TrueCrypt

Restoration Test
1. To make the restoration test even more extreme, I wiped out my second harddisk [D:] completely with zeroes first.
So my second harddisk was like NEW after that.

2. Then I did the restoration from my external harddisk to my second harddisk .tib-file = 69 gb.
It took 1h57m to verify and restore the .tib-file. Much faster than I thought, because I used the backup/restore times of my system partition [C:], where backup = 15 minutes and restore = 45 minutes.
Of course my data partition is very simple compared with my system partition.

3. Then I opened TrueCrypt and mounted the device volume in "D:"
This time, I used the button "Auto-Mount Devices", which requires only a password and that worked also as expected.

4. Then I opened Windows Explorer
- "Data Partition [D:]" was listed
- all folders were listed
- all files were listed in each folder
So everything worked fine.

5. Conclusion :
The backup and restore with "Acronis True Image Home" of a dismounted and encrypted data partition, created with "TrueCrypt v4.2a" WORKS FINE.

For those who are interested : keep in mind that this test was for a complete harddisk of 69,24 Gigabyte and that's why it took 2 hours for backup/restore.
The smaller the encrypted partition is, the shorter the backup/restore time will be.

I'm not happy with 2 hours of course, but I will do other tests with ATI based on the suggestions of Devinco.
I don't quit that easy, because encryption was a part of my plans and TrueCrypt seems to be one of the best for encryption and it's freeware of course.
--------------------------------------------------------------------------
Backup
Each time I do a backup of encrypted partition, I get this popup warning.

Each time I clicked the YES-button. I still have to find out what it is.
But this is not an error message, it is just a warning message.
I don't get that message with a normal partition.
--------------------------------------------------------------------------
Partition Letter
Readers might wonder why I didn't assign a letter to my partition, while I was preparing my second harddisk for encryption in "Disk Management". I had two good reasons for this.

1. If you open TrueCrypt, the upper part of the main screen gives a view of all free available partition letters.
If I would have assigned the letter "D" to my second harddisk, the letter "D" wouldn't be free anymore and
wouldn't appear on the list of TrueCrypt either and I wanted my letter "D" back in Windows Explorer.

2. MS Word allows you to assign a default folder to store documents and each folder starts with the partition letter "D". The same for MS Excel, FirstDefense-ISR, ...
I didn't want to change all these letters in each software and that's why I wanted the letter "D" back.

The funny thing is that you can use any free letter.
I choosed the letter "Z" for fun and Windows Explorer showed the letter "Z" instead of "D".
Of course when I use "Z" all my folder paths in each software need to be changed.
--------------------------------------------------------------------------
So this thread isn't finished yet.

 

Backup/Restore time and space problem
For myself, the .tib-file of 69gb isn't such a big problem, because my external harddisk (150gb) can handle it.
However, 2 hours for a DAILY backup and a seldom required restore of my data is unacceptable.

ATI provides 2 types of backups :
1. The entire disk contents or individual partition.
2. Files or folders
The first type causes the problem of time and space.
I had no other option, than using the second type : Files and folders.

So I tried "Files or Folders" for the very first time with these results :

1. The size of the .tib file was 1,844,657 KB instead of 72,636,725 KB.
The size is about the same before encryption.

2. The backup took 5 minutes instead of 120 minutes.
Important : the encrypted partition needs to be MOUNTED for this type of backup.

3. I deleted all my folders in partition [D:] for a restoration test.
The restore took 7 minutes instead of 120 minutes.

All this is acceptable, which means that all major problems are solved regarding encryption.

I have to admit, that Acronis True Image Home did a very good job again.
--------------------------------------------------------------------------
All major problems are solved indeed, but that doesn't mean I'm going to use TrueCrypt. I have to think about this.

 

Three issues that are still bothering me :

Issue #1
There is no visible indication that files or encrypted or not encrypted.
The winXPproSP2 encryption shows at least a green file name, when a file or folder is encrypted.
This is not a very important issue, I can live with that.

Issue #2
If I mount my data partition [D:] all my files are not encrypted anymore.
Frankly, I didn't expect this, because I thought it would work like this :

1. After mounting, my files are still encrypted.
2. If I open an encrypted file, the file will be decrypted automatically in memory.
3. If I close the decrypted file, the file is encrypted again automatically.
This issue is rather disappointing.

Issue #3
The password to mount an encrypted partition is also a pain.
I understand it's necessary and I only have to do this one time per reboot, but I have another problem.
I also have FirstDefense-ISR on my computer, that works with maximum 10 bootable snapshots.
Each time I boot in another snapshot, I have to mount and type my password again.

 

Erik,
You are making excellent progress!
I have some ideas, but first some questions.

In Start / Control Panel / Administrative Tools / Computer Management / Disk Management what does it say about the Backup Partition [E:]? Is it NTFS?

What did you use to "wipe out" the second harddisk?

In your daily back up plan for the data, do you overwrite the previous day's .tib file, or do you create a series of .tib files that you rotate? For example: DataMonday.tib, DataTuesday.tib, DataWednesday.tib, etc.

The FD-ISR snapshots are stored on the C: partition?

The snapshots are only for the C: partition not the data?

How many times a day on average do you boot into different snapshots?

Do you use a password to log in to Windows?

Your CD/DVD drive letter is F:?

 

Devinco,
Here are the answers to your questions :

Volume = Backup Partition [E:]
Layout = Partition
Type = Basic
File System = NTFS
Status = Healthy
Capacity = 149,05 GB
Free Space = 55,80 GB
% Free = 37%
Fault Tolerance = No
Overhead = 0%

It looks like I haven't much free space anymore on my external harddisk, but I had to take some precautions for all the testings regarding the encryption.
In normal situations, I have alot more free space.

This is freeware tool provided by Western Digital
http://support.wdc.com/download/?cxml=n&pid=1&swid=30
On this webpage you have two selection boxes :
1. In the left selection box you choose : Serial ATA WD Raptor-10,000 RPM
2. In the right selection box you choose : Data Lifeguard Diagnostic for DOS (CD)
3. Under the selection box you will read "Files available for download".
I choosed "Diag504cCD.iso" and burned the iso-file on a CD.

To wipe out your harddisk :
1. Insert the CD
2. Reboot your computer
3. A menu appears (very userfriendly)
4. Select the harddisk first.
The rest speaks for itself. I had no problem with understanding this tool. Easy stuff. Just pay attention.
Warning!!!
Keep in mind that this tool is only for specific Western Harddisks. So read the provided info well.

You will see that there are also many other tools.

I have indeed 7 backup files for each internal harddisk : one for each day of the week, numbered from 1 (=Monday) to 7 (=Sunday).
On monday I overwrite the backup file of the previous monday, etc ...

The main reason for this : when one of these 7 .tib-files fails to restore, I still have 6 other possibilities.
All .tib-files are verified and created without internet connection and without security softwares.
I have a special snapshot for this.

Yes, FDISR works only on system partition [C:] and all bootable snapshots (maximum 10) are on system partition [C:]
Only archiving and restoring of snapshots to another partition than [C:] is possible, but archived snapshots are not bootable.

Although it's possible to keep your personal data in snapshots stored on [C:], I didn't do this.
So all my personal files are stored on my data partition [D:]
Whatever happens to my system partition [C:], I won't lose any of my personal files, emails or email-address books.

In normal situation : two times per day
Unfortunately, I test all new softwares in test snapshots and sometimes I have 10 snapshots running.
It's hard to say how many times, it depends on what I'm trying to do.
It's also possible, that I don't need to mount my partition [D:] to try a new softwares.
If I decide to use TrueCrypt, it will be another ball game, because I always had immediately access to my data
in each snapshot without doing anything.

No, I don't. It's a home computer and I'm the only one who knows how to work with it.

EDIT:

Sorry I didn't answer the last question.
Yes my DVD/CD-rewriter has letter [F:] and I don't have a second DVD/CD-reader/writer.
The next available partition letter = [G:]

 

Devinco,
Before you think about anything else or do something else, I would like to discuss Issue #2 of post #28 first.

 

Not a problem.
This is the neat feature of TrueCrypt.

Will explain more in about a day or so. Need to think about it more.

 

This is not true.

Straight from the TrueCrypt Manual page 5 :

And this is what I expected. Once a file is stored in an encrypted partition the file remains encrypted, even when the partition is mounted.

So "Issue #2" of post #28 is solved.

 

Technically, you are correct.
I should have said:
Yes, all your data is available to be decrypted as needed in memory On The Fly on a file by file basis and is accessible by Windows and all the programs.

This was a functional over-simplification (mounting=decrypting) on my part for better understanding.
It should have been mounting=decrypting OTF.
I chose to skip the technical explanation and get to the end result that is easier to understand for practical use.
Which is:
When the partition is mounted all your data is accessible by the system and all the programs AS IF it were all decrypted. Any file that is requested from the mounted partition is decrypted at once.

In my explanations earlier in this thread, I wanted to keep things less technical. So I did not explain how OTFE (On The Fly Encryption) works. It would have confused the issue unecessarily.
The end result is the same however. The data stored on the hard drive is actually encrypted, but once the partition is mounted, all the files can be read by the system as if they were decrypted. Each file is actually decrypted one by one in memory as it is requested.

Old style conventional encryption programs work similar to compression programs like WinZip or WinRAR. The difference being that instead of shrinking the file size (compressing), the encryption program would scramble the file contents (encrypt).
You have a regular file on the hard drive and run it through the program and it creates a second file that is encrypted. You then delete the original file.
When you want to work with the file you decrypt and a new decrypted copy of the file is placed on the hard drive alongside the encrypted file. You save the changes to the decrypted copy then re-encrypt the changed file and delete the original file.
As you can see, this process is not very user friendly. It is also less secure as the deleted file that was worked on could be recovered with undelete utilities.

As you have discovered, OTFE programs work much better and do not store a decrypted copy of the file on the hard disk. It is done at once all in memory "On The Fly."

Unfortunately, my over-simplifying has made things more complex.

True. All the files are encrypted on the hard drive even when the partition is mounted. But as mentioned above, the file is decrypted in memory on request when the partition is mounted. So any file in the mounted partition is accesible through this in-memory-decryption process. In practical terms, this means that any malware or hacker active on the computer would also have access to all the files on the mounted partition even though they are still stored encrypted on the hard drive.

 

In practice my encrypted partition will be mounted constantly, because all my data is there.
So malwares and hackers have constantly access to all my files.
My assumption is that both can NOT read it and I hope that is true otherwise I don't see the point of encryption. Is it true ?

If my encrypted partition is mounted constantly during the day, I don't see any reason why I need a password.
IMO a password is only usefull when I want to keep other people at home away from my personal files or in case my computer is stolen.
For myself, the password is a pain and superfluous.

 

Yes. The mounted partition is on request decrypted OTF. The request to decrypt the files can be from you or from malware or hackers that are allowed to be active on the computer. As you already provided the password to mount the partition, the active malware and hackers have free access to the data. IF you allow the malware/hackers to enter the computer.

False as stated above.
As mentioned here:

Encrypting your data protects it from physical theft.
It does not protect your data from malware or hackers that enter your computer while "the door is unlocked."

Correct. Encryption is to protect from computer theft.
Passwords are an inconvenience as are keys to unlock the front door.
If you live in a very nice neighborhood where no one ever breaks into a house or ever will, then you don't need to lock your door.
If no one will ever try to steal your computer, then you don't need encryption.

Another option if you are completely averse to typing a password would be to use a keyfile instead. This is a file of your choice that is used in place of a password. It is usually used in combination with a password to make it more difficult for keyloggers. But it could be used by itself then you wouldn't need to type the password. You put the file on a USB Flash Drive, CD, or Floppy. To mount the partition, you put in the USB Flash Drive, CD, or Floppy and the partition mounts. You can leave the USB Flash Drive plugged in all the time. Then when you leave, you take the USB Flash Drive with you or put it in a safe place. Anyone who has that keyfile will be able to decrypt your data. That is why you keep it separate from the computer when you want to keep it protected.

 

To continue with the ideas for backing up the encrypted partition...

While there is a way for you to use the Sector-by-Sector(raw) backup method and make the backups much smaller and faster, the end result is going to require more setup, maintenance, space, and trouble than the "Files or Folders" backup.

The benefits of doing Sector-by-Sector(raw) backup are the backup image contents (what is inside the .tib image) are ENCRYPTED and you will not have to type in a second password to mount the encrypted destination partition when doing then backup.
This is important because if your external backup drive is stolen, thieves who restore the .tib image will get nothing but a blank empty partition (encrypted). Even if the thieves use forensic techniques like reading the .tib file contents with a hex editor program, they will see nothing but random letters and numbers.

Using the "Files or Folders" backup (file-by-file) the backup image contents are DECRYPTED. This is because the files and folders are copied from memory where they are decrypted from the mounted D: partition to the unencrypted backup drive. This means thieves who steal the backup drive will get ALL your data by simply restoring the data. UNLESS you take additional steps (mentioned in Post #19) to backup the "Files or Folders" to an encrypted destination on your backup drive.

This is very important because a lot of companies have had their backup media (drives, tapes) stolen. These backups are most of the time DECRYPTED.
If you are going to encrypt your valuable data, you might as well take steps to encrypt the backup too. Otherwise, they can just steal the backup drive and game over.

Should you have the data backup encrypted?
Yes. If you decide to encrypt, you should encrypt the data backup too.
But the choice is again up to the individual. Maybe the backup drive is stored in a secure physical location and so encryption is not needed.

What this means is that you store your data in an encrypted partition (D: ) and you backup the files and folders into an encrypted backup container(Probably G: or H: depending on your DVD drives) on your backup drive.
This means you need to use another drive letter for the encrypted backup container.
This container could be a partition or a file container.

Why not make the whole backup drive an encrypted partition just like the D: data partition?
Because you need to store the C: system partition backups on a non-encrypted part of the backup drive. TrueCrypt requires the OS to run so you can't store system partition backups encrypted. TrueCrypt cannot encrypt the OS. ATI cannot read the contents of the dismounted encrypted partition. If you need to restore the System OS partition, it has to be from an unencrypted partition on the backup drive.

You could repartition the backup drive into 2 partitions E: unencrypted and G: encrypted. Your data is currently 2GB. To allow for future expansion add 2GB. Allow for 7 backups: 4GB x 7 = 28GB. The encrypted G: partition could be 28GB.
This size could be increased if more expansion is expected.
But you do have to risk repartitioning the backup drive.

Perhaps a better alternative would be a Dynamic Container.

This would allow for the dynamic file container to expand as your 7 data backups expand and so not waste space. No need to repartition the backup drive.

 

Devinco,
In that case, I drop the idea of encryption.
I thought encryption was there to protect my personal data against malware and hackers, because that happens alot more.
I don't mind my data is stolen by malware or hackers as long they can NOT READ it in a million year, but that seems NOT to be true.
I must have misunderstood the whole idea around encryption, my mistake.
I'm not going to protect my computer against other people in my neighborhood or theft, considering the inconvenience that encryption will cause EVERY DAY and certainly with FDISR on my computer.

The thread was at least usefull to prove that TrueCrypt and Acronis True Image Home are compatible with eachother.

 

Devinco,

You have the patience of a saint. I don't know how TrueCrypt's purpose could have been described any better than with our analogies of a home safe (when it's open, all documents can be removed and replaced) and yours with the house key. With all the discussion of encryption in the media and on this board, for someone to still think it is somehow a protection from malware, is disconcerting. EricAlbert's statement "Otherwise what's the purpose of encryption?" is actually scary. The protection of data from theft and/or misuse is one of the most serious issues facing the security community. To think some here at Wilders fail to see that and be so, excuse me EricAlbert, but selfish about it's value, it's really sad. Encryption is a critical component of computer security, whether it protects EricAlbert's personal computer from malware or not.

 

I also have the patience of a saint, I did all the testing during 5 days in my freetime to make it work in practice.

Encryption is a personal choice and each person has to decide for himself to use it or not to use it and I call that freedom, not selfish.

The possibility that my computer is stolen or read by other people at home is rather small, compared with the millions of threats and hackers on the internet, who still can read my data in spite of encryption.
With or without encryption my computer is still an open book for millions of people on the internet.

 

I detected an "if it doesn't affect me it's not important" attitude toward encryption. I seem to have read similar posts by you on other subjects. That's what I meant by selfish.

 

Erik,

The choice of whether to use encryption is up to you. If it's not for you, that's fine with me.
The ideas, concepts, and strategies explored here in this thread are much bigger than merely whether ATI and TrueCrypt work together or if you end up using encryption.
Thank you for starting this thread and trying the tests in spite of the risk to your data.
I learned a lot.

Remember that just because you won't use encryption on the hard drive to protect your data from physical theft doesn't mean you won't use encryption at all.
Every time you connect to your bank website, you will be using encryption (SSL) to protect the data traveling within that connection. It's just a different type of encryption.

 

No problem. I don't mind all the work. It was exciting, fun and I learned a lot also.

 

Just a few more general ideas...
Encryption is not for everyone.
Even if you have private data that could be lost by physical theft, maybe the threat is too small for that individual to want to implement it.
Maybe nothing of value is stored on the computer that a thief could use.

Many people do have reasonable concerns about physical theft of their data and encryption will suit them well. Passwords are not a big inconvenience for most people. Every other website asks you to create an account with a user name and password.
Anyone involved in security for any sort of business, big or small, should seriously consider using encryption to protect the company's data and the client's data. There may be legal issues involved with data loss as well. Make sure the backups are also encrypted. If theft can happen to mega billion dollar corporations with unlimited security budgets, it can happen to you.

Another option rather than encrypting the whole data partition as Erik did would be to create a smaller encrypted file container (or partition) that holds just the most sensitive but less used data (like tax documents, etc.). This way the user would only need to use a password to access the encrypted volume rarely when needed. And since the encrypted file container would normally not be mounted, malware or hackers active on the system would not be able to get the data unless they wait for the user to access the volume (or install a keylogger and then wait for user access).

I've seen hardly any discussion in this forum or the TrueCrypt forum about making reliable encrypted backups.
Even though this whole process wasn't concluded, plenty of progress was made to be of use.

 

I fully agree with you, but encryption wasn't important enough for me and I had another use of encryption in mind (malware and hackers).
It was my mistake not yours.

Companies and other individuals have most probably much better reasons to encrypt their data and than it's a necessity to encrypt.
I would use encryption too in such cases, but I'm just a home user without secrets.

 

I've discussed it on the TC Forum. The general consensus is this: if you want a data drive and your data is under 4.5GB, then make use of volume encryption. Few people have actual data that they regularly back up over 4.5GB. This is enough for most, but obviously not all, people. Then a backup is as simple as backing up your unmounted volume to a DVD or a USB drive. Just burn the single file to a DVD and all your data is backed up with strong encryption. Basically just as EricAlbert had it, but using a volume rather than a partition. Easy encryption, simple to use, and a snap to backup.

 

Acronis True Image Home v9.0 build 3677
If you want to use an encrypted partition and you use

1. "Files or folders" of ATI,
than it doesn't matter how large your encrypted partition is, which is IMO the very best solution,
because the backup/restore time is dependent on the size of your data.

2. "The entire disk contents or individual partition" of ATI
than I suggest a partition of less than 10gb = 15 minutes,
because the backup/restore time is dependent on the size of your encrypted partition.

 

Genady,

The 4.5GB size was just so the file container fits on a DVD?
If the file container is 8GB and you want to store it on 2 DVDs, can you use a file splitter like Chainsaw or even ATI in "Files and Folders" mode to span the file container across 2 DVDs AND successfully restore the file container? (container is dismounted)
Or would the file container volume be corrupted by this process?
What if the backup program uses compression on the file container?
Will it maintain integrity?

Was there a concensus for encrypted backups for file sizes larger than 4.5GB?
Was there a concensus on what's best for backing up encrypted partitions?

The tutorial article you pointed out is excellent. Thank you.
http://b-con.us/security/truecrypt_intro.php

 

Good questions. You always need a solution for any situation.

 

Devinco, Actually, I was talking about a simple backup of the volume container without the need for a backup program per se, compression, etc. I meant, with a 4.5GB file volume, or container as some call it, you simply drag it to your DVD burner. The encrypted volume is, of course, is just a single 4.5GB file.

Good question about file-splitting an encrypted volume. I haven't tried it and don't recall discussion concerning that. I have burned a larger file volume (8.5GB) using a DVD+R-Dual Layer Disk.

I'll do some checking on some of your other questions. Backing up partitions has always brought about lots of questions, but no solid answers.

You're welcome for that tutorial. Brad did a very good job of explaining the process step-by-step. As a matter of fact, it's probably better with the basics than the official TC users guide.