"markbyrn" <email@example.com> wrote in message
> One doesn't need to be a security guru to realize the inherent
> weakness in making non-encrypted backups of your encrypted data.

So it's a good thing the backup program warned you about it and told you to
store your backups in a physically secure location, right?

> the options are to either use a third-party program like
> DriveCrypt (or TrueCrypt when they have a Vista ready release) to
> secure the backup drive or not back up at all. If you choose the
> former option, you don't need BitLocker and the latter option is
> untenable. Of all the Ultimate Extras, I was hoping BitLocker would
> save the day. Oh well.

Actually it isn't that simple at all. To back up with encryption, either the
backup program stores the encryption keys/details with the backup, which
would take us back to the backup being insecure unless it's stored in a
physically secure location, or you rely on setting a password to secure the
backups, which means you're at the mercy of the user a) setting a good
password to begin with and b) not forgetting it. Past experience suggests
that people will manage to fall down on both those conditions, picking a
weak and easy-to-crack password, forgetting it, then whingeing like hell about
it, prompting someone to write a "password recovery" tool which can then easily
be subverted for malicious purposes.

Or you can fail to worry about any of that, in which case you don't have a
proper backup suitable for DR purposes because it doesn't worry about
backing up anything required to re-create the encrypted state of the data,
just the data in encrypted format. Hence it relies on the computer it was
backed up from being in perfect working order when a restore is needed.
Great for people who delete files by mistake and want to restore them but
lousy for someone whose computer did a halt and catch fire and who needs to
restore their data to a new machine.

Life is full of compromises. How to deal with backing up encrypted data is
just another set of compromises to be worked out.