The best approaches may not involve encryption at all.
I talk about encryption a lot. I talk about backing up even more.
Encryption is a critical component of keeping data safe and secure and out of the hands of those who shouldn’t see it.
Backing up, of course, is our safety net for when things go wrong. A recent backup can save you from almost anything.
Unfortunately, I’d wager most people are backing up their encrypted data improperly. The result is that they’re not as protected as they think they are.
Backing Up Encrypted Data
The most common approach to backing up encrypted data is to back it up in its encrypted form. This adds risk because passwords can be lost and some encryption formats are less resilient to damage. Instead, back up the data in unencrypted form and then store that backup in some other secure way — perhaps physically, perhaps using a different encryption mechanism — to protect it.
The common approach
Let’s assume you have some encrypted data. That could be any of:
- A password-protected Word document.
- A password-protected .zip file.
- A VeraCrypt volume.
- A collection of files encrypted by BoxCryptor or Cryptomator.
- A file encrypted using PGP or GPG public key encryption.
- A system protected with whole-disk encryption.
With the exception of the last item, the common approach is to back up the encrypted file. If “importantdocuments.zip” is encrypted, then it’s “importantdocuments.zip” you would back up.
It’s good you’ve backed up. That’s much better than not backing up at all, of course.
But you’re still at risk from threats unencrypted data wouldn’t face.
Encryption can fail
Encryption can “break” in a couple of ways.
The most common way is losing the password to the encrypted data.
For example, perhaps you can’t recall the password to an encrypted “.zip” file you created a decade ago. Without the password, the data in the encrypted file is lost — just as lost as if you simply deleted it on the day you created it.
Less common are disk- and file-damage-related problems: the very problems backups protect us from. If the disk on which your .zip file is stored develops a bad sector anywhere within the file, it’s possible the entire file will be unrecoverable. While some encryption algorithms might be more resilient, not all are. Sometimes a tiny error in the wrong place can cause massive data loss if the files are encrypted.
Unencrypted files don’t suffer from these issues. You’ll never forget a password when there isn’t one to forget. Any file damage will be restricted to the single file (or few files) within which a disk error resides.
Therein lies our solution.
Back up unencrypted
Back up the data in its unencrypted form.
- Save a copy of the Word document without a password.
- Save a copy of the .zip file without a password, or save the unencrypted contents of the zip file separately.
- Copy the files out of a VeraCrypt volume separately.
- Save unencrypted copies of your files and then encrypt them with BoxCryptor or Cryptomator.
- Save an unencrypted copy of your file and then encrypt it using PGP or GPG public key encryption.
In short: decrypt the data, then back it up.
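One way to carry out that decrypt-then-back-up step so that damage stays localized to single files, as an added example that is not the article’s own method or any tool it recommends: copy the already-decrypted files individually and keep a SHA-256 manifest beside them, so a bad sector shows up as one damaged file instead of an unreadable archive. `backup_plain`, `verify_backup` and `demo` are hypothetical names, and the sample files are constructed.

```python
# Added example, not from the Ask Leo! article. It assumes `src` already holds
# the *decrypted* files (e.g. copied out of a VeraCrypt volume or a CSV export).
import hashlib
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.sha256"

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def backup_plain(src: Path, dest: Path) -> dict:
    """Copy each file under src to dest unencrypted, one file per file,
    and write a digest manifest so later damage can be pinpointed."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for f in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = f.relative_to(src).as_posix()
        (dest / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, dest / rel)
        manifest[rel] = sha256_of(dest / rel)
    (dest / MANIFEST).write_text("".join(f"{d}  {n}\n" for n, d in manifest.items()))
    return manifest

def verify_backup(dest: Path) -> dict:
    """Map each manifest entry to 'ok', 'damaged' or 'missing'. Because files
    are stored individually, a bad sector damages only the file it lands in,
    and this check names that file rather than losing a whole archive."""
    status = {}
    for line in (dest / MANIFEST).read_text().splitlines():
        digest, name = line.split("  ", 1)
        p = dest / name
        status[name] = ("missing" if not p.exists()
                        else "ok" if sha256_of(p) == digest else "damaged")
    return status

def demo() -> dict:
    """Constructed sample: back up two decrypted files, then corrupt one byte."""
    root = Path(tempfile.mkdtemp())
    src, dest = root / "decrypted", root / "backup"
    (src / "docs").mkdir(parents=True)
    (src / "notes.txt").write_bytes(b"plain-text notes")
    (src / "docs" / "report.txt").write_bytes(b"quarterly report")
    backup_plain(src, dest)
    hit = dest / "notes.txt"
    data = bytearray(hit.read_bytes())
    data[0] ^= 0xFF  # simulate a single corrupted byte on disk
    hit.write_bytes(bytes(data))
    return verify_backup(dest)
```

Securing the resulting backup folder (a locked drawer, or a second, different encryption mechanism) is the separate step the article describes next.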
Whole-disk encryption is somewhat easier. Most backup tools back up the unencrypted contents of the disk. Cloning and imaging tools may back up the encrypted partition as-is, or ask you whether they should. Make sure you understand how your backup tool works, and select the options that back up the data unencrypted.
Of course, that means your backup contains unencrypted sensitive data, so you don’t want to leave it lying around unprotected. That requires one more step.
Secure your backups some other way.
The most common is to secure them physically, placing backup drives into locked drawers or safes or otherwise restricting physical access.
Another approach is to encrypt those backups using a different technique. For example, most image backup programs allow you to assign a password to the backups they create.
As an example, I take care to export my LastPass database in unencrypted form (a plain-text .CSV file) and then encrypt the backup copies using zip encryption. I also back up all the files I store encrypted in Dropbox (using Boxcryptor) by collecting them into a password-protected encrypted zip file.
By storing formerly encrypted files in their unencrypted form, we mitigate the possibility of encryption-related damage. Even if we choose to encrypt those files using a different technique, we’ve greatly reduced the risk of loss. It’s significantly less likely that I would lose both my LastPass master password and my private key simultaneously, for example.
Back up, yes, but make sure you understand the ramifications and potential additional risks of backing up encrypted data.
It may not be an issue for you, and that’s great, but think about it now before it turns out that it has become one.