If I have a fully encrypted tower PC, and on my carpet is just an external drive holding an encrypted container, is it still secure if I use my tower to (without bringing the container back onto my tower) look inside that container and to drop new files into it? Could ordinary external drives be saving to e.g. their cache the viewed or saved files? (which would expose them)
Asking because the site mentioned something about having to do image backups, or something specific, to be secure.
Because I love being able to check that my backed up files are still there by comparing them, including dropping in new files from last month. Versus creating a new container each time, which takes time, and if I ever had to retrieve lost files would make it time consuming to look through many containers or know which file version can be deleted and replaced with the new version. Also, it takes less space and time versus creating a whole new disk image.
Hope someone can help me, thanks for this community!
By default in Windows these days, external drives are set not to cache data being written to them. If you are backing up your files to an encrypted container file, or an encrypted partition, on an external drive, you are probably not compromising the security of that data because of caching.
This 'no caching' policy is known as 'Quick removal'. You can check the situation of an individual external drive by connecting it to your PC, and launching Disk Management (run > diskmgmt.msc). Find your drive and right click its entry on the left hand side, i.e. where it's just identified as a Disk, then left click 'Properties'. Left click the 'Policies' tab, and check what it says (or change it!).
But what about reading? Or simply my external drive's encrypted files aren't decrypted until on my tower PC?
One source says:
"Hard drives include a cache area for storing frequently accessed data, but this memory only affects reading processes."
Also, are files dropped from my tower PC into my external drive's container going to be encrypted? Or must the container be on same drive?
Last edit: Brian Winfield 2022-08-01
Hi Brian,
Please read the documentation's Introduction that explains how VeraCrypt works when reading/writing data.
https://www.veracrypt.fr/en/Introduction.html
All hard drives have onboard cache whether they are internal or external hard drives.
So for reading from my attached drive container, I think the encrypted files come off it and go into my tower and only then there and in RAM are they decrypted, which is safe then. Right?
As for writing from my tower (drive#1) to the attached drive (drive#2), is it correct that, even IF (which I think they are) it is decrypted and re-encrypted with drive#2's password, this still has to happen on my tower in the main system's RAM (to encrypt or decrypt them)? So no actual files leave my tower? In this case, I should be able to check that drive#2's container files need a decryption on my laptop (drive#3). ?
Last edit: Brian Winfield 2022-08-02
Correct to both.
I don't understand your last two questions.
Ok let me improve that paragraph since the paragraph kind of was all one question. The 2nd paragraph asks it in a different way, you could skip the first paragraph if want:
As for writing from my full system encrypted tower (drive#1) to the attached external drive's (drive#2) on my carpet (its VeraCrypt container), is it correct that, even IF (which I think they are) it is decrypted and re-encrypted with drive#2's password, this still has to happen on my tower in the main system's RAM (to encrypt or decrypt them)? So no actual files leave my tower when I drop them into the container on my external drive (drive#2)? In this case, I should be able to check that drive#2's container files need a decryption on my laptop (drive#3). ?
Or in other words my question is: I think when I drag and drop files from my full system encrypted tower PC into a container on my external drive on the carpet, the files first are decrypted in my tower's RAM, then in my tower's RAM they are encrypted with the external drive's container's passcode, then they are sent to the external drive as encrypted blocks. I'm imagining this can't happen on the external drive since it has no RAM and isn't the main drive of my tower's Windows 7 system. Hence, no un-encrypted files ever go through the cord / cable to my external drive on my carpet?
Last edit: Brian Winfield 2022-08-02
To clarify, VeraCrypt is using the encryption keys and not the passwords to perform the RAM on-the-fly encryption/decryption. The password, PIM and/or keyfiles are used only at mount to unlock the header key in order to extract the encryption key for the VeraCrypt volumes.
https://www.veracrypt.fr/en/Header%20Key%20Derivation.html
So when you copy and paste from tower to the external drive, two different encryption keys are used and performed by the computer. The tower system encryption key is to decrypt in memory the file being copied and the external's encryption key to encrypt in memory during the copy to your external drive.
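As an added illustration of the two-key copy described above (example code written for this thread, not VeraCrypt's own implementation): the password only unlocks an encrypted header that holds the master key, two master keys are used in RAM during the copy, and only ciphertext reaches the external drive. The HMAC counter keystream stands in for AES-XTS and the volume layout is a constructed simplification; the PBKDF2 iteration count follows VeraCrypt's documented non-system formula.

```python
import hashlib, hmac, os

def header_key(password: bytes, salt: bytes, pim: int) -> bytes:
    # Header key from password + PIM (VeraCrypt's documented non-system formula:
    # 15000 + PIM*1000 PBKDF2 iterations). Used only to unlock the header, never for data.
    return hashlib.pbkdf2_hmac("sha512", password, salt, 15000 + pim * 1000, 32)

def sector_cipher(key: bytes, sector_no: int, data: bytes) -> bytes:
    # Toy stand-in for AES-XTS (an assumption for this example, not VeraCrypt's cipher):
    # HMAC-SHA256 counter keystream tweaked by sector number, XORed over the data.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, sector_no.to_bytes(8, "little") + (i // 32).to_bytes(4, "little"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

class Volume:
    """Constructed model of a volume: encrypted header (holding the master key) plus data sectors."""
    def __init__(self, password: bytes, pim: int):
        self.salt = os.urandom(64)                        # VeraCrypt headers carry a 64-byte salt
        master_key = os.urandom(32)                       # the key that actually encrypts data
        self.enc_header = sector_cipher(header_key(password, self.salt, pim), 0, master_key)
        self.sectors = {}                                 # what is physically stored on the drive
    def mount(self, password: bytes, pim: int) -> bytes:
        # Unlock the header: the only place the password is used. The result lives in RAM only.
        return sector_cipher(header_key(password, self.salt, pim), 0, self.enc_header)
    def write(self, master_key: bytes, sector_no: int, plaintext: bytes) -> bytes:
        self.sectors[sector_no] = sector_cipher(master_key, sector_no, plaintext)
        return self.sectors[sector_no]                    # the bytes that cross the cable
    def read(self, master_key: bytes, sector_no: int) -> bytes:
        return sector_cipher(master_key, sector_no, self.sectors[sector_no])

def copy_sector(src, src_key, dst, dst_key, sector_no: int):
    # The copy as the thread describes it: decrypt under the tower's key in RAM,
    # re-encrypt under the external container's key in RAM, send ciphertext to the drive.
    plaintext = src.read(src_key, sector_no)
    on_wire = dst.write(dst_key, sector_no, plaintext)
    return plaintext, on_wire

def demo():
    tower = Volume(b"tower-password", pim=1)              # constructed sample volumes
    external = Volume(b"external-password", pim=3)
    tower_key = tower.mount(b"tower-password", 1)
    ext_key = external.mount(b"external-password", 3)
    tower.write(tower_key, 7, b"monthly backup report".ljust(64, b"\0"))
    plaintext, on_wire = copy_sector(tower, tower_key, external, ext_key, 7)
    return plaintext, on_wire, external.read(ext_key, 7)
```

Running demo() shows the plaintext is recoverable from the external volume only with its own master key, while the bytes written to that volume contain no plaintext.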
But is my 2nd paragraph correct that no un-encrypted files ever pass through the cord / cable when dropping files from my tower into a container stationed on the external drive?
Per my answer above yes.
Ok thanks for walking me through this, it is much clearer now / answers my question. Thanks.