How do we Backup the Encrypted Systems Partition (TrueCrypt)

Discussion in 'privacy technology' started by george75, Jul 28, 2010.

Thread Status:
Not open for further replies.
  1. george75

    george75 Registered Member

    Joined:
    Aug 11, 2005
    Posts:
    65
    Hi guys!

    I have a TrueCrypt fully encrypted HDD with a number of partitions, including the c:\systems partition. Backing up the data partitions to an encrypted external HDD is easy. But how do I backup the encrypted c:\systems partition? This is TrueCrypt system encryption of a Windows XP Pro SP3 system, single boot.

    I have a BART PE DVD constructed for the system; I can run it, load TrueCrypt portable from a USB stick and mount the system partition without pre-boot authorization and also mount the encrypted external HDD. The problem is how do I back up the system partition in such a way as to get all the information, and how do I do a restore if necessary? Doing a 'copy' of all the files from the system partition to the external HDD seems to be only a partial solution.

    (Note to Moderator: I touched on this issue in another thread https://www.wilderssecurity.com/showthread.php?t=277332, but that thread was opened for a different operational issue with TrueCrypt and it seems better to make this issue a separate thread in the hopes of getting it solved. Thanks.)

    George
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    993
    Location:
    Hawaii
    It's great that you have a working BartPE and can use it to mount all of your encrypted partitions, even going so far as to use TC in traveler mode to mount your system without preboot authentication. However, for your next task you'll definitely want to use an imaging program.

    Backing up the system (whether it's encrypted or not) is best done by using imaging software such as Acronis True Image, Norton Ghost, and many others. Very few people copy the system files directly, as that method involves a variety of serious limitations such as the inability to copy the boot sector and Track 0, issues with various locked and immovable files, etc. (That said, I've done it myself using Robocopy and it worked fine once I figured it all out, but I would not recommend that approach for most users). I'm currently using Acronis True Image, so my explanations will focus on that program, but it's not the only way to go.

    There are two main ways to image your encrypted system:

    A. Image the live, mounted system:
    The simplest method is to use imaging software such as Acronis True Image to back up the live (mounted) system from within Windows. Since the system is mounted, the imaging software sees only the unencrypted system and thus the resulting image file will also be unencrypted. The image contents will be fully compressible and the image software will be able to skip over all unnecessary files (pagefile.sys etc.) and unused space. However, if you choose to restore the image then the resulting system will also not be encrypted. To get your bootloader to match, you would probably also want to restore the original Windows bootloader from the TrueCrypt rescue disk. At this point you could start the whole system encryption process over again from scratch.

    The image file itself will also be unencrypted. If (for security reasons) you need to store it in an encrypted or otherwise secured state, there are three approaches:
    1) Store the image file within an encrypted TrueCrypt container. In this case you will most likely need some way (such as a BartPE) to run both TrueCrypt and the imaging software so you can access the image and then restore it to your hard drive when needed. In the case of Acronis True Image, you will need to include the Acronis plugins when you build the BartPE. Certain other imaging programs also have BartPE plugins available.

    2) Use the imaging software itself to save the image in an encrypted format. Acronis True Image offers AES-based "archive encryption", so you would merely boot to the Acronis Bootable Rescue Media and provide your password when prompted. No BartPE required. Much simpler!

    3) Store the unencrypted image file in a secure location such as a safe-deposit box. Restore it as needed using the Acronis bootable media. No password or BartPE required.

    B. Image the unmounted partition:
    The other approach is to boot using the imaging program media in order to make a sector-by-sector image of the unmounted system partition. Since the data within the partition is fully encrypted, it is basically incompressible, and of course the unused space and unnecessary files are hidden by the encryption. Thus, the resulting image will be as large as the system partition, and obviously the job will take a lot longer.

    Since you imaged an unmounted partition, the data within the image is already fully encrypted and is quite secure, so it's not necessary to further encrypt or otherwise lock away the image file. The image can be restored by using the imaging software's bootable rescue media, so there's no need for a BartPE. Also, the system will remain encrypted after you restore the image. If you need to restore the image to a new hard drive then you will also want to restore Track 0 using the Acronis interface, or use the TrueCrypt rescue CD to restore both the bootloader and the key data, otherwise the new hard drive will not boot.

    I've written all of this from memory, so I can't guarantee that every description is perfect, but that's the general idea. There are numerous variations, of course. If anyone has anything to add, please do so.

    There are a number of posts in the TrueCrypt forums about this sort of thing, and I assume you've already viewed some of them. Here are a few links, but unfortunately the last three can only be opened by members of the TrueCrypt forum:

    http://forums.truecrypt.org/viewtopic.php?t=9360
    http://forums.truecrypt.org/viewtopic.php?t=11375

    http://forums.truecrypt.org/viewtopic.php?t=15599
    http://forums.truecrypt.org/viewtopic.php?t=20670
    http://forums.truecrypt.org/viewtopic.php?t=19795

    If anyone has a reasonable explanation as to why the administrator of the TrueCrypt forum chooses to limit non-member access to only the "General" forum, I'm all ears.
     
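The size difference between the two approaches above (a live image that can skip free space and compress, versus a sector-by-sector image of ciphertext that cannot) is easy to see on a constructed partition. The following script is an added example and is not code from the thread or from TrueCrypt or Acronis; the sector cipher in it is an illustrative SHA-256 keystream, not TrueCrypt's AES-XTS, and the "partition" is built inline from a repeated sample block plus zero-filled free space.

```python
import hashlib
import zlib

SECTOR = 512


def make_plaintext_partition(n_sectors: int, used_sectors: int) -> bytes:
    """Constructed stand-in for a mounted system partition as an imager sees it
    from inside Windows: repetitive 'file' data, then zero-filled free space."""
    pattern = b"C:\\WINDOWS\\system32\\sample.dll block "
    block = (pattern * (SECTOR // len(pattern) + 1))[:SECTOR]
    return block * used_sectors + bytes(SECTOR * (n_sectors - used_sectors))


def toy_sector_cipher(data: bytes, key: bytes) -> bytes:
    """Illustrative per-sector keystream (XOR with SHA-256 output). This is NOT
    TrueCrypt's AES-XTS; it only reproduces the property that matters here:
    ciphertext is indistinguishable from random bytes, free space included."""
    out = bytearray()
    for sector_no in range(len(data) // SECTOR):
        chunk = data[sector_no * SECTOR:(sector_no + 1) * SECTOR]
        stream = b"".join(
            hashlib.sha256(key + sector_no.to_bytes(8, "little")
                           + i.to_bytes(4, "little")).digest()
            for i in range(SECTOR // 32))
        out += bytes(a ^ b for a, b in zip(chunk, stream))
    return bytes(out)


def compressed_size(data: bytes) -> int:
    """Size of the data after zlib compression, a stand-in for the imager's compressor."""
    return len(zlib.compress(data, 6))


def compare_image_sizes(n_sectors: int = 2048, used_sectors: int = 512,
                        key: bytes = b"demo-key") -> dict:
    """Approach A images the mounted (plaintext) partition, so the imager can skip
    free space and compress what is left; approach B images the unmounted
    ciphertext sector by sector, so the image stays as large as the partition."""
    plain = make_plaintext_partition(n_sectors, used_sectors)
    cipher = toy_sector_cipher(plain, key)
    used_bytes = used_sectors * SECTOR
    return {
        "raw_bytes": len(plain),
        "a_used_only": used_bytes,                         # free space skipped
        "a_compressed": compressed_size(plain[:used_bytes]),
        "b_compressed": compressed_size(cipher),           # whole partition, incompressible
    }


if __name__ == "__main__":
    for name, size in compare_image_sizes().items():
        print(f"{name:>13}: {size:>9} bytes")
```

The live image (approach A) comes out at a few kilobytes for a 1 MiB constructed partition because the free space is skipped and the file data is repetitive; the ciphertext image (approach B) is slightly larger than the partition itself, which is exactly why dantz expects the unmounted image to take as much space as the system partition.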
  3. george75

    george75 Registered Member

    Joined:
    Aug 11, 2005
    Posts:
    65
    Thanks Dantz. One of the problems I was facing is that there simply was not a succinct description of a procedure to follow--everyone was all over the place about what to do. You've provided that succinct description. I'm going to have to study what you say; I will comment and ask questions then.

    However, two immediate questions:

    1. encrypting Acronis system partition image

  If you use Acronis (or similar) from within Windows to create an unencrypted backup of c:\system, pointing it to an external USB HDD, it's not clear whether the target HDD must be unencrypted for this to work, i.e., if I have a TrueCrypt container mounted, can that be the target? ETA from here to end of point 1: I now see from studying your post that I should be able to write the Acronis image directly to the mounted TrueCrypt volume since the encryption should be invisible to Acronis. To do a restore I would have to do a BART PE build with the Acronis plugin and then mount the backup volume and the c:\system partition with TrueCrypt from within BART PE, following through on the restore using Acronis from within BART PE. It also seems to me that if I don't want to do the Acronis plugin BART PE build, I should be able to work around the plugin by mounting the encrypted USB HDD using TrueCrypt from within BART PE, writing the encrypted Acronis backup to an unencrypted external HDD partition using the BART PE file manager, then rebooting using the TrueCrypt rescue disk to restore the MBR, and then rebooting again using the usual Acronis rescue disk to do a normal restore from the unencrypted backup image on the external HDD. Messy but acceptable if it's a valid procedure that won't have to be used very often. Is this going to work? Of course, it would be important that the other partitions would not get damaged.

    2. Can you Acronis-image just the system partition sector by sector?

  I had the impression that Acronis (or similar) can only copy sector by sector the whole HDD that contains the c:\system partition of interest because it has no way of discerning the information on the MBR, which is encrypted. Is there any way to do a sector-by-sector copy of just the c:\system partition? How would such a sector-by-sector image be restored?

    As for TrueCrypt: When I went to the TrueCrypt Forum, what I understood the rules to be is that non-registered users cannot access the non-public forums, but there are now two categories of registration. For a full registration which allows you to post, you have to provide a non-free ISP-based email address. However, there is a second category of registration where you provide a valid but free or similar email address, or else a phony email address. In those cases you can read the non-public forums but not post. The reason given is for them to combat spam. I find it quite disturbing that to become a forum member you have to provide a non-free, ISP-based email address. The result is that all members of TrueCrypt's forums are quite traceable physically. This seems preposterous as a method to combat spam.
     
    Last edited: Jul 30, 2010
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    993
    Location:
    Hawaii
    Note: I've done a lot of this stuff, but I haven't done everything, so a few of my answers are just educated guesses.

    #1: If you're going to store the image in a TrueCrypt container then I recommend creating another BartPE that includes the Acronis True Image plugin. It's just one extra step. You merely copy the plugin files into the appropriate folder before building the BartPE.

    Your alternate approach (using BartPE to copy the image file to an unencrypted location before restoring it) would probably work, but I would be concerned about copying such a large file, especially in that manner. You would definitely want to have Acronis True Image "validate" the image before restoring it. Also note that if you're restoring to a different disk, or if the MBR on the existing disk was damaged, you will probably need to select the "MBR and Track 0" box in the Acronis restore interface, as I don't think the TrueCrypt rescue disk will provide the same functionality.

    #2: During system encryption TrueCrypt does not encrypt Track 0, which includes the MBR and the partition table (as well as the TrueCrypt bootloader and the header). As a result Acronis True Image will be able to view and work with the existing partition structure. And as I understand it, the newer versions of Acronis can make a sector-by-sector image of whatever partition you specify. You would restore it in the usual fashion, but select "sector-by-sector restoration".

    There are numerous variations of the above based on whether you are restoring to the same drive, a different drive, a different partition layout, etc., so you'll have to work all that out. However, whichever approach you choose, there's simply no substitute for full-scale testing to make sure everything works as expected. Also, I can't guarantee that what works on the systems I am familiar with will work on your system. Bottom line: You've got to try it.
     
  5. george75

    george75 Registered Member

    Joined:
    Aug 11, 2005
    Posts:
    65
    Thanks Dantz. I agree with your caveats. The only issue that is confusing me is this. Who is doing exactly what to the MBR and track 0? And where exactly is the MBR? Isn't it on track 0? When you do a vanilla Acronis backup on an unencrypted system partition you have the option to restore the MBR. So far so good. When TrueCrypt encrypts the system disk, what does it do to the MBR and track 0 so as to get handed control from the BIOS for its pre-boot authentication routine, or in other words, for its bootloader? What facilities does the TrueCrypt rescue disk have vis-à-vis the MBR and Track 0? Can it put the MBR and track 0 into the condition they were in before TrueCrypt encrypted the system partition? If I could get a clearer understanding of these issues, I would be able to understand the backup and restore with more clarity.

    Thanks very much, indeed.
     
  6. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    993
    Location:
    Hawaii
    Track 0 consists of the first 63 sectors of the disk. The MBR and the partition table are located in the first sector (sector 0). TrueCrypt's system encryption replaces most of Track 0 with its own custom bootloader, although I believe the partition table is unaltered. The original Track 0 is copied to the rescue disk and can be restored from it if necessary.
     
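The Track 0 layout dantz describes (63 sectors, MBR and partition table in sector 0, TrueCrypt's key data in sector 62) is what lets an imager read the partition table of an encrypted disk and copy just the system partition sector by sector, and what the later replies mean by "restore the C partition and leave Track 0 alone". The script below is an added example, not code from the thread or from TrueCrypt or Acronis: it builds a small constructed raw disk inline (a bootloader tag and a placeholder key-data marker stand in for the real contents of Track 0), parses the classic MBR partition table, images the partition sector by sector with a SHA-256 digest for later validation, and restores the image over the partition without touching Track 0.

```python
import hashlib
import struct

SECTOR = 512
TRACK0_SECTORS = 63        # Track 0 = LBA 0..62, as described in the thread
TC_KEY_DATA_SECTOR = 62    # the sector dantz names as holding TrueCrypt's key data
PART_TABLE_OFFSET = 446    # four 16-byte entries, then the 0x55AA signature
MBR_SIGNATURE = b"\x55\xaa"
KEY_MARKER = b"KEY-PLACEHOLDER!"   # constructed marker, not real TrueCrypt data


def parse_partition_table(sector0: bytes) -> list:
    """Parse the four classic MBR entries in sector 0. TrueCrypt system
    encryption leaves this sector readable, so an imager can locate partitions."""
    if len(sector0) < SECTOR or sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("sector 0 lacks the 0x55AA MBR signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector0, off)
        if ptype and count:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": count})
    return entries


def byte_range(entry: dict) -> tuple:
    """Byte offset and length of a partition on the raw disk."""
    return entry["lba_start"] * SECTOR, entry["sectors"] * SECTOR


def image_partition(disk: bytes, entry: dict) -> tuple:
    """Approach B: copy the unmounted partition sector by sector, ciphertext and all,
    returning (image, sha256 hex) so the copy can be validated before a restore."""
    start, length = byte_range(entry)
    image = b"".join(disk[s:s + SECTOR] for s in range(start, start + length, SECTOR))
    return image, hashlib.sha256(image).hexdigest()


def read_track0(disk: bytes) -> bytes:
    """The first 63 sectors: MBR, partition table and whatever bootloader is installed."""
    return disk[:TRACK0_SECTORS * SECTOR]


def restore_partition(disk: bytes, entry: dict, image: bytes) -> bytes:
    """Write the image back over the partition only; Track 0 is left untouched,
    so the bootloader present on the disk (TrueCrypt's or Windows') stays as is."""
    start, length = byte_range(entry)
    if len(image) != length:
        raise ValueError("image length does not match partition length")
    return disk[:start] + image + disk[start + length:]


def build_demo_disk(partition: bytes, bootloader_tag: bytes) -> bytes:
    """Constructed raw disk for the demo: Track 0 followed by one NTFS-typed partition."""
    if len(partition) % SECTOR:
        raise ValueError("partition must be a whole number of sectors")
    track0 = bytearray(TRACK0_SECTORS * SECTOR)
    track0[:len(bootloader_tag)] = bootloader_tag          # stands in for boot code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        TRACK0_SECTORS, len(partition) // SECTOR)
    track0[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    track0[510:512] = MBR_SIGNATURE
    key_off = TC_KEY_DATA_SECTOR * SECTOR
    track0[key_off:key_off + len(KEY_MARKER)] = KEY_MARKER
    return bytes(track0) + partition


if __name__ == "__main__":
    disk = build_demo_disk(b"\xc7" * (16 * SECTOR), b"TC-BOOTLOADER")
    (entry,) = parse_partition_table(disk[:SECTOR])
    image, digest = image_partition(disk, entry)
    print(entry, len(image), digest)
    restored = restore_partition(disk, entry, image)
    print("Track 0 unchanged:", read_track0(restored) == read_track0(disk))
```

On a real disk the same offsets apply: the partition begins at LBA 63 on this classic layout (byte 32256), and a sector-by-sector image of it contains only ciphertext, which is why validating the image by digest rather than by inspecting its contents is the sensible check before relying on it.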
  7. george75

    george75 Registered Member

    Joined:
    Aug 11, 2005
    Posts:
    65
    Thanks Dantz. I can see that there are indeed two basic approaches:

    1. copy the encrypted partition sector by sector from outside windows, treating the system partition simply as a partition. When you restore, you restore the partition from outside windows sector by sector and if need be you restore the TrueCrypt bootloader with the TrueCrypt rescue disk. Your restored system is encrypted just like before.

    2. Backup the encrypted partition, say with Acronis, from within Windows to an external hard disk. This image is intrinsically unencrypted but if your target is a mounted encrypted disk or partition, then it becomes in fact encrypted.

    For a restore with this second method, you first have to restore the original Windows MBR (track 0) using the Acronis restore MBR function. This is because the Acronis image is intrinsically unencrypted with this method and after the restore the system will be unencrypted and so you will have to boot using the Windows bootloader, not the TrueCrypt bootloader. I saw that the TrueCrypt rescue disk will restore the original Windows bootloader but asks if you have decrypted the system partition. If you say 'no' it won't let you proceed. I didn't dare say 'yes' but if you do say yes, does it restore the Windows track 0 (including the original MBR) or does it refuse to let you proceed because you indeed have not decrypted the systems partition? In any event, whatever way you do it, once you restore the MBR (track 0) then you have to load the Acronis rescue disk and restore the system partition from the UNENCRYPTED system partition image. If you originally had Acronis write the image to an encrypted partition, you're going to have to unencrypt the image, perhaps by copying it to an unencrypted disk or partition, perhaps using BART PE to load TrueCrypt to mount the partition and copy it to an unencrypted partition. Of course if you have BART PE with the Acronis plugin and you can also load TrueCrypt, then you can restore from the encrypted disk or partition where you have placed the Acronis image once you mount it with TrueCrypt. Of course with this method, including any of its variants, your system partition is going to be unencrypted once you've finished the restore.

    Is this a correct understanding?

    The only confusion I have is this. When Acronis asks, "Do you want to restore the MBR?", does it mean all of track 0? Similarly, when TrueCrypt asks if you want to restore the original Windows bootloader, does it mean all of track 0? In other words, are each of these restore functions equivalent, and are they what is necessary to revert to the original Windows unencrypted configuration so that you can boot the system once you've restored the system partition in unencrypted format?

    Thanks very much.
     
  8. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    993
    Location:
    Hawaii
    No, you're a little off. You can just restore the C partition and leave the TC bootloader on the disk if you like. During bootup you can merely press Escape to bypass the TC bootloader and boot into the unencrypted system. But ideally you will want to restore the original Windows bootloader from the TC rescue disk. You can't get it from the Acronis image because that will just give you the TrueCrypt bootloader again. Acronis copies Track 0 whenever you make a partition or disk image, and that's what was there when you made the image.

    It will pretty much restore whatever was present on Track 0 when you created the image, whether it's the TrueCrypt bootloader or the original Windows bootloader. However, when restoring to a different disk it probably won't restore the original disk signature, nor do you need to be concerned with that.

    Yes, as far as I am aware (and as stated in the TrueCrypt documentation), the contents of the original Track 0 will be restored. However, I'm not sure whether or not it will overwrite TrueCrypt's key data in sector 62, nor do you need to be concerned with that, as it will work either way.

    There are also some other minor details that I left out because they weren't relevant to the purpose of the discussion. And keep in mind that I'm not the world's greatest expert in this stuff and I don't guarantee that everything I said is 100% correct, nor is everything guaranteed to work perfectly on your system. You really need to try all this out! The safest way would be to obtain a spare disk for testing purposes, clone your drive to the disk, remove your original disk and do all your testing on the clone.
     
  9. george75

    george75 Registered Member

    Joined:
    Aug 11, 2005
    Posts:
    65
    Thanks for clarifying, Dantz.

    Yes, you're quite correct that this should be fully tested before being relied on. However, you're also fully correct that you should be doing this on a spare disk--which is precisely why I haven't dared to do it. Not only are you exposed if you test on your one and only disk, but the whole business could be very time-consuming.

    Thanks again.
     
  10. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    Noob about TrueCrypt here: how do you open a hidden partition with TrueCrypt when your system is unbootable?
     
  11. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    993
    Location:
    Hawaii
    There is no such thing as a hidden partition. I'll assume you mean a hidden volume within an encrypted partition.

    There are two main options: 1) Boot to a LiveCD that has TrueCrypt on it, or 2) Remove the disk and slave it to another computer that has TrueCrypt on it.
     