[Feature request] Encrypt logs for encrypted file & folder backups.


Beardy
Occasionally I have to back up data from encrypted file-containers or drives (BitLocker/VeraCrypt); currently I have to create new containers & sync data between them when mounted using copy/paste or command-line tools. Having multiple containers with much free space in them is wasteful of storage, especially as it doesn't provide for stepping back the state of the data without keeping many containers the way one can with incremental backups.

I would use encrypted file & folder backups for this purpose instead, except the logs are stored in the clear & potentially reveal file-names & other meta-data which is potentially confidential. Someone who gained access to my system could potentially access this information without having the credentials to decrypt the actual data.
Edited 29 December 2020 10:43 AM by Beardy
jphughan
The logs are stored on the C partition. Would it not be feasible and potentially even desirable to encrypt the C partition using VeraCrypt or BitLocker? Reflect has extensive support for capturing and restoring images of partitions that use BitLocker.
Beardy
Indeed, & that secures the data at rest, which usually meets minimum regulatory requirements for most use cases, & even v5 worked well with VeraCrypt full drive encryption. However, if the machine is typically powered on 24/7 with the drive thus unlocked I have doubts Windows security matches AES encryption with a well-chosen passphrase, no matter how tight group policy (if available) may have password strength & rotation set. Even if potential malware infiltrated the network, it can't even potentially phone home with the content of encrypted files.

This is more in the nature of "nice to have security enhancement" rather than anything mission critical.

Doubtless were I to put forth the effort, I could script something using a tool such as AES-Crypt, or possibly even 7zip running post-backup, or even secure delete the relevant logs, which would only solve it for me, not for anyone else who desired such a thing.
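
One way to script the post-backup step described in the post above, as an added example that is not part of the thread and not Macrium's code. Instead of AES-Crypt or 7-Zip it uses PowerShell's built-in `Protect-CmsMessage`, so the backup machine holds only a public certificate and no passphrase; the log folder and certificate path are placeholder parameters, not Reflect's actual locations.

```powershell
# Added example: seal plaintext backup logs to a certificate's public key after a backup run.
# Assumptions (not from the thread): $LogDir and $CertPath are placeholders supplied by the
# caller; the certificate carries the Document Encryption EKU and its private key is stored
# on a different machine, so nothing on this system can decrypt the sealed logs.
param(
    [Parameter(Mandatory)] [string] $LogDir,    # placeholder: folder that holds the backup logs
    [Parameter(Mandatory)] [string] $CertPath   # placeholder: public certificate file (.cer)
)

$ErrorActionPreference = 'Stop'
$sealed = 0

# Skip files sealed by an earlier run so they are not wrapped a second time.
Get-ChildItem -LiteralPath $LogDir -File |
    Where-Object { $_.Extension -ne '.cms' } |
    ForEach-Object {
        $out = "$($_.FullName).cms"

        # CMS envelope: the content is encrypted with a random symmetric key,
        # and that key is wrapped to the recipient certificate's public key.
        Protect-CmsMessage -To $CertPath -LiteralPath $_.FullName -OutFile $out

        # Drop the plaintext only once a non-empty sealed copy exists.
        if ((Test-Path -LiteralPath $out) -and ((Get-Item -LiteralPath $out).Length -gt 0)) {
            # Remove-Item only unlinks the file; it is not the "secure delete"
            # mentioned in the post, so remnants can stay on disk until overwritten.
            Remove-Item -LiteralPath $_.FullName -Force
            $sealed++
        }
        else {
            Write-Warning "Sealed copy missing or empty, plaintext kept: $($_.FullName)"
        }
    }

Write-Output "Sealed $sealed log file(s) in $LogDir"
```

Reading a sealed log later is done with `Unprotect-CmsMessage -Path <file>.cms` on the machine that holds the matching private key.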
jphughan
If the concern is exfiltration of file name data by malware that is running on a system whose encrypted volumes are unlocked, then surely the greater concern would be that malware accessing the files themselves -- both names AND contents -- while the encrypted container is mounted?  And that of course is completely setting aside the real problem in this scenario, which is that malware is running on your system.  I grant that the Reflect logs are always sitting there on the C drive available to be read, while you may only have your encrypted container mounted and unlocked during specific times, but the assertion that the real data is only available to malware SOME of the time seems a rather weak defense.  And if the concern is exposure of confidential information through being able to see file names in the clear, then there are all sorts of other places that would be points of concern, such as the Recently Opened Files lists in applications.

But of course this is the Wish List section, and wishes made here have been granted before, so you never know!

Edited 29 December 2020 7:42 PM by jphughan
Beardy
The window of opportunity is different between while stuff is being actively worked on or accessed for backup and/or sitting on C all the time, either for malware, or just curious people with admin rights on a given PC. I'd have said nothing & done my own thing, only it occurred to me others may want such a feature if they keep potentially sensitive things on external media which they take opportunistic backups of too.

Left to design a workflow for really sensitive data myself, at minimum it'd reside on external encrypted drives, be mounted only inside a virtual machine & that VM's state reverted at shutdown after each access, with backups made using the VM's OS. This is more about a minor mitigation which is convenient enough for people to actually use rather than serious security, which people find too burdensome & won't tolerate. Any potential leak that's fixed just makes the whole system less leaky. Recent docs & jump lists are easy to turn off: gpedit > Administrative Templates > Start Menu & Taskbar, enable "Do not keep history of recently opened documents"; users hate it.

