Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How Should I Back Up an Encrypted Disk?

Make sure you can access it later.

Data Vault

Backing up an encrypted hard drive shouldn't be difficult, but it's important to understand what you'll get.
The Best of Ask Leo!
I encrypt my hard disk with BitLocker. My backup program tells me it can only perform a “sector by sector” backup, whatever that is. So, when I back up, is the backup encrypted or not? If not, how should I back up securely?

As with so many things, it depends.

Different backup programs work in different ways, particularly when it comes to encrypted disks.

And even then, what actually happens may not reflect what probably should happen.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

Backing up an encrypted disk

There are two ways to back up an encrypted hard disk. The most common and recommended approach is to back up the files on the disk in their unencrypted form, and then secure the backup some other way. The alternative is a sector-by-sector backup of the drive in its encrypted form, which would require both a complete restore and a separate encryption key in order to recover its contents. Above all: back up.

Whole-disk encryption

Whole-disk encryption (of the type performed by Bitlocker and other software) encrypts everything on your hard disk. (More correctly, it encrypts everything in a partition.)

There are many approaches to encrypting files. Whole-disk encryption bypasses it all by ignoring files completely and encrypting everything at the next level down, when the data is written to disk.

Whole-disk encryption encrypts more than files; it encrypts information about the files, including the information allowing the operating system to locate the files on the disk.

To access the disk’s encrypted contents, disks encrypted using whole-disk encryption are “mounted” using the encryption password or key. Without the encryption password or key, you can’t access the drive’s contents, period. If it’s your system drive, you can’t even boot Windows until the correct password or key is supplied.

This leads to an interesting dilemma when it comes to backing up.

Backing up an encrypted disk

There are two ways to “see” an encrypted hard disk:

  • Mounted: a password or key has been supplied, and the contents of the disk are accessible.
  • Not mounted: the disk contents are just a collection of sectors, each containing encrypted data. Without the decryption key, the data appear to be random.

That leads to two ways to back it up.

  • Content-aware: this means the backup program can see all files on the disk and can back up using that information. Most backup programs work: they locate and back up only the files currently stored on the disk.
  • Sector-by-sector: when a backup program cannot understand the contents of a disk, it has no way to locate individual files or folders and no way to understand what’s on the disk. The only thing it can back up is each physical sector on that disk because it might contain data.

If your system drive is encrypted, there are two scenarios for backing up.

  • Inside Windows: if you install a backup program in Windows and run it from within Windows, it works because you’ve mounted the system drive and supplied the password. The system drive is completely accessible, not only to Windows but to all the programs you run, including your backup program. It should be able to perform a content-aware backup just as if the system drive were not encrypted.
  • Outside Windows: if you instead boot from a backup program’s recovery disk to perform a backup (an option in many backup programs), then you’ll not have mounted your Windows system disk, and its contents will not be accessible to the backup program. The only option the backup program has is to back up sector-by-sector.

Unfortunately, things still aren’t quite so simple.

Backup program confusion

For reasons unknown, not all backup programs work as I’ve described.

Some fail to backup an encrypted drive or partition even though the partition is mounted and accessible.

Some backup programs state you must decrypt the drive (remove BitLocker, for example) to back it up, after which you can re-encrypt it. Not only does that take significantly more time, but it also can’t be automated and, quite honestly, doesn’t make much sense to me.

I think it’s important that you be able to back up from within Windows.

Is the backup encrypted?

A sector-by-sector backup is, by definition, encrypted using whatever whole-disk encryption technology is being used. I say “by definition” because the very reason a backup program might resort to a sector-by-sector backup is that it can’t understand the encrypted data.

Backups taken from within Windows while the disk is mounted and accessible are typically not encrypted. The fact the disk is mounted and accessible means the backup program neither knows nor cares that encryption was used at all. It simply does what it does, which is to back up what it sees: the hard disk’s unencrypted original contents.

If it’s important to you that such a backup be encrypted, you need to take additional steps. That means either of two things:

  1. Choose a password or encryption option within the backup program, assuming it has one.
  2. Encrypt the resulting backup file(s) yourself, using some encryption tool; for example, you might create a password-protected zip file containing the backup after it’s completed, or place the backup in a VeraCrypt-encrypted volume.

My recommendation

Whole-disk encryption is a fine thing,1 and I use BitLocker on my Windows laptop and Apple’s equivalent on my Macs.

I recommend you:

  • Back up using a program that uses “content-aware” backups. In other words, if you install and run it within Windows with your encrypted disk mounted and accessible and it complains, that’s not the program I’d use. It should just work as if the disk were not encrypted at all.2
  • Remember this backup will not be encrypted.
  • Save the backup securely somehow. That could mean encrypting it, as described above. It could also mean that you’ve structured your backups to be secure somehow — perhaps backing up over a network at home to a device you trust is secure enough for your needs.

But above all, do back up.

Do this:

Subscribe to Confident Computing! More confidence & less frustration -- solutions, answers, & tips -- in your inbox every week.

I'll see you there!

Podcast audio

Play

Footnotes & References

1: Yes, this does represent a change in my position from days long past. The caveat to using whole-disk encryption and BitLocker safely is to a) back up, as we’re discussing here, and b) safely and securely save the encryption key created when the disk is originally encrypted.

2: My two recommended backup programs — Macrium Reflect and EaseUS Todo — both work properly.

25 comments on “How Should I Back Up an Encrypted Disk?”

  1. If I Encrypt a Disk and put it in safe place and my computer is destroyed and I get a new one. How will the new computer recognize the encrypted file?

    Reply
    • If you install the program which encrypted the file on your new computer, it should be able decrypt the file with the same password or encryption key file.

      Reply
      • Quick question. OS is a bit locker drive. If I use the built in system image backup to a external drive is the windows image backup encrypted?
        Or is it decrypted because the os drive is unlocked during the backup?
        I’m manually moving the backup to a veracrypt folder and then deleting the backup. How can I make sure the deleted backup is written over? Thanks!

        Reply
    • IMO, home users should think carefully about whether or not encryption is right for them. I say this because encryption can be a risky business and it’s extremely easy for less experienced users to permanently and irrevocably lose access to their data. In fact, I know far more people who’ve lost access to their encrypted data than people who’ve had their unencrypted data compromised.

      Sure, if you run a business and store other peoples’ personal or financial information, then encryption is a must – in fact, depending on the nature of your business, it may well be a legal requirement. However, if that’s not the case, then you should carefully consider the pros and cons. Is it riskier to encrypt your data or to keep it unencrypted?

      Reply
  2. I use Macrium Reflect and it has no problem backing up the decrypted (mounted) system drive contents from within Windows, and (if you set it up in the advanced options for the backup job) it saves that data to an image file that is itself encrypted with 256 bit AES. Simple, and MUCH smaller and more reliable than a sector-by-sector backup, as long as you do it from within Windows instead of from a rescue disk.

    To restore a backup you simply boot from a Macrium rescue disk, locate the image file and enter the password you set up for the backup job, and the image is decrypted and restored to your hard disk. Occasionally at this point I’ve had to use Bootrec.exe to repair the boot sector, because it’s looking for encryption that is no longer there. But not usually, and once you re-enable your full disk encryption everything is back to normal.

    This process should work with any good image backup software, but Macrium Reflect, free or paid, has never let me or any of my clients down, even once, using BitLocker, VeraCrypt or its predecessor, TrueCrypt. (And no, I do not work for Macrium or have any other business or affiliate relationship with them.)

    Reply
    • I used Macrium Reflect to make a backup of my decrypted (mounted) system drive. When I restore and boot the harddrive, Veracrypt still requests me to enter the password. If I enter the password, Veracrypt confirms it and shows a message that no bootable partition was found. Would Bootrec.exe help with this issue? Thank you for your help.

      Reply
    • Did you use it with Veracrypt on a M.2 drive? I used to have no problems making a non-encrypted image from an encrypted SATA drive with Windows 10, but ran into trouble when I tried to do it with a M.2. It’s been over a year since I attempted it, so I don’t remember which programs I tried. Thanks.

      Reply
  3. Somebody not completely familiar with the system of encrypting and of backing up may misinterpret your statements: He/she may think that encrypted data (e.g. folders and files encrypted by Truecrypt and condensed in a single file which also appear as random data) should not be backed up but should be decrypted first.. This would be a misinterpretation. Such encrypted files may be part of a bitlocker encrypted partition/computer. In reality that is an encryption within an encryption. When the outer encryption (the bitlocker one) is decrypted (“mounted” by supplying the password etc) such a file is also “mounted” but still encrypted at the next level”. It can be backed up without first decrypting it – hopefully by any backup program and not only be using Macrium Reflect.

    Reply
  4. i use paragon hard disk suite 2015.
    runs within windows, on my bitlocker drive.
    creates an IMAGE of the drive, as UNencrypted.
    I then move that to a TRUEcrypt drive (now VERAcrypt) so that the UNencrypted IMAGE is stored on an ENCRYPTED drive.
    if I NEED that backup, I copy that image back to an UNencrypted external hard drive, and restore, in event of emergency.
    I do this because there is financial and business data on main machine.
    I have tested the restore process, and it works; I’ve intentionally just installed another hard drive to test the sequence out.

    it is NOT that difficult to do. In this era of ransomware, wikileaks revelations of emails of political parties, etc, if you want your data backed up and secure, it behooves you to learn the methods available, etc.
    but the tools are out there to do this securely.

    Reply
    • I do this as well. I also encrypt the small external HD (160 GB drive from laptop in an enclosure), then unencrypt it when I need to use it. I have the image on another encrypted drive as a backup. I tweak the heck out of Windows 10 and really loathe installing. It takes days to get everything back right.

      Reply
  5. All the above work well for cloning (well, except Acronis, which I’ve found to be incredibly buggy and produces often nonbootable clones) with the understanding that if you’re cloning an encrypted drive, the resulting cloned disc is unencrypted.  For ALL of the above software. If you want to truly clone an encrypted drive and have the clone be encrypted also (either Bitlocker or Symantec’s PGP), the only software I’ve found that will do that is Casper Secure Disc. I’ve tested it in Win10 with Bitlocker, it does clone an encrypted disc and produces an encrypted result. However, it’s also 129 buckaroos, so using AOMEI Backupper free version and then encrypting the cloned disc after cloning is a definitely more cost effective option.

    Reply
  6. Ok, I use a laptop with Bitlocker encryption. I also subscribe to Carbonite which indicates is backing up my files successfully. Should I assume this is the case, and in the event of damage/loss to my laptop, I will be able to recover my backed up Carbonite files to a new laptop. I do have the Bitlocker key safely tucked away in hardcopy and on a USB.
    Thank you.

    Reply
  7. What solution would you suggest for a daily sector-by-sector backup over the network of a bitlocker encrypted partition (~10MB) ?

    Reply
  8. Thanks for all the tips and leads. I used Macrium Reflect Free Edition to backup a Win 10 machine with Bitlocker. It worked fine and seemed like it made a backup.
    Question: Is there a bootable disc option from Macrium, or does it only work from within a OS? If so, to restore, do I need to have a working Windows 10 to perform a recovery?
    The only bootable disc option to backup bitlocker encrypted drives seems to be Casper Secure Disc, which is $129. Is that true assessment that there is only 1 choice if I need a bootable disc option?
    Thanks all for all the wisdom on this thread.

    Reply
    • Macrium Reflect includes the option to create a bootable rescue disk. Since the contents of the backup are NOT encrypted, you can view/use that on any machine.

      Reply
  9. Been using PGP whole disk encryption for eons, now PGP Symantec Desktop and I am using Casper Secure Backup for backups and restore.
    Backups the entire encrypted disk in encrypted format and you can restore it encrypted or unencrypted.
    The fact, that it can restore in encrypted format is huge benefit, since I do not have to encrypt the disk again.
    I think I have been using Casper Secure Backup for over 10 years now and never ever had a single issue with it.
    And as a disclaimer – I do not have any association with the company, developing/marketing Casper Secure Backup.
    But have fresh memory how much I straggled prior to come across this software, managing the backups of the encrypted drive in the laptop, which contains customer data and it is mostly with me, in the truck or the job site.
    Strongly recommend this software, although it is a bit pricey at 130 USD.

    Reply
  10. Unless we are talking specifically about a computer that is vulnerable to theft, a whole disk encryption may be fun, but it not necessary for the average user. I don’t see the need to encrypt the OS, the installed software, or data that does not need privacy protection.

    I rely on Dropbox for online backup and synchronization among my computers. It contains all of my data. If any data I have is not on Dropbox, it is for some special purpose which is meaningful only to me and need not be backed up by Dropbox. If a thief gets hold of one of my laptops, it is possible that he can delete my data, which would also delete it from the online copy. To avoid this, I create a partition big enough to contain all of what I have and likely to have on Dropbox. Then I create a folder on this partition, and move the Dropbox folder to this new location. After making sure that it works, I use an encryption program to encrypt the entire new partition that now has only Dropbox data on it. This is all done under Windows, and nothing on the system drive needs to be changed. In usage I can mount the partition using the password, and all of my data is there. Within that I can still have encrypted data for sensitive material, so anything backed up on Dropbox online is not exposed. The rest of the data such as photos, reading, and such need not be encrypted. Daily incremental backups will be done by Macrium Reflect while the partition is mounted. When I finish work or play, I dismount the partition. I can leave the computer on, and my data is not vulnerable even to a thief. This avoids having to deal with lengthy encryption and backup processes and the possibility of losing the entire drive with the OS and all installed software. There is no issue with wanting to encrypt an entire drive directly or by sectors or encrypting backups.

    Reply
    • Since you perform regular system backups with daily incrementals, you already have a backup of your your Dropbox files backed up. You can also copy them encrypted to your external drive for an additional backup. I mention this because on most laptops, space on the hard drive is at a premium and I’d want to keep as much free as possible.
      When you say move your Dropbox file to the new partition, do you mean copy them? Otherwise if you move them, you would be removing them from the Dropbox servers.

      Reply
      • I used the Dropbox option to move the Dropbox folder to a new place in the dedicated partition. It is not a copy, it is the folder from which Dropbox does the synchronization with the online servers and the other computers that share my account. That also frees up space on the system drive. My backup procedures to do automated incrementals need not change other than including the new partition that now contains all of my Dropbox data. As for the space, here is an example. I have an ancient laptop that began with Windows 7. I upgraded it to Windows 10, installed 8GB RAM, and replaced the miniscule 250G original drive with a 1TB drive. It is now almost as good as my desktop computer, so space is not an issue.

        Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.