
Insecure because of backups?

Juergen
2017-11-02
2018-11-28
  • Juergen

    Juergen - 2017-11-02

    Hello,

    I did a system partition encryption of my laptop with sensitive data on it. It only has one drive C:. So if anyone will steal my laptop I think nobody will be able to skip/solve the login password or extract any data in any other way.

    But what about backups? Does one destroy the high security by oneself if I make automated backup of my laptop?

    I plan to make an automated weekly backup of my whole laptop (incremental backup is only a nice to have) to my NAS using Acronis True Image or Veeam Agent for Windows. To be able to make such a backup Windows must be started and so the data is unencrypted at the time of backup. So I think, that the data is written unencrypted into the backups, right?

    It is unlikely, that someone will steal my NAS or the files from it, but in my eyes it is just stupid to secure the laptop completely and store unencrypted backups. That makes no sense to me.
    If someone will get my backup files and he will be able to restore and will be even prompted for the boot password I think (cause it's a 1:1 copy), right? But as the data in the backup is not encrypted (cause data copied from booted system) maybe it is easy to get out all the data by some tools easily?

    What do you think about that?
    Which is a good, comfortable and secure way to create encrypted backups?

    Or am I completely wrong and even a backup taken from a running VC encrypted Windows machine is absolutely secure, like the machine itself?

    I am just uncertain, if the VeraCrypt encryption will be decrypted because of the backup.

     

    Last edit: Juergen 2017-11-02
  • Adrian Kentleton

    You are right - a backup of a running encrypted Windows system is unencrypted. You need to back it up using software that writes it to a file that you can encrypt or password protect.

    A simple solution is to create VeraCrypt volumes on your NAS that you mount, write the backup into, then dismount. I'd recommend using free Macrium Reflect (as I do) to create weekly highly compressed, intelligent (i.e. only used sector) disk images of the C: drive, writing the files into a mounted VeraCrypt volume on the NAS. This process can be easily automated using batch files. The password and encryption parameters for your NAS VeraCrypt volumes might as well be the same as for your system encryption, since there is no logic in having different security levels for original and backup.

    The paid edition of Reflect allows you to password protect disk images, but why bother? Veracrypt itself provides the solution you need.
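
The mount, back up, dismount cycle described in the post above, as an added PowerShell sketch that is not part of the original thread. The container path, drive letter and backup command are assumptions (placeholders for your own NAS share and imaging tool); only the VeraCrypt switches `/v`, `/l`, `/d`, `/q` and `/s` are real.

```powershell
# Added example (not from the thread). Paths, drive letter and the backup
# command are assumptions; adjust them to your own setup.
$ErrorActionPreference = 'Stop'
$VeraCrypt  = 'C:\Program Files\VeraCrypt\VeraCrypt.exe'
$Container  = '\\nas\backup\laptop-images.hc'    # hypothetical container file on the NAS
$Letter     = 'X'
$BackupExe  = 'C:\Tools\imaging-tool.exe'        # placeholder for your imaging tool
$BackupArgs = '<arguments of a job that writes to X:\>'   # placeholder

# Ask the file system directly whether the drive letter currently exists.
function Test-Mounted { [System.IO.Directory]::Exists("${Letter}:\") }

# Refuse to run if the letter is already taken: the image would otherwise
# land, unencrypted, on whatever volume happens to own that letter.
if (Test-Mounted) { throw "Drive ${Letter}: is already in use." }

# No /p switch: VeraCrypt asks for the password in its own dialog, so it is
# neither stored in this file nor visible in the process command line.
Start-Process -FilePath $VeraCrypt -Wait `
    -ArgumentList "/v `"$Container`" /l $Letter /q"

# VeraCrypt is a GUI program, so confirm the mount by checking the drive
# instead of relying on an exit code.
if (-not (Test-Mounted)) { throw "Container was not mounted; nothing was backed up." }

try {
    $job = Start-Process -FilePath $BackupExe -ArgumentList $BackupArgs `
        -Wait -PassThru
    if ($job.ExitCode -ne 0) { throw "Backup failed, exit code $($job.ExitCode)." }
}
finally {
    # Dismount even after a failed backup so the volume does not stay open.
    Start-Process -FilePath $VeraCrypt -Wait -ArgumentList "/d $Letter /q /s"
    if (Test-Mounted) {
        Write-Warning "${Letter}: is still mounted; close open files and dismount manually."
    }
}
```

Because the password is typed at mount time, this variant suits a backup you start yourself; a fully unattended schedule needs the secret stored somewhere, which lowers the backup's protection to that of the storage location.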

     
  • Val

    Val - 2017-11-04

    Looks as much as I researched I came to a conclusion:
    1. Use a hard disk of 80 or at least 160 GB
    2. Do not back up where Windows is encrypted with three types of ciphers, since virtually all programs use AES.
    3. Best way is backup sector by sector. I use AOMEI Backupper.
    PS. I say HD 80 or 160 GB for a backup to be the fastest. For a lot of the other programs I have a 150 GB partition being all probed.

     
  • Val

    Val - 2017-11-04

    An industry-by-sector image backup with Windows using three digits does not have to use a password in that backup. Ah! Remembering at least the function in the VeraCrypt documentation, where it shows how to backup does not work.

     
  • Juergen

    Juergen - 2017-11-05

    Hi, thanks for all your replies and explanations.
    So at the moment now I switched to the solution using a VeraCrypt Container on my NAS. It's ok, but not the highest comfort. And in case of a restore I would have to do the disk encryption again.

    Is there any backup software / tool which can really make a 1:1 backup of my complete system disk, where the VeraCrypt encryption is not broken up? Or is this technically impossible?
    Maybe using a Boot CD and do this could be possible, right?

    But is there any solution which can do that 1:1 backup out of a running Windows 10 system? I think this is technically impossible, cause for "cloning" the software would need exclusive access, right?

     

    Last edit: Juergen 2017-11-05
  • Val

    Val - 2017-11-05
     
  • Juergen

    Juergen - 2017-11-05

    Thanks, but is that product really working? Also with VeraCrypt? Cause I can only read about BitLocker on their website.

    Can this make an 1:1 clone out of a running Windows 10 from itself? I thought that's technically impossible. Why should that product be able to act different?

    Or is it also required to boot in a special mode to do the backup?

     

    Last edit: Juergen 2017-11-05
    • Andreas Boehlk

      Andreas Boehlk - 2017-11-07

      Hello Juergen,
      of course it is possible to make a backup out of the running system, the solution is called shadow copy. Windows is using it starting from XP as I remember. I don't think MS stopped the support for W10. A very nice tool is drivesnapshot; give it a try.
      The appropriate solution would be to run the backup from the running W10 into an encrypted container on an external drive. I never tried a restore. What You get after restore is an unencrypted W10 with a possible problem in the boot sector, but that shouldn't be a main problem and be possible to fix. Afterwards You have to encrypt the system again.
      Regards
      Andreas

       
  • Gojo

    Gojo - 2017-11-06

    I was using Macrium Reflect to do my backups. However, I was alarmed by finding I was unable to mount a clone of my system disk that I made using Reflect. The disk was not running an OS when I was cloning, and the partitions were not mounted in Veracrypt during the process.

    Reflect is a GREAT product, but I think it only backs up partitions, plus certain other areas with information about the disk's layout. I think that it leaves very much of the unpartitioned space uncopied.

    I am concerned that I should be backing up my unpartitioned space, because I suspect Veracrypt uses unpartitioned areas to store information that the computer must read before it can decrypt the system. I have not found any documentation or discussion confirming that possibility though. Why else should my cloned system have been unmountable while the source system was mountable? DD for Windows can dump an entire disk into a file, including unpartitioned space. It isn't half as glittery and self-explanatory as Reflect though.

     
  • Juergen

    Juergen - 2017-11-06

    So isn't there any really working solution for Windows 10?
    Best practice to make an unencrypted backup into an encrypted VeraCrypt Container on my NAS?

     
  • Val

    Val - 2017-11-06

    @Juergen

    I indicated this link by other previous searches. Ah! I did not use it, because I have a license from Aomei.

     
  • Juergen

    Juergen - 2017-11-16

    Hi @all!
    I tried Windows Shadow copy now.
    And I also tried Casper Secure Drive Backup.

    Both did not help, cause both do store the data un-encrypted into the backup.

    So isn't there any solution which can do a full backup during Windows running and KEEP the Veracrypt encryption in the backup active? So after a restore it is not possible to boot without the password or access any data without the password?
    Who said, that Casper would be able to do that?? It won't. I tested it a lot now.

    What's about that "Aomei"? Is that product able to do that?

     
  • Gary Marks

    Gary Marks - 2017-11-17

    I've been doing secure backups for years now, backing up PGP and TrueCrypt and VeraCrypt partitions, using either Acronis or my latest fav Macrium Reflect. Here's the way it works when I use "intelligent sector copy" (Macrium's phrase). Macrium Reflect (running in Windows 10) backs up only the used sectors which are first decrypted by VeraCrypt. So the backup software receives the same decrypted data you would see, and therefore can compress the data to make a significantly smaller backup file. Macrium (or Acronis) can also re-encrypt the data using its own internal encryption so you don't have to store your backups on an encrypted partition or container. Macrium does place one extra demand on you, though. In order to use full 256-bit encryption, you must have a password at least 32 characters long. With shorter passwords, you'll have to settle for either 192 or 128-bit encryption on the backup file.

    In my opinion, this is the best backup scheme for me, and probably most users. Macrium Reflect and Acronis both work well with VeraCrypt (although my experience with Acronis is now out-of-date). When you start your backup under Windows, "shadow copy" (or its equivalent) freezes the backup state so you can keep working, although your subsequent work will not be included in the backup. The backup file can be a compressed version of only the used space on your partition, so it may be quite small compared to your partition size depending on the compressibility of your data and program files, and you can also exclude the swap and hibernation files from backups (not possible with sector-by-sector backups). And of course, the backup file can be fully secure based on the encryption supplied by the backup program. Finally, both Acronis and Macrium allow you to mount one of their backup files to a drive letter and access all the individual files in your backup (after supplying the backup password).

    If you want to restore to disk from one of these encrypted backups, the data will be unencrypted when first restored, and one of your first orders of business should be to re-encrypt the system after booting and returning to normalcy. If you restore to a disk that has a VeraCrypt boot sector (or if you restore the boot sector from the backup file, which is the default with Macrium) you can just press ESC every time you boot to skip the password screen. Entering the VeraCrypt password when the system is not encrypted will result in boot failure, only scary if you don't understand why.

    (I'm trying to cut back on my use of parentheses, but I just can't help myself)

     
  • Andreas Boehlk

    Andreas Boehlk - 2017-11-23

    Hello Gary,

    In my opinion the encryption done by Macrium is a security problem. By using VC Your data is encrypted by an open source program that is trusted, because the code is known and the implementation is verified. The processes executed by Macrium are unknown. So the only way to keep Your achieved security level is to save the backup file onto a VC volume.

    Andreas

     
  • shsh

    shsh - 2018-11-28

    "A backup of a running encrypted Windows system is unencrypted.", alright, I get this, but the question is, does it boot after restoring? If so, the only thing left to do is encrypting it again? Strikes me as easy.

     
