Considerations for Encrypted Backup

Veracrypt Doesn't Change Date Modified for Containers

If you create a Veracrypt volume as a file (not full disk encryption), Veracrypt will never change the date modified, even if you write a lot of data to the volume. This poses a problem for most default configurations of backup programs, which usually check only file size and/or date modified to determine whether a file has changed.

To force backups of the container, you have two options:

  1. Change the date modified attribute of the container
  2. Force the backup program to compare files via checksum as opposed to date modified and/or file size.

You can find programs that will let you change the date modified. Some of these solutions can be easily automated. Some cannot. To have regular backups, they should be automated. If you can write a script to automatically trigger these programs to run, then this will work fine.

Forcing the backup program to compare files via checksum means you don't have to touch the date modified, but it makes the backup program run more slowly. With the checksum method, the backup program has to read the content of all the files before backing them up, as opposed to just reading the file sizes and/or dates modified.

Preserving Old Versions of Veracrypt Containers Probably Weakens the Encryption

One of the tenets that I espoused in my previous post was that backups should have not only the most recent backup but also old versions of files, in case you corrupt a file and don't realize it before the next backup run (which then corrupts the backups as well). I am by no means a cryptographer, but keeping the old versions of Veracrypt volumes is most likely a security risk. In the best-case scenario, it does not make it any easier for an attacker to determine the encryption password if they have old versions of Veracrypt volumes. However, I am fairly certain that it does make it easier.

The attacker would need a good understanding of the underlying cryptography to be able to use this extra information to break the encryption.

Changes to Veracrypt Containers Might Result in Large Backups

Veracrypt containers may result in write amplification for backup programs in their default configuration. Assume that you create a 1 GB Veracrypt volume. You write 10 MB of data to it. You then run a backup program. It has to copy the entire 1 GB file because as far as it knows, there's 1 GB of data in the file.

Later you write another 5 MB of data to the volume. You either change the date modified of the volume manually, or run the backup program in checksum mode so it actually compares the checksum of the container file on the source and backup destination. In either case, it detects that the container file has changed. Depending on the backup program, it might upload the entire file again, as opposed to just the changed blocks.

If you have a slow Internet upload speed and your backup destination is over the Internet, this can be really annoying: your backups will take a long time even though only small amounts of data have actually changed.

To prevent this, look into the settings of the backup program to see if it can copy just the changed portions of files.
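One way to automate the first option (changing the date modified) while also seeing how much of the container really changed, as an added example that is not from the original post: the script keeps a manifest of per-block checksums from the previous run, updates the date modified only when a block differs, and reports which blocks changed. The names `refresh_container` and `block_hashes`, the JSON manifest file and the 4 MiB block size are assumptions for illustration, and the container is assumed to be dismounted while the script runs.

```python
import hashlib
import json
import os
import sys

BLOCK_SIZE = 4 * 1024 * 1024  # assumed block size, not a Veracrypt setting


def block_hashes(path, block_size=BLOCK_SIZE):
    """Return the SHA-256 hex digest of each fixed-size block of the file."""
    with open(path, "rb") as f:
        return [hashlib.sha256(block).hexdigest()
                for block in iter(lambda: f.read(block_size), b"")]


def refresh_container(path, manifest, block_size=BLOCK_SIZE):
    """Return the indices of blocks that changed since the last run.

    If anything changed, set the date modified to now and rewrite the
    manifest. With no manifest yet (first run), every block counts as changed.
    """
    current = block_hashes(path, block_size)
    try:
        with open(manifest) as f:
            previous = json.load(f)
    except FileNotFoundError:
        previous = []
    changed = [i for i, digest in enumerate(current)
               if i >= len(previous) or previous[i] != digest]
    # A shrunken container has no differing block, so compare lengths too.
    if changed or len(current) != len(previous):
        os.utime(path, None)  # set access and modified time to now
        with open(manifest, "w") as f:
            json.dump(current, f)
    return changed


if __name__ == "__main__":
    # Usage: python refresh_container.py <container file> <manifest.json>
    if len(sys.argv) != 3:
        sys.exit("usage: refresh_container.py <container file> <manifest.json>")
    blocks = refresh_container(sys.argv[1], sys.argv[2])
    print(f"{len(blocks)} block(s) changed: {blocks}")
```

Run it on a schedule just before the backup job. It still reads the whole container like checksum mode does, but only on the local disk, and the count of changed blocks shows how little a backup program that copies only changed portions would need to upload.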
