The best approaches may not involve encryption at all.
I talk about encryption a lot. I talk about backing up even more.
Encryption is a critical component of keeping data safe and secure and out of the hands of those who shouldn’t see it.
Backing up, of course, is our safety net for when things go wrong. A recent backup can save you from almost anything.
Unfortunately, I’d wager most people are backing up their encrypted data improperly. The result is that they’re not as protected as they think they are.
Become a Patron of Ask Leo! and go ad-free!
Backing Up Encrypted Data
The most common approach to backing up encrypted data is to back it up in its encrypted form. This adds risk because passwords can be lost and some encryption formats are less resilient to damage. Instead, back up the data in unencrypted form and then store that backup in some other secure way — perhaps physically, perhaps using a different encryption mechanism — to protect it.
The common approach
Let’s assume you have some encrypted data. That could be any of:
- A password-protected Word document.
- A password-protected .zip file.
- A VeraCrypt volume.
- A collection of files encrypted by BoxCryptor or Cryptomator.
- A file encrypted using PGP or GPG public key encryption.
- A system protected with whole-disk encryption.
With the exception of the last item, the common approach is to back up the encrypted file. If “improtantdocuments.zip” is encrypted, then it’s “improtantdocuments.zip” you would back up.
It’s good you’ve backed up. That’s much better than not backing up at all, of course.
But you’re still at risk from threats unencrypted data wouldn’t face.
Encryption can fail
Encryption can “break” in a couple of ways.
The most common way is losing the password to the encrypted data.
For example, perhaps you can’t recall the password to an encrypted “.zip” file you created a decade ago. Without the password, the data in the encrypted file is lost — just as lost as if you simply deleted it on the day you created it.
Less common are disk- and file-damage-related problems: the very problems backups protect us from. If the disk on which your .zip file is stored develops a bad sector anywhere within the file, it’s possible the entire file will be unrecoverable. While some encryption algorithms might be more resilient, not all are. Sometimes a tiny error in the wrong place can cause massive data loss if the files are encrypted.
Unencrypted files don’t suffer from these issues. You’ll never forget a password when there isn’t one to forget. Any file damage will be restricted to the single (or few) file within which a disk error resides.
Therein lies our solution.
Back up unencrypted
Back up the data in its unencrypted form.
- Save a copy of the Word document without a password.
- Save a copy of the .zip file without a password, or save the unencrypted contents of the zip file separately.
- Copy the files out of a VeraCrypt volume separately.
- Save unencrypted copies of your files and then encrypt them with BoxCryptor or Cryptomator.
- Save an unencrypted copy of your file and then encrypt it using PGP or GPG public key encryption.
In short: decrypt the data, then back it up.
Whole-disk encryption is somewhat easier. Most backup tools back up the unencrypted contents of the disk. Cloning and imaging backup approaches may backup the encrypted partition or ask you if it should. Make sure to understand how your backup tool works and select the options that back up the data unencrypted.
Of course, that means your backup contains unencrypted sensitive data, so you don’t want to leave it laying around unprotected. That requires one more step.
Secure your backups some other way.
The most common is to secure them physically, placing backup drives into locked drawers or safes or otherwise restricting physical access.
Another approach is to encrypt those backups using a different technique. For example, most image backup programs allow you to assign a password to the backups they create.
As an example, I take care to export my LastPass database in unencrypted form (a plain-text .CSV file) and then encrypt the backup copies using zip encryption. I also back up all the files I store encrypted in Dropbox (using Boxcryptor) by collecting them into a password-protected encrypted zip file.
By storing formerly encrypted files in their unencrypted form, we mitigate the possibility of encryption-related damage. Even if we choose to encrypt those files using a different technique, we’ve greatly reduced the risk of loss. It’s significantly less likely that I would lose both my LastPass master password and my private key simultaneously, for example.
Back up, yes, but make sure you understand the ramifications and potential additional risks of backing up encrypted data.
It may not be an issue for you, and that’s great, but think about it now before it turns out that it has become one.
Something else to think about: Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Download (right-click, Save-As) (Duration: 9:35 — 13.2MB)
5 comments on “How to Back Up Encrypted Data”
Amazing that this article should come out now. A couple of weeks ago, I discovered all of my BoxCryptor files were corrupted. It wasn’t a password issue as I could open the virtual drive, except somehow all of the files were invalid. I was able to restore the files by copying the encrypted files from a backup to their folder in the OneDrive folder where I usually keep them. Problem solved. But since recovery wasn’t easy as it took a while to find a usable backup, I copied all of my encrypted files in unencrypted form to each of my removable drives. I figured that my financial data is safe enough at home and I really only needed them to be encrypted in the cloud.
“I figured that my financial data is safe enough at home and I really only needed them to be encrypted in the cloud.” – Aye. I suspect that a similar number of folk have lost access to their data because it was encrypted as have had their data compromised because it wasn’t encrypted. ‘Can you help me access my encrypted data?’ is one of the most frequent questions data recovery companies get – and, of course, the answer is most always no.
Passwords get forgotten all the time which, obviously, is why most products provide some sort of reset mechanism – except, that is, for encryption products. If you forget your encryption password, your data is gone for good.
Probably the best advice for the average person is to only encrypt data that, because of its sensitivity and/or location, really needs to be encrypted and to have a clear path to recovery.
Inheritance should be considered too as it’s very likely that you’ll want your spouse or some other person to be able to access your data in the event of you popping your clogs.
When I read the article’s headline, I though, “Ut Oh… I’m backing up my encrypted files in an unencrypted manner. That’s probably what I’m doing wrong.” Then I read the article. Turns out I’m doing it right, and I didn’t even realize it. :-)
I have whole-disk encryption on my desktop (Windows 10 Pro, BitLocker) and my laptop (MacOS, FileVault). I use a .sparsebundle folder on my desktop machine as an Apple TimeMachine to back up my laptop, through my home network, to the desktop. (Let me know if you want info on how I did that — it was a pretty cool hack, but too long to go into in this reply.) I have a cloud-based backup service (cheap — $55 per year!) that automatically sends individual files, unencrypted, from my desktop to its servers where the files are then encrypted using the password I use to log in to that cloud backup service. About once a month (more often if I’ve been busy), I copy the unencrypted files from my desktop machine to an external USB hard-drive, that is itself then encrypted with a different key than what encrypts the desktop hard-drives. I have access to all my encryption recovery-keys stored on the desktop, in the cloud-backup, and on the laptop, so I can access them from almost anywhere, but they’re not somewhere that isn’t password protected.
So, without even realizing it, I’ve been doing it right — copying unencrypted files, and then encrypting them in a different manner than what’s done on the original machine. Glad to know I’m not as dumb as I look. ;-)
I’d be wary of storing any sensitive unencrypted files on the cloud. I keep my financial information encrypted on OneDrive. I have my unencrypted version in a non-cloud folder on my computer, which is backed up by Macrium Reflect, and additionally backed up on USB hard drive.
So in the same article, you both lay out the risks involved in encrypting files for backup, and you make the recommendation to encrypt files for backup, although with a different password or method in case you’d outright forget your password (or lose your private key).
It seems to me you didn’t really offer any solutions to the serious issue you outlined up front: that encrypted backups are more vulnerable in case of corruption. Instead, you sort of morphed your article into addressing “what happens if I forget the password to my backup?”
Specifically, that morphing occurred by “When encryption goes bad”. I wouldn’t characterizing forgetting your password or losing your private key as “encryption going bad.” That’s the deal you make up front: the data I hereby encrypt is now iron-clad, with the caveat that I don’t lose the key.
Encryption actually going bad is when, as you explained, one corrupted sector takes the whole entire file with it. That’s what I want to read about. If I’m considering encrypting my backups, that’s what I need to understand thoroughly so I can best decide if how and when to encrypt my backups. Don’t then talk to me about forgetting my passwords, please.