How is data encrypted by backup software


I encrypt my hard disk with BitLocker. My backup program tells me it can only perform a “sector by sector” backup, whatever that is. So, when I back up, is the backup encrypted or not? If not, how should I back up securely?

As with so many things, the answer is: it depends.

Different backup programs work in different ways, particularly when it comes to encrypted disks.

And even then, what actually happens may not reflect what probably should happen.

Whole-disk encryption

As the name implies, whole-disk encryption (of the type performed by BitLocker and other software) encrypts everything on your hard disk. More correctly, it encrypts everything in a partition.

Traditionally, when we think about encryption, we’re worried about our files. There are many different approaches to encrypting individual files or groups of files. Whole-disk encryption bypasses all this by ignoring files completely, and encrypting everything at the next level down, where the data is actually written to disk.

What’s important to realize is that whole-disk encryption encrypts more than files; it encrypts information about the files, including the file system information that allows the operating system to locate where files are on the disk.

Since the operating system needs that information in order to work, disks encrypted this way are “mounted” – using the encryption password or key – which allows the unencrypted contents of the disk to be accessed normally. Without the encryption password or key, you can’t access the drive’s contents, period. If that’s your system drive, you can’t even boot Windows until the correct password or key is supplied.

This leads to an interesting dilemma when it comes to backing up.

Backing up an encrypted disk

There are two ways to “see” a hard disk:

  • Mounted: a password or key has been supplied, and the contents of the disk are accessible.
  • Not mounted: the contents of the disk are just a collection of sectors, each containing encrypted data. Without the decryption key, they appear to be random data.

That leads to two ways, conceptually, to back it up:

  • Content-aware: this means the backup program can see all files on the disk, and can back up using that information. This is how most backup programs (including image backups) work: they locate and back up only the actual files that are currently stored on a hard disk.
  • Sector-by-sector: when a backup program is unable to understand the contents of a disk, it has no way to locate individual files or folders, and no way to understand what’s on the disk. The only thing it can back up is each physical sector on that disk, because it might contain data.

If your system drive is encrypted, there are two general scenarios for backing up:

  • Inside Windows: If you install a backup program in Windows, and run that program from within Windows, it works because you’ve mounted the system drive and supplied the password. The system drive is completely accessible, not only to Windows itself, but all the programs you run in Windows, presumably including your backup program. It should be able to perform a content-aware backup just as if the system drive were not encrypted.
  • Outside Windows: If you instead boot from a backup program’s recovery disk in order to perform a backup (an option in many backup programs), then you’ll not have mounted your Windows system disk, and its contents will not be accessible to the backup program. The only option the backup program has is to back up sector-by-sector.

Unfortunately, things aren’t quite so simple.

Backup program confusion

Note my use of the words “presumably” and “should” when describing how a backup program works in Windows. For reasons unknown, not all work that way. Some fail to back up an encrypted drive or partition, even though the partition is mounted and accessible in Windows itself.

In fact, I’ve had reports of failures I can’t reproduce. For example, backing up a BitLocker-encrypted system drive in Windows 10 using EaseUS Todo works for my laptop without any change to the normal process of backing up. Others have reported that it fails, and explicitly points to BitLocker when doing so.

Some backup programs state you must decrypt the drive (remove BitLocker, for example) in order to back it up, at which point you can re-encrypt it. Not only does that take significantly more time, it can’t be automated, and, quite honestly, doesn’t make much sense to me.

As we’ll see in a moment, I think it’s important that you be able to back up from within Windows.

Is the backup encrypted?

A sector-by-sector backup is, by definition, encrypted using whatever whole-disk encryption technology is being used. I say “by definition” because the very reason a backup program might resort to a sector-by-sector backup is because it can’t understand the encrypted data.

Backups taken from within Windows while the disk is mounted and accessible are typically not encrypted. The fact that the disk is mounted and accessible means that the backup program neither knows nor cares that encryption was used at all. It simply does what it does, which is to back up what it sees: the unencrypted original contents of the hard disk.
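Here is a toy model, added to this article as an example (it is not BitLocker's on-disk format and not the code of any backup program), that makes the two views concrete: a small partition whose every sector, file table included, is encrypted under a volume key; a mount() that needs that key; and the two backup styles described above, one reading raw sectors and one reading mounted files. Real volumes use the AES-XTS tweakable cipher; the model stands in an HMAC-SHA256 keystream tweaked with the sector number, and the key, sector counts, file names and contents are all constructed for the demo.

```python
"""Toy model of a whole-disk-encrypted partition and the two ways to back it up.
Constructed for this example: not BitLocker's on-disk format, not any backup
product's code. Real volumes use AES-XTS; here each sector is XORed with an
HMAC-SHA256 keystream tweaked by its sector number (same shape: every sector,
metadata included, is encrypted independently under one volume key)."""
import hashlib
import hmac

SECTOR_SIZE = 512
NUM_SECTORS = 64  # a 32 KiB "partition"; sector 0 holds the file table

def sector_keystream(key: bytes, sector_no: int) -> bytes:
    """Keystream for one sector, derived from the volume key and the sector number."""
    out = b""
    counter = 0
    while len(out) < SECTOR_SIZE:
        msg = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:SECTOR_SIZE]

def write_sector(disk: list, key: bytes, n: int, plaintext: bytes) -> None:
    """Whatever is written lands on disk as ciphertext, file system metadata included."""
    disk[n] = bytes(p ^ k for p, k in zip(plaintext.ljust(SECTOR_SIZE, b"\0"), sector_keystream(key, n)))

def read_sector(disk: list, key: bytes, n: int) -> bytes:
    return bytes(c ^ k for c, k in zip(disk[n], sector_keystream(key, n)))

def sectors_for(length: int) -> int:
    return (length + SECTOR_SIZE - 1) // SECTOR_SIZE

def format_volume(key: bytes) -> list:
    """Fresh partition: every sector, used or not, holds ciphertext (of zeros)."""
    disk = [b""] * NUM_SECTORS
    for n in range(NUM_SECTORS):
        write_sector(disk, key, n, b"")
    return disk

def read_table(disk: list, key: bytes) -> dict:
    """Parse the file table in sector 0; garbage here means the key is wrong."""
    try:
        text = read_sector(disk, key, 0).rstrip(b"\0").decode("ascii")
        return {name: (int(first), int(length))
                for name, first, length in (line.split() for line in text.splitlines())}
    except ValueError as exc:  # UnicodeDecodeError is a ValueError as well
        raise ValueError("cannot mount volume: wrong key") from exc

def write_file(disk: list, key: bytes, name: str, data: bytes) -> None:
    """Append a file after the ones already present and rewrite the (encrypted) table."""
    table = read_table(disk, key)
    first = 1 + sum(sectors_for(length) for _, length in table.values())
    for i in range(sectors_for(len(data))):
        write_sector(disk, key, first + i, data[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE])
    table[name] = (first, len(data))
    write_sector(disk, key, 0, "\n".join(f"{n} {f} {l}" for n, (f, l) in table.items()).encode("ascii"))

def mount(disk: list, key: bytes) -> dict:
    """Mounting = supplying the key. The result is what Windows, and any backup
    program run inside Windows, sees: named files in the clear."""
    files = {}
    for name, (first, length) in read_table(disk, key).items():
        raw = b"".join(read_sector(disk, key, first + i) for i in range(sectors_for(length)))
        files[name] = raw[:length]
    return files

def sector_by_sector_backup(disk: list) -> bytes:
    """Recovery-disk view: no key, no files, just every sector, used or not."""
    return b"".join(disk)

def content_aware_backup(disk: list, key: bytes) -> dict:
    """In-Windows view: only the files that exist, and only in the clear."""
    return mount(disk, key)

def demo() -> dict:
    key = hashlib.sha256(b"constructed demo volume key").digest()  # constructed
    disk = format_volume(key)
    write_file(disk, key, "notes.txt", b"SECRET PLAN: " + b"x" * 900)
    write_file(disk, key, "todo.txt", b"buy milk")
    image = sector_by_sector_backup(disk)     # taken from a recovery disk, no key
    files = content_aware_backup(disk, key)   # taken inside Windows, volume mounted
    restored = [image[i:i + SECTOR_SIZE] for i in range(0, len(image), SECTOR_SIZE)]
    try:
        mount(disk, hashlib.sha256(b"some other key").digest())
        wrong_key_mounts = True
    except ValueError:
        wrong_key_mounts = False
    return {
        "sector_backup_bytes": len(image),
        "sector_backup_has_plaintext": b"SECRET PLAN" in image,
        "sector_backup_restores_with_key": mount(restored, key) == files,
        "content_backup_bytes": sum(len(v) for v in files.values()),
        "content_backup_has_plaintext": b"SECRET PLAN" in files["notes.txt"],
        "wrong_key_mounts": wrong_key_mounts,
    }
```

demo() reports that the sector-by-sector image is the full 32 KiB with no plaintext anywhere in it, and that it restores only when the volume key is supplied, while the content-aware backup is just the 921 bytes of the two files, in the clear. That is this section's point in miniature: the sector image is protected by the volume's own key (which is why that key must be kept safe), and the in-Windows backup is protected by nothing at all.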

If it’s important to you that such a backup be encrypted, you need to take additional steps. That means either of two things:

  1. Choose a password or encryption option within the backup program itself, assuming it has one.
  2. Encrypt the resulting backup file(s) yourself, using some kind of encryption tool; for example, you might create a password-protected zip file containing the backup after it’s completed, or place the backup in a VeraCrypt-encrypted volume.

My recommendation

Whole disk encryption is a fine thing, and I use BitLocker on my Windows laptop, as well as Apple’s equivalent on my Macs.

I recommend that you:

  • Back up using a program that allows “content-aware” backups. In other words, if you install it and run it within Windows with your encrypted disk mounted and accessible, and it complains, that’s not the program I’d use. It should just work.
  • Remember that this backup will, itself, not be encrypted.
  • Save the backup securely somehow. That could mean encrypting it, as described above. It could also mean that you’ve structured your backups to be secure some other way – perhaps backing up your laptop over a network at home to a device you trust is sufficiently secure for your needs. (This is what I do.)
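A quick way to act on the second point, by checking rather than assuming, is this added example (it is not part of any backup product): it scores a backup file chunk by chunk on entropy and compressibility, flags anything that still looks like plaintext, and runs on three constructed sample "backups". The thresholds and the samples are my own choices for the demo.

```python
"""Does this backup file look encrypted? Added example, not any backup product's code.
Two cheap signals per 4 KiB chunk: Shannon entropy (bits per byte) and how far zlib
can shrink it. Document-like plaintext scores low on both; ciphertext scores near 8
and does not compress. Caveat: a backup the program already compressed also looks
random, so "looks random" means "not obviously plaintext", never proof of encryption."""
import math
import os
import zlib
from collections import Counter

CHUNK = 4096        # only full chunks are scored; a short tail gives an unstable estimate
ENTROPY_MIN = 7.8   # 4096 uniformly random bytes score about 7.95
RATIO_MIN = 0.98    # compressed size / original size; random data comes out near 1.0

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def compression_ratio(data: bytes) -> float:
    return len(zlib.compress(data, 9)) / len(data) if data else 1.0

def assess(data: bytes) -> dict:
    """Share of chunks that look random, the weakest chunk, and a one-line verdict."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data) - CHUNK + 1, CHUNK)]
    if not chunks:
        raise ValueError(f"need at least {CHUNK} bytes to score")
    scores = [(shannon_entropy(c), compression_ratio(c)) for c in chunks]
    random_like = sum(1 for e, r in scores if e >= ENTROPY_MIN and r >= RATIO_MIN)
    share = random_like / len(chunks)
    return {
        "chunks": len(chunks),
        "random_like_share": share,
        "lowest_entropy": min(e for e, _ in scores),
        "verdict": ("no plaintext-like chunks (encrypted or compressed)" if share == 1.0
                    else "contains plaintext-like data; treat as unencrypted"),
    }

def assess_file(path: str) -> dict:
    """Same check over a real file on disk."""
    with open(path, "rb") as f:
        return assess(f.read())

# Constructed samples standing in for three backup files (not real backups).
DOCUMENT_TEXT = (b"Quarterly report: revenue up, costs flat. Action items: renew "
                 b"contracts, review the access list, rotate passwords. ")
PLAINTEXT_BACKUP = (DOCUMENT_TEXT * 1000)[:8 * CHUNK]   # what an in-Windows backup holds
ENCRYPTED_BACKUP = os.urandom(8 * CHUNK)                 # stand-in for ciphertext
MIXED_BACKUP = PLAINTEXT_BACKUP[:4 * CHUNK] + ENCRYPTED_BACKUP[:4 * CHUNK]  # clear header, then random
```

assess_file(path) runs the same check on an actual backup file. Read the verdict as "not obviously plaintext" rather than "encrypted": image backups are often compressed, and a compressed but unencrypted backup scores the same as ciphertext. The useful direction is the other one: if you chose the backup program's password option and the file still contains plaintext-like chunks, something was left in the clear.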

But above all, do back up.

Yes, this does represent a change in my position from days past. The caveat to using whole-disk encryption and BitLocker safely is to a) back up, as we’re discussing here, and b) safely and securely save the encryption key created when the disk is originally encrypted.

Posted: January 6, 2017 in: Backing Up & Backup Programs


Leo Who?

I'm Leo Notenboom and I've been playing with computers since I took a required programming class in 1976. I spent over 18 years as a software engineer at Microsoft, and after "retiring" in 2001 I started Ask Leo! in 2003 as a place to help you find answers and become more confident using this amazing technology at our fingertips. More about Leo.