Reflect image password protection and encryption...

Licensed Macrium Reflect v.7.1.2885 on Windows 10 Professional, 64-bits...

The system has three drives for different purposes, such as system, business and personal data. Yes, a dual purpose small business PC...

The current schedule creates a full image of all of the drives on the daily basis. The time it takes to backup the drives varies from 3 - 13 minutes, reflecting the size of the data stored on the drive, that ranges from 52GBs for the system and 158GBs for the personal drive. The business data drive is ~68GBs an the image creation time is:



What would be the backup performance hit for enabling the password/encryption feature? Also, how would it impact the time it take to restore the image?

TIA...

RolandJS said:

My first wild guess is maybe such would add 20% to the backup times. Make sure your USB and DVD boots for restore purposes fully "understands and uses" the password/encryption that the backup procedure used; meaning the boot should be able to restore without enduser going through hoops other than entering the needed password.

I leave the schedule in place as is, the chances are that they will not overlap. And if they do, oh well...

The system in question does have a USB Macrium Rescue Media and also enabled the Recovery Boot Menu option on this system. I'll test it tomorrow, just to see if the password works...

The schedule ran just fine last night, there has been no overlap with the image backups. Performance wise, it's a mixed bag.

The first scheduled image backup is for the data drive (Samsung EVO PCIe x4 NVMe, 68GBs):



The read I/O performance dropped, while the write increased which does not make much sense. Maybe the data is compressed prior to encryption, like most encryption software does. In either case, it's about 30% increase in backup time.

The next scheduled backup is for the system drive (Samsung EVO PCIe x4 NVMe, 52GBs) and it's interesting:



That's only a five second increase in image backup and minor changes in read/write I/O performance.

The last scheduled image backup is for the personal drive (Samsung EVO Sata III, 158GBs) and it gets more interesting:



There's no change in the I/O performance and yet, the encrypted image backup finished faster than the no encryption. That makes even less sense...

Mounting any of the last night's images does ask for password:



Seemingly, unlimited number of passwords can be entered, I tried more than a dozen different password, and the password is case sensitive. Once the correct password entered, the image is mounted. Presumably, the same window would pup up within the Reflect recovery environment, but it has not been tested.

Hi folks.

This is one area I can never understand.

Why on earth would anybody want to encrypt backup and password protect it -- at least for HOME users.

If your computer fails and you have to restore you want to be up and running with the least possible aggro and in the fastest time possible.

If you backup to cloud or corporate servers then perhaps --but at home !!!!! --- also what happens if you restore to a different computer or use a different machine to restore to your failing one - where you might need decryption keys / passwords - and even then the wretched thing might not work properly.

Simply keep backup offline / external USB etc. That way you wont get any issues like lost encryption keys/ lost passwords etc on restore. That way is also 100% Hacker proof --if it's not online they can't get at it unless they physically break into your home. !!!!

remember here most people are HOME type users -- you don't need to implement CIA type security surely on bog standard home laptops etc.

Save yourself a lot of trouble and aggro -- if you are paranoid about your backup images store offline. !!!!

Cheers
jimbo

With all due respect jimbo....

While most people here are home users, there are people who have home offices/businesses as indicated in my first post. Some of the data managed by these offices require backup data protection, either by regulations or by the owner. And yes, these people do have USB flash drive backup as well, you've guessed it, encrypted.

In my view the Reflect image backup, with password based encryption, is also useful against malware especially with the image guard enabled. Yes, the system and other drives can be destroyed by malware, but restoring it from the backup image takes about the same time as backing up the image. It's a much faster recovery than trying to clean up the system, or any other drives. This is especially useful, if, or rather when nowadays some version of crypto-locker hits.

jimbo45 said:

Why on earth would anybody want to encrypt backup and password protect it -- at least for HOME users.

I encrypt my phone and all my PCs. I also encrypt my backups.

Why? In case I lose them. Perhaps I leave them in a taxi or someone breaks into my house. Encryption means they can't get to see my address, email, bank details and the cunningly named document called "Passwords.docx" I have on my desktop.

Identity theft is a real issue and encryption should be the first step everyone takes unless they have absolutely nothing of value on their device.

For macrium I use a bitlocker encrypted volume (rather than encrypt the image itself) and have never tested the performance overhead. According to Microsoft it should be a "single digit percentage" but idk. Perhaps next time I'll get self encrypting drives but even if it took 2x as long I'd still encrypt.

@ lx07...

I have the same file name...

Your protection type falls in the data at rest protection category. This protection is certainly necessary, for cases as you've listed.

On the other hand, it does not provide protection for the data in flight. The "data in flight" does not only means over the network. It also means data in a system that is running, or more accurately, someone had logged in to the system.

The operating system, by definition, provides open access to applications and devices, if and when the person logs in and the appropriate access level granted for the account used for this purpose. As such, should malware get on the system and runs by the logged on person's access level, it could expose/encrypt the data within the system boundaries, basically all accessible drives, including the unlocked external drive(s).

This is one of the reasons why, I opted for password protect/encrypt the image backup. In addition, the MIG (Macrium Image Guard, not a military jet) prevents deleting, moving and modifying the image backups on the designated local drive. Reflect is a pretty good package and I for one like that they are protecting the image backups. Even if the cryptolockers have not started encrypting image backups. Maybe they did, I don't know...

And no, this is not protecting the data against everyone, but it will against most people. And nowadays, that's all one can do on low budget...

;1302160 said:

I encrypt my phone and all my PCs. I also encrypt my backups.

Why? In case I lose them. Perhaps I leave them in a taxi or someone breaks into my house. Encryption means they can't get to see my address, email, bank details and the cunningly named document called "Passwords.docx" I have on my desktop.

Identity theft is a real issue and encryption should be the first step everyone takes unless they have absolutely nothing of value on their device.

For macrium I use a bitlocker encrypted volume (rather than encrypt the image itself) and have never tested the performance overhead. According to Microsoft it should be a "single digit percentage" but idk. Perhaps next time I'll get self encrypting drives but even if it took 2x as long I'd still encrypt.

Hi there
@lx07

Bonjour Monsieur !!!

My point was NOT about Mobiles etc - but simple backups on HOME Computers / small home office type stuff.

I mentioned specifically that for HOME computers --not corporates / Cloud backups etc encryption (of the backup - not the computer !!) was a waste of time and an unnecessary complication.

- I'm not saying either that if you have a laptop you shouldn't encrypt stuff - especially if travelling or if you think laptop could get stolen / lost -- but there's NO REASON to encrypt the backup as well-- especially if you keep it off line.

If the computer is already encrypted the backup simply copies the encrypted data -- why encrypt an already encrypted computer !!!. maybe you work for Mossad / deuxieme bureau etc !!!! who knows (and it's not my business to ask anyway). !!!!


a toute a l'heure !!! sorry can't easily get French accents on my keyboard (Isl.)

Cheers
jimbo