I have searched, and have been unable to find an adequate answer to my question. My apologies as I'm sure this is a relatively elementary question for the users here.

I have encrypted my Windows 10 boot drive with BitLocker. I have also encrypted my USB backup drive with BitLocker (separate Recovery Keys). I am using Macrium Reflect to do Grandfather, father, son back-ups to this drive. This drive stays connected to my system most of the time.

Additionally, I would like to add a second back-up drive that I do NOT leave connected to my system, to protect against ransomware attacks. I will, presumably, be encrypting this drive as well.

I am concerned about my ability to recover from my backups in case something happens, considering every drive is encrypted with a different key. My biggest concern is the second back-up drive, which will likely be an image back-up. I will be encrypting an already encrypted image. Assuming this is the case, it begs the question if I even need to encrypt the second back up drive, as the data backing up to it will presumably be encrypted.

Considering this architecture, should I be able to recover fully in the event of an issue?

1 Answer

You can encrypt encrypted material as many times as you like and, assuming proper implementation by your software vendor, should also be able to unwrap all of those layers of ciphertext without issue.

However, keep in mind that if you have ransomware running on your system and it is encrypting the data it has access to, every time you connect your primary, secondary, tertiary -> ad nauseam, drive to the system, it runs the risk of also being partially or completely encrypted by said ransomware.

A point of clarification, BitLocker does nothing for you to protect against ransomware. Drive encryption or whole-disk encryption protects your drive if it is physically stolen. Then an attacker would have to have your key to unlock the drive and read the contents. While your machine is turned on, the key is dynamically decrypting the drive on the fly so to your OS (Windows), it does not appear encrypted at all and can have individual files encrypted with no problem.

Your best bet, in my opinion, to protect against ransomware is to rotate your backup cycles with different hardware. Let's say you perform backup once every two months. Use 3 different same sized hard drives (don't necessarily need to be encrypted) that you rotate their use. Each containing roughly the same amount of data. If you lose your computer's drive to ransomware, you have 3 drives over a 6 month period that is less likely for the ransomware to be patient enough to get all of them.

thepip3r
    Thank you, this is great info. In the interest of money, I will start with just the one backup drive, to be backed up once every month. I will likely be getting an additional drive or two over the coming months, and get them on a rotation as you recommended. – DRoyLenz Dec 17 '18 at 18:48
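
An added example, not part of the original question or answer: with several BitLocker volumes that each have their own recovery key, this PowerShell sketch lists every connected volume with the ID of its recovery-password protector, so each saved recovery key can be matched to the right drive before it is needed. The output path and variable names are assumptions; it must run elevated, and a rotated drive only appears while it is connected.

```powershell
#Requires -RunAsAdministrator
# Added example: inventory BitLocker volumes and their recovery-password protector IDs.
# Only protector IDs are recorded, never the 48-digit recovery passwords themselves.

# Assumption: where to write the inventory; change to a location you keep off this machine.
$inventoryPath = Join-Path $env:USERPROFILE 'bitlocker-inventory.csv'

$report = foreach ($vol in Get-BitLockerVolume) {
    # A volume can carry several protectors (TPM, password, recovery password, ...).
    $recovery = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeType       = $vol.VolumeType        # OperatingSystem or Data
        LockStatus       = $vol.LockStatus
        ProtectionStatus = $vol.ProtectionStatus
        VolumeStatus     = $vol.VolumeStatus
        HasRecoveryKey   = ($recovery.Count -gt 0)
        RecoveryKeyIds   = ($recovery.KeyProtectorId -join ', ')
    }
}

$report | Format-Table -AutoSize
$report | Export-Csv -Path $inventoryPath -NoTypeInformation

# Flag encrypted volumes that have no recovery-password protector at all:
# losing the normal unlock method on those would leave no fallback.
$report |
    Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' -and -not $_.HasRecoveryKey } |
    ForEach-Object {
        Write-Warning "$($_.MountPoint) is encrypted but has no recovery password protector."
    }
```

The protector ID shown for each volume is the same identifier that appears on the saved or printed BitLocker recovery key, which is how to tell which key belongs to which drive.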