Password and encryption, TI and encrypted harddisks

Discussion in 'Acronis True Image Product Line' started by Yellow-Cab-Driver, Mar 18, 2005.

Thread Status:
Not open for further replies.
  1. Yellow-Cab-Driver

    Yellow-Cab-Driver Registered Member

    Joined:
    Mar 17, 2005
    Posts:
    16
    Location:
    Berlin - Germany
    Hello to you alle here!
    I have two questions:

    1. Are the images encrypted when protected by password and if yes, using which algorithm/keylength?

    2. Does anybody know if it is possible to use TI to make backups of full encrypted harddisks, e.g. of a laptop with pre-boot-key-entry and on-the-fly encryption.

    Thanks alot, I appreciate very much your work here! :)
     
  2. Acronis Support

    Acronis Support Acronis Support Staff

    Joined:
    Apr 28, 2004
    Posts:
    25,885
    Hello Yellow-Cab-Driver,

    Thank you for your interest in Acronis True Image (http://www.acronis.com/homecomputing/products/trueimage/).

    1. We do not encrypt images when it is protected with password because we do not find it necessary. The password is needed only to be able to restore and explore the image.

    2. We do not recommend to use full encrypted hard disks with Acronis True Image because after restoration the disk may become unbootable.

    Thank you.
    --
    Ilya Toytman
     
  3. Yellow-Cab-Driver

    Yellow-Cab-Driver Registered Member

    Joined:
    Mar 17, 2005
    Posts:
    16
    Location:
    Berlin - Germany
    Thanks for your quick answer!
    But one more question: when i got it right, TrueImage is capable of doing sector-by-sector images of harddrives (eg. of corrupted disks). Wouldn't this be also possible for doing images of encrypted disks. I am aware that this would only be possible if imaging is started when the system is offline (using the recovery-cd).
     
  4. Hi guys,

    the answer to that question would also be very interesting for me! Has anybody here experience with Utimaco's SafeGuard Easy in that regard?

    Best
    AI
     
  5. Yellow-Cab-Driver

    Yellow-Cab-Driver Registered Member

    Joined:
    Mar 17, 2005
    Posts:
    16
    Location:
    Berlin - Germany
    Well, nobody answers. So nobody has any experiences?!
    I wonder if i could go on using TI for imaging my future PGP-Whole-Disk-encrypted laptop. Perhaps i should try and find out if it works, when there is a bit spare time to do so...
    Again: has anybody some experience?? :doubt:
     
  6. kite

    kite Guest

    i use ntfs (efs) encryption on certain directories of my laptop. it gives no problems with restoring.
     
  7. Acronis Support

    Acronis Support Acronis Support Staff

    Joined:
    Apr 28, 2004
    Posts:
    25,885
    Hello Yellow-Cab-Driver and AlsoInterested,

    We regret to inform you that you can create sector-by-sector image only in case your hard drive is corrupted or the file system is unknown for Acronis True Image. Current version of Acronis True Image doesn't allow you to use this mode in other cases.

    Thank you.
    --
    Ilya Toytman
     
    Last edited: Jun 12, 2005
  8. Yellow-Cab-Driver

    Yellow-Cab-Driver Registered Member

    Joined:
    Mar 17, 2005
    Posts:
    16
    Location:
    Berlin - Germany
    I am very sorry, to hear about that. That would prevent me from going on using TI for my laptop backups when switching to a higher security through encrypted partitions... :doubt:
    Perhaps i should put something like this on the wish-list?!...
     
  9. Acronis Support

    Acronis Support Acronis Support Staff

    Joined:
    Apr 28, 2004
    Posts:
    25,885
    Hello Yellow-Cab-Driver,

    You are welcome to post in our wish-list everything you wish to have in our software. We will certainly consider all your wishes.

    Thank you.
    --
    Irina Shirokova
     
  10. Yellow-Cab-Driver

    Yellow-Cab-Driver Registered Member

    Joined:
    Mar 17, 2005
    Posts:
    16
    Location:
    Berlin - Germany
    Thanks, i posted it in the wishlist! :)
     
  11. I assumed that a whole-disk encryption would automatically render a partition or whole disk "corrupted" in the view of Acronis True Image, hence creating a sector-by-sector image.

    Isn't that right?

    Best,
    AlsoInterested
     
  12. Acronis Support

    Acronis Support Acronis Support Staff

    Joined:
    Apr 28, 2004
    Posts:
    25,885
    Hello AlsoInterested,

    We cannot guarantee that the encrypted disk (or partition) will be recognized by Acronis True Image as corrupted. Furthermore, the main problem that may appear if you use encrypted disk with Acronis True Image is that after the restoration disk will not boot as I posted above.

    Thank you.
    --
    Ilya Toytman
     
  13. aoz

    aoz Registered Member

    Joined:
    Jun 8, 2005
    Posts:
    223
    ENCRYPTION of hard drive, and backup

    Dear support,
    I do feel it is important to have SOME mechanism to do backups/images of ENCRYPTED drives (AND to somehow better-protect a password-protected image)
    With Identity theft, etc, this is becoming all-the-more important. CAN you forward this to the enhancements people, or how to further encourage them to work on this?

    I have a TAblet Pc.
    I use SecureDoc, from WinMagic.
    I am experimenting with backing up the image, and then restoring, and then doing WinMagic's Emergency Master Boot REcovery to see if that works.

    When you indicate that a RESTORE might not work as the drive might not reboot, is that BECAUSE THE ACTUAL RECOVERED PARTITION IS DIFFERENT, or because possibly the master boot record is affected?

    Any feedback is apprecaited.
    I have a spare machine with some removable hard drives and am willing to experiment with various scenario's for bckup/encrypt/restore.

    ALSO, if any individuals have some experience with this, please post here, and possibly make this an ongoing thread on encryption
     
  14. wdormann

    wdormann Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    480
    In other words, nobody should rely on the ATI password feature to protect sensitive material. :doubt:
     
  15. aoz

    aoz Registered Member

    Joined:
    Jun 8, 2005
    Posts:
    223
    Actually, that is not totally correct.
    If you do the backups from WINDOWS, you could do a long (unlimited) length, theoritically, as you cuould create a long random password in a TEXT file, and cut/copy/paste it iinto the Password field

    WHAT IS THE LIMITATION OF THE PASSWORD field, anyway?

    Then, a hacker would have to overcome that password.

    YOUR (and MY) only problem would be at a subsequent RESTORE, to ave to type the password in.

    AND, they'd need the program to do it also (so, a random joe off the street would have little chance of hacking a lost disk)


    AND, with ENCRYPTION, you again use your password to access the file, and the appropriate program, so again, the longer your password, the better the encryption.

    What we COULD do is get one of the freeware encryption programs, and back up using True Image, and then encrypt the hard-drive backup file, and then burn to DVD

    That sounds like a lot, but to protect sensitive data, that sequence isn't too bad.

    Take a look at the BIG BOYS - citibank, colleges, etc - losing tapes, non-encrypted, etc, with YOUR and MY data on them !!
    THEY can't even get it right.

    If ACRONIS gets a handle on helping us back up (and RESTORE) encrypted hard drives, they'd be saints !
     
  16. wdormann

    wdormann Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    480
    Your password could be one character or a thousand characters... if the file is not encrypted, you don't have to brute-force the password, so the length or complexity of the pass is irrelevant.

    With a password-protected ATI image, it is possible to change a relatively small number of bytes and you will now end up with an image that is not password protected.

    I will not go into any further details here, as I do not believe it is relevant. But I will re-state again:

    Nobody should rely on the ATI password feature to protect sensitive material.
     
  17. aoz

    aoz Registered Member

    Joined:
    Jun 8, 2005
    Posts:
    223
    I do agree with you.
    That's why I have a safe at my house to lock the backups up.

    I do think , as I ponder this, that currently an option is one of the standalone encryption programs, to use after teh backup.
    disadvantage, it involves even more time.

    Others out there, any feedback, ideas, etc?
    thanks
     
  18. wdormann

    wdormann Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    480
    That is correct. Using third-party encryption products is not very useful to most users due to the extra steps required for image creation / restoration.

    I just want to make sure that people aren't making the false assumption that enabling a password is somehow going to prevent somebody from accessing their files, should an image somehow fall into the wrong hands. (as the documentation somewhat alludes to)

    The Enterprise of TrueImage allows for scripting, so some sort of automation could probably take place, such as using strong crypto after image creation, such as GPG. Restoration would require an extra step of decrypting before restoring, but if security is required in your case, then it is a must.
     
  19. aoz

    aoz Registered Member

    Joined:
    Jun 8, 2005
    Posts:
    223
    OK, some testing of backup/recovery from an encrypted drive, using TrueImage, SecureDoc, and some of my older utility disks.


    Started with Hard Drive Z (HD-Z) (c: d: e:)

    Copied c: to HD-Y (c: 10 gig, and has 20 gig unallocated)

    Encrypted HD-Y

    Made Emerg_01.nrb Emergency Disk, with EmergencyDisk1

    Booted with Recovery disk of TrueImage,
    and made IMAGE of HD-Y c: drive, as Encrypt-01

    (this worked OK, but SLOW, on the desktop unit, as it was able to see the external USB drive attached.
    BUT, PROBLEM if this is done on a notebook PC where the USB drive is NOT able to be seen)

    DESTROY HD-Y, delete partition, write blanks with DISKEDIT to sector zero, etc

    Boot, with RECOVERY CD of TrueImage
    RESTORE Encrypt-01, to HD-Y

    Boot with Emerg_01 Emergency Disk

    ATTEMPT to do MBREC (master boot recovery) of SecureDoc

    PROBLEM - CANNOT run this from CD

    RE-connectetd my OLD FLOPPY
    COPY teh folder of Emerg-01, from CD to Floppy

    RAN the MBREC program, and also answered "Y" to "restore prior Secure-zone data

    REBOOTED the HARD DRIVE

    HD-Y was successfully recovered


    ---------------------------------
    PROBLEMS with this scenario
    1. need utilities to clean off the HD-Y, before recovering, because if you recover
    to a previously-encrypted drive, the first sectors still have some drive ID info, and
    mess up the recovery
    (this would NOT be a problem if recovering to a NEW drive)
    2. CANNNOT run this from CD - This is ESSENTIAL, especially for Notebook/tablet PC's
    ----------------------------------------

    6/12/05 11:00 AM, I have posted this here, and emailed it to SecureDoc, and to Acronis,
    as I'm experimenting with other scenario's to see how to best recover a notebook, and
    any feedback is appreciated.
     
  20. aoz

    aoz Registered Member

    Joined:
    Jun 8, 2005
    Posts:
    223
    Continuing in my testing.....

    QUESTION to ACRONIS -

    One item I forgot to add, above, was that when I did the image-creation of Encrypt-01, from the recovery CD,
    T.I. told me that there were errors on the partition and that it was going to do a SECTOR-by-SECTOR image creation.
    (I understand that the encryption causes false impression of the err0rs)

    Is there a way to FORCE T.I. to DO the sector-by-sector image, (from BOTH the WINDOWS AND the BOOT cd version) or will it always do that if the partition is encrypted?

    I feel this is important, if that is what it takes to get a reliable image for encryption, because I'm working on some other scenarios where that switch may be important.

    thanks
    Nick
     
  21. Acronis Support

    Acronis Support Acronis Support Staff

    Joined:
    Apr 28, 2004
    Posts:
    25,885
    Hello Nick,

    As I stated above Acronis True Image creates images in sector-by-sector mode only in case the file system is corrupted or unknown for Acronis True Image. There is no way to switch onthis mode for regular file systems, I am afraid.

    Thank you.
    --
    Ilya Toytman
     
  22. Yellow-Cab-Driver

    Yellow-Cab-Driver Registered Member

    Joined:
    Mar 17, 2005
    Posts:
    16
    Location:
    Berlin - Germany
    I saw, here was some testing going on. Is there any news to publish. I am very interested in the results!

    I can again invite everybody to put in the wishlist the wish for support of encrypted harddrives!

    I'd love if it'd work! :)
     
  23. DTR

    DTR Registered Member

    Joined:
    Nov 14, 2005
    Posts:
    1
    Interesting thread this one as most disk encryption vendors and disk imaging vendors have come across these types of questions quite frequently over the years.

    Coming from an "imaging" background and now working in the encryption space, I am setting out to do some tests with various disk imaging products on the market so I would welcome Acronis to get in contact with me at their earliest opportunity.

    I have tested 1 disk imaging product sucessfully working with a disk encryption product where the disk is imaged sector by sector where the disk is fully encrypted. Benefit is being able to roll back the image if need be and ensure the data in the image is secure.

    :ninja:
     
  24. Acronis Support

    Acronis Support Acronis Support Staff

    Joined:
    Apr 28, 2004
    Posts:
    25,885
    Hello DTR,

    Thank you for yuor interest in Acronis Disk Backup Software.

    Thank you for your contact information you sent to us via PM. I will forward it to the appropriate people.

    Thank you.
    --
    Irina Shirokova
     
  25. aoz

    aoz Registered Member

    Joined:
    Jun 8, 2005
    Posts:
    223
    DTR, info on what you have found would be appreciated.
    Problem seems to be that OLDER dos-based programs could do this, but new Windows-based bootups have a harder time, if encryption is present.
    Any feedback appreciateed
    Nick
     
Thread Status:
Not open for further replies.