I’m very confused about Truecrypt and how I should back it up. Do I back up
the files? The container? What if I’m using whole-drive encryption? How do I
back up the encrypted stuff? I’m very confused.
That’s actually a condensation of several questions that I get about Truecrypt and
Backing up is critical, without a doubt. But when you’re using Truecrypt to
protect sensitive data, there’s no one answer on exactly how you should be
backing up. It depends a lot on exactly how you’re backing up and a couple of
decisions that you might want to make along the way.
But first, we have to start with a clear understanding of the two ways that
Truecrypt can work and how that looks on disk.
The Truecrypt container file
The most common use of Truecrypt is to create a “container file” that holds your encrypted data. It’s just a file on your hard disk – I’ll call it “C:\data\mydata.tc” (that’s just my example – your Truecrypt container could be any name, located anywhere):
In this case, our C: drive holds a file – C:\data\mydata.tc. When it’s not mounted by Truecrypt, it’s just a file. In fact, it’s just a file whose content looks like totally random data because the “real” content is encrypted and inaccessible until Truecrypt mounts it.
If we mount the container file in Truecrypt – which involves specifying the correct password or passphrase and choosing a drive letter – the contents of the container become visible in their unencrypted form on that drive:
Now, not only does our computer have a drive C: where we’ll still find c:\data\mydata.tc and still find that it contains random data, but a new drive has appeared: drive F: (that’s simply the drive letter that I chose – you could choose any available drive letter when mounting the container). Drive F: is nothing more than a completely unencrypted view of the data contained in the Truecrypt container file.
Read data from F: and it’s unencrypted. Write data to F: and it is written to the container file C:\data\mydata.tc encrypted, but it is unencrypted every time you read it back from F:.
Unmount F: and the data is no longer visible in an unencrypted form. It’s all contained in the encrypted container c:\data\mydata.tc.
Backing up a Truecrypt container
You have two options for backing up what you’ve placed in this Truecrypt container:
Back up the container file: c:\data\mydata.tc. In fact, if you do a whole-disk backup of drive C:, that container file will be backed up along with everything else. (Some backup programs may require that the volume be unmounted in order to back it up.)
The pros to this approach are that backing up your C: drive captures the container file as part of it, and the container file remains encrypted. It still contains all of your private data, but only in encrypted form within the container.
The downside is that … the backup contains all of your private data only in encrypted form. If you subsequently need to access that data, you’ll need to recover the container and mount it using Truecrypt.
Back up the contents of the container file: F:. Simply mount your Truecrypt container and back up the contents of the drive that it appears as – drive F: in my example – and you’ll back up all of the files contained within that Truecrypt container.
The downside to this approach is that the backup is not encrypted. The files are only encrypted within the container, and by backing up out of drive F:, you are copying the unencrypted files.
The upside, of course, is that you do not need Truecrypt to access the files from the backup.
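To make the two options concrete, here is an added example (not code from the original article and not part of Truecrypt) that simulates both. The container file is a constructed stand-in of random bytes, since an unmounted container looks like random data, and the mounted drive F: is a constructed directory tree; the file names, the helper functions and the sample "secret" string are all assumptions. It backs up the container file and verifies the copy by SHA-256, backs up the mounted contents, and then checks which backup destination exposes the cleartext:

```python
"""Added example: the two backup options for a Truecrypt container, simulated.
Not from the original article or from Truecrypt. The container file is a
constructed stand-in (random bytes) and the mounted drive is a constructed
directory tree; names and helpers are assumptions for illustration."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed sample document that would live inside the mounted volume (F:).
SAMPLE_SECRET = b"account number 1234-5678 (constructed sample, not real data)"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large containers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_container(container: Path, dest_dir: Path) -> Path:
    """Option 1: copy the unmounted container file and verify the copy bit-for-bit.
    A single flipped byte in a container backup can make the volume unmountable,
    so the hash check is the part worth keeping in a real backup job."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    target = dest_dir / container.name
    shutil.copy2(container, target)
    if sha256_of(target) != sha256_of(container):
        raise RuntimeError("backup copy of container does not match source")
    return target


def backup_mounted_contents(mount_point: Path, dest_dir: Path) -> Path:
    """Option 2: copy the files as seen on the mounted drive, i.e. in cleartext."""
    return Path(shutil.copytree(mount_point, dest_dir, dirs_exist_ok=True))


def backup_contains_plaintext(dest_dir: Path, needle: bytes) -> bool:
    """Does any file under the backup destination expose a known cleartext string?"""
    return any(needle in p.read_bytes() for p in dest_dir.rglob("*") if p.is_file())


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Stand-in for C:\data\mydata.tc: an unmounted container looks like random bytes.
        container = root / "data" / "mydata.tc"
        container.parent.mkdir()
        container.write_bytes(os.urandom(64 * 1024))
        # Stand-in for drive F:, the decrypted view of the mounted container.
        mount = root / "F"
        (mount / "docs").mkdir(parents=True)
        (mount / "docs" / "notes.txt").write_bytes(SAMPLE_SECRET)

        c_backup = backup_container(container, root / "backup_container")
        f_backup = backup_mounted_contents(mount, root / "backup_contents")
        return {
            "container_hash_verified": sha256_of(c_backup) == sha256_of(container),
            "container_backup_leaks": backup_contains_plaintext(c_backup.parent, SAMPLE_SECRET),
            "contents_backup_leaks": backup_contains_plaintext(f_backup, SAMPLE_SECRET),
        }


if __name__ == "__main__":
    print(demo())
```

Run as a script it reports that the container backup verified and contains no cleartext, while the backup taken from the mounted drive does. In a real job, option 1 should also be run only while the container is unmounted, so the copy is of a consistent on-disk state.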
Which approach is right for you?
I can’t say.
If your backups themselves are encrypted or otherwise secure, then perhaps you don’t need to back up the Truecrypt volume itself and only need to back up the unencrypted files.
On the other hand, backing up the Truecrypt volume keeps your data encrypted in the backup itself; Truecrypt volumes are completely portable and can be opened on any computer running Truecrypt (with the correct password, of course).
Me? I back up my Truecrypt volume. That actually allows me to safely back it up to the cloud without worrying that anyone might ever access the files within it, because they don’t know my passphrase. If I ever need it, I simply grab it, mount it in Truecrypt, and I’m good to go.
Truecrypt whole-disk encryption
Whole-disk encryption does exactly what it says it does – it encrypts the entire hard disk:
Before the machine even boots, you must specify the passphrase to allow Truecrypt to mount the drive. Once mounted, it operates exactly like an unencrypted drive.
One important difference with whole-drive encryption is that the encrypted form of the data is not really accessible. Encryption and decryption happen transparently as data is written to and read from the hard disk, sector by sector. There’s no concept of backing up “the container.” All that you can really do is back up drive C: exactly as if it had not been encrypted at all.
Similarly, a disk image backup will produce an image of the unencrypted disk, because the sectors are decrypted as they are read from the disk.
So, what good is whole-drive encryption?
There are several critical benefits:
The machine cannot even be booted without specifying the passphrase. Unauthorized individuals cannot use the machine.
Everything is written to the disk in encrypted form including programs, documents, downloads, temporary files, caches, and paging files; there’s no guessing or worrying about leaving unencrypted traces on the hard disk.
Because everything is written to disk in encrypted form, even advanced forensic data recovery techniques cannot recover the drive’s contents without the passphrase.
Those benefits don’t apply to everyone, but to those for whom they matter, they are very important.
And totally unrelated to backing up.
Backing up a whole-disk encrypted drive
The only way to back up a disk that has been whole-disk encrypted is to back up the contents of the drive in unencrypted form. The encrypted form – the “container”, if you will – is simply not available to your backup tools when whole-drive encryption is used.
Note that all of this applies for non-system drives as well. If you have an external hard disk on which you set up whole-drive encryption, the encrypted form of the data is not accessible. The only way to back it up is to mount it with Truecrypt and then back up the unencrypted contents.
That means there’s an important implication when backing up whole-drive encrypted computers:
The backups must be secure.
Because you can only back up unencrypted data, and the data was evidently important enough to keep in encrypted form to begin with, it follows that you’d want your backups to be secure in some way. Perhaps that’s as simple as making sure that the backups themselves are encrypted or password protected, if the backup software you’re using provides for that. Perhaps it’s making sure that backups happen in a way that is physically secure and cannot be accessed by unauthorized individuals.
Perhaps it’s something else entirely.
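When the backup tool is supposed to be encrypting its output, it is worth checking that it actually did. The following added example (not from the original article) scans a backup destination and flags files whose bytes look like cleartext, using byte entropy: ciphertext sits close to 8 bits per byte, while documents and other plain data sit well below. The backup set, the 7.0 bits/byte cut-off and the function names are constructed assumptions for illustration.

```python
"""Added example (not from the article): flag backup files that look like
cleartext rather than ciphertext, by Shannon entropy of their leading bytes.
The sample backup set and the threshold are assumptions for illustration."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.0  # bits per byte; assumed cut-off for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for a uniform byte mix."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_cleartext_files(backup_dir: Path, threshold: float = ENTROPY_THRESHOLD,
                         sample: int = 1 << 16) -> list:
    """Return backup-relative paths of files whose first `sample` bytes fall
    below the threshold, i.e. files that do not look encrypted."""
    flagged = []
    for p in sorted(backup_dir.rglob("*")):
        if not p.is_file():
            continue
        with open(p, "rb") as f:
            head = f.read(sample)
        if shannon_entropy(head) < threshold:
            flagged.append(p.relative_to(backup_dir).as_posix())
    return flagged


def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed backup set: one file that looks encrypted (random bytes stand
        # in for ciphertext) and one plain document that should never be there.
        (root / "disk.img.enc").write_bytes(os.urandom(32 * 1024))
        (root / "Documents").mkdir()
        (root / "Documents" / "letter.txt").write_text("Dear customer, ..." * 200)
        return find_cleartext_files(root)


if __name__ == "__main__":
    for path in demo():
        print("looks like cleartext:", path)
```

The check is deliberately one-sided: compressed archives and images also score near 8 bits per byte, so a high score does not prove encryption, but a low score on a file that was supposed to be ciphertext is a reliable sign that the backup is not as secure as intended.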
Regardless, whole-disk encryption protects only that disk, and only from access while the computer is turned off or the passphrase has not yet been entered. Once the computer is on and the disk has been mounted by providing the passphrase, the files on it are accessible in their unencrypted form to anything running on the machine, including your backup software.