
I am planning to encrypt backup data using VeraCrypt. How safe are the generated containers? My worry is not so much the encryption, but potential data loss due to degrading hard disk media (bit rot) over time.

Currently I have an external USB hard disk, and store each set of backup data twice, in separate folders, A and B. I do a bitwise comparison between A and B from time to time to prove the data integrity.

I plan to encrypt those backup data folders A and B into separate containers. Here are my questions:

  • Will the created containers still be bitwise comparable?
  • How robust will the containers be against data loss, e.g. when a (different) sector in each container fails, will the rest of the data still be extractable?
  • Can I purposely have some extra redundancy in the container? (I know that this may degrade the encryption somewhat, but as said this is not my main concern).

Note: I like to have separate containers against having the whole drive encrypted to be able to handle the backup data sets individually.

Marcel
  • How long are you expecting to store the data for in the same media? – Lie Ryan Jun 25 '16 at 05:22
  • @LieRyan I am planning for 10 to 15 years on the same media, while doing the comparison about every 6 months or so. Upon replacing the media, the containers will be moved to new media. – Marcel Jun 25 '16 at 20:18
  • I want to really stress the point I think Lie Ryan is making here. **10-15 years on a single HDD is a really, really long time.** Chances are pretty good that at some point during those years, the drive will fail to spin up. – user Jun 26 '16 at 16:34

1 Answer


Will the created containers still be bitwise comparable?

No. VeraCrypt stores different containers with different encryption keys, even if you use the same password. So the containers won't be bitwise identical. You'll need to open the container and compare the files rather than compare the container.

How robust will the containers be against data loss, e.g. when a (different) sector in each container fails, will the rest of the data still be extractable?

VeraCrypt stores two copies of the volume metadata, one at the front and one at the end of the volume. Additionally, you can back up the volume header to make it possible to restore the volume if both embedded copies of the metadata are corrupted.

VeraCrypt encrypts in XTS mode, which means that data corruption in one block only affects that block.

However, you should consider that modern hard disks are very good at detecting and self-correcting errors. They do this by encoding the data in such a way that there is redundant information that allows the hard disk to recompute corrupted bits; the general technique is called error-correcting code.

In addition, if you use a modern filesystem in your host system, like btrfs or zfs, it adds additional checksums to automatically detect errors, and it can also be configured in a RAID configuration to automatically make redundant copies when storing files, so that it can automatically repair errors to protect against media degradation. Due to their design, it's nearly impossible that you'll get silently corrupted data due to media degradation with a modern filesystem.

The only practical failure scenarios for a modern filesystem are bugs in the filesystem implementation and user errors. You have a much better likelihood of accidentally `rm -f container.tc`-ing your data. And then there is catastrophic physical disk failure, where the entire hard disk just stops working, in which case a backup on the same device would not be able to help you. To protect against these, you would want to make a backup copy of your data on multiple devices and migrate to new storage media probably once every 5-7 years.

Lie Ryan
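The answer's advice to compare the files inside the opened containers, rather than the container files themselves, shown as an added example that is not part of the original answer: a Python script that walks two mounted volumes and reports which 16-byte blocks (the AES block size) differ in each file. The function names and the two mount-point arguments are assumptions made for illustration.

```python
import os

BLOCK = 16  # AES block size in bytes; differences are reported in this unit

def diff_blocks(path_a, path_b, chunk=1 << 20):
    """Return BLOCK-aligned (start, end) byte ranges where the two files differ."""
    ranges, offset = [], 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(chunk), fb.read(chunk)
            if not a and not b:
                break
            if a != b:  # only scan block by block when the chunk mismatches
                for i in range(0, max(len(a), len(b)), BLOCK):
                    if a[i:i + BLOCK] != b[i:i + BLOCK]:
                        start = offset + i
                        if ranges and ranges[-1][1] == start:
                            # extend the previous range over adjacent bad blocks
                            ranges[-1] = (ranges[-1][0], start + BLOCK)
                        else:
                            ranges.append((start, start + BLOCK))
            offset += max(len(a), len(b))
    return ranges

def _files(root):
    """Relative paths of all regular files below root."""
    return {os.path.relpath(os.path.join(d, f), root)
            for d, _, names in os.walk(root) for f in names}

def compare_trees(root_a, root_b):
    """Compare two mounted volumes; return {relative_path: finding}."""
    in_a, in_b = _files(root_a), _files(root_b)
    report = {}
    for rel in sorted(in_a ^ in_b):
        report[rel] = "missing in B" if rel in in_a else "missing in A"
    for rel in sorted(in_a & in_b):
        ranges = diff_blocks(os.path.join(root_a, rel), os.path.join(root_b, rel))
        if ranges:
            report[rel] = ranges
    return report

if __name__ == "__main__":
    import sys
    # usage (hypothetical mount points): python compare.py /mnt/A /mnt/B
    for rel, finding in compare_trees(sys.argv[1], sys.argv[2]).items():
        print(rel, finding)
```

With only two copies, a reported difference shows where A and B disagree but not which copy is the intact one; a checksum list recorded at backup time settles that.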