Need clarification on IFW and Truecrypt

[Peabody]

I've studied the KB article (id=462) at considerable length, but there are two aspects that are just not clear, and I would appreciate help with them. I want to do whole-drive encryption on my laptop, which has one hard drive, partitioned as follows:

Win 7 small system partition - 100MB
C: - operating system and programs - 90GB
D: - data only - 590GB
Samsung recovery partition - 23GB

First issue:

If I do whole-drive encryption, can I make a normal image of the D partion using IFW from within Windows? In other words - saving only the used sectors, and the image would be explorable.

The KB article says in a couple places that an encrypted non-system partition can be imaged only in raw format, saving every sector. But I think that's only the case if that partition has been encrypted separately, and not as part of whole drive encryption. It seems if the whole drive is encrypted, then the D partition should appear to IFW as a normal unencrypted drive. It would not have to be mounted separately by Truecrypt, and should work properly with Phylock-2nd. The article kinda says that, but just refers to "partitions", so I just want to be sure about this, if someone can confirm it.

Second issue:

Assuming the above works ok, then I'll be imaging the C partition much more often than D, and in fact it is C that is most likely to need restoring - because of an infection or some other corruption or operator error. But I would only have an unencrypted image of C to restore. So far as I know, there's no way to get Truecrypt to encrypt the restored C image using the same salt, keys, etc. as it used originally on the drive. So, I would have to either restore the entire drive from the unecrypted images, then re-encrypt it, or, decrypt the entire drive, then restore C, then re-encrypt the entire drive. Either way, that may take days. Does anyone know a way around this problem?

Ideally, I would like to have Truecrypt and IFW on the same rescue CD, and have Truecrypt run first and "mount" the entire hard drive after I provide the pre-boot password, then use IFW to restore C. As IFW writes the unencrypted data to the disk, Truecrypt would encrypt it using the original keys and such, and then the other partitions would also continue to work. Has anyone done anything like that? Can a rescue CD like that be created?

Sorry to go on at length. I would appreciate any help.

[TeraByte Support(PP)]

First issue: Yes, you should be able to create the backup of the partition normally in Windows. The image should be explorable using TBIView/TBIMount since it's not encrypted. When selecting the partition(s) to back up, you can highlight a partition and click the Information button. If it reports "Used/Free/MiB to Restore" values then it properly sees the partition and can create a normal "used sectors" backup.

Second issue: You should be able to restore the D: partition in Windows. The C: partition would have to be restored outside of Windows. Either of the methods you mention will work, though, as you state, they will take a lot more time than a normal restore. Another option is to use IFL GUI, which includes TrueCrypt. You can mount the encrypted C: partition and then restore the "unencrypted" backup created using IFW. You'll have to mount the partition using the "Mount partition using system encryption without pre-boot authentication" option and use the mounted drive as the destination for the restore. The restore should proceed at a fairly normal speed (depending on the system). I have not done extensive tests using this method, but the tests I have done worked okay when just restoring the partition backup to the mounted partition and not applying any options to change things (no resize, no write MBR, no restore first track, etc.). It may also be possible to use the portable Windows version of TrueCrypt in an x86 build of TBWinPE and perform the same type of restore (haven't tested it yet).

Whichever method you use, I strongly suggest you run some backup/restore tests on the system and verify it works correctly. If something goes wrong, encrypted systems can easily become corrupted, rendering them unusable. At the very least, make sure to have current enough backups of all the encrypted partitions so you can restore them and then reapply the encryption.

[DrTeeth]

On Fri, 12 Oct 2012 23:44:52 PDT, just as I was about to take a herb,
TeraByte Support(PP) disturbed my reverie and wrote:

>Another option is to use IFL GUI, which includes TrueCrypt.

PMFJI.

Could you please clarify this? Not heard of it before.
--

Cheers

DrT
______________________________
We may not be able to prevent the stormy times in
our lives; but we can always choose whether or not
to dance in the puddles (Jewish proverb).

[Peabody]

Paul, I can't thank you enough for your reply. I have found this whole subject - imaging encrypted drives - to be an enormous can of worms, except for this site. Even the Truecrypt people seem to disagree on what works and what doesn't. And the other imaging program sites seem to have little to say about it.

The news on IFL GUI is going to be the key to this. That's exactly what I was looking for. So if I understand correctly, TC would be running underneath IFL during the restore, and would encrypt whatever IFL writes to the drive with the same salt, keys, etc., as were used originally, so all the partitions would behave correctly after that, and there would be no need to do anything to the unaffected partitions, like D. And this would work even though at the time of the restore it's Linux that's running from the CD, not Windows. Does that all sound right?

And while I have your attention, here's the rest of my plan - in case you see something that won't work:

1. While the images of the encrypted drives would normally be unencrypted, I'm going to set IFW to perform encryption and password protection on those images. So on a restore, IFL would decrypt the images internally, then TC would re-encrypt as the restored sectors are written to the disk.

2. The D partition will be almost exlusively videos, music files, and photographs that probably won't compress much. I had thought about just syncing to an external drive, but then the copies wouldn't be encrypted. So it seems it would be easier to just do the standard IFW imaging of D, but using differential backup because it will just slowly grow but otherwise won't change much, again with the images being password protected.

3. I would also like to remove the 100MB Win 7 boot partition, and here again Terabyte comes to the rescue, with KB article #409. If possible I also want to expand the C partition back to include what will then be unallocated space at the beginning of the drive. I'm not sure I can expand C to the front, but maybe that will work.

I hope that all makes sense.

I appreciate your warning about testing all of this, including the restore. I've been bitten in the past by backups that won't restore, so I know I have to test everything. At this point my new Win 7 laptop just has Windows on it, so now is the time to test all this. In the worst case, I can just go back to the as-delivered state without losing much. But I also have the full system images made by the Samsung software and by Windows system image backup.

Thank you very much for your help.

[TeraByte Support(PP)]

TrueCrypt would be running in Linux, just as IFL does. IFL can then access the TrueCrypt mounted drive (one partition, in this case, since it can't mount the entire drive).

1. Correct.

2. I would suggest using "Enhanced Speed - A" compression (or no compression) and enabling the "Speed up Changes Only Backup" option.

3. If removing the SRP do it before enabling disk encryption (you can't do it afterwards). You could then slide and resize the Windows partition with BIBM or you could back up and restore with resize.

[TeraByte Support(PP)]

DrTeeth wrote:
> On Fri, 12 Oct 2012 23:44:52 PDT, just as I was about to take a herb,
>
> Could you please clarify this? Not heard of it before.

IFL GUI includes the Linux version of TrueCrypt. This enables you to mount TrueCrypt encrypted partitions while booted into IFL GUI. Data on the encrypted partitions can then be accessed via the mount point on the file system.

[Peabody]

TeraByte Support(PP) wrote:
> DrTeeth wrote:
> > On Fri, 12 Oct 2012 23:44:52 PDT, just as I was about to take a herb,
> >
> > Could you please clarify this? Not heard of it before.
>
> IFL GUI includes the Linux version of TrueCrypt. This enables you to mount TrueCrypt
> encrypted partitions while booted into IFL GUI. Data on the encrypted partitions can
> then be accessed via the mount point on the file system.

And when I buy IFW, I automatically get IFL GUI with it at no extra cost? And I can burn the IFL CD from IFW?

[TeraByte Support(PP)]

Both IFL and IFD (both with CUI and GUI versions) are included with IFW. You can install them with IFW or just unzip the downloads and run MakeDisk to create the boot media.

[DrTeeth]

On Sat, 13 Oct 2012 16:30:41 PDT, just as I was about to take a herb,
TeraByte Support(PP) disturbed my reverie and wrote:

>IFL GUI includes the Linux version of TrueCrypt.
Brilliant! never knew that, must have missed the meeting .
--

Cheers

DrT
______________________________
We may not be able to prevent the stormy times in
our lives; but we can always choose whether or not
to dance in the puddles (Jewish proverb).

[DrTeeth]

On Sat, 13 Oct 2012 21:12:10 PDT, just as I was about to take a herb,
Peabody disturbed my reverie and wrote:

> And when I buy IFW, I automatically get IFL GUI with it at no extra cost?

Yep, and IFL CUI and IFD GUI and IFD CUI!

> And I can burn the IFL CD from IFW?

No. When installing IfW, you can create the IfD and IfL ISOs as part
of the install (I always do it). Then it is a simple matter of burning
the ISO (not copying it) to a USB stick or regular CD/DVD.
--

Cheers

DrT
______________________________
We may not be able to prevent the stormy times in
our lives; but we can always choose whether or not
to dance in the puddles (Jewish proverb).