Mixing TrueCrypt whole disk encryption with Acronis True Image Home backups

Submitted by Roman on

I've been using TrueCrypt's whole disk encryption together with Acronis TrueImage Home partition images for quite a while now, and have recently performed a restore. I wasn't sure whether the restore was going to work, and it wasn't completely smooth, so read on if you're considering a similar set up.

Back-up set-up

For a very long time now, I've been separating my system and data partitions. The system volume (C:) contains the operating system, all programs that require installation, and settings. It tends to have 30-50 GB of files on it. The data volume contains everything else, and is huge. Where possible (namely, on desktops), they reside on different physical disks.

The original logic behind this split was to simplify clean reinstalls of the OS: by wiping “C:”, I end up deleting pretty much only the things that one has to delete to get a clean install, while all the things that don't need to be deleted (including "portable" programs) remain on the data volume, unaffected.

Acronis True Image Home

This set-up turned out to be perfect for whole-partition image backups, too. The image ends up being reasonably small, since the the hundreds of gigabytes of random stuff reside on a separate partition. The restores work well too, because all programs which work only when installed correctly get restored along with the OS.

So, on my desktop I run such whole partition snapshots weekly and store them on the data partition (which is a separate physical drive and thus protects against physical HDD failure), and the laptop is backed up to the desktop's data partition once a month or so. This approach has saved me tons of time: whenever an SDK or a set of dodgy drivers from a hobby hardware maker mess things up beyond all repair, I can always perform a perfect roll-back to an earlier state.

The software I use for these backups is Acronis True Image Home. While I have certainly had way more utility out of it than the money I paid for it, I can't really say I love it. It has a number of really annoying issues, so keep that in mind. But it has yet to fail me in performing its core function, and that is what matters the most when it comes to backups.

TrueCrypt

To protect my laptop in case it's stolen or I lose it, I use TrueCrypt whole disk encryption. In this mode, I must enter my passphrase before boot commences, and absolutely everything on the drive other than the bootloader is encrypted. This certainly feels very secure, and I trust that it actually is very secure. One might argue it's overkill given what I want to protect (logged-in browser sessions, mostly), but it's a bit like WEP (Wired Equivalent Privacy) in Wi-Fi: the only thing approaching equivalence to being physically behind a brick wall is government-level cryptography.

This poses a problem for backups: the data physically on the disk is incompressible and indistinguishable from random noise, and the backup program can't know which parts are really just free space that doesn't need backing up. I found humongous image files completely unacceptable, and so the procedure for safe backups described on TrueCrypt's website was out of the question. So were backups using Acronis off a bootable CD.

Fortunately, True Image 2012 supports backups from within the encrypted OS, even though the Acronis Knowledge Base seems to suggest otherwise. It works exactly the same as the images I usually take: True Image creates an image file containing all the files, unencrypted, as well as the MBR.

As a side-effect of encrypting the whole drive, my data partition was also encrypted. This was certainly desirable, but I expected this to cause at least some difficulties if I were ever to attempt to perform a whole image restore. So, for a long time I wasn't really sure whether these images were at all restorable, and if so, how hard this would be. And untested backups are one of those things... some say they are as good as no backups.

This weekend, I've finally had a go at performing a restore, and it mostly worked. Incidentally, to give you an idea for why I value this ability, the issue was that after installing a bunch of Atmel developer tools, including several unsigned drivers, I stopped being able to switch Wi-Fi networks easily: the laptop would connect to the first network, but it would never succeed reconnecting to another one. No amount of uninstalling and System Restore rollbacks helped, so it was time to risk it and attempt the whole image restore.

The Restore

I am going to describe what I did and what it led to. This isn't necessarily a good how-to guide, since I did not experiment with possibly better ways of doing things. Some steps may have been redundant, I wouldn't know. With this in mind...

The summary

  • Make sure you have a TrueCrypt recovery CD and a backup of absolutely everything of any importance from the drive to which you will be restoring (including secondary partitions).
  • Boot from the True Image recovery CD.
  • Perform a standard restore, selecting both the MBR and the partition.
  • Reboot. You will see TrueCrypt's prompt, but typing the passphrase won't work.
  • If you haven't disabled the ability to skip pre-boot authentication, skip it (by pressing Esc). If you have, boot using the TrueCrypt recovery CD, which should have the option to skip the authentication. Once skipped, Windows will start booting.
  • Run TrueCrypt, select "Permanently Decrypt System Partition/Drive". This will remove TrueCrypt's bootloader.
  • Reboot. The TrueCrypt bootloader prompt will now be gone.
  • Restore any secondary partitions by mounting them in TrueCrypt, moving all the data out, and recreating them from scratch.
  • Re-encrypt the whole drive.

It might be easier to decrypt the system volume first, before the True Image restore, but will probably take more time overall.

The longer story

First of all, do not attempt a restore from within the OS. I knew True Image would very likely write something to the MBR to boot outside the OS and do the work, and I suspected this might fail because of TrueCrypt's own bootloader. And fail it did. After restart, the system was unbootable, displaying the messages “MBR Error 1” and “MBR Error 3”.

So, I booted off a True Image 2012 recovery CD, and started a standard restore. I selected both the MBR and the partition, and this completed without a hitch. After the reboot, I was greeted by the TrueCrypt bootloader, which was now working once again. Entering my passphrase didn't work. For no particular reason, I booted off the TrueCrypt recovery CD, and that just happened to be exactly the right thing to do: it allowed me to skip pre-boot authentication by pressing Esc, which immediately started booting Windows; no passphrases required.

So, clearly, True Image had backed up the decrypted version of the partition, but the TrueCrypt's MBR. Perhaps a future version of TrueCrypt could make True Image see the original MBR when True Image reads it? I hope it might, one day.

Once back in Windows, I started by checking that the problem I was trying to fix was, in fact, fixed. It was, and so I proceeded. I now needed to somehow remove the TrueCrypt's bootloader and put the original one back, despite the fact that the system volume itself was already decrypted. Fortunately this didn't confuse TrueCrypt. Simply selecting "Permanently decrypt system partition/drive" was all that was needed. This step completed nearly instantly, and a reboot proved that I was now back to a pristine, decrypted version of Windows from two months ago!

Well... almost.

Secondary partition

My secondary partition was still there in the Disk Management snap-in, but it was shown as having the "RAW" filesystem. Its drive letter was there in Explorer, but when clicked, Explorer offered to re-format it.

Given the nature of the restore, I assumed it was pretty much gone, unrestorable – which was fine, since I had copied all files off it to another drive before the restore. To my surprise, when I asked TrueCrypt to mount it, just out of curiosity, it worked perfectly well, despite the fact that it was, quite literally, just half of a whole disk encrypted volume. TrueCrypt must have been designed to make this work; I can't see it being an accident.

To mount such a partition, use the "Select device..." button in TrueCrypt, and then in "Mount options" select the checkbox labelled "Mount partition using system encryption without pre-boot authentication". I do wonder why TrueCrypt doesn't simply attempt enabling this option when you enter the passphrase and it fails to decrypt the volume using the standard encryption mode. Probably an oversight.

The ability to mount this partition is, unfortunately, only a curiosity or a last resort: I could not find a way to decrypt it in-place, nor re-encrypt the first half of the disk to regain a fully-encrypted system. The documentation states that it's impossible to decrypt such a volume in-place.

I thought I could re-encrypt just the system drive and then add the second partition to the "favourite volumes", making it auto-mount on boot, but this didn't work either. After I booted the re-encrypted system, I could no longer mount the secondary volume as before. Instead, TrueCrypt gave me a truly cryptic (ha ha) error message:

In this mode, you cannot mount a partition located on a drive whose portion is within the key scope of active system encryption.

Before you can mount this partition in this mode, you need to either boot an operating system installed on a different drive (encrypted or unencrypted) or boot an unencrypted operating system.

This must be a technical limitation within TrueCrypt code, since I don't see anything that could possibly fundamentally preclude this.

Bottom line: you will have to delete and re-create any secondary partitions which remain encrypted as a result of whole-disk encryption, and if you hadn't backed up all the files before you started the restore (which I feel is a very bad idea), you'll have to get the files out of it before you re-encrypt the system partition.

Re-encrypting

By now we're back to a fully working and decrypted system, so re-encrypting is, firstly, optional, and secondly, no different to how one would do it normally.

Would I do it again?

Yes. This experience confirms that it's possible to combine TrueCrypt and True Image, and perform a full partition restore. This post is long, but with the steps known, the restore itself is not that much harder than a restore of an unencrypted system. To me, the benefits outweigh the trouble, and restores are rather rare anyway.

Tags: