How I Backup and Restore a System Drive Fully Encrypted in True Crypt

I have seen a lot of questions about backing up and restoring system drives fully encrypted with True Crypt. So I wanted to post this to possibly help others and also to see if anyone else has done this or sees any holes in this approach.

Here's what I do and someone please tell me if this makes sense. It seems to work so I don't know what would be wrong with doing it this way.

My main drive is fully system encrypted with TrueCrypt so I have to do pre-boot authentication whenever I boot up.

I regularly back up the whole computer using True Image from within windows and let True Image encrypt the backup. So now the backup is decrypted as far as the True Crypt encryption, but the .tib itself is encrypted by True Image, so everything is secure.

When I restore to a hard drive, I just do the restore normally. At this point if I try to boot up the restored drive, it will ask for my True Crypt password, but this won't work because the partition is decrypted and no longer really in sync with this initial track that True Crypt put on. That initial True Crypt loader is sort of just a useless layer on top of a now decrypted drive.

So all I do then is I use the True Crypt rescue disk for the drive that this is an image of and hit F8 for repairs and simply restore the original system loader. This basically just removes that initial True Crypt track, so then it doesn't ask for the True Crypt pass on loading. Now when I boot up, it works.

Then I just re-encrypt the restored drive anew in True Crypt and I now have my exact same system disk fully encrypted. I can even use the same True Crypt password as before so that, for all intents and purposes, it's the exact same.

Anyone see any problem with this? I only tested it once and it worked. The only concern I have is I didn't use the restored drive for very long as it was just a test, so maybe I would have seen some problem arise after time. But it certainly seemed to be working perfectly well in the short time I used it after restoring.

 

I'm not an expert but your procedure seems logical.

How much time does it take to decrypt the disk/partition and then encrypt the disk and how many GB of data are on it? If the disk (used+free-space) isn't too large, would it be faster to do a sector-by-sector image of the entire disk/partition (which is supposed to work)?

 

You may be misunderstanding.

I don't have to actually decrypt the drive. Since I'm backing up from within Windows, True Crypt apparently is decrypting on the fly as True Image accesses files and the actual data in the .tib is no longer encrypted in True Crypt. However, since I set True Image to encrypt the backup, that .tib as a whole is encrypted now by True Image. See what I mean? At no point in the backup do I have to actually decrypt the drive (which takes hours if you have to do it).

When using the True Crypt rescue disk to re-add the original system loader, it asks if the drive is decrypted. Just say yes, it already is, since True Image decrypted all the data in the backup as it made it as far as True Crypt is concerned, and you've already decrypted True Image's encryption just by entering the password in the restore process.

I do, however, have to re-encrypt the restored drive in True Crypt once it's restored. This takes the normal amount of time it ever takes True Crypt to fully encrypt a system drive in place, which can be several hours. So this may not be a perfect system if you are doing restores constantly. But for me, I'd only have to do a restore in an emergency so it's no big deal to have to take a few hours to re-encrypt in True Crypt again at that point.

If your drive is really small, then it's possible a sector by sector backup and restore is quicker. The sector by sector didn't actually work for me, but I may not have done it correctly. In any case, using an 80GB drive, it took 13 hours just to make and validate the sector by sector backup. It took an hour or so to restore my usual backups - which take 4 hours or so total to make - and then True Crypt takes a few hours to re-encrypt.

It is possible that sector by sector is better for you depending on your process. But it's quite a pain to do 13 hours backups regularly.

 

Thanks. I hadn't realized that TI reading the archive would inherently do the decrypting. Looks like your solution to the whole issue is indeed a reasonable one.

 

Basically when you're working on a fully True Crypt encrypted drive, once you've done pre-boot authentication and are working from within Windows, everything is decrypted on the fly. I guess True Image is no exception in that files it uses are decrypted too. So yes the solution seems to work. Would be cool for others to try it and make sure it works for them too.

 

Have you tried making a backup image from the TI Rescue CD? That wouldn't decrypt the files since it's not running in Windows.

If you restore that backup, wouldn't the system just work normally without needing repair?

 

The problem with making it from the Rescue disc is that then you have to do a full sector by sector image, which is the size of your entire partition. This takes a very very long time and a lot of disc space every single time you image your drive. And on top of that, when I tried it, it still didn't even work. I may have just done something wrong and it's possible that I could get it to work if I figured it out. But it still seems like it's not worth it due to the much bigger resources needed, not just once, but every time you do your images, when all it saves is a one time re-encryption in True Crypt which takes a few hours one time upon restoring.

Perhaps for some people who do lots of restores the calculation differs. But for me, who only would ever need to restore on the rare occasions when my drive goes bad or something is really screwed up, it isn't worth the extra time and space.

 

Now, that's something I can understand.

Thanks for the info. I know imaging encrypted disks can be problematic. It seems as though you have found a reasonable procedure and explained it very well.