Windows Backup Doesn’t Play Nicely with TrueCrypt
Posted: November 16th, 2008 | Author: Jon | Filed under: Software | Tags: AES, backup, encryption, full disk encryption, my passport, portable hard drive, security, TrueCrypt, western digital, windows
I keep both my PC and laptop hard drives protected with full disk AES encryption using free software from the TrueCrypt Foundation. Not because I have anything to hide, or have done anything overwhelmingly illegal, or am planning a government coup; I protect my equipment because I’m a big nerd. Cryptography has always been an interest of mine, and a couple of courses on the subject along with some reading have fuelled that interest to the point where I like to experiment with cryptography in my spare time.
As a responsible computer user, I also like to keep backups of my important files, namely my schoolwork, my code library, and my digital music collection. The easiest way that I have found to run timely, dependable backups on a Windows system is to use the built-in backup tool (often only installed by default on the more expensive editions of Windows). It uses a handy shadow-copy technique that allows it to back up a file even if it is currently in use, and supports some excellent compression and incremental backup techniques that reduce the space required for full system backups. Short of installing a RAID array in my personal machine, I feel that this is the easiest and most secure way of creating full machine backups in a timely and non-intrusive manner.
Unfortunately, as I have found in the last couple of days, Windows Backup doesn’t play nicely with a disk that has been encrypted by TrueCrypt. I recently purchased a portable 250GB hard drive to save my backups to. It came with some backup software already installed, but frankly, the included app was slow as sin and crashed twice before I even started backing my drive up. So I reformatted the drive and decided on Windows Backup instead.
The drive sits on my desk, plugged into my machine, silently protecting my data. Now, given my full-disk encryption security policy, it would be illogical to have unencrypted backups of my machine. That pretty much negates any security provided by the disk encryption scheme, so I’d like to have this drive encrypted. TrueCrypt works by encrypting the entire hard drive, including the file tree, which means that Windows (or any other operating system, for that matter) cannot see any of its contents until it is ‘mounted’ by the TrueCrypt software. Once mounted, the drive appears as a virtual drive, and for all intents and purposes, works exactly like a standard physical disk. Except when using Windows Backup.
When setting up a backup, Windows asks you where it should put the backup, and allows you to scan for appropriate physical or network locations to save data to. This scan refuses to recognize the mounted external drive as a legitimate disk, even though the rest of Windows is OK with it. The scan also prevents you from saving a backup to the disk being backed up, which is a pain because it would provide an easily scripted workaround to the problem. Windows help gives no further information, except by saying that Windows Backup does not support removable thumb drives, which is an outright lie, because I can choose my 8GB thumbstick with no problems, but it doesn’t have the capacity that I require.
Now, as TrueCrypt acts as a software layer between Windows’ I/O functions and the physically encrypted drive, encrypting and decrypting all traffic that passes through it, I would imagine that their software simply hasn’t enabled some obscure API call that Windows relies on to determine if a drive is an appropriate backup location. So the issue is probably with TrueCrypt and not with Windows, but in my mind, Windows should allow users who know what they’re doing to put their backups wherever they please, because frankly, there’s no excuse for this tomfoolery.
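Before blaming either side, it is worth seeing what Windows itself reports about the mounted volume, since the help text's complaint about removable drives is the one concrete clue on offer. The PowerShell below is an added example and not code from the original post; it assumes the TrueCrypt volume is mounted as X: and the system disk is C:, and it works on the WMI classes that Vista ships with.

```powershell
# Added example (not from the original post): show what Windows reports about
# a mounted TrueCrypt volume next to a real fixed disk.
# Assumptions: TrueCrypt volume mounted as X:, system disk is C:.
# Win32_LogicalDisk.DriveType: 2 = removable, 3 = local fixed disk, 4 = network, 5 = CD-ROM.

$DriveTypeNames = @{ 2 = "Removable"; 3 = "Fixed"; 4 = "Network"; 5 = "CD-ROM" }

foreach ($letter in "C:", "X:") {
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$letter'"
    if (-not $disk) { Write-Output "$letter is not present"; continue }

    $type = $DriveTypeNames[[int]$disk.DriveType]
    if (-not $type) { $type = "Other($($disk.DriveType))" }

    "{0} type={1} fs={2} size={3:N0} GB free={4:N0} GB" -f `
        $letter, $type, $disk.FileSystem, ($disk.Size / 1GB), ($disk.FreeSpace / 1GB)
}

# Win32_Volume (Vista and later) also exposes the volume GUID path that the
# mount manager assigned, which is what backup tools tend to key on.
Get-WmiObject Win32_Volume -Filter "DriveLetter='X:'" |
    Select-Object DriveLetter, DriveType, FileSystem, DeviceID, Capacity
```

If X: comes back as Removable while C: is Fixed, TrueCrypt's own preference "Mount volumes as removable media" (Settings, Preferences) is the first thing to toggle and retest, because that is exactly the property the help text says Windows Backup rejects. On editions that ship wbadmin, running `wbadmin start backup -backupTarget:X: -include:C: -quiet` from an elevated prompt is also worth a try, since it bypasses the wizard's location scan; whether it accepts a TrueCrypt volume where the wizard does not is not something this post establishes.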
Since I cannot seem to coerce Windows into allowing me to use my encrypted drive, the only option I have left that maintains my security policy is to use a Visual Basic app that my roommate wrote for fun. It performs backups of any folder on your machine to any other folder (networked or local), and supports a full suite of encryption and compression methods, based on a couple of open-source libraries that he has incorporated. The problem with his workaround is that it does not (to the best of my knowledge) take advantage of Windows’ shadow copy feature, and thus will not be able to back up files that are in use at the time of the backup.
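The shadow-copy gap is the one part of this that any folder-to-folder tool can close itself: take a VSS snapshot of the source volume, copy from the frozen view, and let the destination be the mounted TrueCrypt volume. The script below is an added example, not the roommate's utility or anything from the original post. It assumes an elevated PowerShell prompt on Vista or later, a source folder under C:, and the TrueCrypt volume mounted as X:; the folder and drive letter are placeholders.

```powershell
# Added example (not the author's or his roommate's code): back up an in-use
# folder by copying it out of a VSS snapshot onto a TrueCrypt volume mounted as X:.
# Assumptions: elevated prompt, Vista or later, placeholder paths below.

$SourceVolume = "C:\"                     # volume to snapshot
$SourceFolder = "Users\Jon\Documents"     # folder inside that volume (assumed)
$Destination  = "X:\Backup\Documents"     # mounted TrueCrypt volume (assumed letter)
$LinkPath     = "C:\vss_link"             # temporary directory link into the snapshot

# 1. Take a client-accessible shadow copy. Files open for writing by other
#    programs are still readable from the snapshot, which is all Windows
#    Backup's shadow-copy trick amounts to.
$vss    = [wmiclass]"root\cimv2:Win32_ShadowCopy"
$result = $vss.Create($SourceVolume, "ClientAccessible")
if ($result.ReturnValue -ne 0) {
    throw "Win32_ShadowCopy.Create failed with code $($result.ReturnValue)"
}
$shadow = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }

try {
    # 2. The snapshot lives at \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN.
    #    Explorer cannot open that path, but a directory symbolic link can point
    #    at it; the trailing backslash is required.
    cmd /c mklink /d $LinkPath "$($shadow.DeviceObject)\" | Out-Null

    # 3. Copy the frozen view of the folder onto the encrypted volume.
    #    /E recurses (including empty folders); /COPY:DAT keeps data, attributes
    #    and timestamps; /R and /W keep robocopy from retrying forever.
    robocopy (Join-Path $LinkPath $SourceFolder) $Destination /E /COPY:DAT /R:1 /W:1

    # robocopy exit codes below 8 mean success (0 = nothing new, 1 = files copied).
    if ($LASTEXITCODE -ge 8) {
        throw "robocopy reported failures (exit code $LASTEXITCODE)"
    }
}
finally {
    # 4. Remove the link (rmdir deletes the link, not what it points at) and the
    #    snapshot, so the frozen copy of the data does not linger on the disk.
    if (Test-Path $LinkPath) { cmd /c rmdir $LinkPath | Out-Null }
    $shadow.Delete() | Out-Null
}
```

Two things to keep in mind: the snapshot itself sits on C:, so it is covered by the same full-disk encryption as the live files, and the copy only lands in ciphertext because X: is the TrueCrypt-mounted letter; point $Destination at the raw external disk and you are back to the unencrypted-backup problem the post is trying to avoid. Dismount X: in TrueCrypt when the copy finishes, otherwise the backup is as readable as the running machine.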
For the time being, I will continue my experimentation, and should I get it to work, I will most certainly post a copy of his backup utility for all to use. If anybody with a similar setup has found a workaround to Windows’ incessant pickiness when choosing backup locations, or knows of a decent encrypted backup solution that I haven’t covered, I would appreciate the heads-up.
Cheers,
Jon