I want FDE, Regular Backups, Involving Virtualbox Instances, Advice?

Discussion in 'privacy technology' started by marveljulius, Jul 11, 2015.

  1. marveljulius

    marveljulius Registered Member

    Joined:
    Jul 11, 2015
    Posts:
    2
    Hi

    This is my setup:
    I have Windows 7 Professional.
    I have no TPM.
    SSDs with over 1TB of Virtual Machine instances saved on them.
    I have at least 1TB spare on 2 HDDs which can be used for backup.
    I can make use of a secondary PC if necessary.
    I would buy Macrium Reflect.

    This is my requirement:
    Full Disk Encryption, with the aim that if the machine were physically stolen the proprietary data would remain secure. The machine is already chained down, but our office's location is public and I have heard previously of data theft conducted in this way.
    Also, we can't afford a full time security guard!
    Fast Backups: Only back up the data that has changed, rather than entire Virtualbox instances that may have only changed in some tiny way.
    Automated Backup: I want something I can set up and then schedule a periodic review of to ensure it is working correctly.
    Encrypted Backups: I'd like the backups themselves to be encrypted. Either because they are stored on an encrypted drive, or because they themselves are encrypted.

    I have looked at TrueCrypt and VeraCrypt, since they are free and work without TPM, but data encrypted in this way cannot be backed up by Macrium Reflect.

    I have looked at Bitlocker, but it requires Windows 7 Ultimate and a motherboard with a TPM. I could buy these things if this is the best option.

    Any advice greatly appreciated!
     
  2. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    569
    Location:
    USA
    BitLocker can be used without TPM; use Group Policy to configure that option. Win10 pro includes BitLocker.

    You could look for a sector backup solution that does incremental/differencing.
     
  3. marveljulius

    marveljulius Registered Member

    Joined:
    Jul 11, 2015
    Posts:
    2
    Hi

    Thanks for this. I will look more into Bitlocker without TPM, I can see that it will allow the machine to boot without a passphrase being entered straight away.

    Is there perhaps a better place online for me to post this sort of question? Would you choose here?
     
  4. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    569
    Location:
    USA
    Here is good...especially since official Paragon support is here; I like their products...especially the free ones :D and if memory serves, their Backup & Recovery product might just do the trick. Googling your issue revealed nothing? Surely you aren't the first with this problem...

    You configure which authentication options you want (password, password + USB key).

    Edit: Oh, heh, I just remembered reading earlier today that VirtualBox 5 has encryption.
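
The no-TPM BitLocker setup described in the replies above (the Group Policy option, then a password protector), as an added example that is not part of any post in this thread. It assumes Windows 8/10 Pro or later with the BitLocker PowerShell module, an elevated prompt, and C: as the OS volume; the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: BitLocker PowerShell module present, OS volume is C:.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Registry equivalent of the Group Policy setting
# "Require additional authentication at startup" with
# "Allow BitLocker without a compatible TPM" enabled.
function Set-NoTpmPolicy {
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
}

function Test-NoTpmPolicy {
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    return ($p.UseAdvancedStartup -eq 1 -and $p.EnableBDEWithNoTPM -eq 1)
}

# Encrypt a volume with a startup password plus a recovery password.
function Enable-PasswordBitLocker([string]$MountPoint = 'C:') {
    if (-not (Test-NoTpmPolicy)) { throw 'No-TPM startup policy is not set.' }
    $pw = Read-Host -AsSecureString 'BitLocker startup password'
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
        -PasswordProtector -Password $pw | Out-Null
    # Record the recovery password offline, never on the encrypted disk itself.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
}

# Periodic review: flag any volume that is not fully encrypted,
# has protection suspended, or has no recovery password protector.
function Get-BitLockerAudit {
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint = $_.MountPoint
            Status     = [string]$_.VolumeStatus
            Protection = [string]$_.ProtectionStatus
            Protectors = $types -join ','
            Ok         = ($_.VolumeStatus -eq 'FullyEncrypted' -and
                          $_.ProtectionStatus -eq 'On' -and
                          $types -contains 'RecoveryPassword')
        }
    }
}

Get-BitLockerAudit | Format-Table -AutoSize
```

Run `Set-NoTpmPolicy` and `Enable-PasswordBitLocker` once per volume; on a domain-joined machine the real Group Policy object overrides these registry values.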
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    It's been a while since I've done this on Windows, but here's what worked for me.

    Use either TrueCrypt v7.1a or BitLocker to FDE encrypt both your system and backup drives. Bruce Schneier now favors BitLocker, FWIW. You can either use USB drives or a NAS box for backup. I prefer to use RAID10 whenever possible, so I typically back up to NAS boxes.

    Reconfigure VirtualBox so everything is on one dedicated partition aka drive. Let's say "V:\". By default, all VMs (and snapshots) are in "C:\Users\[username]\VirtualBox VMs", and logs etc are in "C:\Users\[username]\.VirtualBox".

    Use StorageCraft's ShadowProtect or equivalent to create an initial full backup aka base image of "V:\", and recurring incremental backups. With ShadowProtect, you can mount any incremental image, and it shows up as a read-only drive containing all files as they were at that incremental backup. I'm sure that other imaging apps can also do that. But I found ShadowProtect very easy to use, and very reliable.

    I don't recommend automatic backups. FDE encrypted drives are only secure when shut down. An adversary with a portable UPS could easily patch the device's power cord, and steal the device while running. Also, encrypting malware aka ransomware (such as CryptoLocker) will typically encrypt files on all mounted drives, including network shares.
     
  6. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,149
    Location:
    UK
    For information, many desktop motherboards have a TPM header which allows TPM hardware to be plugged in and used by Bitlocker - and it's not expensive, e.g. $20. That's much better than relying on a PIN (on its own) from a number of points of view.

    I've used that on all my desktops for a while now, and it's given good reliable service. What's more, when the system drive is encrypted, you can also store the additional disk credentials transparently so you don't need to enter passwords when plugging the disk in.

    You know the importance of keeping good key recovery records.....!
     
  8. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,416
    mirimir, is this a joke? Oh no! Bruce Schneier, what are you thinking :(
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Nope, no joke. Read his blog.
     
  10. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,416
    I am so depressed now :(
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    I still say TrueCrypt. Maybe it's not supported, but it did well in the code review.

    I've heard that the VeraCrypt team are not as knowledgeable as one would like.

    Maybe another TrueCrypt fork will shine.
     
    Last edited: Jul 13, 2015
  12. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,416
    Hmmm I've used VeraCrypt and it seemed pretty good security wise. I've found the main developer to be pretty smart in his forum replies. But I dunno now o_O
     
  13. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,149
    Location:
    UK
    Not only Bruce Schneier, also Micah Lee in the Intercept. And me of course! The way I look at it is the focus on Bitlocker is moot when you are already using Windows. And Bitlocker offers major advantages over any of the alternatives for the Windows-only platform, not only fully supported, but other factors including TPM. If your expectations of what you are protecting are consistent with using Windows anyway, then Bitlocker is a reasonable solution, and covers normal commercial threats. Its use doesn't preclude using TC or other facilities in any case.

    My personal desire isn't for a replacement/enhancement of TC, it's a better way of having fully encrypted individual files that cannot easily be accessed by user-space malware. An open TC archive or other FDE is completely open to these attacks.
     
  14. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,416
    Sorry, I cannot believe that the Mr. Bruce Schneier advocates using Bitlocker :(

    My home machines are Debian & Qubes Linux. However, 1 of my 4 work machines is Windows. I can't for the life of me ever think about running Bitlocker.

    At least with TrueCrypt and VeraCrypt you can review the code. With Bitlocker you have blind trust in MS that they haven't made a mess of Bitlocker.
     
  15. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,149
    Location:
    UK
    It's not quite blind trust, and hopefully nothing gets unqualified trust (and open source is not a panacea either, many eyes still left Heartbleed there for years, for example).

    Bruce knows and worked with the original MS Bitlocker lead developer Niels Ferguson, and rates him. Corporates and governments do get lab access to Windows code, including Bitlocker (yes, I know that's not ideal).

    And, on the Richter scale of threats, isn't it much easier to exploit some Windows bloat, there's no end to that? Nor is Linux immune....

    My view is that you are much better off focussing on providing more entropy and different sources for the RNG. And partitioning with VMs/ Qubes as you are already doing.
     