I talk about encryption a lot. I talk about backing up even more.
Encryption is a critical component of keeping data safe and secure and out of the hands of those who shouldn’t see it.
Backing up, of course, is our safety net for when things go wrong. A recent backup can save you from almost anything.
Unfortunately, I’d wager that most people are backing up their encrypted data improperly. The result is that they’re not as protected by that backup as they might think they are.
Become a Patron of Ask Leo! and go ad-free!
The common approach
Let’s assume you have some encrypted data. Specifically, that could be any of the following:
Naturally, that only skims the surface. There are many ways to encrypt data. For the purposes of this discussion, any of them will do.
The common approach is to back up the encrypted file. If “improtantdocuments.zip” has a password and is encrypted, then it’s “improtantdocuments.zip” you’re most likely to back up.
It’s good you’ve backed up; don’t get me wrong. That’s much better than not backing up at all, of course.
But you’re still at risk from threats your unencrypted data doesn’t face.
When encryption goes bad
There are a couple of ways that encryption can “break”.
The most common is that you lose the password to the encrypted data. Perhaps you need the contents of an encrypted “.zip” file you created a decade ago, and have no clue as to its password. Without it, the data in that file is lost — as lost as if you simply deleted it on the day you created it. (This applies to public key encryption in cases where the private key is lost as well.)
Less common, and less expected, are disk- and file-damage-related problems — the very problems we think of using backups to protect ourselves from. For example, if the disk on which your backup “.zip” file is stored develops a bad sector anywhere within the file, it’s possible the entire file will be unrecoverable. While some encryption algorithms are resilient to localized errors to minimize the damage done in cases like this, that’s not true for all. Sometimes a tiny error in the wrong place can cause massive data loss if the files are encrypted.
Unencrypted files don’t suffer from these issues. You’ll never forget a password when there isn’t one, and any file damage will be restricted to the single (or few) files within which a disk error happens to reside.
Therein lies our solution.
The better approach
Back up the data while it is unencrypted.
Expand the zip file, copy files out of the VeraCrypt volume, back up the contents of the mounted BoxCryptor volume — you get the idea. Decrypt the data, then back it up.
Depending on the scenario, this doesn’t have to be hard. In the case of VeraCrypt and BoxCryptor-like tools, simply back up the contents of their mounted drives. In fact, if you’re using whole-disk encryption, your backups will probably be unencrypted by default.
Of course, that means your backup now has secure data that is unencrypted. That requires one more step.
Now secure those backups some other way. The most common is to secure them physically — placing backup drives into locked drawers or safes or otherwise restricting physical access.
Another approach is to encrypt those backups using a different technique. For example, most image backup programs allow you to assign a password to the backups they create.
As an example, I take care to export my LastPass database in an unencrypted form, and then encrypt those backup copies using public key encryption. I also back up all the files I store encrypted in OneDrive, using Cryptomator to collect them into a zip file in unencrypted form and encrypting that using public key encryption.
By storing formerly encrypted files in their unencrypted form, we mitigate the possibility of encryption-related damage. Even if we choose to encrypt those files using a different technique, we’ve greatly reduced the risk of permanent damage by distributing the risk. It’s significantly less likely that I would lose both my LastPass master password and my private key simultaneously, for example.
Back up, yes, but make sure you understand the ramifications and potential additional risks of backing up encrypted data. It may not be an issue for you, and that’s great, but think about it now before it turns out that it has become one.
Subscribe to Confident Computing! More confidence & less frustration -- solutions, answers, & tips -- in your inbox every week.
I'll see you there!