How can you use Windows Backup with a TrueCrypt encrypted backup destination?

Background

There are numerous backup solutions out there for Windows and they come in many different forms. From a file copy and/or syncing tool like SyncBackSE to whole hard drive backup utilities based on Volume Shadow Copy like Acronis TrueImage or Norton Ghost to block level copy tools like dd. Each of these solutions offers different pros and cons versus the "Windows Backup and Restore Center" feature built-in to Windows Vista and Windows 7. I am not interested in discussing alternative backup solutions here however, as that has already been covered by numerous other questions.

Constraints

There are two "types" of backup supported by the "Windows Backup and Restore Center"(WBRC):

  • File backup (which Windows calls "Back Up Files")
  • Full System Backup (which Windows calls "Complete PC Backup")

I am interested in a solution which supports either and/or both types of backup with WBRC.

Questions

  • How can you use a TrueCrypt encrypted mount point as the destination for the built-in "Windows Backup and Restore Center" feature in Windows Vista and 7?

See Also

  • Volume Shadow Copy based backup that works with TrueCrypt

References

  • Backup and Restore Center
  • Windows Vista - Backup and Restore Center
  • Windows 7 - Backup and Restore Center
  • TrueCrypt - How to Back Up Securely

Background

The reason you can't select the TrueCrypt mounted volume as a backup destination for the built-in "Windows Backup and Restore Center" on Windows Vista and Windows 7 is because your user account mounted the TrueCrypt volume but the Backup Service runs as the SYSTEM account. [2]

Constraints

  • In order for this solution to work, you must be able to back up to a network location. This is not supported by all editions of Windows Vista and Windows 7. The following editions DO support backup to a network location:
    • Windows Vista Home Premium
    • Windows Vista Business
    • Windows Vista Ultimate
    • Windows Vista Enterprise
    • Windows 7 Professional
    • Windows 7 Ultimate
  • Not all editions of Windows Vista or Windows 7 support Full System Backup (aka "Complete PC Backup"). The following editions DO support Complete PC Backup:
    • Windows Vista Business
    • Windows Vista Ultimate
    • Windows Vista Enterprise
    • Windows 7 Home Premium
    • Windows 7 Professional
    • Windows 7 Ultimate
  • I've only verified this solution on Windows Vista Business 64-bit SP2 with TrueCrypt 6.3a.

Gotchas

  • If you also use TrueCrypt to encrypt your backup source, there is a limitation on TrueCrypt (at the time of writing, Version <= 6.3a) on support for the Volume Shadow Copy service:

    The Windows Volume Shadow Copy Service is currently supported only for partitions within the key scope of system encryption (for example, a system partition encrypted by TrueCrypt or a non-system partition located on a system drive encrypted by TrueCrypt). Note: For other types of volumes, the Volume Shadow Copy Service is not supported because the documentation for the necessary API is available from Microsoft only under a non-disclosure agreement (which is impossible to comply with because TrueCrypt is open source).

    Since the File Backup (aka "Back Up Files") option uses the Volume Shadow Copy Service (VSS) to perform its backup, this means you will not be able to back up sources that are encrypted outside of the scope of the system encryption key (e.g. an external hard drive that has been encrypted or the contents of a file-based TrueCrypt volume).

  • The folder share will not survive being unmounted and mounted to a different drive letter. (It may not even survive unmounting and remounting to the same drive letter, but I haven't confirmed this yet). If you don't want to have to manually create this share each time, you may need to script out its creation as a log-on script or something.

  • "Windows 7 allows performing a full system image backup to a network location however subsequent incremental system image backups cannot be performed to a network" [8]

Solution

NOTE: The following instructions are for Windows Vista Business 64-bit SP2 but the steps should be the same on any supported Vista editions and very similar for any supported Windows 7 editions. See above for supported editions.

To perform a File Backup (aka "Back Up Files"):

  1. Mount the TrueCrypt encrypted file system which will serve as the destination for the backup
  2. Create a folder on the mounted volume where you want to store the backups (e.g. "Backups")
  3. Right-click on the folder created above and select "Share"
  4. Type in SYSTEM
  5. Click "Add"
  6. In the "Permission Level" drop down next to the SYSTEM user, select "Co-Owner"
  7. Click "Share" (Your user should already be listed as the owner since you created the share, but if not, add it as the owner)
  8. Accept the UAC pop-up if you receive it.
  9. Click the Windows Start Menu
  10. In the Search box type: Backup Status and Configuration
  11. Press "Enter"
  12. In the top right, Click "Back Up Files"
  13. Click "Change Backup Settings"
  14. Click "Continue" if you receive a UAC prompt
  15. Click "On a network"
  16. In the text box type: \\COMPUTERNAME\ShareName\ (e.g. \\JOHNS-COMPUTER\Backup\)
  17. Click "Next"
  18. Provide your user's username and password when you receive the credentials prompt
  19. Click "OK"
  20. Select the file types you want to backup
  21. Click "Next"
  22. Provide your scheduling information
  23. Check the box that says "Create a new, full backup now in addition to saving settings"
  24. Click "Save Settings and Start Backup"

NOTE: The Complete PC Backup on Vista doesn't give you the option to backup to a network location in the GUI, but you can do so from the command line using WBADMIN.EXE on supported editions.

To perform a Full System Backup (aka "Complete PC Backup"):

  1. Mount the TrueCrypt encrypted file system which will serve as the destination for the backup
  2. Create a folder on the mounted volume where you want to store the backups (e.g. "Backups")
  3. Right-click on the folder created above and select "Share"
  4. Click "Share" (Your user should already be listed as the owner since you created the share, but if not, add it as the owner)
  5. Accept the UAC pop-up if you receive it.
  6. Click the Windows Start Menu
  7. In the Search box type: cmd.exe
  8. Press "Enter"
  9. In the CMD prompt, type: WBADMIN START BACKUP -backupTarget:\\COMPUTERNAME\ShareName -include:C: -user:<youruser> -vssFull (e.g. WBADMIN START BACKUP -backupTarget:\\JOHNS-COMPUTER\Backup -include:C: -user:jdoe -vssFull)
  10. Press "Enter"
  11. When prompted "Do you want to start the backup operation?" type: Y
  12. Press Enter

References

  • TrueCrypt - How to Backup Securely
  • Can't backup to external drive
  • Backup to Network
  • Windows 7: Compare Windows 7 Home Premium, Professional, and Ultimate
  • Windows Vista: Compare editions
  • TrueCrypt - Known Issues & Limitations
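The Gotchas above suggest scripting the share creation because it does not survive a remount. Here is an added example of such a script (not code from the answer or from TrueCrypt); it assumes the volume is mounted as K:, the folder is K:\Backups and the share is named "Backup", and it optionally kicks off the WBADMIN full backup from the steps above.

```batch
@echo off
rem Added example, not code from the original answer: a logon/pre-backup script
rem that recreates the share WBRC needs on a mounted TrueCrypt volume, so the
rem share does not have to be rebuilt by hand after each remount (see Gotchas).
rem Assumptions: volume mounted as K:, folder K:\Backups, share name "Backup".
setlocal
set TCDRIVE=K:
set BACKUPDIR=%TCDRIVE%\Backups
set SHARENAME=Backup

rem net share, icacls and wbadmin all need an elevated prompt.
net session >nul 2>&1
if errorlevel 1 (
    echo Run this script from an elevated command prompt.
    exit /b 1
)

rem Refuse to continue if the volume is not mounted: the share would otherwise
rem point at nothing and the scheduled backup would fail later.
if not exist %TCDRIVE%\nul (
    echo TrueCrypt volume %TCDRIVE% is not mounted. Mount it first.
    exit /b 1
)
if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"

rem The Backup service runs as SYSTEM, so SYSTEM needs NTFS rights on the
rem folder as well as share-level rights (the GUI's "Co-Owner" entry).
icacls "%BACKUPDIR%" /grant "SYSTEM:(OI)(CI)F" /grant "%USERNAME%:(OI)(CI)F" >nul

rem Drop a stale share from a previous mount (it may reference an old drive
rem letter), then create it again with SYSTEM and the current user as FULL.
net share %SHARENAME% /delete >nul 2>&1
net share %SHARENAME%="%BACKUPDIR%" /GRANT:SYSTEM,FULL /GRANT:"%USERNAME%",FULL
if errorlevel 1 (
    echo Could not create share %SHARENAME%.
    exit /b 1
)
echo Share \\%COMPUTERNAME%\%SHARENAME% now points at %BACKUPDIR%.

rem Optional: passing "fullbackup" as the first argument also starts the
rem Complete PC Backup from the answer above against the share just created.
if /I "%~1"=="fullbackup" (
    wbadmin start backup -backupTarget:\\%COMPUTERNAME%\%SHARENAME% -include:C: -user:%USERNAME% -vssFull
)
endlocal
```

Run it from an elevated prompt after mounting the volume (or as a log-on script); the File Backup wizard can then be pointed at \\COMPUTERNAME\Backup\ as in step 16.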

Create a Symlink directory on the real disk to the TrueCrypt volume. For instance, if A is real disk and K is TrueCrypt volume:

mklink /D a:\[hostname] k:\[hostname]

Then, tell Windows to backup on the real disk. The files will be created on the TrueCrypt volume.

Edit by ds (guest): [hostname] in the answer of Tom Wijsman refers to the computer's name. The Win backup tool stores the backup files into the location [target disk]:\[hostname]. Therefore you can redirect the files to another drive / location by creating a symlink.

Example:

  • your computer's name is "MyComp"
  • you have a drive D: where the backup tool allows you to put the files onto
  • but you want to put them on H:

then you can use the cmd line (run with admin rights!):

mkdir H:\MyComp
mklink /D D:\MyComp H:\MyComp

Note: you have to redo this procedure for the WindowsImageBackup folder and (probably) the MediaID file.

Then you select D: as the target drive in the backup tool. The files are correctly redirected to the H: drive (even when provided by TrueCrypt), tested on Win7 Home Basic. Restoring works as well.

Yet, there may be some drawbacks. E.g. free space check on target device, target partition file system etc. may be detected of D: and not H: by the backup tool. Use at your own risk.
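The symlink redirection described in this answer, written up as an added script (not code from Tom Wijsman's or ds's answer). It assumes D: is the drive the backup tool accepts and H: is the mounted TrueCrypt volume, takes the folder name from %COMPUTERNAME%, and also handles the WindowsImageBackup folder mentioned in the note; the MediaID file is left for manual handling.

```batch
@echo off
rem Added example, not from the original answer: redirects the folders Windows
rem Backup writes on the "real" target drive to the TrueCrypt volume through
rem directory symlinks. Assumptions: D: is the drive the backup tool accepts,
rem H: is the mounted TrueCrypt volume. Adjust the two variables below.
setlocal
set REALDRIVE=D:
set TCDRIVE=H:

rem mklink requires an elevated prompt (the answer says: run with admin rights).
net session >nul 2>&1
if errorlevel 1 (
    echo Run this script from an elevated command prompt.
    exit /b 1
)

rem If the TrueCrypt volume is not mounted the links would dangle and the
rem backup tool might silently create plain folders on %REALDRIVE% instead.
if not exist %TCDRIVE%\nul (
    echo TrueCrypt volume %TCDRIVE% is not mounted. Mount it first.
    exit /b 1
)

rem The two folders the backup tool creates on the target: one named after the
rem computer (file backups) and WindowsImageBackup (system images). The MediaID
rem file the answer mentions is not handled here; check it by hand.
for %%F in (%COMPUTERNAME% WindowsImageBackup) do call :link "%%F"
echo Done. Select %REALDRIVE% in the backup tool; files land on %TCDRIVE%.
endlocal
exit /b 0

:link
rem Create the real folder on the TrueCrypt volume, then the link on the
rem real drive. Refuse to touch an existing folder or link on the real drive.
if not exist "%TCDRIVE%\%~1" mkdir "%TCDRIVE%\%~1"
if exist "%REALDRIVE%\%~1" (
    echo %REALDRIVE%\%~1 already exists, leaving it alone.
    exit /b 1
)
mklink /D "%REALDRIVE%\%~1" "%TCDRIVE%\%~1"
exit /b 0
```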