> From: [email protected] [mailto:[email protected]] On Behalf
> Of Brian Mathis
> 
> Acronis and other disk imaging tools should have no problem with FDE.
> The FDE drivers work at a layer below the OS and filesystem, and

Sorry, that's not correct.  First of all, I tested it here today, with
TrueImage and TrueCrypt.  After encrypting the whole disk with TrueCrypt,
poor little TrueImage won't even run ... So I checked Acronis support, and
they acknowledge all over the place that it doesn't work.

They say your options are:  (a) Decrypt the drive, perform a backup, and
re-encrypt the drive, or (b) perform a byte-for-byte image of the drive, in
which case, the entire drive including empty space will be backed up, and
you can't do incrementals.

This seems to be the general case.  General WDE / FDE solutions are not
compatible with general complete system backups.  There are some exceptions
... There is a Casper backup product which is made explicitly to work with
PGP, for example.

What I'm looking for are those cases ... Which WDE/FDE solutions are
compatible with which complete-system incremental backup solutions.


> I have made images many times using the built-in Complete PC Backup,
> and restored them with no problem.  The only issue is that the image
> you make is not encrypted, so that media is vulnerable, as well as
> when you restore the image you need to re-encrypt the disk.

That is valuable information.  I assume you're talking about Backup &
Restore center, in Windows 7 Pro/Ultimate, right?  What are you using for
encryption?

...

Since you said the encryption is taking place below the OS level, I wanted
to expand upon my reply on that:

The encryption is somehow happening both *before* the OS starts, and also
*inside* the OS.  But the encryption does not stay below the OS while the OS
is running.  This is evidenced by several facts:  (a) when I benchmark my
system with encryption on it, I see the "System" process consuming a large
amount of CPU.  This would not happen, for example, if my OS were a guest in
a virtualization setup where the host was handling encryption outside of my
OS.  So I conclude, my OS is performing the encryption, probably in a
driver.  (b) If the encryption were happening underneath the OS, then the OS
would be free to do whatever it likes ... repartition, reformat, or install
any OS you wish.  This would imply you can install any OS you wish, and
there is no encryption software that I can find, which is compatible with
all OSes.

I suspect that the TrueCrypt bootloader is able to decrypt enough to launch
the NT kernel, and then the NT kernel is loading a special driver to handle
the encrypted disk instead of the generic / standard SATA disk driver.



_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
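The following is an added example, not code from the original post, from
Acronis, or from TrueCrypt. It illustrates option (b) above, the byte-for-byte
image of an encrypted disk: because the encryption layer makes the device an
opaque byte stream, a backup tool cannot tell used blocks from free ones and
must image everything, and any "incremental" on top of that image has to be
done at the block level by comparing chunk hashes rather than by walking the
filesystem. A regular file stands in for the block device, the chunk size
(64 KiB), the file and function names, and the use of sha256sum (or shasum)
are all assumptions made for the example; the "encrypted" data is
constructed from /dev/urandom.

```shell
#!/bin/sh
# Added example, not code from the original post, Acronis, or TrueCrypt.
# Treat the encrypted disk as an opaque byte stream, take one full image,
# then ship only the chunks whose hash changed since that image.
# Assumptions: a regular file stands in for the block device, 64 KiB chunks,
# sha256sum (or shasum) is available. File and function names are hypothetical.
set -eu

CHUNK=65536

hash_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi
}

# Write one "index hash" line per chunk of image $1 into manifest $2.
hash_chunks() {
  img=$1; out=$2
  size=$(wc -c < "$img")
  n=$(( (size + CHUNK - 1) / CHUNK ))
  : > "$out"
  i=0
  while [ "$i" -lt "$n" ]; do
    h=$(dd if="$img" bs="$CHUNK" skip="$i" count=1 2>/dev/null | hash_stdin | cut -d' ' -f1)
    printf '%s %s\n' "$i" "$h" >> "$out"
    i=$((i + 1))
  done
}

# Print the chunk indexes whose hash differs between old manifest $1 and new manifest $2.
changed_chunks() {
  awk 'NR == FNR { old[$1] = $2; next } old[$1] != $2 { print $1 }' "$1" "$2"
}

# Copy only the changed chunks of image $1 into directory $2 (the "incremental"),
# using old manifest $3 and new manifest $4.
save_increment() {
  img=$1; dir=$2; mkdir -p "$dir"
  for i in $(changed_chunks "$3" "$4"); do
    dd if="$img" of="$dir/$i.chunk" bs="$CHUNK" skip="$i" count=1 2>/dev/null
  done
}

# Rebuild: start from the full image $1, overlay the chunks in $2, write to $3.
restore() {
  cp "$1" "$3"
  for f in "$2"/*.chunk; do
    [ -e "$f" ] || continue
    i=$(basename "$f" .chunk)
    dd if="$f" of="$3" bs="$CHUNK" seek="$i" count=1 conv=notrunc 2>/dev/null
  done
}

# End-to-end run on constructed data; prints "changed=<n> restore=<ok|bad>".
run_demo() {
  work=$(mktemp -d)
  # Constructed "encrypted disk": 8 chunks of random bytes, which is what
  # ciphertext looks like to a backup tool that cannot see inside the volume.
  dd if=/dev/urandom of="$work/disk.img" bs="$CHUNK" count=8 2>/dev/null
  cp "$work/disk.img" "$work/full.img"            # the one-time byte-for-byte image
  hash_chunks "$work/full.img" "$work/full.manifest"
  # The OS writes into chunk 3; with sector-granular FDE only that chunk's ciphertext changes.
  dd if=/dev/urandom of="$work/disk.img" bs="$CHUNK" seek=3 count=1 conv=notrunc 2>/dev/null
  hash_chunks "$work/disk.img" "$work/new.manifest"
  save_increment "$work/disk.img" "$work/inc1" "$work/full.manifest" "$work/new.manifest"
  n=$(ls "$work/inc1" | wc -l | tr -d ' ')
  restore "$work/full.img" "$work/inc1" "$work/restored.img"
  if cmp -s "$work/disk.img" "$work/restored.img"; then ok=ok; else ok=bad; fi
  rm -rf "$work"
  printf 'changed=%s restore=%s\n' "$n" "$ok"
}

run_demo
```

The full image is still the whole device, free space included, because
nothing below the encryption layer can tell a free sector from a used one;
what the chunk manifest buys you is that subsequent runs only copy the chunks
whose ciphertext actually changed. Restoring produces ciphertext, so the
target still needs the same encryption software and key to boot.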
