Correcting my response regarding MBR backups with FDE

Discussion in 'encryption problems' started by Palancar, Feb 1, 2016.

  1. Palancar

    Palancar Registered Member

    Oct 26, 2011
    I am starting a separate thread on this because of its HIGH importance to those using TrueCrypt or VeraCrypt with full device encryption (e.g. USB externals). I am linking a thread where I ran tests and, because I wasn't fully thorough, my conclusions are not holding up. I am always disappointed with myself when I post an outcome that proves less than fully reliable. This thread is being put up to correct that. Over the weekend I ran some /dev/zero full blow-aways of MBRs and found my backups are the only sure way to restore and specifically regain access to encrypted volumes.

    In the thread linked below the OP had fractured or destroyed his partition table, rendering him completely unable to mount his large external FDE volumes using TrueCrypt. Being somewhat knowledgeable, he was able to manually rebuild the partition table. The manner he used works but is beyond reach for most users of TrueCrypt and is labor intensive. I devised a simple way to restore the MBR using a "vanilla" software rebuild. It worked on several of my volumes and I stopped testing prematurely. It was bothering/nagging at me, so I resumed testing and went all the way to fully destroying the tables to work on restoration from that point.

    Please disregard my posts in the other thread because there ARE instances where that simple rebuild does not work. I have verified it by losing several of my volumes intentionally (/dev/zero of the whole table). I have regained complete access using manual MBR backups, which are extremely small - 512 bytes.

    We have had several threads here, and I have done tons of them over at the original TC forums, where destroyed partition tables leave you with NO access. I was always disappointed that the TC user's manual stressed volume header backups (even though many carelessly fail to make them), but never really stressed MBR/partition table backups. They are two separate items and the loss of either leaves you in the dark.

    I don't want to scare anybody, but if you ONLY have volume header backups (common sense) do NOT stop there. You should make backups of the MBR for the device because that 512-byte file contains the partition table needed to mount your volume. Restoring an MBR takes about 2 seconds. The MBR is absolutely outside of the TC or VC volume header space of the disk, and backing up a header does ZERO for backing up the partition table/MBR. You NEED both.

    Here are a couple of easy commands using dd with Linux. Windows users could quickly use a Linux live disk and use these commands too.

    sudo dd if=/dev/sdX bs=512 count=1 of=MBRbackup

    # X is changed to match your system assignment when you plug in the USB. Mine is usually sdb. You want the device MBR, so don't use a partition number, e.g. NOT sdb1; you want sdb. You can name the output file anything you want; I used MBRbackup for simplicity of example.

    That file runs in under a second and the of (output file) is sitting in the home folder of the user. Then copy it off to somewhere for safekeeping and you always have it. I recommend just creating a zip file for each encrypted device, and each zip contains two files: 1. MBR 2. volume header backup. If you are organized you could easily place a half dozen or more MBR and backup header files into one zip by changing the output file names accordingly. It comes down to how you keep them organized in your mind. If you are just starting out it's likely better to have a separate zip for each device just to minimize confusion.

    So there you have it IF you want to be ready when Windows burns you by "fixing" things that aren't broken. A zip with a VOLUME HEADER BACKUP and MBRbackup should have you humming along. A zip for each device containing both of these files is < 135 K. Yes, K not Meg.

    When disaster strikes you restore your volume header using TC/VC and then, if needed, you restore your MBR with this simple process: copy your MBRbackup file to the Linux user desktop (Windows users, remember Linux live CDs will work fine for you), open a terminal and paste this in:

    sudo dd if=MBRbackup of=/dev/sdX bs=512 count=1

    I urge you NOT to blow by this caution if you don't have MBR backups for large external drives using FDE with either TC or VC. Do you remember how long it took to encrypt 2 TB? Both of the files mentioned in this thread can be restored in under 5 minutes, and most of that time is opening software to click on buttons.

    With due respect -------------- > YOU HAVE BEEN WARNED!
    Last edited: Feb 1, 2016
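As an added example (not code from the post above), the two dd commands wrapped in POSIX shell functions, plus a check that a saved sector actually ends in the 55 AA boot signature and a comparison that tells you whether a backup still matches what is on the device. It assumes POSIX sh with dd, od, cmp and mktemp; the device and file names are parameters.

```shell
#!/bin/sh
# Added example, not code from the post: the two dd commands wrapped in
# functions, plus a check that a saved sector carries the 0x55 0xAA boot
# signature, so a zeroed table is noticed before it is trusted as a backup.
# Assumes POSIX sh with dd, od, cmp, mktemp; device and file names are parameters.

# Copy the first 512 bytes (boot code + partition table) of DEVICE to OUTFILE.
# Pass the whole device (sdb), never a partition (sdb1), as the post says.
backup_mbr() {
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null
}

# Write a saved sector back to DEVICE. conv=notrunc is a no-op on a block
# device but keeps a regular-file disk image from being truncated to 512 bytes.
restore_mbr() {
    dd if="$1" of="$2" bs=512 count=1 conv=notrunc 2>/dev/null
}

# Succeed only if bytes 510-511 of FILE (or DEVICE) are the MBR boot signature
# 55 AA. An all-zero sector, like the one left by the post's /dev/zero test,
# fails here; so does a file shorter than 512 bytes.
check_mbr() {
    sig=$(od -An -tx1 -j510 -N2 "$1" | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Succeed only if the sector saved in FILE is byte-for-byte what DEVICE holds
# now, i.e. the backup is still current for that device.
table_matches() {
    tmp=$(mktemp) || return 1
    dd if="$2" of="$tmp" bs=512 count=1 2>/dev/null
    cmp -s "$1" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run table_matches against each external drive now and then; a mismatch means the partition table changed since the backup was taken and the backup needs refreshing.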