Is Backup Exec System Recovery incompatible with PGP Whole Disk Encryption?

After encrypting my laptop's hard drive with PGP Whole Disk Encryption 9.8.2 Backup Exec System Recovery 7.0.3 fails to complete a full image of the hard drive. Has anyone else experienced this and is there a solution other than decrypt, backup, encrypt?

Who is Participating?

Improve company productivity with a Business Account.Sign Up

Dave HoweConnect With a Mentor Software and Hardware EngineerCommented:
I suspect this is going to be at least partially incompatible. As I understand it, how BESR works is to look at the files visible under windows, and attempt to create a image file which, when restored (and the hal replaced as appropriate) will run on dissimilar hardware.

However, on full disk OTFE systems, the image on the hard drive is *not* the files windows "sees" (there is a indirection layer activated in a custom boot driver which decrypts the data before windows "sees" it. So any attempt to copy the bootstrap will find it is a custom one and that the windows startup file (boot.ini) is not visible on the disk.

I think really the only path forward here is to contact the vendors of both products and ask which products of the other type are compatible with their product ( i.e. ask symantec which full disk encryption products their backup solution is compatible with, and if the image is encrypted/secure afterwards; then ask pgp corp what backup solutions are compatable with their full disk crypto product)

There is a certain irony here as pgp was formerly *owned by* symantec.....
pnkljohnson2Author Commented:
PGP support responded by suggesting that whole disk encryption and hot image programs might produce unpredictable results.  The take-away is that these programs should not be used together.  I'll probably move to a cold image product.  Thank you for your insight.
Dave HoweSoftware and Hardware EngineerCommented:
Be aware that cold image products tend to have severe drawbacks - in many cases, you will find it hard or impossible to restore the image to different hardware than the source (as you can't mount the image to update the hardware abstraction layer and other device specific drivers), can't do item-specific restores (i.e you can restore the whole drive, but not one file) and so forth.

the other issue is that an encrypted volume is incompressible and has to be backed up as a single item - so if you have 300mb of files on a 200gb drive, you are looking at a 200gb backup that will *take* 200gb (not the "you can fit 200 on a 100gb tape after compression" that most backup devices offer, you will need two 100gb tapes)

usually a cleaner solution is to hold a baseline unencrypted copy of your hard drive (without any sensitive data on it of course) using a solution such as the one symantec offer, then do hot backups of recently changed files excluding the system directories. This is easier if you keep them together (like in your my documents or on your desktop) or alternatively, partition the drive so that data files go onto a second partition, which you can then back up and restore separately from your operating system partition.

you will want to ensure your file level backup includes some sort of crypto in that case though.
pnkljohnson2Author Commented:
Again, thank you for your insight.  It's very helpful.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.