
How to Best Back Up Your Encrypted Data

I talk about encryption a lot. I talk about backing up even more.

Encryption is a critical component of keeping data safe and secure and out of the hands of those who shouldn’t see it.

Backing up, of course, is our safety net for when things go wrong. A recent backup can save you from almost anything.

Unfortunately, I’d wager that most people are backing up their encrypted data improperly. The result is that they’re not as protected by that backup as they might think they are.


The common approach

Let’s assume you have some encrypted data. Specifically, that could be any of the following:

  • A password-protected Word document.
  • A “.zip” file with a password.
  • A VeraCrypt/TrueCrypt volume.
  • A collection of files encrypted by BoxCryptor or Cryptomator.
  • A file encrypted using PGP or GPG public key encryption.
  • A system protected with whole-disk encryption.

Naturally, that only skims the surface. There are many ways to encrypt data. For the purposes of this discussion, any of them will do.

The common approach is to back up the encrypted file. If “importantdocuments.zip” has a password and is encrypted, then it’s “importantdocuments.zip” you’re most likely to back up.

It’s good you’ve backed up; don’t get me wrong. That’s much better than not backing up at all, of course.

But you’re still at risk from threats your unencrypted data doesn’t face.

When encryption goes bad

There are a couple of ways that encryption can “break”.

The most common is that you lose the password to the encrypted data. Perhaps you need the contents of an encrypted “.zip” file you created a decade ago, and have no clue as to its password. Without it, the data in that file is lost — as lost as if you simply deleted it on the day you created it. (This applies to public key encryption in cases where the private key is lost as well.)

Less common, and less expected, are disk- and file-damage-related problems — the very problems we think of using backups to protect ourselves from. For example, if the disk on which your backup “.zip” file is stored develops a bad sector anywhere within the file, it’s possible the entire file will be unrecoverable. While some encryption algorithms are resilient to localized errors to minimize the damage done in cases like this, that’s not true for all. Sometimes a tiny error in the wrong place can cause massive data loss if the files are encrypted.

Unencrypted files don’t suffer from these issues. You’ll never forget a password when there isn’t one, and any file damage will be restricted to the single (or few) files within which a disk error happens to reside.
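To make the "blast radius" of a single disk error concrete, here is an added example (not code from the article). It builds a small ZIP archive of three constructed text files, flips one bit inside the second member, and checks which members still extract: only the damaged member fails its CRC check. It then models an encrypted container the way authenticated-encryption formats behave, as an opaque blob protected by a single integrity tag over all of its bytes, and applies the same one-bit flip; the whole container is rejected. The integrity tag is an HMAC stand-in for the container's own check, and the file names, contents and key are constructed for the demo.

```python
"""Blast radius of one corrupted byte: per-file archive vs. one sealed container.

Added example, not from the article. Everything below (file names, contents,
the key) is constructed for the demonstration.
"""
import hashlib
import hmac
import io
import zipfile

# Constructed sample "documents" standing in for a user's files.
FILES = {
    "notes.txt": b"Meeting notes, nothing sensitive here.\n",
    "taxes.txt": b"Tax return 2023: total income 12345, refund 678.\n",
    "photo.txt": b"Not really a photo, just filler bytes for the demo.\n",
}

TAG_LEN = 32  # SHA-256 HMAC tag


def build_plain_zip(files):
    """Return the bytes of an uncompressed ZIP holding `files`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def flip_bit_in_member(archive, member_data):
    """Flip one bit inside `member_data` where it sits in `archive`.

    Members are stored uncompressed, so the member's bytes appear verbatim
    and can be located with a plain search. The flip plays the role of a
    bad sector landing inside that one file.
    """
    pos = archive.find(member_data)
    assert pos >= 0, "member not found in archive"
    damaged = bytearray(archive)
    damaged[pos + 5] ^= 0x01
    return bytes(damaged)


def extract_survivors(archive):
    """Try to read every member; return {name: 'ok' | 'corrupt'}."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            try:
                zf.read(name)  # raises BadZipFile on a CRC-32 mismatch
                result[name] = "ok"
            except zipfile.BadZipFile:
                result[name] = "corrupt"
    return result


def seal_container(key, blob):
    """Model of an authenticated container: one tag covers every byte."""
    tag = hmac.new(key, blob, hashlib.sha256).digest()
    return tag + blob


def open_container(key, sealed):
    """Return the contents, or None if any byte anywhere no longer verifies."""
    tag, blob = sealed[:TAG_LEN], sealed[TAG_LEN:]
    expected = hmac.new(key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return blob


def demo():
    """Same one-bit error applied to both layouts; returns (per-file status, container)."""
    plain = build_plain_zip(FILES)
    per_file = extract_survivors(flip_bit_in_member(plain, FILES["taxes.txt"]))

    key = b"constructed-demo-key"
    sealed = seal_container(key, plain)
    container = open_container(key, flip_bit_in_member(sealed, FILES["taxes.txt"]))
    return per_file, container


if __name__ == "__main__":
    status, container = demo()
    print("plain archive after damage:", status)
    print("sealed container after damage:", "rejected" if container is None else "ok")
```

Run it and the plain archive reports `taxes.txt` as corrupt with the other two members intact, while the sealed container returns nothing at all. Real containers that authenticate their contents (most modern encrypted archive and volume formats) fail the same way by design, because refusing to decrypt tampered data is exactly the property you want from them; that property is what turns a one-sector fault into total loss when the only copy you hold is the encrypted one.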

Therein lies our solution.

The better approach

Back up the data while it is unencrypted.

Expand the zip file, copy files out of the VeraCrypt volume, back up the contents of the mounted BoxCryptor volume — you get the idea. Decrypt the data, then back it up.

Depending on the scenario, this doesn’t have to be hard. In the case of VeraCrypt and BoxCryptor-like tools, simply back up the contents of their mounted drives. In fact, if you’re using whole-disk encryption, your backups will probably be unencrypted by default, because the backup program reads files through the mounted, already-decrypted disk.

Of course, that means your backup now has secure data that is unencrypted. That requires one more step.

Secure differently

Now secure those backups some other way. The most common is to secure them physically — placing backup drives into locked drawers or safes or otherwise restricting physical access.

Another approach is to encrypt those backups using a different technique. For example, most image backup programs allow you to assign a password to the backups they create.

As an example, I take care to export my LastPass database in an unencrypted form, and then encrypt those backup copies using public key encryption. I do the same for the files I keep encrypted in OneDrive using Cryptomator: I collect them into a zip file in unencrypted form and encrypt that zip file using public key encryption.

By storing formerly encrypted files in their unencrypted form, we mitigate the possibility of encryption-related damage. Even if we choose to encrypt those files using a different technique, we’ve greatly reduced the risk of permanent damage by distributing the risk. It’s significantly less likely that I would lose both my LastPass master password and my private key simultaneously, for example.
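The following is an added example (not the article's code) that walks through the whole recommendation end to end: read the files as they appear on the mounted, decrypted volume, archive them in plain form, record a per-file manifest of SHA-256 hashes so a restore can report exactly which files are intact instead of failing as a whole, and then protect the archive with a second secret that has nothing to do with the volume's own password. The wrapping step uses a toy keystream (SHA-256 in counter mode) plus an HMAC so that the example runs with the standard library alone; it is a stand-in for handing the archive to gpg or to a backup program's password option, not a cipher to use for real data. The directory layout, file contents and keys are all constructed for the demo.

```python
"""Back up the plaintext, then protect the backup with an independent secret.

Added example, not the article's code. The cipher below is a toy stand-in
for gpg or a backup program's built-in encryption; file names, contents and
keys are constructed for the demonstration.
"""
import hashlib
import hmac
import io
import os
import tarfile
import tempfile

TAG_LEN = 32    # SHA-256 HMAC tag
NONCE_LEN = 16  # fresh per backup so the toy keystream is never reused


def snapshot_plaintext(mount_dir):
    """Archive the files as they appear on the mounted (decrypted) volume.

    Returns (tar.gz bytes, manifest) where manifest maps relative path ->
    SHA-256 of the plaintext, so a restore can tell per file what survived.
    """
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for root, _, names in os.walk(mount_dir):
            for name in sorted(names):
                path = os.path.join(root, name)
                rel = os.path.relpath(path, mount_dir)
                with open(path, "rb") as fh:
                    manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
                tar.add(path, arcname=rel)
    return buf.getvalue(), manifest


def _keystream(key, nonce, length):
    """Toy keystream: SHA-256 in counter mode. Illustrative only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(backup_key):
    # Separate confidentiality and integrity keys, both derived from the
    # backup secret, which is independent of the volume's own password.
    return (hashlib.sha256(b"enc|" + backup_key).digest(),
            hashlib.sha256(b"mac|" + backup_key).digest())


def wrap_backup(backup_key, archive, nonce=None):
    """Protect the plaintext archive with the second, independent secret."""
    enc_key, mac_key = _subkeys(backup_key)
    nonce = nonce or os.urandom(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(archive, _keystream(enc_key, nonce, len(archive))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return tag + nonce + body


def unwrap_backup(backup_key, sealed):
    """Return the archive, or None if the key is wrong or the data was altered."""
    enc_key, mac_key = _subkeys(backup_key)
    tag = sealed[:TAG_LEN]
    nonce = sealed[TAG_LEN:TAG_LEN + NONCE_LEN]
    body = sealed[TAG_LEN + NONCE_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


def restore_status(backup_key, sealed, manifest):
    """Unwrap and check each file against the manifest: {path: 'ok'|'mismatch'|'missing'}."""
    archive = unwrap_backup(backup_key, sealed)
    if archive is None:
        return None
    status = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for rel, expected in manifest.items():
            try:
                data = tar.extractfile(rel).read()
            except KeyError:
                status[rel] = "missing"
                continue
            status[rel] = "ok" if hashlib.sha256(data).hexdigest() == expected else "mismatch"
    return status


def demo():
    """Constructed run: fake mounted volume -> plaintext snapshot -> wrapped backup -> restore."""
    with tempfile.TemporaryDirectory() as mount:
        os.makedirs(os.path.join(mount, "finance"))
        with open(os.path.join(mount, "finance", "taxes.txt"), "wb") as fh:
            fh.write(b"constructed tax data\n")
        with open(os.path.join(mount, "notes.txt"), "wb") as fh:
            fh.write(b"constructed notes\n")
        archive, manifest = snapshot_plaintext(mount)
    backup_key = b"constructed-backup-secret"  # unrelated to the volume password
    sealed = wrap_backup(backup_key, archive)
    return restore_status(backup_key, sealed, manifest), restore_status(b"wrong-secret", sealed, manifest)


if __name__ == "__main__":
    with_key, without_key = demo()
    print("restore with the backup secret:", with_key)
    print("restore with the wrong secret:", without_key)
```

Two things in this flow carry the article's point. The snapshot never touches the volume's password, so losing that password later does not affect the backup, and the backup's own secret is a separate thing to keep safe (a key file in a drawer, a public-key pair, a backup program's password). The manifest is the reason to archive the plaintext rather than the container: when something does go wrong, the restore reports which files are fine and which are not, instead of the all-or-nothing answer an opaque container gives.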

Back up, yes, but make sure you understand the ramifications and potential additional risks of backing up encrypted data. It may not be an issue for you, and that’s great, but think about it now before it turns out that it has become one.


4 comments on “How to Best Back Up Your Encrypted Data”

  1. Amazing that this article should come out now. A couple of weeks ago, I discovered all of my BoxCryptor files were corrupted. It wasn’t a password issue as I could open the virtual drive, except somehow all of the files were invalid. I was able to restore the files by copying the encrypted files from a backup to their folder in the OneDrive folder where I usually keep them. Problem solved. But since recovery wasn’t easy as it took a while to find a usable backup, I copied all of my encrypted files in unencrypted form to each of my removable drives. I figured that my financial data is safe enough at home and I really only needed them to be encrypted in the cloud.

    Reply
  2. “I figured that my financial data is safe enough at home and I really only needed them to be encrypted in the cloud.” – Aye. I suspect that a similar number of folk have lost access to their data because it was encrypted as have had their data compromised because it wasn’t encrypted. ‘Can you help me access my encrypted data?’ is one of the most frequent questions data recovery companies get – and, of course, the answer is most always no.

    Passwords get forgotten all the time which, obviously, is why most products provide some sort of reset mechanism – except, that is, for encryption products. If you forget your encryption password, your data is gone for good.

    Probably the best advice for the average person is to only encrypt data that, because of its sensitivity and/or location, really needs to be encrypted and to have a clear path to recovery.

    Inheritance should be considered too as it’s very likely that you’ll want your spouse or some other person to be able to access your data in the event of you popping your clogs.

    Reply
  3. When I read the article’s headline, I thought, “Ut Oh… I’m backing up my encrypted files in an unencrypted manner. That’s probably what I’m doing wrong.” Then I read the article. Turns out I’m doing it right, and I didn’t even realize it. 🙂

    I have whole-disk encryption on my desktop (Windows 10 Pro, BitLocker) and my laptop (MacOS, FileVault). I use a .sparsebundle folder on my desktop machine as an Apple TimeMachine to back up my laptop, through my home network, to the desktop. (Let me know if you want info on how I did that — it was a pretty cool hack, but too long to go into in this reply.) I have a cloud-based backup service (cheap — $55 per year!) that automatically sends individual files, unencrypted, from my desktop to its servers where the files are then encrypted using the password I use to log in to that cloud backup service. About once a month (more often if I’ve been busy), I copy the unencrypted files from my desktop machine to an external USB hard-drive, that is itself then encrypted with a different key than what encrypts the desktop hard-drives. I have access to all my encryption recovery-keys stored on the desktop, in the cloud-backup, and on the laptop, so I can access them from almost anywhere, but they’re not somewhere that isn’t password protected.

    So, without even realizing it, I’ve been doing it right — copying unencrypted files, and then encrypting them in a different manner than what’s done on the original machine. Glad to know I’m not as dumb as I look. 😉

    Reply
    • I’d be wary of storing any sensitive unencrypted files on the cloud. I keep my financial information encrypted on OneDrive. I have my unencrypted version in a non-cloud folder on my computer, which is backed up by Macrium Reflect, and additionally backed up on a USB flash drive.

      Reply
