Solved

Is Backup Exec System Recovery incompatible with PGP Whole Disk Encryption?

Posted on 2008-06-19
4
1,263 Views
Last Modified: 2013-12-01
After encrypting my laptop's hard drive with PGP Whole Disk Encryption 9.8.2 Backup Exec System Recovery 7.0.3 fails to complete a full image of the hard drive. Has anyone else experienced this and is there a solution other than decrypt, backup, encrypt?

0
Comment
Question by:pnkljohnson2
  • 2
  • 2
4 Comments
 
LVL 33

Accepted Solution

by:
Dave Howe earned 125 total points
ID: 21943145
I suspect this is going to be at least partially incompatible. As I understand it, how BESR works is to look at the files visible under windows, and attempt to create a image file which, when restored (and the hal replaced as appropriate) will run on dissimilar hardware.

However, on full disk OTFE systems, the image on the hard drive is *not* the files windows "sees" (there is a indirection layer activated in a custom boot driver which decrypts the data before windows "sees" it. So any attempt to copy the bootstrap will find it is a custom one and that the windows startup file (boot.ini) is not visible on the disk.

I think really the only path forward here is to contact the vendors of both products and ask which products of the other type are compatible with their product ( i.e. ask symantec which full disk encryption products their backup solution is compatible with, and if the image is encrypted/secure afterwards; then ask pgp corp what backup solutions are compatable with their full disk crypto product)

There is a certain irony here as pgp was formerly *owned by* symantec.....
0
 
LVL 1

Author Comment

by:pnkljohnson2
ID: 21945441
PGP support responded by suggesting that whole disk encryption and hot image programs might produce unpredictable results.  The take-away is that these programs should not be used together.  I'll probably move to a cold image product.  Thank you for your insight.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 21945708
Be aware that cold image products tend to have severe drawbacks - in many cases, you will find it hard or impossible to restore the image to different hardware than the source (as you can't mount the image to update the hardware abstraction layer and other device specific drivers), can't do item-specific restores (i.e you can restore the whole drive, but not one file) and so forth.

the other issue is that an encrypted volume is incompressible and has to be backed up as a single item - so if you have 300mb of files on a 200gb drive, you are looking at a 200gb backup that will *take* 200gb (not the "you can fit 200 on a 100gb tape after compression" that most backup devices offer, you will need two 100gb tapes)

usually a cleaner solution is to hold a baseline unencrypted copy of your hard drive (without any sensitive data on it of course) using a solution such as the one symantec offer, then do hot backups of recently changed files excluding the system directories. This is easier if you keep them together (like in your my documents or on your desktop) or alternatively, partition the drive so that data files go onto a second partition, which you can then back up and restore separately from your operating system partition.

you will want to ensure your file level backup includes some sort of crypto in that case though.
0
 
LVL 1

Author Comment

by:pnkljohnson2
ID: 21956573
Again, thank you for your insight.  It's very helpful.

Peter
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Healthcare providers, insurance companies and other covered entities trust eFax Corporate to transmit their most sensitive documents. eFax Corporate can help your organization implement a HIPAA compliant cloud faxing solution.
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now