Backing up Bitlocker Encrypted Drive Equals Not Encrypted

When attempting to use the backup utility on the Bitlocker protected
drive, the following informative notification is received:

"You have chosen to backup disk C: which is encrypted. The backup
location will not be encrypted. Make sure the backup is kept in a
physically secure location."

One doesn't need to be a security guru to realize the inherent
weakness in making non-encrypted backups of your encrypted data. So
the options are to either user use a third party program like
DriveCrypt (or TrueCrypt when they have a Vista ready release) to
secure the backup drive or not backup at all. If you choose the
former option, you don't need Bitlocker and the latter option is
untenable. Of all the Ultimate Extra's, I was hoping Bitlocker would
save the day. Oh well.

The weakness you refer is eliminated by "kept in a physically secure
location."
There is no weakness if the data is properly secured.
The security required depends on the sensitivity of the data.
Many use a safe deposit box or other off site secure location.
For less sensitive, some use something as simple as a locked filing
cabinet.

--
Jupiter Jones [MVP]
http://www3.telus.net/dandemar
http://www.dts-l.org


"markbyrn" <markbyrn@gmail.com> wrote in message
news:1172977195.168096.65390@t69g2000cwt.googlegroups.com...
> When attempting to use the backup utility on the Bitlocker protected
> drive, the following informative notification is received:
>
> "You have chosen to backup disk C: which is encrypted. The backup
> location will not be encrypted. Make sure the backup is kept in a
> physically secure location."
>
> One doesn't need to be a security guru to realize the inherent
> weakness in making non-encrypted backups of your encrypted data. So
> the options are to either user use a third party program like
> DriveCrypt (or TrueCrypt when they have a Vista ready release) to
> secure the backup drive or not backup at all. If you choose the
> former option, you don't need Bitlocker and the latter option is
> untenable. Of all the Ultimate Extra's, I was hoping Bitlocker
> would
> save the day. Oh well.

"markbyrn" <markbyrn@gmail.com> wrote in message
news:1172977195.168096.65390@t69g2000cwt.googlegroups.com...
> One doesn't need to be a security guru to realize the inherent
> weakness in making non-encrypted backups of your encrypted data.

So it's a good thing the backup program warned you about it and told you to
store your backups in a physically secure location, right?

> So
> the options are to either user use a third party program like
> DriveCrypt (or TrueCrypt when they have a Vista ready release) to
> secure the backup drive or not backup at all. If you choose the
> former option, you don't need Bitlocker and the latter option is
> untenable. Of all the Ultimate Extra's, I was hoping Bitlocker would
> save the day. Oh well.

Actually it isn't that simple at all. To backup with encryption, either the
backup program stores the encryption keys/details with the backup which
would take us back to the backup being insecure unless it's stored in a
physically secure location, or you rely on setting a password to secure the
backups which means you're at the mercy of the user a) setting a good
password to begin with and b) not forgetting it. Past experience suggests
that people will manage to fall down on both those conditions, picking a
weak and easy to crack password, forget it, then whinge like hell about it
prompting someone to write a "password recovery" tool which can then easily
be subverted for malicious purposes.

Or you can fail to worry about any of that, in which case you don't have a
proper backup suitable for DR purposes because it doesn't worry about
backing up anything required to re-create the encrypted state of the data,
just the data in encrypted format. Hence it relies on the computer it was
backed up from being in perfect working order when a restore is needed.
Great for people who delete files by mistake and want to restore them but
lousy for someone whose computer did a halt and catch fire and who needs to
restore their data to a new machine.

Life is full of compromises. How to deal with backing up encrypted data is
just another set of compromises to be worked out.

--
Robert Moir
http://www.rhymeswithgeek.com

On 3 Mar 2007 18:59:55 -0800, "markbyrn" <markbyrn@gmail.com> wrote:

>"You have chosen to backup disk C: which is encrypted. The backup
>location will not be encrypted. Make sure the backup is kept in a
>physically secure location."
>
>One doesn't need to be a security guru to realize the inherent
>weakness in making non-encrypted backups of your encrypted data. So
>the options are to either user use a third party program like
>DriveCrypt (or TrueCrypt when they have a Vista ready release) to
>secure the backup drive or not backup at all.

How about EFS for the backup media?

"Jeffery Jones" <keineverbung@newsgroups.nospam> wrote in message
news:gvpqv294d4c9a1s5hen0l17vb6f8ni1981@4ax.com...
> On 3 Mar 2007 18:59:55 -0800, "markbyrn" <markbyrn@gmail.com> wrote:
>
>>"You have chosen to backup disk C: which is encrypted. The backup
>>location will not be encrypted. Make sure the backup is kept in a
>>physically secure location."
>>
>>One doesn't need to be a security guru to realize the inherent
>>weakness in making non-encrypted backups of your encrypted data. So
>>the options are to either user use a third party program like
>>DriveCrypt (or TrueCrypt when they have a Vista ready release) to
>>secure the backup drive or not backup at all.
>
> How about EFS for the backup media?


Also, if the backup target drive is a USB external hard drive, you can use
manage-bde.wsf to enable BitLocker on the external hard drive.

Then you simply have the issue of how to keep your keys backed up.

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.