
How Should I Back Up an Encrypted Hard Disk?

I encrypt my hard disk with BitLocker. My backup program tells me it can only perform a “sector by sector” backup, whatever that is. So, when I back up, is the backup encrypted or not? If not, how should I back up securely?

As with so many things, the answer is: it depends.

Different backup programs work in different ways, particularly when it comes to encrypted disks.

And even then, what actually happens may not reflect what probably should happen.


Whole-disk encryption

As the name implies, whole-disk encryption (of the type performed by BitLocker and similar software) encrypts everything on your hard disk. More correctly, it encrypts everything in a partition (a “volume”, in BitLocker’s terms): each encrypted volume is unlocked separately.

Traditionally, when we think about encryption, we’re worried about our files. There are many different approaches to encrypting individual files or groups of files. Whole-disk encryption bypasses all this by ignoring files completely, and encrypting everything at the next level down, where the data is actually written to disk.

What’s important to realize is that whole-disk encryption encrypts more than files; it encrypts information about the files, including the file system information that allows the operating system to locate where files are on the disk.

Since the operating system needs that information in order to work, disks encrypted this way are “mounted” (BitLocker calls it “unlocked”) – using the encryption password or key – which allows the unencrypted contents of the disk to be accessed normally. Without the encryption password or key, you can’t access the drive’s contents, period. If that’s your system drive, you can’t even boot Windows until the correct password or key is supplied. (On a machine with a TPM, BitLocker normally supplies the key itself during boot, so you never see a prompt; the drive is still encrypted, and the recovery key is what unlocks it when the TPM can’t, for example after the disk has been moved to a different computer.)

This leads to an interesting dilemma when it comes to backing up.

Backing up an encrypted disk

There are two ways to “see” a hard disk:

  • Mounted: a password or key has been supplied, and the contents of the disk are accessible.
  • Not mounted: the contents of the disk are just a collection of sectors, each containing encrypted data. Without the decryption key, they appear to be random data.

That leads to two ways, conceptually, to back it up:

  • Content-aware: the backup program can see the file system on the disk, and backs up using that information. This is how most backup programs (including image backups) work: rather than copying every sector, they copy only the space the file system reports as in use, so free space is skipped and the backup is smaller than the partition.
  • Sector-by-sector: when a backup program is unable to understand the contents of a disk, it has no way to locate individual files or folders, and no way to understand what’s on the disk. The only thing it can back up is each physical sector on that disk, because it might contain data.

If your system drive is encrypted, there are two general scenarios for backing up:

  • Inside Windows: If you install a backup program in Windows, and run that program from within Windows, it works because you’ve mounted the system drive and supplied the password. The system drive is completely accessible, not only to Windows itself, but all the programs you run in Windows, presumably including your backup program. It should be able to perform a content-aware backup just as if the system drive were not encrypted.
  • Outside Windows: If you instead boot from a backup program’s recovery disk in order to perform a backup (an option in many backup programs), then you’ll not have mounted your Windows system disk, and its contents will not be accessible to the backup program. The only option the backup program has is to back up sector-by-sector. (A recovery environment that includes BitLocker support can unlock the volume first – for example with `manage-bde -unlock` and the recovery password – after which it is readable; most backup programs’ bare boot media can’t do that.)

Unfortunately, things aren’t quite so simple.

Backup program confusion

Note my use of the words “presumably” and “should” when describing how a backup program works in Windows. For reasons unknown, not all work that way. Some fail to back up an encrypted drive or partition, even though the partition is mounted and accessible in Windows itself.

In fact, I’ve had reports of failures I can’t reproduce. For example, backing up a BitLocker-encrypted system drive in Windows 10 using EaseUS Todo works for my laptop without any change to the normal process of backing up. Others have reported that it fails, and explicitly points to BitLocker when doing so.

Some backup programs state you must decrypt the drive (remove BitLocker, for example) in order to back it up, at which point you can re-encrypt it. Not only does that take significantly more time, it can’t be automated, and, quite honestly, doesn’t make much sense to me.

As we’ll see in a moment, I think it’s important that you be able to back up from within Windows.

Is the backup encrypted?

A sector-by-sector backup taken while the volume is not mounted is, by definition, encrypted using whatever whole-disk encryption technology is in use: it is a copy of the ciphertext sectors, no more readable than the original disk. I say “by definition” because the very reason a backup program resorts to a sector-by-sector backup is that it can’t understand the encrypted data. The flip side is that restoring such a backup gives you a BitLocker volume that still has to be unlocked, so you must have the password or recovery key; if the original drive was unlocked by a TPM, a restore to different hardware will fall back to asking for the recovery key. Such a backup also copies every sector, free space included, so it is as large as the partition itself.

Backups taken from within Windows while the disk is mounted and accessible are typically not encrypted. The fact that the disk is mounted and accessible means that the backup program neither knows nor cares that encryption was used at all. It simply does what it does, which is to back up what it sees: the unencrypted original contents of the hard disk.
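If you are unsure which of the two you ended up with, you can look at the backup rather than guess. The following script is an added example (it is not from the original article, nor from any backup product) that inspects a raw sector-by-sector image, the kind a recovery-disk or `dd`-style backup produces; it does not understand proprietary backup containers such as Macrium or EaseUS image files, which have their own headers. It relies on two on-disk facts that are not stated in the article: an NTFS volume’s first sector carries the OEM ID `NTFS    ` at byte offset 3, and a BitLocker-encrypted volume replaces that with `-FVE-FS-` at the same offset, so the volume is identifiable as BitLocker even though its data sectors are ciphertext. The sample images are constructed in the script; the “ciphertext” in the BitLocker sample is random bytes standing in for real AES output.

```python
"""Tell a plaintext sector image from a BitLocker ciphertext image.

Added example for this article, not code from the page or any backup tool.
Assumptions (facts about on-disk formats, not from the article):
  * NTFS boot sector: OEM ID b"NTFS    " at offset 3.
  * BitLocker volume: OEM ID b"-FVE-FS-" at offset 3; contents are ciphertext.
Only raw images are handled, not proprietary backup-file formats.
"""
import math
import os
import sys
from collections import Counter

SECTOR = 512
NTFS_OEM = b"NTFS    "
BITLOCKER_OEM = b"-FVE-FS-"
SAMPLE_BYTES = 64 * 1024  # body sample for the entropy estimate


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 .. 8.0. Ciphertext (and compressed data)
    scores close to 8; structured plaintext scores much lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_sector0(sector: bytes) -> str:
    """Classify the volume by the OEM ID in its first sector."""
    oem = sector[3:11]
    if oem == NTFS_OEM:
        return "plaintext-ntfs"
    if oem == BITLOCKER_OEM:
        return "bitlocker-volume"
    return "unknown"


def body_entropy(image: bytes) -> float:
    """Entropy of the data following sector 0, sampled from a large window so
    the estimate is not biased low by a short sample."""
    return shannon_entropy(image[SECTOR:SECTOR + SAMPLE_BYTES])


def assess_image(image: bytes) -> dict:
    kind = classify_sector0(image[:SECTOR])
    ent = body_entropy(image)
    if kind == "plaintext-ntfs":
        verdict = "NOT encrypted: readable NTFS, as from a content-aware backup"
    elif kind == "bitlocker-volume":
        verdict = ("BitLocker ciphertext, as from a sector-by-sector backup; "
                   "the password or recovery key is needed to restore it")
    elif ent > 7.9:
        verdict = "unknown header, near-random data: probably encrypted (or compressed)"
    else:
        verdict = "unknown header, structured data: treat as NOT encrypted"
    return {"sector0": kind, "entropy": round(ent, 2), "verdict": verdict}


def assess_file(path: str) -> dict:
    with open(path, "rb") as f:
        return assess_image(f.read(SECTOR + SAMPLE_BYTES))


# --- constructed sample images (not captured from a real disk) ---------------
def _boot_sector(oem: bytes, jump: bytes) -> bytes:
    s = bytearray(SECTOR)
    s[0:3] = jump                              # x86 jump over the BPB
    s[3:11] = oem
    s[11:13] = SECTOR.to_bytes(2, "little")    # bytes per sector
    s[510:512] = b"\x55\xAA"                   # boot signature
    return bytes(s)


def make_plaintext_image(sectors: int = 256) -> bytes:
    """NTFS boot sector followed by readable, mostly-zero file data."""
    body = b"".join((b"file%d.txt contents\n" % i).ljust(SECTOR, b"\x00")
                    for i in range(sectors - 1))
    return _boot_sector(NTFS_OEM, b"\xEB\x52\x90") + body


def make_bitlocker_image(sectors: int = 256) -> bytes:
    """BitLocker header followed by random bytes standing in for AES output."""
    return _boot_sector(BITLOCKER_OEM, b"\xEB\x58\x90") + os.urandom(SECTOR * (sectors - 1))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(assess_file(sys.argv[1]))
    else:
        for name, img in (("plaintext", make_plaintext_image()),
                          ("bitlocker", make_bitlocker_image())):
            print(name, assess_image(img))
```

Run it against a raw image file (`python check_image.py backup.img`) or with no arguments to see the two constructed cases. The header check is the reliable part; the entropy fallback only says “looks random”, which is also true of compressed data, so it cannot by itself prove encryption.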

If it’s important to you that such a backup be encrypted, you need to take additional steps. That means either of two things:

  1. Choose a password or encryption option within the backup program itself, assuming it has one.
  2. Encrypt the resulting backup file(s) yourself, using some kind of encryption tool; for example, you might put the backup in a password-protected archive after it’s completed (choose AES-256 rather than the legacy “ZipCrypto” method, which is weak), or place the backup in a VeraCrypt-encrypted volume.

My recommendation

Whole-disk encryption is a fine thing1, and I use BitLocker on my Windows laptop, as well as Apple’s equivalent, FileVault, on my Macs.

I recommend that you:

  • Back up using a program that allows “content-aware” backups. In other words, if you install it and run it within Windows with your encrypted disk mounted and accessible, and it complains, that’s not the program I’d use. It should just work.
  • Remember that this backup will, itself, not be encrypted.
  • Save the backup securely somehow. That could mean encrypting it, as described above. It could also mean that you’ve structured your backups to be secure some other way – perhaps backing up your laptop over a network at home to a device you trust is sufficiently secure for your needs. (This is what I do.)

But above all, do back up.


Footnotes & references

1: Yes, this does represent a change in my position from days past. The caveat to using whole disk encryption and BitLocker safely is to a) back up, as we’re discussing here, and b) safely and securely save the encryption key created when the disk is originally encrypted.

18 comments on “How Should I Back Up an Encrypted Hard Disk?”

  1. If I Encrypt a Disk and put it in safe place and my computer is destroyed and I get a new one. How will the new computer recognize the encrypted file?

    • If you install the program which encrypted the file on your new computer, it should be able to decrypt the file with the same password or encryption key file.

    • IMO, home users should think carefully about whether or not encryption is right for them. I say this because encryption can be a risky business and it’s extremely easy for less experienced users to permanently and irrevocably lose access to their data. In fact, I know far more people who’ve lost access to their encrypted data than people who’ve had their unencrypted data compromised.

      Sure, if you run a business and store other people’s personal or financial information, then encryption is a must – in fact, depending on the nature of your business, it may well be a legal requirement. However, if that’s not the case, then you should carefully consider the pros and cons. Is it riskier to encrypt your data or to keep it unencrypted?

  2. I use Macrium Reflect and it has no problem backing up the decrypted (mounted) system drive contents from within Windows, and (if you set it up in the advanced options for the backup job) it saves that data to an image file that is itself encrypted with 256 bit AES. Simple, and MUCH smaller and more reliable than a sector-by-sector backup, as long as you do it from within Windows instead of from a rescue disk.

    To restore a backup you simply boot from a Macrium rescue disk, locate the image file and enter the password you set up for the backup job, and the image is decrypted and restored to your hard disk. Occasionally at this point I’ve had to use Bootrec.exe to repair the boot sector, because it’s looking for encryption that is no longer there. But not usually, and once you re-enable your full disk encryption everything is back to normal.

    This process should work with any good image backup software, but Macrium Reflect, free or paid, has never let me or any of my clients down, even once, using BitLocker, VeraCrypt or its predecessor, TrueCrypt. (And no, I do not work for Macrium or have any other business or affiliate relationship with them.)

    • I used Macrium Reflect to make a backup of my decrypted (mounted) system drive. When I restore and boot the hard drive, VeraCrypt still requests me to enter the password. If I enter the password, VeraCrypt confirms it and shows a message that no bootable partition was found. Would Bootrec.exe help with this issue? Thank you for your help.

    • Did you use it with VeraCrypt on an M.2 drive? I used to have no problems making a non-encrypted image from an encrypted SATA drive with Windows 10, but ran into trouble when I tried to do it with an M.2. It’s been over a year since I attempted it, so I don’t remember which programs I tried. Thanks.

  3. Somebody not completely familiar with the system of encrypting and of backing up may misinterpret your statements: he/she may think that encrypted data (e.g. folders and files encrypted by TrueCrypt and condensed in a single file, which also appear as random data) should not be backed up but should be decrypted first. This would be a misinterpretation. Such encrypted files may be part of a BitLocker-encrypted partition/computer. In reality that is an encryption within an encryption. When the outer encryption (the BitLocker one) is decrypted (“mounted” by supplying the password etc.), such a file is also “mounted” but still encrypted at the next level. It can be backed up without first decrypting it – hopefully by any backup program and not only by using Macrium Reflect.

  4. I use Paragon Hard Disk Suite 2015.
    Runs within Windows, on my BitLocker drive.
    Creates an IMAGE of the drive, as UNencrypted.
    I then move that to a TrueCrypt drive (now VeraCrypt) so that the UNencrypted IMAGE is stored on an ENCRYPTED drive.
    If I NEED that backup, I copy that image back to an UNencrypted external hard drive, and restore, in event of emergency.
    I do this because there is financial and business data on the main machine.
    I have tested the restore process, and it works; I’ve intentionally just installed another hard drive to test the sequence out.

    It is NOT that difficult to do. In this era of ransomware, WikiLeaks revelations of emails of political parties, etc., if you want your data backed up and secure, it behooves you to learn the methods available, etc.
    But the tools are out there to do this securely.

    • I do this as well. I also encrypt the small external HD (160 GB drive from laptop in an enclosure), then unencrypt it when I need to use it. I have the image on another encrypted drive as a backup. I tweak the heck out of Windows 10 and really loathe installing. It takes days to get everything back right.

  5. All the above work well for cloning (well, except Acronis, which I’ve found to be incredibly buggy and which often produces nonbootable clones) with the understanding that if you’re cloning an encrypted drive, the resulting cloned disc is unencrypted. For ALL of the above software. If you want to truly clone an encrypted drive and have the clone be encrypted also (either BitLocker or Symantec’s PGP), the only software I’ve found that will do that is Casper Secure Disc. I’ve tested it in Win10 with BitLocker; it does clone an encrypted disc and produces an encrypted result. However, it’s also 129 buckaroos, so using AOMEI Backupper free version and then encrypting the cloned disc after cloning is definitely a more cost-effective option.

  6. OK, I use a laptop with BitLocker encryption. I also subscribe to Carbonite, which indicates it is backing up my files successfully. Should I assume this is the case, and that in the event of damage/loss to my laptop, I will be able to recover my backed-up Carbonite files to a new laptop? I do have the BitLocker key safely tucked away in hardcopy and on a USB.
    Thank you.

  7. What solution would you suggest for a daily sector-by-sector backup over the network of a BitLocker-encrypted partition (~10MB)?

  8. Thanks for all the tips and leads. I used Macrium Reflect Free Edition to back up a Win 10 machine with BitLocker. It worked fine and seemed like it made a backup.
    Question: Is there a bootable disc option from Macrium, or does it only work from within an OS? If so, to restore, do I need to have a working Windows 10 to perform a recovery?
    The only bootable disc option to back up BitLocker-encrypted drives seems to be Casper Secure Disc, which is $129. Is that a true assessment, that there is only 1 choice if I need a bootable disc option?
    Thanks all for all the wisdom on this thread.

    • Macrium Reflect includes the option to create a bootable rescue disk. Since the contents of the backup are NOT encrypted, you can view/use that on any machine.

  9. Been using PGP whole disk encryption for eons, now PGP Symantec Desktop, and I am using Casper Secure Backup for backups and restore.
    Backs up the entire encrypted disk in encrypted format and you can restore it encrypted or unencrypted.
    The fact that it can restore in encrypted format is a huge benefit, since I do not have to encrypt the disk again.
    I think I have been using Casper Secure Backup for over 10 years now and never ever had a single issue with it.
    And as a disclaimer – I do not have any association with the company developing/marketing Casper Secure Backup.
    But I have fresh memory of how much I struggled prior to coming across this software, managing the backups of the encrypted drive in the laptop, which contains customer data and is mostly with me, in the truck or at the job site.
    Strongly recommend this software, although it is a bit pricey at 130 USD.
