Making sure you can access it later.
As with so many things: it depends.
Different backup programs work in different ways, particularly when it comes to encrypted disks.
And even then, what actually happens may not reflect what probably should happen.
There are two ways to backup an encrypted hard disk. The most common and recommended approach is to back up the files on the disk in their unencrypted form and then secure the backup some other way. The alternative is a sector-by-sector backup of the drive in its encrypted form, which would require both a complete restore and a separate encryption key in order to recover its contents. Above all: back up.
There are many approaches to encrypting files. Whole-disk encryption bypasses it all by ignoring files completely and encrypting everything at the next level down when the data is written to disk.
Whole-disk encryption encrypts more than files; it encrypts information about the files, including the information allowing the operating system to locate the files on the disk.
Disks encrypted using whole-disk encryption are “mounted” — using the encryption password or key — which lets the disk’s unencrypted contents be accessed normally. Without the encryption password or key, you can’t access the drive’s contents, period. If it’s your system drive, you can’t even boot Windows until the correct password or key is supplied.
This leads to an interesting dilemma when it comes to backing up.
Backing up an encrypted disk
There are two ways to “see” a hard disk:
- Mounted: a password or key has been supplied, and the contents of the disk are accessible.
- Not mounted: The disk contents are just a collection of sectors, each containing encrypted data. Without the decryption key, the data appear to be random.
That leads to two ways, conceptually, to back it up:
- Content-aware: this means the backup program can see all files on the disk and can back up using that information. Most backup programs work this way: they locate and back up only the files currently stored on the disk.
- Sector-by-sector: when a backup program cannot understand the contents of a disk, it has no way to locate individual files or folders and no way to understand what’s on the disk. The only thing it can back up is each physical sector on that disk because it might contain data.
If your system drive is encrypted, there are two scenarios for backing up:
- Inside Windows: If you install a backup program in Windows and run it from within Windows, it works because you’ve mounted the system drive and supplied the password. The system drive is completely accessible, not only to Windows but to all the programs you run, including your backup program. It should be able to perform a content-aware backup just as if the system drive were not encrypted.
- Outside Windows: If you instead boot from a backup program’s recovery disk to perform a backup (an option in many backup programs), then you’ll not have mounted your Windows system disk, and its contents will not be accessible to the backup program. The only option the backup program has is to back up sector-by-sector.
Unfortunately, things still aren’t quite so simple.
Backup program confusion
For reasons unknown, not all backup programs work as I’ve described.
Some will fail to back up an encrypted drive or partition, even though the partition is mounted and accessible.
Some backup programs state you must decrypt the drive (remove BitLocker, for example) to back it up, after which you can re-encrypt it. Not only does that take significantly more time, but it also can’t be automated and, quite honestly, doesn’t make much sense to me.
I think it’s important that you be able to back up from within Windows.
Is the backup encrypted?
A sector-by-sector backup is, by definition, encrypted using whatever whole-disk encryption technology is being used. I say “by definition” because the very reason a backup program might resort to a sector-by-sector backup is that it can’t understand the encrypted data.
Backups taken from within Windows while the disk is mounted and accessible are typically not encrypted. The fact the disk is mounted and accessible means the backup program neither knows nor cares that encryption was used at all. It simply does what it does, which is to back up what it sees: the hard disk’s unencrypted original contents.
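As an added example (mine, not code from the Ask Leo! article), here is a quick entropy check a practitioner can run on a backup image to confirm whether it really is encrypted, since an in-Windows backup of a mounted disk typically is not. The block count, block size, threshold and the two sample "images" are constructed assumptions.

```python
import math
import random
from collections import Counter

# Sampling parameters (assumptions for this example): a few 8 KiB blocks spread across
# the image are enough to tell plaintext from ciphertext without reading the whole file.
SAMPLE_BLOCKS = 8
BLOCK_SIZE = 8192
ENCRYPTED_THRESHOLD = 7.9   # bits per byte; ciphertext scores ~7.95-8.0 on 8 KiB blocks


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 is the ceiling reached by ciphertext or random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sample_entropy(blob: bytes, blocks: int = SAMPLE_BLOCKS, block_size: int = BLOCK_SIZE) -> list:
    """Entropy of `blocks` evenly spaced blocks across `blob` (the whole blob if it is small)."""
    if len(blob) <= block_size:
        return [shannon_entropy(blob)]
    step = max(1, (len(blob) - block_size) // max(1, blocks - 1))
    return [shannon_entropy(blob[i * step:i * step + block_size]) for i in range(blocks)]


def classify_backup(blob: bytes) -> str:
    """'plaintext' if any sampled block is clearly structured, otherwise 'high-entropy'.

    High entropy means encrypted OR merely compressed, so only 'plaintext' is conclusive:
    it is what a content-aware backup stored without a password looks like.
    """
    entropies = sample_entropy(blob)
    if min(entropies) < ENCRYPTED_THRESHOLD:
        return "plaintext"
    return "high-entropy"


# Constructed stand-ins: a text-heavy image and a ciphertext-like image (random bytes).
PLAINTEXT_IMAGE = b"Quarterly report: revenue, expenses, headcount, notes.\n" * 400
CIPHERTEXT_IMAGE = random.Random(2024).randbytes(64 * 1024)

if __name__ == "__main__":
    for name, blob in (("plaintext", PLAINTEXT_IMAGE), ("ciphertext", CIPHERTEXT_IMAGE)):
        print(name, classify_backup(blob), [round(e, 2) for e in sample_entropy(blob)])
```

A low score is conclusive (the image holds readable data), but a score near 8 bits is not, because a compressed backup image looks much like an encrypted one; confirm a "high-entropy" result against the backup program's own encryption setting.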
If it’s important to you that such a backup be encrypted, you need to take additional steps. That means either of two things:
- Choose a password or encryption option within the backup program, assuming it has one.
- Encrypt the resulting backup file(s) yourself, using some encryption tool; for example, you might create a password-protected zip file containing the backup after it’s completed or place the backup in a VeraCrypt-encrypted volume.
Whole-disk encryption is a fine thing [1], and I use BitLocker on my Windows laptop, as well as Apple’s equivalent on my Macs.
I recommend you:
- Back up using a program that uses “content-aware” backups. In other words, if you install it and run it within Windows with your encrypted disk mounted and accessible, and it complains, that’s not the program I’d use. It should just work as if the disk were not encrypted at all. [2]
- Remember this backup will not be encrypted.
- Save the backup securely somehow. That could mean encrypting it, as described above. It could also mean that you’ve structured your backups to be secure somehow — perhaps backing up over a network at home to a device you trust is secure enough for your needs. (This is what I do.)
But above all, do back up.
Footnotes & References
1: Yes, this does represent a change in my position from days long past. The caveat to using whole disk encryption and BitLocker safely is to a) back up, as we’re discussing here, and b) safely and securely save the encryption key created when the disk is originally encrypted.
2: My two recommended backup programs — Macrium Reflect and EaseUS Todo — both work properly.