Windows Backup – Use with TrueCrypt Encrypted Destination

Background

The reason you can't select the TrueCrypt mounted volume as a backup destination for the built-in "Windows Backup and Restore Center" on Windows Vista and Windows 7 is because your user account mounted the TrueCrypt volume but the Backup Service runs as the SYSTEM account. 2

Contraints

• In order for this solution to work, you must be able to backup to a network location. This is not supposed by all editions of Windows Vista and Windows 7. The following editions DO support backup to a network location:
  • Windows Vista Home Premium
  • Windows Vista Business
  • Windows Vista Ultimate
  • Windows Vista Enterprise
  • Windows 7 Professional
  • Windows 7 Ultimate
• Not all editions of Windows Vista or Windows 7 support Full System Backup (aka "Complete PC Backup"). The following editions DO support Complete PC Backup:
  • Windows Vista Business
  • Windows Vista Ultimate
  • Windows Vista Enterprise
  • Windows 7 Home Premium
  • Windows 7 Professional
  • Windows 7 Ultimate
• I've only verified this solution on Windows Vista Business 64-bit SP2 with TrueCrypt 6.3a.

Gotchas

• If you also use TrueCrypt to encrypt your backup source, there is a limitation on TrueCrypt (at the time of writing, Version <= 6.3a) on support for the Volume Shadow Copy service:

  The Windows Volume Shadow Copy Service is currently supported only for partitions within the key scope of system encryption (for example, a system partition encrypted by TrueCrypt or a non-system partition located on a system drive encrypted by TrueCrypt). Note: For other types of volumes, the Volume Shadow Copy Service is not supported because the documentation for the necessary API is available from Microsoft only under a non-disclosure agreement (which is impossible to comply with because TrueCrypt is open source).

  Since the File Backup (aka "Back Up Files") option uses the Volume Shadow copy Service (VSS) to perform its backup, this means you will not be able to backup sources that are encrypted outside of the scope of the system encryption key (e.g. an external hard drive that has been encrypted or the contents of a file based TrueCrypt volume).

• The folder share will not survive being unmounted and mounted to a different drive letter. (It may not even survive unmounting and remounting to the Same drive letter, but I haven't confirmed this yet). If you don't want to have to manually create this share each time, you may need to script out it's creation as a log-on script or something.

• "Windows 7 allows performing a full system image backup to a network location however subsequent incremental system image backups cannot be performed to a network" 8

Solution

NOTE: The following instructions are for Windows Vista Business 64-bit SP2 but the steps should be the same on any supported Vista editions and very similar for any supported Windows 7 editions. See above for supported editions.

To perform a File Backup (aka "Back Up Files"):

1. Mount the TrueCrypt encrypted file system which will serve as the destination for the backup
2. Create a folder on the mounted volume where you want to store the backups (e.g. "Backups")
3. Right-click on the folder created above and select "Share"
4. Type in SYSTEM
5. Click "Add"
6. In the "Permission Level" drop down next to the SYSTEM user, select "Co-Owner"
7. Click "Share" (Your user should already be listed as the owner since you created the share, but if not, add it as the owner)
8. Accept the UAC pop-up if you receive it.
9. Click the Windows Start Menu
10. In the Search box type: Backup Status and Configuration
11. Press "Enter"
12. In the top right, Click "Back Up Files"
13. Click "Change Backup Settings"
14. Click "Continue" if you receive a UAC prompt
15. Click "On a network"
16. In the text box type: \\COMPUTERNAME\ShareName\ (e.g. \\JOHNS-COMPUTER\Backup\)
17. Click "Next"
18. Provide your user's username and password when you receive the credentials prompt
19. Click "OK"
20. Select the file types you want to backup
21. Click "Next"
22. Provide your scheduling information
23. Check the box that says "Create a new, full backup now in addition to saving settings"
24. Click "Save Settings and Start Backup"

NOTE: The Complete PC Backup on Vista doesn't give you the option to backup to a network location in the GUI, but you can do so from the command line using WBADMIN.EXE on supported editions.

To perform a Full System Backup (aka "Complete PC Backup"):

1. Mount the TrueCrypt encrypted file system which will serve as the destination for the backup
2. Create a folder on the mounted volume where you want to store the backups (e.g. "Backups")
3. Right-click on the folder created above and select "Share"
4. Click "Share" (Your user should already be listed as the owner since you created the share, but if not, add it as the owner)
5. Accept the UAC pop-up if you receive it.
6. Click the Windows Start Menu
7. In the Search box type: cmd.exe
8. Press "Enter"
9. In the CMD prompt, type: WBADMIN START BACKUP -backupTarget:\\COMPUTERNAME\ShareName -include:C: -user:<youruser> -vssFull (e.g. WBADMIN START BACKUP -backupTarget:\\JOHNS-COMPUTER\Backup -include:C: -user:jdoe -vssFull )
10. Press "Enter"
11. When prompted "Do you want to start the backup operation?" type: Y
12. Press Enter

References

• TrueCrypt - How to Backup Securely
• Can't backup to external drive
• Backup to Network
• Windows 7: Compare Windows 7 Home Premium, Professional, and Ultimate
• Windows Vista: Compare editions
• TrueCrypt - Known Issues & Limitations