On Sun, Aug 22, 2010 at 1:12 PM, Edward Ned Harvey <lop...@nedharvey.com> wrote:
>> From: tech-boun...@lopsa.org [mailto:tech-boun...@lopsa.org] On Behalf Of Brian Mathis
>>
>> Acronis and other disk imaging tools should have no problem with FDE. The FDE drivers work at a layer below the OS and filesystem, and
>
> Sorry, that's not correct. First of all, I tested it here today, with TrueImage and TrueCrypt. After encrypting the whole disk with truecrypt, poor little trueimage won't even run ... So I checked acronis support, and they acknowledge all over the place that it doesn't work.
>
> They say your options are: (a) Decrypt the drive, perform a backup, and re-encrypt the drive, or (b) perform a byte-for-byte image of the drive, in which case, the entire drive including empty space will be backed up, and you can't do incrementals.
>
> This seems to be the general case. General WDE / FDE solutions are not compatible with general complete system backups. There are some exceptions ... There is a Casper backup product which is made explicitly to work with PGP, for example.
>
> What I'm looking for are those cases ... Which WDE/FDE solutions are compatible with which complete-system incremental backup solutions.
OK, maybe there's a qualification here... the tools I've successfully used operate inside the OS after it's booted. If you're trying to image from a separate boot disk or something, that's not going to work.

>> I have made images many times using the built-in Complete PC Backup, and restored them with no problem. The only issue is that the image you make is not encrypted, so that media is vulnerable, as well as when you restore the image you need to re-encrypt the disk.
>
> That is valuable information. I assume you're talking about Backup & Restore center, in Windows 7 Pro/Ultimate, right? What are you using for encryption?

Yes, I've been using the built-in Windows tools since they are free* and so far I have not had any problems. I'm not doing complex image management, just backups and restores of systems in the case of hardware failure, etc... I have used both CompuSec Free and Truecrypt with the same results, though it's been a while since using Compusec.

> ...
> Since you said the encryption is taking place below the OS level, I wanted to expand upon my reply on that:
>
> The encryption is somehow happening both *before* the OS starts, and also *inside* the OS. But the encryption does not stay below the OS while the OS is running. This is evidenced by several facts: (a) when I benchmark my system with encryption on it, I see the "System" process consuming a large amount of CPU. This would not happen, for example, if my OS were a guest in a virtualization setup where the host was handling encryption outside of my OS. So I conclude, my OS is performing the encryption, probably in a driver. (b) If the encryption were happening underneath the OS, then the OS would be free to do whatever it likes ... repartition, reformat, or install any OS you wish. This would imply you can install any OS you wish, and there is no encryption software that I can find, which is compatible with all OSes.
>
> I suspect that the truecrypt bootloader is able to decrypt enough to launch the NT kernel, and then the NT kernel is loading a special driver to handle the encrypted disk instead of the generic / standard sata disk driver.

I said below the file system and VSS, not OS. Anything running on a system needs to be inside the OS somewhere. TrueCrypt is indeed running as a device driver inside the kernel, which is why you see CPU usage inside the "System" process (kernel). I think your description of the boot process is pretty accurate.

_______________________________________________
Tech mailing list
Tech@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/