Friday 14 August 2009

Secure Encrypted Data Backup on a Budget Tutorial

FOREWORD: It's a bit tricky doing proper document formating and decent screenshots within this blog format, so I have also created separate PDF document for this post/tutorial, which can be downloaded/viewed here - http://itsecurityexpert.co.uk/downloads/ITSE_Secure_Encrypted_Data_Backup_on_a_Budget.pdf

One of the most neglected areas of home computing and indeed with many small businesses, is data backup, and properly securing data backup.

What personal value do you place on the data files stored on your PC right now?
How would your business cope if all the business data held on that single PC was lost?

Backing up puts all your data, including sensitive files, in one easier to access single place, how do you ensure it is protected from prying eyes.

These days most people have built up quite sizeable collections of digital camera pictures and videos spanning many years on their PCs, which they regard as irreplaceable. And then there is those word processing documents and spreadsheets which some people just can't do without, yet these files contain personal and even finically sensitive information which needs to be protected when backed up to outside the PC.

In this tutorial/post, I am going to explain how to cheaply and securely backup sensitive data held on a PC.

Pre-Tutorial Requirements

1.Equipment
First buy a USB hard disk drive with a storage capacity large enough to cater for your needs. You can pick up a 500 GB USB hard drive from eBuyer for around £60 to £70, which should be more than enough to cater for most home PC users and small business data backup requirements. If you have just a small amount of data to securely backup and a tighter budget, you can use a USB thumb drive instead, which can cost anything from £5 to £40 depending on their storage capacity, heck you might even have a spare one lying around which was given to you for free at that trade show.

2. Download TrueCrypt http://www.truecrypt.org/downloads.php
TrueCrypt is a completely free application, but I urge you to do the right thing and donate, even if it's a just a little bit to guys behind creating and supporting this great application. For further information about TrueCrypt see my post http://blog.itsecurityexpert.co.uk/2009/02/truecrypt-best-open-source-security-app.html

3. Backup Planning
On the USB backup drive, we will create a Secure Encrypted Area to backup sensitive files, which will automatically become available when the drive is plugged into the PC. In addition we will keep an unsecured area on the same USB drive, to store non-sensitive files.

So first you must decide on how much of the USB drive’s storage capacity you will need to backup personal and sensitive data files. You need to think about whether you just want to securely backup just your word processing and spreadsheet documents, which tend not to take up a lot storage space, or securely store your entire directory of your digital camera pictures and videos, which tend to require large amounts of storage.

The larger the secured area, the longer it takes to setup. There isn’t a great performance hit in accessing the information from the secured (encrypted) area once data is stored.

What should be kept non-secured on the backup drive? Well consider anything you are happy to place on the internet, such as downloaded freeware applications, which tend to be large in size and therefore should be ear-marked to be stored in the unprotected area on the USB drive.

Tutorial
In this tutorial, I will assume the contents of “My Documents”, and a very large collection of personal digital camera images and videos need to be securely backed up. After assessing these storage requirements, I am going with a 400Gb secure area (partition) on my 500Gb USB drive, leaving around 100Gb of space for unsecured data storage.

If you have not done so, so install TrueCrypt, just follow the installation wizard. Note I have used TrueCrypt version 6.1a on a Microsoft Windows system for this tutorial

Creating the Secure Storage area on the USB Drive

2.1 Launch TrueCrypt

2.2 From the “Volumes” drop down menu, select “Create New Volume…”



2.3 Select “Create an encrypted file container” (as per default) and click next



2.4 Select “Create a Standard Volume” (as per default) and click next



2.5 Click “Select File…” in the Window that opens select your USB drive.



2.6 Next right click and select “Create New Folder” on the USB drive, and then name the folder “SecureArea”

2.7 Next select the "SecureArea" folder, and within this folder you will be requested to "create a filename", call it “secured” (or pretty much any name you might prefer)

2.8 Next is the Encryption and Hashing algorithms options

I find the most efficient encryption algorithm to choose is “Two Fish”, in terms of security you cannot go wrong with any of the algorithms offered by TrueCrypt, so you may as well take my advice and select Two Fish



2.9 Again you can't really go wrong with the hashing algorithms offered, I don't want to get too technical within this tutorial which is aimed at non-security folk, so go with the default. (I'm happy to talk about encryption and hashing in detail in a separate post if anyone wants me to)

2.10 Next select the size, for me I will be going with a Secure Area of 400Gb.

It's important ensure you leave at least a couple of megabytes of free space for the unsecured area of the USB drive, as this is needed for the automated mounting of the secured area when the USB drive is plugged into the PC.



2.11 Next enter a pass phrase (password - ensure this something you can remember!

If the pass phrase is less than 20 characters in length, TrueCrypt will warn you. My recommendation is to go for a pass phrase with a mixture of uppercase, lowercase, numbers and special characters (e.g. @,#,!) and be at least 12 characters in length. If you are paranoid about government cracking your personal data with their super-computers, go with 20+ characters!!!



2.12 Unless you have individual files above 4Gb in size which need to be securely stored, which is generally rare for home users, select the default of “No” and click next.



2.13 Volume Format, move the mouse around the screen, accept the defaults and click “Format”



2.14 Depending predominately on the secured area storage size, it can take anything from a few minutes to several hours for TrueCrypt to finish creating the Secured Area.



3. Automatically making available (mounting) the secure area (encrypted volume).

Once the Secure Area has been created, it is time make the secured area of the USB drive automatically become available upon pluging the USB storage device into the PC.

3.1 Within TrueCrypt, from the "Tools" pull down menu select “Traveler Disk Setup”

3.2.1 Navigate and select your USB drive (root)

3.2.2 Uncheck “Include TrueCrypt Volume Creation Wizard”

3.2.3 Click the Auto-mount TrueCrypt Volume

3.2.4 Navigate and select the TrueCrypt encrypted file. In this tutorial it is "\SecureArea\secured.tc"

3.2.5 Check “Open Explorer window for mounted volume”

3.2.6 Finally Hit “Create” - it should only take a few seconds to complete.


3.8 Once complete remove the USB drive, count to 5 and reconnect to USB drive. Your PC should automatically mount the unsecured area as a volume (drive letter) and mount a second volume as a secured (encrypted) volume (drive letter). TrueCrypt will ask for the correct phase phrase to be typed in correctly prior to the secured area becoming available.

If the automatic mounting of the USB drive volumes are not working, it indicates the PC has USB/CD autorun disabled, which is actually a good setting to have security wise, just google “enable CD autorun windows” for help.

And there you have it, a USB drive which upon plugging into the PC will connect with a Secure Encrypted Area (Volume) and a Non-Secure Area (Volume).



4. Finally backup your information to the appropriate storage areas of your USB drive.

You can do this manually by dragging and dropping files in Windows, or using an automated backup tool. Comodo Backup is one of my preferred backup tools. http://backup.comodo.com/

Once your backup has finished, I recommend storing the hard disk offsite. So give it to a relative or a friend or even a neighbour to store, it's not as though your neighbour will be able to access your personal information as it will be encrypted to industrial standards!

It is important to repeat your PC backup process at regular intervals These intervals will be dependant on your requirement and your personal attitude to risk of personal data loss. If it is a typical small business, I suggest on a weekly basis, for highly active home users I suggest backing up on a monthly basis, and for typical home users probably on a six monthly basis or after you store a significant amount of data in an single instance, such as dumping holiday snaps from your digital camera to your PC.

If you regard these recommend backup rates as not being enough, you are probably storing too much information onto a single PC. If this is the case I would recommend investing in a Network Area Storage (NAS) device. A NAS device starts from £80 upwards and offers much more data resilience and automated daily backup/mirroring options, this is a particularly important solution to adopt if you are operating a business which is reliant on computer systems and data. I have heard of small businesses going to the wall following a simple PC theft.