IFL Settings for backing up Truecrypt System Partition

User discussion and information resource forum for Image products.
crawfish
Posts: 47
Joined: Mon Jun 24, 2013 9:49 pm

IFL Settings for backing up Truecrypt System Partition

Post by crawfish »

I've read the KB article on Truecrypt, but I'm still not clear on the options I need to use to back up and restore my Truecrypt system partition. My boot drive is configured as:

Boot Drive (SSD)
System partition
Unallocated space (for overprovisioning)

I have encrypted the System Partition only; I'm not using whole drive encryption. My understanding is that I should be able to back up just the system partition, but I'm unclear as to what I need to set the geometry and other settings to in order to ensure that Track 0 and the partition get backed up and restored exactly to their original locations. There are lots of options having to do with MBRs, alignment, and whatnot, and I don't know what to do with them. Can anyone help with this?
TeraByte Support(PP)
Posts: 1644
Joined: Fri Aug 12, 2011 12:51 am

Re: IFL Settings for backing up Truecrypt System Partition

Post by TeraByte Support(PP) »

You don't need to do anything with the geometry settings. Default backup options are generally fine when backing up the encrypted partition (compression can be disabled). When you restore the partition you may also need to use the "Restore First Track" option and specify "0" (zero) to make sure the MBR and Track 0 get restored.

Note that when using IFL GUI it's possible to mount the encrypted Windows partition using TrueCrypt. You can then do a more normal backup of used sectors, use compression, etc. This type of backup can be restored back into its encrypted state by mounting the partition with TrueCrypt and then restoring to the mount point.
crawfish
Posts: 47
Joined: Mon Jun 24, 2013 9:49 pm

Re: IFL Settings for backing up Truecrypt System Partition

Post by crawfish »

TeraByte Support(PP) wrote:
> You don't need to do anything with the geometry settings. Default backup
> options are generally fine when backing up the encrypted partition
> (compression can be disabled). When you restore the partition you may also
> need to use the "Restore First Track" option and specify
> "0" (zero) to make sure the MBR and Track 0 get restored.

Great.

> Note that when using IFL GUI it's possible to mount the encrypted Windows
> partition using TrueCrypt. You can then do a more normal backup of used
> sectors, use compression, etc. This type of backup can be restored back
> into its encrypted state by mounting the partition with TrueCrypt and then
> restoring to the mount point.

Now that would be highly desirable.

Would the Track 0 consideration still apply in that case? If so, I guess the unencrypted Track 0 would be restored without Truecrypt processing it, while Truecrypt would encrypt everything else as it's restored?

And what if the drive were zeroed out or in general Truecrypt was removed? Would using the Truecrypt Rescue Disk be sufficient for getting the drive into shape for the restore?
TeraByte Support(PP)
Posts: 1644
Joined: Fri Aug 12, 2011 12:51 am

Re: IFL Settings for backing up Truecrypt System Partition

Post by TeraByte Support(PP) »

You don't need to worry about Track 0 when restoring to a TrueCrypt mounted drive (there isn't a first track, in this case).

If the drive were zeroed out or otherwise corrupted, you'd probably be better off just restoring the unencrypted image and then encrypting it again than trying to "fix it" for a normal restore.

The basic back up steps would be:
* Boot into IFL GUI.
* Close IFL.
* Open TrueCrypt.
* Select a slot and select a device (e.g. /dev/sda1).
* Click Mount.
* Enter the password (same as the one you use when booting).
* Check the "Mount partition using system encryption (preboot authentication)" option.
* Check the "Do not mount" option (this prevents the TrueCrypt partition from being mounted by the Linux file system).
* Click Ok.
* Start IFL and go through the backup steps. The partition will show up as a Linux drive. For example: /dev/mapper/truecrypt1.
* Select the drive.
* Select your backup options and run it.

To restore, you follow the same mounting steps and select the "truecrypt#" drive as the destination (make sure to verify on the Summary screen that the /dev/mapper/truecrypt# mount is being used).
crawfish
Posts: 47
Joined: Mon Jun 24, 2013 9:49 pm

Re: IFL Settings for backing up Truecrypt System Partition

Post by crawfish »

TeraByte Support(PP) wrote:
> You don't need to worry about Track 0 when restoring to a TrueCrypt mounted
> drive (there isn't a first track, in this case).

Even simpler. Great!

> If the drive were zeroed out or otherwise corrupted, you'd probably be
> better off just restoring the unencrypted image and then encrypting it
> again than trying to "fix it" for a normal restore.

I get that, but I'm using an SSD, and I'm concerned that wear-leveling could leak data into my overprovisioning area before everything is encrypted again. When I install the OS, I don't load any of my files or even create a password for my user accounts before encrypting.

> The basic back up steps would be:
> * Boot into IFL GUI.
> * Close IFL.
> * Open TrueCrypt.
> * Select a slot and select a device (e.g. /dev/sda1).
> * Click Mount.
> * Enter the password (same as the one you use when booting).
> * Check the "Mount partition using system encryption (preboot
> authentication)" option.
> * Check the "Do not mount" option (this prevents the TrueCrypt
> partition from being mounted by the Linux file system).
> * Click Ok.
> * Start IFL and go through the backup steps. The partition will show up as
> a Linux drive. For example: /dev/mapper/truecrypt1.
> * Select the drive.
> * Select your backup options and run it.
>
> To restore, you follow the same mounting steps and select the
> "truecrypt#" drive as the destination (make sure to verify on the
> Summary screen that the /dev/mapper/truecrypt# mount is being used).

Thanks for the instructions. I have a spare system I'm going to try it out on. Actually, I did try making a backup earlier today, and the only thing I did different was allowing Truecrypt to mount the partition for Linux. It went OK, but I won't do that next time. What about when a Truecrypt partition is the destination for the backup? Should I check "Do not mount" for it, too? I'm pretty sure "mnt" was in the paths for both source (partition) and destination (.tbi file).
TeraByte Support(PP)
Posts: 1644
Joined: Fri Aug 12, 2011 12:51 am

Re: IFL Settings for backing up Truecrypt System Partition

Post by TeraByte Support(PP) »

crawfish wrote:
> I get that, but I'm using an SSD, and I'm concerned that wear-leveling could leak
> data into my overprovisioning area before everything is encrypted again. When I
> install the OS, I don't load any of my files or even create a password for my user
> accounts before encrypting.

I was just pointing out that you're also working with the limitations of TrueCrypt. It can be very difficult or impossible to repair a system that's been wiped or corrupted.

> What about when a Truecrypt partition is the destination for the
> backup? Should I check "Do not mount" for it, too? I'm pretty sure
> "mnt" was in the paths for both source (partition) and destination (.tbi
> file).

You will have to mount partitions you need to access as "save to/read from" paths. Note that regular TrueCrypt partitions won't be mounted using the "...System Encryption..." option.
crawfish
Posts: 47
Joined: Mon Jun 24, 2013 9:49 pm

Re: IFL Settings for backing up Truecrypt System Partition

Post by crawfish »

Thanks. I think I have enough to go on now. I tried to get this working a couple of years ago with a WinPE setup and failed, and I've been doing without system images ever since, just backing up my actual data with a file-based backup program. It's really great to see official support for Truecrypt users.
crawfish
Posts: 47
Joined: Mon Jun 24, 2013 9:49 pm

Re: IFL Settings for backing up Truecrypt System Partition

Post by crawfish »

I've been able to back up and restore a Truecrypt system partition in the encrypted state. One thing I had to change was to specify the 2048 sector alignment option when I restored to the SSD (which I had wiped first), else I got "No bootable partition" after I restored, rebooted, and entered the Truecrypt password. I figured that out by examining the disk in WinHex and noticing that the partition was located in the wrong place. So, this sort of brings me back to my original question, which was:

I'm unclear as to what I need to set the geometry and other settings to in order to ensure that Track 0 and the partition get backed up and restored exactly to their original locations. There are lots of options having to do with MBRs, alignment, and whatnot, and I don't know what to do with them.

I realize there are many subtleties to this and hence a lot of options, but is there a simple way to get IFL to do what I want? I mean, while 2048 sector alignment is the right thing for this specific case, it's a dedicated option and wouldn't work in general. Ideally, I wouldn't have to look at any options at all for what I need to do here, which conceptually is very simple.
TeraByte Support(PP)
Posts: 1644
Joined: Fri Aug 12, 2011 12:51 am

Re: IFL Settings for backing up Truecrypt System Partition

Post by TeraByte Support(PP) »

Did you try restoring without wiping the drive? I think the existing alignment would have been retained.

Can you provide some more details on your exact procedure? You couldn't have just wiped the drive and then restored to it because there wouldn't have been anything to mount with TrueCrypt.

As far as geometry, I think you're getting that confused with alignment. You shouldn't need to make any geometry setting changes on current systems. Alignment should be 2048 for SSD and just about everything else that's current.

As already stated, there is no Track 0 when you use IFL to restore to a mounted TrueCrypt partition. The partition is mounted as a drive, but it's only the partition. If you must restore Track 0 of the physical drive you must use a backup created directly (not one from a mounted TrueCrypt partition). This type of backup would be of the encrypted data.

Wiping the drive is making things more difficult, though it's good you did find that you could still restore successfully. When you are working with partitions on an encrypted drive it's important that they do not move -- they must remain at their original locations to function. While the concept may seem simple it's not a simple procedure and there are many things that can go wrong. Keep in mind that when you use IFL to create a backup of a mounted TrueCrypt partition that the image can be restored normally and encrypted again, if necessary.
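
Added example (not part of the original thread, and not TeraByte or TrueCrypt code): a small Python check for the point made in the posts above that an encrypted partition must be restored to its original location. It assumes an MBR-partitioned drive whose first sector was saved to a file before the backup; the sample sectors, sizes and the misplaced start at sector 63 are constructed for illustration.

```python
import struct

def parse_mbr(sector0: bytes) -> list[dict]:
    """Parse the four primary entries of an MBR (first 512 bytes of the drive)."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature (55 AA) at offset 510")
    parts = []
    for i in range(4):
        raw = sector0[446 + 16 * i : 462 + 16 * i]
        # status, CHS start (skipped), type, CHS end (skipped), start LBA, sector count
        status, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        if ptype and count:
            parts.append({"index": i + 1, "active": status == 0x80,
                          "type": ptype, "start_lba": start, "sectors": count})
    return parts

def layout_problems(before: list[dict], after: list[dict]) -> list[str]:
    """List every partition whose start or size changed between two tables."""
    restored = {p["index"]: p for p in after}
    problems = []
    for p in before:
        q = restored.get(p["index"])
        if q is None:
            problems.append(f"partition {p['index']}: missing after restore")
            continue
        for field in ("start_lba", "sectors"):
            if p[field] != q[field]:
                problems.append(f"partition {p['index']}: {field} {p[field]} -> {q[field]}")
    return problems

def build_sample_mbr(start_lba: int, sectors: int) -> bytes:
    """Constructed test sector: one active type-0x07 partition, no boot code."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, start_lba, sectors)
    return bytes(446) + entry + bytes(48) + b"\x55\xaa"

# Constructed data: the original layout starts at sector 2048; the restore put it at 63.
# On a real system, read the 512 bytes from the saved dump and from the drive instead.
BEFORE = build_sample_mbr(2048, 204800000)
AFTER = build_sample_mbr(63, 204800000)

if __name__ == "__main__":
    for line in layout_problems(parse_mbr(BEFORE), parse_mbr(AFTER)) or ["layout unchanged"]:
        print(line)
```

Running the comparison right after a raw restore, before rebooting, shows a moved partition without needing a hex editor.
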
crawfish
Posts: 47
Joined: Mon Jun 24, 2013 9:49 pm

Re: IFL Settings for backing up Truecrypt System Partition

Post by crawfish »

TeraByte Support(PP) wrote:
> Did you try restoring without wiping the drive? I think the existing
> alignment would have been retained.

I want to be able to restore without needing the drive to be preconfigured for the restore.

> Can you provide some more details on your exact procedure? You couldn't
> have just wiped the drive and then restored to it because there wouldn't
> have been anything to mount with TrueCrypt.

Like I said, I backed up and restored the partition in the encrypted state, i.e. the raw data, so Truecrypt wasn't involved.

> As far as geometry, I think you're getting that confused with alignment.
> You shouldn't need to make any geometry setting changes on current systems.
> Alignment should be 2048 for SSD and just about everything else that's
> current.

But I had to change the alignment option myself. And what if the partition were on a 4096 boundary for some crazy reason? Why isn't there a simple way to tell IFL to restore to the same place it backed up from?

> As already stated, there is no Track 0 when you use IFL to restore to a
> mounted TrueCrypt partition.

Again, I didn't restore to a mounted Truecrypt partition.

> When you are working with
> partitions on an encrypted drive it's important that they do not move --
> they must remain at their original locations to function. While the concept
> may seem simple it's not a simple procedure and there are many things that
> can go wrong.

That's what I discovered. I had to change the alignment option to fix it.

> Keep in mind that when you use IFL to create a backup of a
> mounted TrueCrypt partition that the image can be restored normally and
> encrypted again, if necessary.

I'm not sure what is meant by "encrypted again". I would never restore to the unencrypted state, boot into Windows, and let Truecrypt re-encrypt the partition due to data leakage concerns. I would need to be able to start with a wiped drive and then restore it with IFL's Truecrypt encrypting everything on the fly, so only encrypted data makes it to the target drive. And the end result would need to be bootable. Even if I could create the partition on the wiped drive, format it with IFL's Truecrypt, mount it with IFL's Truecrypt, restore to it, and run the Truecrypt rescue disk, I'm not sure the result would be the same as having the Windows Truecrypt encrypt the system partition itself. Is this expected to work?

As I have plenty of storage and don't mind waiting an extra hour, it seemed a lot simpler just to back up and restore the encrypted partition. Even so, I still had to experiment to get it working, because the alignment wasn't set up correctly.