Backing up Bitlocker Encrypted Drive Equals Not Encrypted

Discussion in 'Windows Vista Security' started by markbyrn, Mar 4, 2007.

  1. markbyrn

    markbyrn Guest

    When attempting to use the backup utility on the Bitlocker protected
    drive, the following informative notification is received:

    "You have chosen to backup disk C: which is encrypted. The backup
    location will not be encrypted. Make sure the backup is kept in a
    physically secure location."

    One doesn't need to be a security guru to realize the inherent
    weakness in making non-encrypted backups of your encrypted data. So
    the options are to either use a third-party program like
    DriveCrypt (or TrueCrypt when they have a Vista-ready release) to
    secure the backup drive or not back up at all. If you choose the
    former option, you don't need Bitlocker and the latter option is
    untenable. Of all the Ultimate Extras, I was hoping Bitlocker would
    save the day. Oh well.
     
    markbyrn, Mar 4, 2007
    #1

  2. The weakness you refer to is eliminated by "kept in a physically secure
    location."
    There is no weakness if the data is properly secured.
    The security required depends on the sensitivity of the data.
    Many use a safe deposit box or other off site secure location.
    For less sensitive, some use something as simple as a locked filing
    cabinet.
     
    Jupiter Jones [MVP], Mar 4, 2007
    #2

  3. markbyrn

    Robert Moir Guest

    So it's a good thing the backup program warned you about it and told you to
    store your backups in a physically secure location, right?
    Actually it isn't that simple at all. To back up with encryption, either the
    backup program stores the encryption keys/details with the backup, which
    would take us back to the backup being insecure unless it's stored in a
    physically secure location, or you rely on setting a password to secure the
    backups, which means you're at the mercy of the user a) setting a good
    password to begin with and b) not forgetting it. Past experience suggests
    that people will manage to fall down on both those conditions, picking a
    weak and easy-to-crack password, forgetting it, then whinging like hell about it,
    prompting someone to write a "password recovery" tool which can then easily
    be subverted for malicious purposes.

    Or you can fail to worry about any of that, in which case you don't have a
    proper backup suitable for DR purposes because it doesn't worry about
    backing up anything required to re-create the encrypted state of the data,
    just the data in encrypted format. Hence it relies on the computer it was
    backed up from being in perfect working order when a restore is needed.
    Great for people who delete files by mistake and want to restore them but
    lousy for someone whose computer did a halt and catch fire and who needs to
    restore their data to a new machine.

    Life is full of compromises. How to deal with backing up encrypted data is
    just another set of compromises to be worked out.
     
    Robert Moir, Mar 4, 2007
    #3
  4. How about EFS for the backup media?
     
    Jeffery Jones, Mar 18, 2007
    #4
  5. markbyrn

    Guest Guest


    Also, if the backup target drive is a USB external hard drive, you can use
    manage-bde.wsf to enable BitLocker on the external hard drive.

    Then you simply have the issue of how to keep your keys backed up.

    Alun.
    ~~~~
     
    Guest, Mar 19, 2007
    #5
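
The suggestion in post #5, as an added example that is not part of the original thread: a batch file that turns on BitLocker for an external backup drive with `manage-bde.wsf` and saves the recovery material that the "keys backed up" remark refers to. The drive letters (E: for the backup drive, F: for separate removable media), the script path under System32 and the output file name are assumptions.

```bat
@echo off
rem Added example, not from the thread.
rem Assumed: E: is the external backup drive, F: is separate removable
rem media that will hold the recovery material.
setlocal
set BDE=cscript //nologo "%SystemRoot%\System32\manage-bde.wsf"
set TARGET=E:
set KEYDIR=F:\

rem 1. Turn on encryption with two recovery protectors: a numerical
rem    recovery password and an external recovery key written to KEYDIR.
rem    Abort if cscript returns a non-zero exit code.
%BDE% -on %TARGET% -RecoveryPassword -RecoveryKey %KEYDIR% || exit /b 1

rem 2. Show conversion progress and protection status for the volume.
%BDE% -status %TARGET%

rem 3. List the key protectors and save the listing next to the recovery
rem    key. The file name is a constructed placeholder. The listing
rem    contains the recovery password in clear text, so F: needs the same
rem    physical protection the thread discusses for unencrypted backups.
%BDE% -protectors -get %TARGET% > "%KEYDIR%bitlocker-recovery-%COMPUTERNAME%.txt"

endlocal
```

Keeping F: apart from the backup drive is what makes a restore to a new machine possible without reintroducing the "keys stored with the backup" problem raised in post #3.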
