Encryptying data: a big disappointment

You may remember that we had a discussion here a month or so ago
about protecting data on a laptop, where there's a significant
possibility that someone else could get physical possession of the
computer. In such a case, your Windows login password is little
protection, because anyone can boot a live Linux CD and pull all the
files, even off NTFS volumes.

My drive is partitioned: C for Windows and applications, other
partitions for data. So I decided to use TrueCrypt to encrypt one of
my data partitions in place. That went quite well, and the auto-
mount-on-login feature went well.

But tonight I went to back up with Acronis True Image 2011, and it
didn't recognize the mounted encrypted drive even though Windows did!
(Just to be clear, my original drive S: was encrypted by TrueCrypt
and mounted as P:. Windows recognized P: just fine, but Acronis does
not.) So I can't use Acronis to back up a drive encrypted with
TrueCrypt.

I know not whether it's the fault of Acronis or TrueCrypt, but
obviously giving up backups for the sake of encryption is a devil's
bargain.

Does anyone know a way to encrypt my drives such that

* It works on Windows 7 Home Premium

* Backups can be done, both full and incremental

* There's no performance hit in everyday use

* (desirable but not absolutely essential) Decryption can be done if
necessary in Linux

I chose TrueCrypt because it met the first, third, and fourth
criteria. It was a rude shock to find it didn't meet the second.
I'm hoping someone has a good suggestion, because Googling hasn't led
me to any useful results. (It's possible I'm not using productive
search terms, of course, so suggestions on that score will also be
gratefully received.)


--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://OakRoadSystems.com
Shikata ga nai...

I asked Paragon about Truecrypt and they could not garentee that it would
work. Seems like a bit by bit image would be ok.

>You may remember that we had a discussion here a month or so ago
>about protecting data on a laptop, where there's a significant
>possibility that someone else could get physical possession of the
>computer. In such a case, your Windows login password is little
>protection, because anyone can boot a live Linux CD and pull all the
>files, even off NTFS volumes.
>
>My drive is partitioned: C for Windows and applications, other
>partitions for data. So I decided to use TrueCrypt to encrypt one of
>my data partitions in place. That went quite well, and the auto-
>mount-on-login feature went well.
>
>But tonight I went to back up with Acronis True Image 2011, and it
>didn't recognize the mounted encrypted drive even though Windows did!
>(Just to be clear, my original drive S: was encrypted by TrueCrypt
>and mounted as P:. Windows recognized P: just fine, but Acronis does
>not.) So I can't use Acronis to back up a drive encrypted with
>TrueCrypt.
>
>I know not whether it's the fault of Acronis or TrueCrypt, but
>obviously giving up backups for the sake of encryption is a devil's
>bargain.
>
>Does anyone know a way to encrypt my drives such that
>
>* It works on Windows 7 Home Premium
>
>* Backups can be done, both full and incremental
>
>* There's no performance hit in everyday use
>
>* (desirable but not absolutely essential) Decryption can be done if
>necessary in Linux
>
>I chose TrueCrypt because it met the first, third, and fourth
>criteria. It was a rude shock to find it didn't meet the second.
>I'm hoping someone has a good suggestion, because Googling hasn't led
>me to any useful results. (It's possible I'm not using productive
>search terms, of course, so suggestions on that score will also be
>gratefully received.)


KenW

I guess you could use the restore cd to undo the encryption make a
backup then encrypt it again. Which would stink !!

>You may remember that we had a discussion here a month or so ago
>about protecting data on a laptop, where there's a significant
>possibility that someone else could get physical possession of the
>computer. In such a case, your Windows login password is little
>protection, because anyone can boot a live Linux CD and pull all the
>files, even off NTFS volumes.
>
>My drive is partitioned: C for Windows and applications, other
>partitions for data. So I decided to use TrueCrypt to encrypt one of
>my data partitions in place. That went quite well, and the auto-
>mount-on-login feature went well.
>
>But tonight I went to back up with Acronis True Image 2011, and it
>didn't recognize the mounted encrypted drive even though Windows did!
>(Just to be clear, my original drive S: was encrypted by TrueCrypt
>and mounted as P:. Windows recognized P: just fine, but Acronis does
>not.) So I can't use Acronis to back up a drive encrypted with
>TrueCrypt.
>
>I know not whether it's the fault of Acronis or TrueCrypt, but
>obviously giving up backups for the sake of encryption is a devil's
>bargain.
>
>Does anyone know a way to encrypt my drives such that
>
>* It works on Windows 7 Home Premium
>
>* Backups can be done, both full and incremental
>
>* There's no performance hit in everyday use
>
>* (desirable but not absolutely essential) Decryption can be done if
>necessary in Linux
>
>I chose TrueCrypt because it met the first, third, and fourth
>criteria. It was a rude shock to find it didn't meet the second.
>I'm hoping someone has a good suggestion, because Googling hasn't led
>me to any useful results. (It's possible I'm not using productive
>search terms, of course, so suggestions on that score will also be
>gratefully received.)


KenW

Stan Brown wrote:
> You may remember that we had a discussion here a month or so ago
> about protecting data on a laptop, where there's a significant
> possibility that someone else could get physical possession of the
> computer. In such a case, your Windows login password is little
> protection, because anyone can boot a live Linux CD and pull all the
> files, even off NTFS volumes.
>
> My drive is partitioned: C for Windows and applications, other
> partitions for data. So I decided to use TrueCrypt to encrypt one of
> my data partitions in place. That went quite well, and the auto-
> mount-on-login feature went well.
>
> But tonight I went to back up with Acronis True Image 2011, and it
> didn't recognize the mounted encrypted drive even though Windows did!
> (Just to be clear, my original drive S: was encrypted by TrueCrypt
> and mounted as P:. Windows recognized P: just fine, but Acronis does
> not.) So I can't use Acronis to back up a drive encrypted with
> TrueCrypt.
>
> I know not whether it's the fault of Acronis or TrueCrypt, but
> obviously giving up backups for the sake of encryption is a devil's
> bargain.
>
> Does anyone know a way to encrypt my drives such that
>
> * It works on Windows 7 Home Premium
>
> * Backups can be done, both full and incremental
>
> * There's no performance hit in everyday use
>
> * (desirable but not absolutely essential) Decryption can be done if
> necessary in Linux
>
> I chose TrueCrypt because it met the first, third, and fourth
> criteria. It was a rude shock to find it didn't meet the second.
> I'm hoping someone has a good suggestion, because Googling hasn't led
> me to any useful results. (It's possible I'm not using productive
> search terms, of course, so suggestions on that score will also be
> gratefully received.)

This is the first link I could find.

http://ask-leo.com/can_i_or_should_i...y_backups.html

"And when it comes to backup, here's the key: I don't backup the contents
of the TrueCrypt containers - I backup the containers themselves. That
means that my backups are just as secure as the files on my computer.
It means that in order to access any of that information - even from my
backups - the correct passphrase is required."

The problem with that, has to do with the robustness of the container.
If the container design was such, that major failures couldn't happen
(lose a file or two, and not the whole contain), then backing up a
contain might make sense. Say one bad sector in the backup, ruins
the whole container. You'd be pissed.

If the container isn't robust, then decrypting and doing something
with the files themselves, makes more sense.

It's a lot like picking tape formats in the old days. If a tape
format allows "resynchronizing" with the tape, after a faulty section
of the tape, maybe only one file gets lost, and the others can be
recovered. Or, you can imagine a tape format, where just one error
in the tape, prevents access for anything after that point.

*******

If the "mounted volume" is in a sense virtual, that may prevent
the backup software from hooking into it. It could be that
Truecrypt is missing some form of VSS support. I'm not a Truecrypt
user, and haven't a clue what it supports or how.

http://answers.microsoft.com/en-us/w...b-8deceb4786db

I think you'll find a few of the backup tools, like VSS, because
it means the backup tool has to do so little work. An older backup
tool, before the VSS era, might do it the old fashioned way
(file by file). But with the proviso, that if backing up C:,
the system will have to be taken off line.

Paul

Paul wrote:

> Stan Brown wrote:
>> You may remember that we had a discussion here a month or so ago
>> about protecting data on a laptop, where there's a significant
>> possibility that someone else could get physical possession of the
>> computer. In such a case, your Windows login password is little
>> protection, because anyone can boot a live Linux CD and pull all the
>> files, even off NTFS volumes.
>>
>> My drive is partitioned: C for Windows and applications, other
>> partitions for data. So I decided to use TrueCrypt to encrypt one of
>> my data partitions in place. That went quite well, and the auto-
>> mount-on-login feature went well.
>>
>> But tonight I went to back up with Acronis True Image 2011, and it
>> didn't recognize the mounted encrypted drive even though Windows did!
>> (Just to be clear, my original drive S: was encrypted by TrueCrypt
>> and mounted as P:. Windows recognized P: just fine, but Acronis does
>> not.) So I can't use Acronis to back up a drive encrypted with
>> TrueCrypt.
>>
>> I know not whether it's the fault of Acronis or TrueCrypt, but
>> obviously giving up backups for the sake of encryption is a devil's
>> bargain.
>>
>> Does anyone know a way to encrypt my drives such that
>>
>> * It works on Windows 7 Home Premium
>>
>> * Backups can be done, both full and incremental
>>
>> * There's no performance hit in everyday use
>>
>> * (desirable but not absolutely essential) Decryption can be done if
>> necessary in Linux
>>
>> I chose TrueCrypt because it met the first, third, and fourth
>> criteria. It was a rude shock to find it didn't meet the second.
>> I'm hoping someone has a good suggestion, because Googling hasn't led
>> me to any useful results. (It's possible I'm not using productive
>> search terms, of course, so suggestions on that score will also be
>> gratefully received.)
>
> This is the first link I could find.
>
> http://ask-leo.com/can_i_or_should_i...y_backups.html
>
> "And when it comes to backup, here's the key: I don't backup the contents
> of the TrueCrypt containers - I backup the containers themselves. That
> means that my backups are just as secure as the files on my computer.
> It means that in order to access any of that information - even from my
> backups - the correct passphrase is required."
>
> The problem with that, has to do with the robustness of the container.
> If the container design was such, that major failures couldn't happen
> (lose a file or two, and not the whole contain), then backing up a
> contain might make sense. Say one bad sector in the backup, ruins
> the whole container. You'd be pissed.
>
> If the container isn't robust, then decrypting and doing something
> with the files themselves, makes more sense.
>
> It's a lot like picking tape formats in the old days. If a tape
> format allows "resynchronizing" with the tape, after a faulty section
> of the tape, maybe only one file gets lost, and the others can be
> recovered. Or, you can imagine a tape format, where just one error
> in the tape, prevents access for anything after that point.
>
> *******
>
> If the "mounted volume" is in a sense virtual, that may prevent
> the backup software from hooking into it. It could be that
> Truecrypt is missing some form of VSS support. I'm not a Truecrypt
> user, and haven't a clue what it supports or how.
>
> http://answers.microsoft.com/en-us/w...b-8deceb4786db
>
> I think you'll find a few of the backup tools, like VSS, because
> it means the backup tool has to do so little work. An older backup
> tool, before the VSS era, might do it the old fashioned way
> (file by file). But with the proviso, that if backing up C:,
> the system will have to be taken off line.
>
> Paul

Truecrypt encrypting a partition is not creating a container file.
There is the file-hosted container and partition/device-hosted volume.

The forums discuss problems with backup programs and drive encryption
schemes, like:

http://forums.truecrypt.org/search.php?mode=results

Personally I don't see the point of using drive encryption for data
partitions. You still have to load the OS from its partition to load
the TC driver to mount the encrypted partition. Well, you have to do
the same when using TC to mount a container file. The point of doing
drive encryption to protect your computer from, say, intrusion after
theft is to use drive encryption on the OS partition (and use container
files in the data partitions that TC, after the OS partition gets
mounted and usable so you can run TC, will mount).

In message <>, Stan Brown
<> writes:
>You may remember that we had a discussion here a month or so ago
>about protecting data on a laptop, where there's a significant
>possibility that someone else could get physical possession of the
>computer. In such a case, your Windows login password is little
>protection, because anyone can boot a live Linux CD and pull all the
>files, even off NTFS volumes.
[]
>Does anyone know a way to encrypt my drives such that
[]
>* Backups can be done, both full and incremental
[]
As Paul has said, many (I suspect most) encryption methods in effect
make one big file - or, call it something else - of the disc (or
partition) being encrypted. As such, incremental isn't going to be
available.
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

The scenery only changes for the lead dog.

In message <jjcani$8mm$>, VanguardLH <>
writes:
>Paul wrote:
>
>> Stan Brown wrote:
>>> You may remember that we had a discussion here a month or so ago
>>> about protecting data on a laptop, where there's a significant
>>> possibility that someone else could get physical possession of the
>>> computer. In such a case, your Windows login password is little
>>> protection, because anyone can boot a live Linux CD and pull all the
>>> files, even off NTFS volumes.
[]
>Personally I don't see the point of using drive encryption for data
>partitions. You still have to load the OS from its partition to load
>the TC driver to mount the encrypted partition. Well, you have to do
>the same when using TC to mount a container file. The point of doing
>drive encryption to protect your computer from, say, intrusion after
>theft is to use drive encryption on the OS partition (and use container
>files in the data partitions that TC, after the OS partition gets
>mounted and usable so you can run TC, will mount).

The distinction is subtle; I can't really see much practical difference
between encrypting a drive and encrypting a container file on that drive
(assuming your backup system still sees the encrypted drive as a drive,
of course).
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G.5AL-IS-P--Ch++(p)Ar@T0H+Sh0!:`)DNAf

The scenery only changes for the lead dog.

J. P. Gilliver (John) wrote:
> In message <>, Stan Brown
> <> writes:
>> You may remember that we had a discussion here a month or so ago
>> about protecting data on a laptop, where there's a significant
>> possibility that someone else could get physical possession of the
>> computer. In such a case, your Windows login password is little
>> protection, because anyone can boot a live Linux CD and pull all the
>> files, even off NTFS volumes.
> []
>> Does anyone know a way to encrypt my drives such that
> []
>> * Backups can be done, both full and incremental
> []
> As Paul has said, many (I suspect most) encryption methods in effect
> make one big file - or, call it something else - of the disc (or
> partition) being encrypted. As such, incremental isn't going to be
> available.

I'm mainly concerned with reports of people not being able to
get to their data, after using an encryption product. And I'd need
to see a web site that describes how the method works in this case,
to understand if in fact it is a recoverable format or not. The
fact that Truecrypt supports parallel encryption (multi-core
processor), suggests that damage to it, may be limited to a
chunk of data, rather than the whole thing. So that's a good sign.

I found this on the Truecrypt site, but this didn't particularly
help me.

http://www.truecrypt.org/docs/?s=how...ck-up-securely

This is the kind of topic, where you'd need to know something
of how it works, before committing to it.

I'd also only want to use this, on a power protected system
(laptop battery or desktop UPS), so there can't be damage from
the AC power going off suddenly. And I'd also want to test the
computer occasionally, to see if there are any RAM errors
or problems with computing integrity. There are even computers
(with Nvidia chipset), where there is a bug in the path that
writes data to the disk, which might be another situation
I'd want to avoid. As long as any error multiplication effect
isn't too big in the thing, it might not be so bad.

But if people are losing data, and there aren't any tools
for recovery (i.e. using the user's password), then this
is a pretty dangerous form of protection.

Paul

On Fri, 9 Mar 2012 07:36:26 +0000, "J. P. Gilliver (John)"
<> wrote:

>In message <>, Stan Brown
><> writes:
>>You may remember that we had a discussion here a month or so ago
>>about protecting data on a laptop, where there's a significant
>>possibility that someone else could get physical possession of the
>>computer. In such a case, your Windows login password is little
>>protection, because anyone can boot a live Linux CD and pull all the
>>files, even off NTFS volumes.
>[]
>>Does anyone know a way to encrypt my drives such that
>[]
>>* Backups can be done, both full and incremental
>[]
>As Paul has said, many (I suspect most) encryption methods in effect
>make one big file - or, call it something else - of the disc (or
>partition) being encrypted. As such, incremental isn't going to be
>available.

Do you have a current example of the 'one big file' approach? That
doesn't seem like it would be a common thing at all. In addition, I
don't see any reason to do it that way, and plenty of reasons not to.

--

Char Jackson

In article <>,
says...
>
> You may remember that we had a discussion here a month or so ago
> about protecting data on a laptop, where there's a significant
> possibility that someone else could get physical possession of the
> computer. In such a case, your Windows login password is little
> protection, because anyone can boot a live Linux CD and pull all the
> files, even off NTFS volumes.
>
....

Can't comment on encryption, but it's worth noting that most laptops
have the facility to create a BIOS password, which would deter anyone
not savvy enough to extract the disk and mount it on another system.

--

Phil, London