a discussion here a month or so ago
about protecting data on a laptop, where there's a significant
possibility that someone else could get physical possession of the
computer. In such a case, your Windows login password is little
protection, because anyone can boot a live Linux CD and pull all the
files, even off NTFS volumes. []
Does anyone know a way to encrypt my drives such that []
* Backups can be done, both full and incremental

[]
As Paul has said, many (I suspect most) encryption methods in effect
make one big file - or, call it something else - of the disc (or
partition) being encrypted. As such, incremental isn't going to be
available.

Do you have a current example of the 'one big file' approach? That
doesn't seem like it would be a common thing at all. In addition, I
don't see any reason to do it that way, and plenty of reasons not to.

 

[Philip Herlihy]

You may remember that we had a discussion here a month or so ago
about protecting data on a laptop, where there's a significant
possibility that someone else could get physical possession of the
computer. In such a case, your Windows login password is little
protection, because anyone can boot a live Linux CD and pull all the
files, even off NTFS volumes.

....

Can't comment on encryption, but it's worth noting that most laptops
have the facility to create a BIOS password, which would deter anyone
not savvy enough to extract the disk and mount it on another system.

 

[VanguardLH]

The distinction is subtle; I can't really see much practical
difference between encrypting a drive and encrypting a container file
on that drive (assuming your backup system still sees the encrypted
drive as a drive, of course).

While there appear to be problems attempting to decrypt the contents of
a TrueCrypt-encrypted drive (i.e., whole-drive/partition encryption) by
a backup program, there should be no problem with backing up a Truecrypt
container file. Instead of mounting the container file as a drive, just
backup the container file itself.

 

[VanguardLH]

...

Can't comment on encryption, but it's worth noting that most laptops
have the facility to create a BIOS password, which would deter anyone
not savvy enough to extract the disk and mount it on another system.

Some laptops incorporate a special hardware chip (TPM: Trusted Platform
Module) that works in concert with the hard disk to perform
hardware-based encryption. You need the password to get into the hard
disk. If you move the hard disk to another computer, it is still
encrypted so it is unreadable.

There is also work on getting hard disk makers to build self-encrypting
hard disks which can work along with TPM or without it. See:

http://arstechnica.com/hardware/new...facturers-unveil-disk-encryption-standard.ars

For example, there are the Seagate Momentus FDE (Full Disk Encryption)
hard disks. Instead of relying on replacing the 446-byte bootstrap code
in the MBR (which, if wiped or corrupted, means the decryption module
won't get loaded) on the hard disk, the encryption is in the firmware in
the hardware interface to the hard disk.

http://www.seagate.com/docs/pdf/marketing/PO-Momentus-FDE.pdf
http://www.seagate.com/www/en-us/products/laptops/laptop-hard-drives/
http://www.seagate.com/www/en-us/products/self-encrypting-drives/
http://knowledge.seagate.com/articles/en_US/FAQ/207035en?language=en_US
http://knowledge.seagate.com/articles/en_US/FAQ/206011en?language=en_US

Obviously once you enter the password to provide access to the encrypted
hard disk, it remains available for access until you power down the
laptop. This is *hardware*-based encryption, not software based that
loads after the OS loads. So when you enter the password, you are
entering it before the OS loads. Access remains in effect until you
power down the hardware (i.e., shutdown the OS and power *down*). That
does not mean you go into low-power (sleep) mode but actually power down
the hardware so on powering up you get prompted for the password again.
So those with laptops with self-encrypting hard disks need to configure
closure of the lid to power down the laptop, not put it into sleep mode.
Since hibernation powers down the hardware, I suppose that's an option,
too (because the hibernation file would be on the encrypted hard disk so
what got copied out of memory into hiberfil.sys would still be
encrypted).

 

[Gene E. Bloch]

On Fri, 9 Mar 2012 07:36:26 +0000, "J. P. Gilliver (John)"

You may remember that we had a discussion here a month or so ago
about protecting data on a laptop, where there's a significant
possibility that someone else could get physical possession of the
computer. In such a case, your Windows login password is little
protection, because anyone can boot a live Linux CD and pull all the
files, even off NTFS volumes. []
Does anyone know a way to encrypt my drives such that []
* Backups can be done, both full and incremental

[]
As Paul has said, many (I suspect most) encryption methods in effect
make one big file - or, call it something else - of the disc (or
partition) being encrypted. As such, incremental isn't going to be
available.

Do you have a current example of the 'one big file' approach? That
doesn't seem like it would be a common thing at all. In addition, I
don't see any reason to do it that way, and plenty of reasons not to.

I have such a file on the thumb drive I use to back up a handful of
items. It is nowhere near a whole partition backup, just a copy of a
few files that I wish to keep from prying eyes. It's just under 4GB,
since the stick is FAT32.

OTOH, I haven't been updating it recently - like almost forever

OMG - I just looked. 6/12/2010. That's June 12, 2010, for those of you
who write dates in the other order...I better look inside to see if I
remember what any of the data is.

Looks like my support for (and interest in) the idea is pretty weak.

 

[Ken1943]

You may remember that we had a discussion here a month or so ago
about protecting data on a laptop, where there's a significant
possibility that someone else could get physical possession of the
computer. In such a case, your Windows login password is little
protection, because anyone can boot a live Linux CD and pull all the
files, even off NTFS volumes.

My drive is partitioned: C for Windows and applications, other
partitions for data. So I decided to use TrueCrypt to encrypt one of
my data partitions in place. That went quite well, and the auto-
mount-on-login feature went well.

But tonight I went to back up with Acronis True Image 2011, and it
didn't recognize the mounted encrypted drive even though Windows did!
(Just to be clear, my original drive S: was encrypted by TrueCrypt
and mounted as P:. Windows recognized P: just fine, but Acronis does
not.) So I can't use Acronis to back up a drive encrypted with
TrueCrypt.

I know not whether it's the fault of Acronis or TrueCrypt, but
obviously giving up backups for the sake of encryption is a devil's
bargain.

Does anyone know a way to encrypt my drives such that

* It works on Windows 7 Home Premium

* Backups can be done, both full and incremental

* There's no performance hit in everyday use

* (desirable but not absolutely essential) Decryption can be done if
necessary in Linux

I chose TrueCrypt because it met the first, third, and fourth
criteria. It was a rude shock to find it didn't meet the second.
I'm hoping someone has a good suggestion, because Googling hasn't led
me to any useful results. (It's possible I'm not using productive
search terms, of course, so suggestions on that score will also be
gratefully received.)

There is another way to go, expensive, self-encrypting hard disks


KenW

 

[Char Jackson]

On Fri, 9 Mar 2012 07:36:26 +0000, "J. P. Gilliver (John)"

In message <[email protected]>, Stan Brown
You may remember that we had a discussion here a month or so ago
about protecting data on a laptop, where there's a significant
possibility that someone else could get physical possession of the
computer. In such a case, your Windows login password is little
protection, because anyone can boot a live Linux CD and pull all the
files, even off NTFS volumes.
[]
Does anyone know a way to encrypt my drives such that []
* Backups can be done, both full and incremental
[]
As Paul has said, many (I suspect most) encryption methods in effect
make one big file - or, call it something else - of the disc (or
partition) being encrypted. As such, incremental isn't going to be
available.

Do you have a current example of the 'one big file' approach? That
doesn't seem like it would be a common thing at all. In addition, I
don't see any reason to do it that way, and plenty of reasons not to.

I have such a file on the thumb drive I use to back up a handful of
items. It is nowhere near a whole partition backup, just a copy of a
few files that I wish to keep from prying eyes. It's just under 4GB,
since the stick is FAT32.

I stand corrected. It appears that creating an encrypted container is
an option recommended for inexperienced users.

OTOH, I haven't been updating it recently - like almost forever

OMG - I just looked. 6/12/2010. That's June 12, 2010, for those of you
who write dates in the other order...I better look inside to see if I
remember what any of the data is.

Looks like my support for (and interest in) the idea is pretty weak.

Way to go. ;-)

 

[Ken Blake]

6/12/2010. That's June 12, 2010, for those of you
who write dates in the other order.

By "the other order" you undoubtedly mean 12/6/2010, the 12th of June,
2010. But there is a third order, although it's seldom
used--2010/12/6. That's the order I would use (but without the
slashes) if for example I were naming a file with a date. The
advantage of that order is that it's directly sortable.

 

[Gene E. Bloch]

You may remember that we had a discussion here a month or so ago
about protecting data on a laptop, where there's a significant
possibility that someone else could get physical possession of the
computer. In such a case, your Windows login password is little
protection, because anyone can boot a live Linux CD and pull all the
files, even off NTFS volumes.

My drive is partitioned: C for Windows and applications, other
partitions for data. So I decided to use TrueCrypt to encrypt one of
my data partitions in place. That went quite well, and the auto-
mount-on-login feature went well.

But tonight I went to back up with Acronis True Image 2011, and it
didn't recognize the mounted encrypted drive even though Windows did!
(Just to be clear, my original drive S: was encrypted by TrueCrypt
and mounted as P:. Windows recognized P: just fine, but Acronis does
not.) So I can't use Acronis to back up a drive encrypted with
TrueCrypt.

I know not whether it's the fault of Acronis or TrueCrypt, but
obviously giving up backups for the sake of encryption is a devil's
bargain.

Does anyone know a way to encrypt my drives such that

* It works on Windows 7 Home Premium

* Backups can be done, both full and incremental

* There's no performance hit in everyday use

* (desirable but not absolutely essential) Decryption can be done if
necessary in Linux

I chose TrueCrypt because it met the first, third, and fourth
criteria. It was a rude shock to find it didn't meet the second.
I'm hoping someone has a good suggestion, because Googling hasn't led
me to any useful results. (It's possible I'm not using productive
search terms, of course, so suggestions on that score will also be
gratefully received.)

After following this thread, I have come to think that the best way to
backup TrueCrypt drives is to use a bit-by-bit (byte-by-byte, really)
copy, but don't just back it up to one drive, make two or even more
copies, since the encrypted drive/file might be vulnerable to small
errors.

You lose the chance of incremental backups, so a good idea might be to
keep the encrypted drives (or file, if you do it that way) reasonably
small. That's probably not feasible if you're a business keeping
records for 2,237,604 customers or whatever.

I read the link from VanguardLH, but I haven't understood it yet, so it
doesn't figure in the above

 

[Gene E. Bloch]

On Fri, 09 Mar 2012 12:23:35 -0800, Gene E. Bloch


By "the other order" you undoubtedly mean 12/6/2010, the 12th of June,
2010. But there is a third order, although it's seldom
used--2010/12/6. That's the order I would use (but without the
slashes) if for example I were naming a file with a date. The
advantage of that order is that it's directly sortable.

Yes, I also name files like that, for the same reason. Today's backup
might be:

Backup-2012-03-09.bup

but I don't normally cite dates that way.

In file names I always use a leading zero for single digit items, again
for sorting, but I don't always use the hyphens.

When I was in the Navy, dates were in the form 9 Mar 2012, but I
finally drifted into the US civilian way. Time was in the form 2304Z,
where Z is GMT; it was 15:04 here in California as I typed that. I
still use 24-hour time, but I use the colon & drop the Z, and I usually
stick to local mean time.

 

[Ken Blake]

Yes, I also name files like that, for the same reason. Today's backup
might be:

Backup-2012-03-09.bup

but I don't normally cite dates that way.

Nor I, but I wish everybody did. It's the best way.

In file names I always use a leading zero for single digit items,

Yes, I do too, but in my example I forgot to do so.

I still use 24-hour time, but I use the colon & drop the Z, and I usually
stick to local mean time.

I wish we all used 24 hour time and I wish the hour hand on analog
clocks would run at half speed. But because clocks don't work that
way, and the great majority of Americans use 12 hour time, I do too.

 

[Bob I]

By "the other order" you undoubtedly mean 12/6/2010, the 12th of June,
2010. But there is a third order, although it's seldom
used--2010/12/6. That's the order I would use (but without the
slashes) if for example I were naming a file with a date. The
advantage of that order is that it's directly sortable.

I believe you meant to say "2010-06-12"

Otherwise you have Dec 6th of 2010. and the slashes hose some apps as
the read it as parameters or pathing.