VHD(X) versus 3rd party software - looking for views/recommendations


  1. Posts : 868
    Windows 10 x64
       #1

    Up front: I am sorry if I am posting in the wrong forum. Could not find a suitable one.

    For more than 20 years I have been using 3rd party software that creates/uses an encrypted container. It is on a subscription basis, roughly USD 85 every 2 years.
    It is fairly user friendly: just r-click the toolbar button and select which container to open.

    Recently I have also created a VHD on an external backup SSD drive. That went and works fine.
    It took a while though: from start (empty partition) to finish (encryption completed) it took about 8,5 hours.

    Now, I am very much hesitating as to whether or not I should extend the subscription, or switch to VHD(X).
    Having multiple encrypted containers, a switch will be quite a workload, requiring my PC to run probably for days.

    I vainly searched for articles comparing 3rd party encryption software with Windows 10 native VHD/VHDX.

    Maybe there are pros and cons that I am not aware of...
    (That is: besides the price. The price includes quick and good email support when necessary)

    What can be said about the stability?
    The 3rd party software that I am using (BestCrypt) is quite stable, no issues over the last year.

    Note: the VHD(X)'s are meant for storage only: Office documents are being saved to a location within the encrypted containers. Outlook data files as well. Applications are installed outside the container. Applications are launched -after- mounting the container.
    They will not exceed 2TB.

    Appreciate any views.

    Thanks.


  2. Posts : 4,187
    Windows 11 Pro, 22H2
       #2

    tfwul, you may be aware of this already, but I just want to be sure...

    A VHD or VHDX is simply a virtual disk stored within a single file. By itself, it is NOT encrypted. This means that if someone can get access to your VHD(x) file, they could easily mount it and get at the contents UNLESS you are taking extra steps to encrypt it.

    That said, you have a number of options available.

    Your computer info does not indicate if you are running Win 10 Pro, Home, Education, etc. If you are on Windows 10 Pro, you could use the built-in BitLocker encryption to encrypt your VHD(x) file(s). Effectively, this would be like having an encrypted disk drive.

    If you do not have Windows 10 Pro and are looking for another 3rd party free solution, VeraCrypt is one such package (VeraCrypt - Free Open source disk encryption with strong security for the Paranoid).

    A couple of additional notes about BitLocker specifically...

    Since you are using an external SSD and creating a VHD(x) file on it, you could certainly continue the same strategy but make sure that you are encrypting the VHD(x). You could also simply encrypt the entire SSD and then you would not have a need to create separate encrypted containers.

    Finally, there is another option that I personally am not a huge fan of, and that is EFS (Encrypting File System). Again, this is built into Windows. Rather than creating a separate encrypted volume or container, this would encrypt individual files or folders. For example, you could create a folder that is encrypted and set it so that any files or folders placed inside of that folder will be automatically encrypted.

    Let me know if you need any additional info. I can provide more detail or try to answer any additional questions that you may have.


  3. Posts : 868
    Windows 10 x64
    Thread Starter
       #3

    Many thanks for your response. Yes, I am aware of the fact that a VHD is not encrypted. As hinted in my post, the one I recently created, it took a while up to encryption completed.



    I am using Windows 10 x64 Pro and BestCrypt Container Encryption (Jetico). More or less similar to VeraCrypt: mounting a container and unlocking it with a password.

    To be honest, I am totally unfamiliar with EFS. THANKS for the tip.
    I'll have to explore/investigate this as to whether it is something suitable for me.


  4. Posts : 11,247
    Windows / Linux : Arch Linux
       #4

    Hi there
    why in the world would you want to encrypt a backup set !!!!!!!!

    If backing up remotely (even to another computer on the same LAN) simply use filezilla with the sftp protocol -- it encrypts transmission both ways . So secure fast transmission although the backup itself is not encrypted.

    If the Sending computer is Windows - enable OPENSSH SERVER - it's in the add optional applications and on the receiving system. If it's Linux ensure the sshd system is running (openssh), If a Windows machine the openssh CLIENT runs automatically (it's installed by default).

    If backing up to external drive on the SAME machine why in the world do you need any sort of encryption -- just remove the disk at end of job and lock it up somewhere safe.

    I really can't understand why people want to encrypt backup sets -- especially if you need to restore them using a totally different computer. Even if the stuff is on the cloud (say Ms AZURE) is extremely robustly protected and unless your data is of "Commercial Value" to competitors or has security implications (CIA operation details etc) to me the whole thing is just plain bonkers.

    Ask yourself -- when was the last time anybody (i.e "Un invited Guests") got into Ms's AZURE cloud service and ran off with Data !!!!

    That's my take on all this -- people go paranoid on some of this stuff -- on Home computers and LAN's or even basic small Office LAN's basic WD (Windows defender) is more than sufficient. In any case if you take things like Macrium images the data is compressed anyway (assuming taking image and not cloning disks).

    Seems like (and in the Forum on Anti Virus Software) - people are still twiddling their thumbs over C20 problems -- in C21 scamming is much more of a problem than "security breaches" - although of course basic security and common sense should be always used.

    For e-commerce, Military stuff and things like Banking I can see the point but not on bog standard office stuff !!!!

    Seems to me there's a lot of overpaid I.T security admins out there desperately looking at ways to hang on to their jobs.

    Cheers
    jimbo


  5. Posts : 4,187
    Windows 11 Pro, 22H2
       #5

    Jimbo, I encrypt my backups because my data includes passwords, bank account info, and other personal info. In my case, I would be stupid NOT to encrypt my backups! Note that I am talking about LOCAL backups, not backups to a cloud service.

    @tfwul - I have a tip for you to speed up the encryption to the point where it should take mere seconds:

    When you create a new VHD or VHDX file and you choose to BitLocker encrypt it, you are given a choice to perform a full encryption of the volume or just the used space. Choose the option to encrypt the used space only. Since this is a new virtual disk with no data on it yet, the encryption will complete in mere seconds.

    The only time that you need to encrypt a whole disk is if that disk had previous data in it and you want to make sure that no one can recover the erased data. For a new disk or virtual disk, there is simply no point to performing a full encryption. This also holds true if you had previously encrypted data on that volume. Since it was already encrypted previously, if you ever re-encrypt that volume, there simply is no point in doing a full encryption because the previous data is already unrecoverable.

    In other words, doing a full encryption under these circumstances buys you absolutely nothing except a waste of time .


  6. Posts : 11,247
    Windows / Linux : Arch Linux
       #6

    Hi there

    If it's LOCAL backups who's going to get to it / them -- and in any case Bank passwords etc shouldn't be stored on local devices in any case !! Bank passwords etc are usually held on the Banks servers and these are never in plaintext anyway.

    I suggest you look at what you actually keep on local backups -- passwords aren't normally stored anywhere in plaintext (unencrypted) !!! - even wifi passwords.

    As I suggested before if backups are LOCAL simply remove after the backup and lock the device away securely.

    Cheers
    jimbo


  7. Posts : 4,187
    Windows 11 Pro, 22H2
       #7

    Bank passwords was simply an example. It could be anything. Maybe important Word documents with proprietary information, confidential business documents, copies of legal documents, source code for programs I have written that I wouldn't want someone to get hold of, whatever.

    In my case I BitLocker protect my entire HD but make backups to another local machine. If I were to not encrypt that backup I'd be a fool.


  8. Posts : 868
    Windows 10 x64
    Thread Starter
       #8

    @jimbo45
    Thanks for your elaborate reply.
    I do appreciate your views.

    Actually I had drafted a long reply yesterday, arguing that using encryption for backups is/was the way I prefer it, even though you might have your "thoughts" about it.
    I didn't send it though, as I was getting the feeling that I had to 'defend' the way I prefer to be working for many years. Also I had the feeling that the discussion would go into the direction that it would become slightly off-topic.

    Similar as to what @hsehestedt said, the backup is in fact a backup of personal documents. Those personal documents are stored within an encrypted container and to me it wouldn't make much sense to subsequently store the backup on an unencrypted device.

    Also, except for the one-off action of creating an encrypted volume, after that, I believe that technically there are hardly any differences between storing unencrypted vs within an encrypted volume.

    In the reply that I intended to send yesterday I wrote that Microsoft's PC security solely depends on the login credentials. They do not have some sort of 2nd layer of protection for sensitive matters.

    Probably they realized there was and is a demand for that, so they introduced OneDrive Personal Vault, but regretfully crippled it at the same time by adding an unlock time limitation of 20 minutes (online): Personal Vault automatically locks after that time. In spite of the many, many requests, they so far do not offer to extend this period.

    My guess is that many of us have disabled the PC user login, hence everything is available.
    Most users on this forum have some knowledge of PC use, but there are quite a few small shops offering services of repairing hardware and installing software.
    The other day I was in a PC-shop and there was a lady turning in her PC saying that probably there was a virus or so, because some software didn't work.
    She had to leave her PC behind. I don't know if she had her personal document protected ...

    Anyway, I am very sorry, but I don't know anything about Azure, openssh Server / Client, things like that. No doubt good solutions, but really, I have no idea.

    I prefer to keep it relatively simple using local storage and considering that the actual question was VHD vs 3rd party.

    Hmm ... it still became a long reply after all


    (got logged out, but this time I copied the text to clipboard. However, pasting it here, removes all line feeds...
    Workaround: paste it into Word first, then use paste from Word here)


  9. Posts : 11,247
    Windows / Linux : Arch Linux
       #9

    tfwul said:
    @jimbo45
    Thanks for your elaborate reply.
    I do appreciate your views.

    Actually I had drafted a long reply yesterday, arguing that using encryption for backups is/was the way I prefer it, even though you might have your "thoughts" about it.
    I didn't send it though, as I was getting the feeling that I had to 'defend' the way I prefer to be working for many years. Also I had the feeling that the discussion would go into the direction that it would become slightly off-topic.

    Similar as to what @hsehestedt said, the backup is in fact a backup of personal documents. Those personal documents are stored within an encrypted container and to me it wouldn't make much sense to subsequently store the backup on an unencrypted device.

    Also, except for the one-off action of creating an encrypted volume, after that, I believe that technically there are hardly any differences between storing unencrypted vs within an encrypted volume.

    In the reply that I intended to send yesterday I wrote that Microsoft's PC security solely depends on the login credentials. They do not have some sort of 2nd layer of protection for sensitive matters.

    Probably they realized there was and is a demand for that, so they introduced OneDrive Personal Vault, but regretfully crippled it at the same time by adding an unlock time limitation of 20 minutes (online): Personal Vault automatically locks after that time. In spite of the many, many requests, they so far do not offer to extend this period.

    My guess is that many of us have disabled the PC user login, hence everything is available.
    Most users on this forum have some knowledge of PC use, but there are quite a few small shops offering services of repairing hardware and installing software.
    The other day I was in a PC-shop and there was a lady turning in her PC saying that probably there was a virus or so, because some software didn't work.
    She had to leave her PC behind. I don't know if she had her personal document protected ...

    Anyway, I am very sorry, but I don't know anything about Azure, openssh Server / Client, things like that. No doubt good solutions, but really, I have no idea.

    I prefer to keep it relatively simple using local storage and considering that the actual question was VHD vs 3rd party.

    Hmm ... it still became a long reply after all


    (got logged out, but this time I copied the text to clipboard. However, pasting it here, removes all line feeds...
    Workaround: paste it into Word first, then use paste from Word here)

    Hi there

    Thanks for reply -- of course people do things differently -- but sometimes things people "used to do" a long time ago and are still doing aren't always necessary any more with newer applications, better security, OS improvements, faster hardware etc etc.

    This brings up the question why on earth bother with VHD / VHDX at all. Backups - because you need them for recovery should be really simple and be able to be restored essentially from "bare metal" fast and reliably = packages such as Macrium Free are excellent to do this. IMO the extra complication of using VHD / VHDX for booting etc isn't worth the extra hassle to recover data -- although running and booting Virtual Machines is another ballgame completely where VHD(X) disks could be worth it.

    A macrium system image of a typical Windows installation won't take long and should always be done regularly - so if in the case of say a virus infection a clean system can be restored usually in minutes compared with the uncertainty of Virus cleansing programs which can take hours to run and can't be ever 100% effective.

    A Macrium image BTW can be mounted in Windows and browsed just like a HDD -- many people on these Forums have used Macrium for years and give it a good thumbs up -- the Free version is more than sufficient for most tasks.

    Choice is still of course one's own right --at least to 99.9% of users of this Forum -- don't know if we have any from N.Korea here yet !! -- all I was doing was to try and understand why if you are taking a backup to a LOCAL external device using a machine only you are logged on to (i.e a Windows machine - not a Windows server) and after the job has finished you can simply remove the device and secure it why you would need encryption.

    If you keep Bank accounts, passwords in plain text, and other data of a personal nature on the PC (IMO a terribly bad idea) then perhaps - but then you should encrypt the PC rather than the backup !!! .

    Personal data is always best stored OFF the machine - and certainly never have any passwords or financial details in plaintext stored locally on a machine. If your machine is stolen, lost etc etc then you've got big problems as these days any "Consumer grade" encryption can usually be broken if people are minded enough to try. Decryption A.I has advanced by light years these days -- brute force won't do it but modern A.I tactics can given enough resources break virtually anything -- certainly any type of consumer grade encryption software.

    I'd bet for a small fee your local "Mossad station chief" could get one of their "employees" to unscramble any sort of disk as a quick "Homework" exercise !!!!!!.

    The best security is to have sensitive information stored OFF the computer when it's not being used and locked up safely. If the data doesn't exist on the machine or anything connected to it then it can't be hacked.

    Cheers
    jimbo


  10. Posts : 868
    Windows 10 x64
    Thread Starter
       #10

    @jimbo45
    Thanks again.

    I am aware of Macrium Reflect and use that to create system images only, i.e. in fact I am using the free version only.
    Am not using it for file backups: the reason is that all files are all packed into 1 single file that has to be mounted as virtual drive. Consequently Macrium Reflect needs to be installed. If it isn't installed, then one does not have access to the files. This could be a small drawback under specific circumstances.

    In case of using an external VHD (encrypted) after mounting in Windows Explorer and entering the password, the files are available. No 3rd party software is required.

    I am sure Macrium Reflect has many 'pros', but so far I prefer the 1-to-1 file backup.
    Up until recently I have been using SyncBackPro for that purpose.

    Time flies and I see that I started using it way back in 2008.

    However, over time I was steadily getting a bit annoyed about the very, very long time it is running doing comparing, or whatever it was doing, before it actually started copy-process.

    I am not doing incremental backups or so, just a mirror.
    Can almost hear you saying "Wow! That's bad..."
    Yes, I know... there are enhanced (=complicated) backup strategies. That is fine for corporate use.
    I just perform a mirror onto device A and one or two weeks later onto device B and so on. Should I discover a recent file to be missing then it is within the oldest backup. This happened once, last year.

    Since a month or so I use Beyond Compare to mirror folders and it is doing this much, much faster than SyncBackPro.
    It may show the differences per folder and per file when expanding folders.
    One can then also decide to delete unnecessary files first, before performing a mirror.
    It works really nice and, above all, for some reason it is much faster than SyncBackPro, being a dedicated backup tool.
    As said, there are enhanced ways of making backups but this one is okay for me.

    Anyway, thanks again for your views.

    - - - Updated - - -

    hsehestedt said:
    @tfwul - I have a tip for you to speed up the encryption to the point where it should take mere seconds:
    When you create a new VHD or VHDX file and you choose to BitLocker encrypt it, you are given a choice to perform a full encryption of the volume or just the used space. Choose the option to encrypt the used space only. Since this is a new virtual disk with no data on it yet, the encryption will complete in mere seconds.
    The only time that you need to encrypt a whole disk is if that disk had previous data in it and you want to make sure that no one can recover the erased data. For a new disk or virtual disk, there is simply no point to performing a full encryption. This also holds true if you had previously encrypted data on that volume. Since it was already encrypted previously, if you ever re-encrypt that volume, there simply is no point in doing a full encryption because the previous data is already unrecoverable.
    In other words, doing a full encryption under these circumstances buys you absolutely nothing except a waste of time .

    Sorry for the delay.

    THANK you very much!

    That is really helpful.

    There are two options indeed.

    - New encryption mode (best for fixed drives on this device)
    - Compatible mode (best for drives that can be moved from this device)

    I wasn't sure, to be honest, as it involved an external USB SSD drive and the first option is for 'fixed' drives
    whereas the 2nd option involves drives that can be moved, hence for USB I assumed to use the 2nd option.

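
    The used-space-only tip from post #5 and the encryption-mode choice from post #10, as one scripted run. This is an added example, not something posted by anyone in the thread; the path, size, volume label and the `$Portable` switch are hypothetical, and it assumes Windows 10 Pro with the Hyper-V PowerShell module (for `New-VHD` / `Mount-VHD`) and an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example. Hypothetical values: path, size, label.
$VhdPath   = 'E:\Containers\docs.vhdx'   # file on the external SSD (assumed drive letter)
$SizeBytes = 200GB
$Portable  = $true                       # $true: container will be opened on other PCs

# 1. Create a dynamically expanding VHDX and attach it. At this point the
#    file is an ordinary virtual disk: anyone who copies it can mount it.
New-VHD -Path $VhdPath -SizeBytes $SizeBytes -Dynamic | Out-Null
$disk = Mount-VHD -Path $VhdPath -Passthru | Get-Disk

# 2. Initialise, partition and format the empty disk.
$vol = $disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Docs' -Confirm:$false
$mount = "$($vol.DriveLetter):"

# 3. Map the wizard's two choices to cipher names:
#    "Compatible mode"     -> AES-CBC (readable by older Windows versions)
#    "New encryption mode" -> XTS-AES (Windows 10 1511 and later only)
$method = if ($Portable) { 'Aes128' } else { 'XtsAes128' }

# 4. Turn BitLocker on with a password protector. -UsedSpaceOnly skips the
#    sweep over free space, which is safe here because the volume is brand
#    new and has never held plaintext.
$pw = Read-Host -AsSecureString -Prompt 'Container password'
Enable-BitLocker -MountPoint $mount `
                 -EncryptionMethod $method `
                 -UsedSpaceOnly `
                 -PasswordProtector -Password $pw | Out-Null

# 5. Wait for the (short) conversion, then verify before copying data in.
do {
    Start-Sleep -Seconds 2
    $blv = Get-BitLockerVolume -MountPoint $mount
} while ($blv.VolumeStatus -eq 'EncryptionInProgress')

$blv | Format-List MountPoint, VolumeStatus, EncryptionMethod,
                   ProtectionStatus, EncryptionPercentage

if ($blv.ProtectionStatus -ne 'On') {
    Write-Warning "BitLocker protection is not active on $mount; do not store data yet."
}

# 6. Detach. The next mount will prompt for the password.
Dismount-VHD -Path $VhdPath
```

    For a disk or VHD that previously held unencrypted files, drop `-UsedSpaceOnly` so that the free space, which may still contain deleted data, is encrypted as well.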


 
