Using VeraCrypt/TrueCrypt with TeraByte’s Imaging Programs

Introduction

Using disk encryption can present many challenges when it comes to imaging and restoring drives. Creating the incorrect type of backup or restoring an image using the wrong options can easily result in being unable to access any data on the drive. With disk encryption becoming increasingly popular, it's more important than ever to be able to reliably create and restore image backups of an encrypted system.

VeraCrypt is a free open-source on-the-fly disk encryption software program. With support for the multiple versions of Windows (including XP, Windows 7, and Windows 10), it allows users an easy method of protecting their sensitive systems and data. Note: VeraCrypt is based on TrueCrypt 7.1a, which ended development in 2014. While this article mainly refers to VeraCrypt, it is also applicable to TrueCrypt as they are functionally similar.

VeraCrypt supports three different types of encrypted volumes:

File Container
Non-system Partition/Drive
System Partition or Entire System Drive

Each type and how it affects using the TeraByte's imaging programs is detailed below. By utilizing this information, you will be able to avoid potential problems and determine the best backup configuration for your VeraCrypt encrypted system. It is recommended to read through the entire article as some information may be relevant to more than one type.

Basic knowledge of how to use VeraCrypt is assumed. If you are new to VeraCrypt, you may find it helpful to read the VeraCrypt documentation before proceeding (a link is provided at the end of the article).

Versions used in Testing

The following program versions were used in the testing for this article:

VeraCrypt 1.18, 1.19
TrueCrypt 7.0a & 7.1a

Note: Using the current versions of the TeraByte imaging programs is recommended.

Installing VeraCrypt and Image for Windows

There is no particular installation order required for Image for Windows and VeraCrypt. Either can be installed first. Note that it is not necessary to install Image for Windows if you will only be using Image for DOS, Image for Linux, or Image for Windows from WinPE (e.g. TBWinRE/TBWinPE). Even in this case, though, having Image for Windows installed provides greater flexibility when working with images.

Image for Windows can be safely installed even if VeraCrypt System Partition encryption or Entire System Drive encryption has already been enabled.

Using Image for Linux (GUI) with VeraCrypt

Image for Linux (GUI) includes the Linux version of VeraCrypt. This allows mounting of encrypted partitions and being able to back up and restore those partitions in the decrypted state while the volume remains encrypted. The backups can be of used sectors and can be compressed normally (unlike raw images created from the partitions in their encrypted state). Once VeraCrypt is used to mount the encrypted partition (or container), backing up and restoring the partition is very similar to the same procedures on an unencrypted partition, though there are limitations. The basic steps for each are outlined below. Using the current version of Image for Linux (GUI) is recommended to provide the best support for mounted VeraCrypt volumes.

Please note that "IFL" refers to Image for Linux (GUI) in the following instructions.

Using VeraCrypt to Mount a Partition

Close IFL if it's running. IFL may not detect the VeraCrypt partition if it's running when the partition is mounted.
Open VeraCrypt.
Select an empty slot to use as the mount point.
Click Select Device... and select the encrypted device (e.g. /dev/sda1).
Click Mount.
Enter the password. For a partition using system encryption the password will be the same one you use when booting.
Click Options to expand the window and display additional options.
For a partition using system encryption, check the Mount partition using system encryption (preboot authentication) option.
Check the Do not mount option. This prevents the VeraCrypt partition from being mounted by the Linux file system.
Click Ok. The partition should mount and show up in the selected slot.

Backing up the VeraCrypt Mounted Partition

Mount the encrypted partition using the instructions above.
Start IFL and go through the backup steps. The VeraCrypt mounted partition will show up as a Linux drive (e.g. /dev/mapper/veracrypt1).
Select the VeraCrypt mounted drive as the source for the backup.
Select your desired backup options and run the backup.

Be aware of the following when backing up:

The backup image can be used normally with TBIView and TBIMount.
The partition's data will be backed up in the decrypted state. You may wish to apply encryption to the image or save it to an encrypted partition (e.g. mount another VeraCrypt partition and save the image to it).
You can back up a VeraCrypt file container by mounting it instead of a partition. When mounting, click Select File... instead of Select Device.... Note that the partition holding the file container must be mounted to the Linux file system before you can browse it.
VeraCrypt does not support mounting logical partitions (those in an extended partition container) that use system encryption (only primary partitions are supported).

Restoring the VeraCrypt Mounted Partition

Mount the encrypted partition using the instructions above.
Start IFL and go through the restore steps. The VeraCrypt mounted partition will show up as a Linux drive (e.g. /dev/mapper/veracrypt1).
Select the VeraCrypt mounted drive as the destination for the image restore.
Select your desired restore options.
On the Summary screen verify that the /dev/mapper/veracrypt# mount point is being used as the destination for the restore.
Run the restore.

Be aware of the following when restoring:

The restore destination should normally be the same VeraCrypt mounted partition as when the backup was created (unless the image is being restored normally to an unencrypted partition).
The partition should not be resized or scaled when restored. While it is possible to resize the partition smaller, this only reduces the file system size - the encrypted partition will not be reduced in size and no free space will be gained. Additionally, VeraCrypt does not support resizing encrypted partitions.
It is not necessary to restore the first track, though restoring it should not cause any issues.
The IFL Restore - Automatic option can be used. However, be sure to verify the correct VeraCrypt mount point is used as the destination. If you have doubts perform a manual restore. Forgetting to first mount the partition using VeraCrypt will result in IFL targeting the drive containing the encrypted partition (restoring in this state would corrupt the drive).

Overview

The following is a quick overview of using Image for Windows, Image for Linux, and Image for DOS on a VeraCrypt system.

VeraCrypt File Container

A virtual encrypted disk within a standard file.
Can be backed up in its encrypted state by imaging the partition containing the file. If file container is mounted in VeraCrypt at time of backup, it is recommended to unmount it first or keep disk activity to a minimum during the backup.
Will be restored when image is restored. Can also be extracted from image using TBIView or TBIMount.
Content of file container can be backed up and restored normally (decrypted state) using Image for Linux (GUI) by first mounting the container with VeraCrypt.

VeraCrypt Non-system Drive Encryption

The entire drive (every sector) is encrypted. Drive is seen as RAW and uninitialized.
When backing up in the encrypted state you must use the Backup Unused Sectors option.
A restore of an encrypted state backup is done normally. Can be to the original drive or a another drive large enough to hold it. Can be restored from Windows or from the boot media.
Encrypted drive can be backed up and restored normally (decrypted state) using Image for Linux (GUI) by first mounting the drive with VeraCrypt.

VeraCrypt Non-system Partition Encryption

A standard non-system partition on an internal or external drive. These partitions are seen as RAW/unformatted.
Standard partition labels cannot be viewed and displayed system type (format) may be incorrect.
Using Image for Windows, Image for DOS, or Image for Linux (CUI), partition can only be backed up in the encrypted state. It is not possible to image the mounted VeraCrypt volume associated with the partition.
When backing up from Windows, it is recommended to either unmount the VeraCrypt partition or keep disk activity to a minimum during the backup.
Partition image created from the encrypted state can be restored normally to its original location or an alternate location and remain valid. Partition should not be resized during the restore.
Images created from the encrypted state cannot be accessed using TBIView and TBIMount.
Encrypted partition can be backed up and restored normally (decrypted state) using Image for Linux (GUI) by first mounting the partition with VeraCrypt.

VeraCrypt System Partition and Entire System Drive Encryption

The Windows system partition or the Windows drive is encrypted. Requires pre-boot authentication password before Windows boots.
Backing up from the boot media can be done normally.
- Partitions are seen as RAW/unformatted. Using Image for Linux (GUI), partitions can be mounted by VeraCrypt and backed up in the decrypted state.
- Partition labels cannot be viewed.
- Logical partitions cannot be backed up separately (must back up entire Extended Partition Container).
- Images cannot be accessed using TBIView and TBIMount (except those created in the decrypted state using Image for Linux (GUI)).
Backing up from Windows using Image for Windows requires PHYLock and can be done in either the encrypted or decrypted state.
- Encrypted State (PHYLock 1st method)
  - The PHYLock driver must be listed before the VeraCrypt driver in the UpperFilters list of the DiskDrive class. Requires manually editing the registry.
  - Partitions are seen as RAW/unformatted.
  - Logical partitions cannot be backed up separately (must back up entire Extended Partition Container).
  - Disk activity must be kept to a minimum during the backup. Even then, PHYLock may fail to cache all changes, causing the backup to fail.
  - Any undetected errors in the backup may render the restored partition(s) unable to be mounted by VeraCrypt. Marginal systems are likely to create corrupted images.
  - Images cannot be accessed using TBIView and TBIMount.
  - It is recommended to back up system encrypted partitions/drives using the boot media.
- Decrypted State (default, PHYLock 2nd method)
  - The PHYLock driver must be listed after the VeraCrypt driver in the UpperFilters list of the DiskDrive class. No registry changes required as this is the default.
  - Partitions are seen normally and are backed up normally.
  - Images can be accessed normally using TBIView and TBIMount.
  - Encryption can be applied using the Image for Windows Encrypt Data option (256-bit AES) if encryption is required in the image.
Images created in the encrypted state (from the boot media or in Windows using the PHYLock 1st method) must be restored from the boot media.
- Partitions must be restored to the same sectors. They cannot be restored to an alternate location on the drive.
- It may be necessary to restore Track 0 to ensure the VeraCrypt MBR, Boot Loader, and Volume Header are valid. This requires using the Restore First Track option and specifying the value 0 (zero). Important: Restoring Track 0 will also return the VeraCrypt pre-boot authentication password to the value it had at the time the image was created.
Images created in the decrypted state (e.g. PHYLock 2nd method) can be restored like a normal image.
- Partitions can be moved and/or resized as part of the restore (restore must be done to an unencrypted drive).
- To enable normal booting of the drive, it is necessary to using the Write Standard MBR Code option and may be necessary to select the Update Boot Partition option and/or the Update BOOT.INI option.
- Drive can be encrypted once again using VeraCrypt (if desired) after verifying it boots correctly.

While this overview gives you a basic understanding of what's required to successfully back up and restore a VeraCrypt system, the remainder of this article provides more in-depth information and examples to enable you to fully understand the differences between the VeraCrypt encryption types and how they affect imaging.

VeraCrypt File Container

What is it?

A VeraCrypt file container is a virtual encrypted disk within a file. The size of the file (virtual disk) is determined at the time of creation. Mounting the file container with VeraCrypt assigns a drive letter to the virtual disk and allows the user to access it normally from Windows. The file container file itself is more or less a normal file and may be copied from one drive to another, renamed, deleted, etc.

Example

A file container 2GB in size is created, named My Encrypted Data.VC, and saved to the D:\VeraCrypt Files folder. The size of the file is the entire size of the container (2GB). My Encrypted Data.VC is then mounted using VeraCrypt and assigned the G: drive letter. At this point, any files stored in the file container can be accessed normally by browsing to the G: drive.

Backing up and Restoring

The TeraByte imaging programs are partition-based, not file-based (backing up and restoring files separately from a partition is not supported). Because VeraCrypt file containers are normal files, they are included in an image backup the same as any other file. In the above example, using Image for Windows to back up the D: partition would also back up the My Encrypted Data.VC file, as it exists on that partition.

Due to the nature of the seemingly random data contained in the encrypted file container, compression of these types of files is nil. Backing up a partition containing only file container files will result in an image size equal to combined sizes of the file container files.

In Windows, while it is possible to create a backup image of a partition that contains a mounted VeraCrypt file container, it is recommended to unmount the file first. Otherwise, keep disk activity on the mounted container to a minimum while the backup takes place. Additionally, Image for Windows will not see the mounted VeraCrypt file container as a valid source for creating a backup image. In the above example, imaging the G: drive is not possible.

When using Image for Linux (GUI) it's possible to mount the file container using VeraCrypt. The mounted partition can then be backed up and restored in its decrypted state.

Restoring the partition image will restore the file container file along with any other files that existed on the partition at the time the backup was created. The files can also be extracted from the backup image by using TBIMount or TBIView and copying out the desired files.

VeraCrypt Non-system Drive Encryption

What is it?

Non-system Drive encryption will encrypt every sector on a drive, including the MBR (Sector 0). This causes the drive to be seen as uninitialized. This type of encryption cannot be enabled on the system drive (the booting drive with Windows). In addition, the drive cannot be used for an operating system or be booted after being encrypted, unless encryption is removed. For example, using Disk Management to initialize the drive will reconfigure it for standard use.

Due to the limitations of this type of encryption and the increased risk of data corruption, it's generally recommended to create a standard partition on the drive and then encrypt the partition using non-system partition encryption (see next section).

Backing up and Restoring

Non-system encrypted drives are seen by the imaging programs as completely RAW — no MBR, no partitions, no disk signature. Making any changes to this type of drive, even just initializing it with Disk Management, will corrupt it. Some corruption, such as disk initialization may be repairable using VeraCrypt to restore the backup Volume Header. Other corruption may cause all access to the encrypted data to be lost.

With the exception of Image for Linux (GUI), the only way to create a backup image is to select the drive and use the Backup Unused Sectors option. The image will be the same size as the drive (encrypted data does not compress). If the Backup Unused Sectors option is not selected, no backup image will be created. When using Image for Linux (GUI) it's possible to mount the drive using VeraCrypt. The mounted drive can then be backed up and restored in its decrypted state.

Restoring a non-system encrypted drive image is a simple matter of selecting the image file, selecting the drive in the image, and selecting the physical destination drive. The restore can be done in Windows using Image for Windows or from a boot disc (TBWinRE/TBWinPE, Image for Linux, or Image for DOS). This type of image can be restored to another drive as long as the drive is large enough to hold it. Note that the VeraCrypt volume will still be the original size when mounted. For example, restoring a 20GB image to an 80GB drive will not increase the size of the VeraCrypt volume (it will still be 20GB).

VeraCrypt Non-system Partition Encryption

What is it?

A non-system partition is any standard partition on which Windows is not installed and that is not a booting partition. The partition can be located on an internal or external drive (USB drive, flash drive, etc.).

In Windows, a non-system partition encrypted with VeraCrypt is usually not assigned a drive letter (the standard Windows assignment would be useless and possibly dangerous as the partition is seen as RAW/unformatted). Instead, the drive letter is provided by VeraCrypt when the partition is mounted. The partition can then be used normally in Windows with VeraCrypt decrypting and encrypting the data as necessary.

Example

Hard Disk 0 (HD0) contains three partitions:

System Reserved, 100MB, NTFS (boot partition)
Windows 7, 75GB, NTFS (assigned C:)
Data partition, 20GB, NTFS (assigned D:)

Using VeraCrypt, the data partition is encrypted. Since the partition was previously assigned a drive letter by Windows, this drive letter is removed using Windows Disk Management. This will prevent the drive from showing up in Explorer as well as greatly decreasing the chance of it being accidentally formatted (which would destroy the encrypted data).

The data partition is mounted with VeraCrypt and assigned the G: drive letter.

Backing up

Non-system encrypted partitions are seen by the imaging programs as RAW/unformatted. Every sector of the partition has been encrypted leaving only the file system type and size available. This means even the standard label of the partition cannot be read or displayed. However, when using TeraByte's BootIt NG or BootIt BM, EMBR labels will be seen on non-system drives if an EMBR exists.

In addition, the file system type (format) reported may not be correct. Using the example above, the data partition before encryption was formatted NTFS and then encrypted and formatted NTFS. NTFS is the reported file system on the partition. On the other hand, if the partition had originally been formatted FAT32 and then encrypted and formatted NTFS, FAT32 would be the reported file system. In other words, any changes made to the encrypted file system are not seen at the base partition level.

With the exception of Image for Linux (GUI), non-system encrypted partitions can never be backed up in a decrypted state using the TeraByte imaging programs (this is true whether the backup is created in Windows or from a boot disc). When using Image for Linux (GUI) it's possible to mount the partition using VeraCrypt. The mounted partition can then be backed up in its decrypted state. In Windows, it is not possible to back up a mounted VeraCrypt non-system encrypted partition since Image for Windows does not detect it as a valid source.

The size of the image backup will be the same size as the partition as compression is nil. Using the above example, a backup of the 20GB data partition will result in a 20GB TBI image file. Depending on the speed of the system, the backup may proceed more quickly if compression is disabled.

When backing up in Windows using Image for Windows, it is recommended to either unmount the VeraCrypt partition or keep disk activity to a minimum during the backup to prevent PHYLock from failing. PHYLock has to buffer all changes to the underlying encrypted partition. Excess changes may cause PHYLock to fail. If this happens, the partition is not corrupted or damaged, but the backup image is and will be deleted by default. Additionally, instructing Image for Windows to use VSS instead of PHYLock will not work as VSS will fail and Image for Windows will revert to using PHYLock.

A byte-for-byte validation (Validate Byte-for-Byte option) will almost always fail when backing up an encrypted partition from Windows. This failure is for the same reason as when backing up unused sectors (Backup Unused Sectors option) — the backup may include the cache of changes, which may change by the time the backup is complete and the validation is run. If the cached changes haven't changed by the time Image for Windows gets to the point of validating them, the byte-for-byte validation will pass. PHYLock will use disk space or RAM for the cache (options for which can be changed in Image for Windows settings). The disk cache does not have to be on the same partition that is being backed up, but it must be on the same physical drive. This means that a backup of an encrypted partition won't cache to the encrypted partition (because it's seen as RAW), but will instead cache to another location on the drive or to RAM if it can't access the drive. Disk changes are written immediately to the drive and the old data is cached — the cache cannot be cached or it would cause a never ending loop. In this case, a failed byte-for-byte validation does not necessarily mean the backup image itself is corrupt (however, it would still be deleted by Image for Windows unless the option to keep failed backups is enabled). If you require absolute byte-for-byte validation, the encrypted partition must be unmounted at the time of the backup and PHYLock cannot be used (back up from Image for Linux, Image for DOS, or Image for Windows from TBWinRE/TBWinPE).

Restoring

Restoring a non-system encrypted partition image is very similar to restoring a normal partition image. The partition can be restored back to its original location or to a different location and remain valid for use with VeraCrypt.

When using Image for Linux (GUI) you can mount the partition using VeraCrypt. A previous backup created from this state (decrypted) can be restored to the mounted partition.

If the partition is restored in Windows a drive letter is usually automatically assigned. Note that the drive letter references the encrypted partition directly. It is recommended to remove the drive letter assignment using Windows Disk Management to avoid potential data loss on the encrypted partition.

It is not possible to resize the encrypted partition when restoring (the file system in use cannot be determined and is unable to be modified). Any attempts would corrupt the data on the encrypted partition.

Restoring a non-system encrypted partition image from outside Windows to a drive using Entire System Drive encryption (see next section) will succeed, but the drive may be corrupted in the process causing data loss. This type of restore is extremely risky and not recommended.

VeraCrypt System Partition and Entire System Drive Encryption

What is it?

There are two types of system encryption used by VeraCrypt. One encrypts only the Windows partition, the other encrypts the entire system drive (the drive with the Windows partition). Both require the user to enter the VeraCrypt pre-boot authentication password before Windows boots.

Special care must be taken when backing up and restoring images of these types of systems. If done incorrectly, the entire system partition or drive can become completely inaccessible and unusable.

Installing

Encrypting the system partition or the entire system drive requires VeraCrypt to make additional changes to the system. VeraCrypt must...

Write the VeraCrypt MBR — Replaces the existing MBR code on the booting drive (Sector 0).
Write the VeraCrypt Boot Loader & Volume Header — Written to Track 0 of the booting drive (replacing existing contents).
Install the veracrypt Windows driver — This driver is required to allow VeraCrypt to provide on-the-fly encryption and decryption of the system partition or system drive. It is installed to the UpperFilters list of the DiskDrive class (GUID 4D36E967-E325-11CE-BFC1-08002BE10318). The driver is inserted at the beginning of the list, before any existing entries.

The list of UpperFilters drivers can be found at the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}

A standard Windows installation may only have PartMgr listed. In this case, after system encryption is enabled, UpperFilters will be: veracrypt PartMgr

The order of the UpperFilters list is especially important when PHYLock is installed because it affects whether or not PHYLock sees encrypted or decrypted data.
(Note: If using TrueCrypt, the driver in UpperFilters is named truecrypt.)
Create the VeraCrypt Rescue Disk — This Rescue Disk is part of the process of enabling system encryption and must be created and validated before encryption takes place. The Disk contains a backup of the original MBR, Track 0, the VeraCrypt Boot Loader, and key data. It also provides the option to permanently decrypt the partition/drive or boot the drive directly.

Image for Windows can be installed either before or after VeraCrypt system encryption is enabled. By default, the PHYLock driver (used by Image for Windows to image live partitions) is installed to the UpperFilters of the DiskDrive class just before PartMgr. This means that the placement of PHYLock in the list of drivers does not change depending on the existence of the veracrypt driver. For example, on a typical system, UpperFilters would be: veracrypt phylock PartMgr

With PHYLock listed before veracrypt, Image for Windows will back up encrypted data because the data has not yet been decrypted by the VeraCrypt driver. This has a profound effect on how Image for Windows functions. This type of system will be referred to as PHYLock 1st. Note that when configured this way, Image for Windows in Windows sees the drive the same as it would outside Windows (e.g. from TBWinPE/RE) — the same as Image for Linux or Image for DOS.

With PHYLock listed after veracrypt, Image for Windows will back up decrypted data because the VeraCrypt driver has decrypted it before PHYLock sees it. In most aspects, a backup of this type is the same as a normal backup where encryption is not involved. This type of system will be referred to as PHYLock 2nd.

Comparison of the PHYLock 1st and PHYLock 2nd Methods

	PHYLock 1st	PHYLock 2nd
File System	The file system cannot be seen so all sectors must be included in the backup	Used sectors can be backed up because the file system can be seen
File Exclusion	Not possible	Paging & hibernation files can be excluded
Compression	None	Functions normally
PHYLock	PHYLock may fail to cache all changes to the drive	Functions normally
Image Size	The size of the partition/drive being backed up	Equivalent to those taken if VeraCrypt was not used
Time Required	Greatly increased	Normal

Volume labels of the system encrypted partitions can be seen normally by Image for Windows , regardless of whether PHYLock 1st or PHYLock 2nd is being used.

Example — Base System

Windows 7 is installed on a 500GB drive, partitioned as follows:

System Reserved, 100MB, NTFS (boot partition)
Windows 7, 75GB, NTFS (25GB used)
Data partition, 100GB, NTFS (10GB used)
Remaining 290GB unallocated

Example A — System Encryption

System encryption is applied to the Base System. This results in the Windows 7 partition being encrypted. The System Reserved partition, Data partition, and unallocated space are not encrypted. The MBR (Sector 0) is not encrypted.

Example B — Entire System Drive Encryption

Entire System Drive encryption is applied to the Base System. All partitions on the drive and the unallocated space are encrypted. The MBR (Sector 0) is not encrypted.

As the type specifies, all partitions on the drive are included in the system encryption. This includes any new partitions created in the unallocated space (note that these must only be created in the running Windows system).

Backing up from outside Windows

Backing up with Image for Windows in TBWinRE/TBWinPE, Image for Linux, or Image for DOS when system encryption is enabled is similar to normal non-encrypted partition/drive backups, but there are a few important differences.

The MBR (Sector 0) is not encrypted. This is necessary for the computer to boot from the drive. The partition table (located in Sector 0) is also available. This allows the imaging programs to see the partitions on the drive. Note that only the partition structure can be seen for encrypted partitions — the volume label, used space, etc. cannot be seen. Unencrypted partitions (like Data in Example A) are seen normally and can be backed up normally.

The imaging programs will not be able to read or display the volume labels for system encrypted partitions. In Example A, the Windows 7 partition label would not be seen, while the System Reserved and Data partition labels would be. Since Example B has Entire System Drive encryption, none of the partition labels can be seen outside Windows.

The following table illustrates how Image for Windows in TBWinRE/TBWinPE, Image for Linux, or Image for DOS would see the partitions used in Example A and Example B.

Partition	Example A	Example B
System Reserved	Normal Volume label visible NTFS 100MB	RAW (unformatted) No volume label NTFS 100MB
Windows 7	RAW (unformatted) No volume label NTFS 75GB	RAW (unformatted) No volume label NTFS 75GB
Data	Normal Volume label visible NTFS 100GB (10GB used)	RAW (unformatted) No volume label NTFS 100GB
290 GB unallocated space*	Unallocated	Unallocated

*Unallocated space will be seen correctly in both cases since all partition sizes are known.

Logical partitions on a drive using Entire System Drive encryption will not be seen. Instead, only the Extended Partition Container is visible. This means that individual logical partitions cannot be backed up separately. Note that for versions of Windows earlier than Vista, VeraCrypt does not support Entire System Drive encryption on drives containing logical partitions.

A backup image of the Example A drive would include normal images of the System Reserved and Data partitions (used sectors only) and all sectors of the Windows 7 partition. The unallocated space would not be included. The resulting backup image size would be approximately 80GB (assuming 50% compression on the 10GB used space on the Data partition).

A backup image of the Example B drive would include all the sectors of all three partitions. The unallocated space would not be included. Since the encrypted data does not compress, the resulting backup image size would be approximately 175GB.

Using Image for Linux (GUI) it's possible to mount a partition with system encryption using VeraCrypt. The partition can then be backed up in the decrypted state (similar to backing up an unencrypted partition). The backup will include only used sectors (by default) and compression will function normally. Please refer to the section near the beginning of the article for details.

Backing up from Windows

The following applies to both the PHYLock 1st and PHYLock 2nd methods:

PHYLock is required. VSS can also be used, but may not succeed in all cases. If VSS fails Image for Windows will revert to using PHYLock.
Partition labels of system-encrypted partitions can be seen normally in Image for Windows.

Backing up from Windows — PHYLock 1st

The PHYLock 1st method of backing up from Windows allows the system-encrypted partitions to be backed up in their encrypted state (similarly to backing up outside Windows). Since this is not the default method, using it requires manually changing the order of the veracrypt and phylock drivers in the UpperFilters of the DiskDrive class.

Proceed as follows to modify the UpperFilters value:

Start the Registry Editor (regedit.exe).
Browse to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}
Right-click on the UpperFilters value and select Modify... from the context menu.
The drivers will be listed one per line. Edit the list and place phylock before veracrypt. This can be done using cut & paste or by typing.
Important: Do not change the order of any other drivers in the list. Do not remove any drivers from the list. Making any incorrect or invalid changes will very likely cause Windows to fail during boot-up with a BSOD.
Click Ok to save the changes. Make sure the list is shown correctly in the display.
Close the Registry Editor.
Restart Windows.

A before and after example of a typical system is shown below:

Registry Value	Before	After
UpperFilters	veracrypt phylock PartMgr	phylock veracrypt PartMgr

The option of creating an image in the encrypted state directly from Windows can be appealing for a number of reasons, including being easily scheduled and that restoring doesn't require re-encrypting the drive. However, it is important to understand the potential problems and increased risk involved.

To help prevent PHYLock from failing during the backup, it is recommended to keep disk activity to a minimum. PHYLock has to buffer all changes to the underlying encrypted partition. Excess changes may cause PHYLock to fail. If this happens, the partition is not corrupted or damaged, but the backup image is and will be deleted by default. Additionally, if instructing Image for Windows to use VSS instead of PHYLock and VSS fails, Image for Windows will revert to using PHYLock.

A byte-for-byte validation (Validate Byte-for-Byte option) will almost always fail when backing up an encrypted partition from Windows. This failure is for the same reason as when backing up unused sectors (Backup Unused Sectors option) — the backup may include the cache of changes, which may change by the time the backup is complete and the validation is run. If the cached changes haven't changed by the time Image for Windows gets to the point of validating them, the byte-for-byte validation will pass. PHYLock will use disk space or RAM for the cache (options for which can be changed in Image for Windows settings). The disk cache does not have to be on the same partition that is being backed up, but it must be on the same physical drive. This means that a backup of an encrypted partition will not cache to the encrypted partition (because it's seen as RAW), but will instead cache to another location on the drive or to RAM if it cannot access the drive. Disk changes are written immediately to the drive and the old data is cached — the cache cannot be cached or it would cause a never ending loop. In this case, a failed byte-for-byte validation does not necessarily mean the backup image itself is corrupt (however, it would still be deleted by Image for Windows unless the option to keep failed backups is enabled). If you require absolute byte-for-byte validation, the encrypted partition must be unmounted at the time of the backup and PHYLock cannot be used (back up from Image for Linux, Image for DOS, or Image for Windows from TBWinRE/TBWinPE).

Any errors in the backup that are not caught by Image for Windows may render the entire backup corrupt. When restored, VeraCrypt may not be able to mount the partition or may not be able to properly decrypt the data if mounting succeeds. The computer system needs to be able to process the backup from start to finish with 100% accuracy to ensure the validity of this type of backup. Marginal systems are very likely to create corrupted images.

It is recommended to create additional backups, either from outside Windows or using the PHYLock 2nd method, and not to rely solely on the PHYLock 1st backups to provide access to your data in the event of a system failure. It is also recommended to create an image of the entire drive instead of the individual partitions, if possible.

Backing up from Windows — PHYLock 2nd

The PHYLock 2nd method of backing up system encrypted partitions from Windows allows Image for Windows to see the partitions normally, in the decrypted state. This is the default method. As when backing up standard unencrypted partitions, Image for Windows is able to apply compression, back up only the used sectors, and exclude the paging and hibernation files. This results in image files the same size as if no encryption were used. In addition, backup images can be viewed using TBIView or mounted using TBIMount, allowing files to be extracted normally.

If encryption is required in the backup image, the Encrypt Data option can be selected to encrypt the image with 256-bit AES encryption (note that you must also specify a password). This option provides an easy way to keep the data being imaged secure while still providing easy access and smaller image sizes. Alternatively, you can save the backup to another mounted VeraCrypt partition.

Restoring Images taken in the Encrypted State

Images created in the encrypted state (either from outside Windows or by using the PHYLock 1st method) cannot be successfully restored while in Windows. These types of restores must be done using Image for Linux, Image for DOS, or Image from Windows in TBWinRE/TBWinPE. Doing the restore in Windows will succeed, but the partition will be corrupted and not mountable with VeraCrypt.

System encrypted partitions cannot be restored to an alternate location. This means they must be restored to the same sectors. The reason for this is that the Volume Header is stored in Track 0 and not in the partition as it is when non-system encryption is used. When the partition is moved, VeraCrypt will still look in the original location and decryption will fail.

Imaging individual partitions from a drive encrypted with Entire System Drive encryption tend to have a higher risk of failure when restored. It is recommended to create periodic images of the entire drive in addition to the partition images if this method is used.

To restore the VeraCrypt MBR and Track 0 data it is necessary to change the default setting of the Restore First Track option. The AUTO value will not properly restore Track 0, which contains the MBR code, the VeraCrypt Boot Loader, and the Volume Header. Specify the value 0 (zero) to restore these items. Specify the value 1 (one) to restore just the MBR. It is recommended to restore Track 0 when a system encrypted drive image or system encrypted partition image is restored to ensure the drive will boot properly. Skipping this step may require the use of the VeraCrypt Repair Disk to enable booting of the drive or performing the restore again with the correct options.

Important: Restoring Track 0 will also return the VeraCrypt pre-boot authentication password to the value it had at the time the image was created.

Restoring Images taken using PHYLock 2nd

An image created using the PHYLock 2nd method contains the decrypted data. Restoring this image will restore the decrypted data (i.e. data is no longer encrypted). For example, if the drive in Example B is backed up in Windows and then restored using Image for Linux, the partitions will contain normal non-encrypted data. VeraCrypt system encryption would need to be activated again to encrypt the drive.

When restoring the system drive to the decrypted state, it is necessary to select the Write Standard MBR Code option and may be necessary to select the Update Boot Partition option and/or the Update BOOT.INI option. If this is not done, the system may require a boot repair before it will boot successfully into Windows.

Do not mix restoring images of system encrypted partitions taken in the encrypted state with those taken in the decrypted state. All partitions need to be either encrypted or decrypted for the system to function correctly.

General Restore Information

Restoring an image of a non-system encrypted partition or a standard image to a drive with system encryption enabled may require restoring to unallocated space. This is due to the lock on the existing partition not being released (Error: Unable to write to device). The existing partition can be deleted prior to the restore using Disk Management, if necessary. A Normal restore must be used (an Automatic restore attempt will fail instantly). Please note that this type of restore applies to a drive with only the system partition encrypted (as in Example A).

When Entire System Drive encryption is used (as in Example B), it is possible to restore a standard partition image or an image of a non-system encrypted partition to the system drive using Image for Windows in Windows. Note that in the case of an encrypted partition, the data will be doubly encrypted — once on the system drive and once in the partition (which must be mounted by VeraCrypt to be accessible).

Please refer to the section near the beginning of this article if using Image for Linux (GUI) to restore to a partition mounted by VeraCrypt.

Mounting and Viewing (TBIMount / TBIView)

Images of standard partitions that include VeraCrypt file container files can be mounted (TBIMount) or viewed (TBIView) normally. The file containers can be extracted just like any normal file and mounted with VeraCrypt.

Images of encrypted partitions (both non-system and system) cannot be opened with TBIView. They can be mounted with TBIMount, but cannot be browsed as there is no detectable file system. Windows will assign a drive letter, but errors if it's accessed (The volume does not contain a recognized file system...). It is not possible to mount the image with TBIMount and then mount the TBIMount drive using VeraCrypt as VeraCrypt only allows mounting of physical partitions.

Images of a VeraCrypt mounted partition created using Image for Linux (GUI) can be mounted (TBIMount) or viewed (TBIView) normally since the backup image contains the decrypted data.

Important Notes

It's not recommended to make any partitioning changes on a drive with VeraCrypt system encryption enabled on it. This means partitions should not be resized or moved. Doing so will very likely corrupt the drive. The only exception is resizing partitions on a drive with Entire System Drive encryption while the encrypted operating system is running.
When only system encryption is used (not Entire System Drive encryption), other VeraCrypt encrypted partitions on the same drive behave identically as those on other non-system encrypted drives (e.g. Image for Windows will only back them up in the encrypted state because it can only see the encrypted partition).
It is recommended to back up a drive with Entire System Drive encryption as a whole instead of individual partitions. This allows the restoration of the drive in its entirety and avoids the possibility of a partition moving and causing possible data loss or corruption.
When TRIM is used on a drive (e.g. SSD), unused sectors may be zeroed out. In this case, backing up the partition in its encrypted state may result in a smaller image than expected since the unused sectors will compress. For example, backing up a 64GB partition with 25GB of data may result in a backup image around 25GB instead of the expected 64GB.

Related Links

VeraCrypt website: https://veracrypt.codeplex.com/
VeraCrypt Documentation: https://veracrypt.codeplex.com/documentation
VeraCrypt recommended backup procedures:
https://veracrypt.codeplex.com/wikipage?title=How%20to%20Back%20Up%20Securely

What is it?

Example

Backing up and Restoring

What is it?

Backing up and Restoring

What is it?

Example

Backing up

Restoring

What is it?

Installing

Example — Base System

Example A — System Encryption

Example B — Entire System Drive Encryption

Backing up from outside Windows

Backing up from Windows

Backing up from Windows — PHYLock 1st

Backing up from Windows — PHYLock 2nd

Restoring Images taken in the Encrypted State

Restoring Images taken using PHYLock 2nd

General Restore Information

Was This Article Helpful?