Best Practice: Implementing a Full Disk Encryption on laptops

Question

We are thinking about using TruEncrypt full disk encryption to protect the data on our laptops (roughly 15-20 in the healthcare field - XP & Win7). And I was wonder about backups, and not per say the method or the use of a product like TruEncrypt.

Should all laptops be backup before the encryption? And then backup after the encryption? (Clonezilla/Acronis) I am worried about accessing the data if the laptop's hd starts to fail or hd corruption ... and will we be able to recover the data even with the encrypted hd dying. Is it possible to recover the data when hdd's fail or get corrupted?

Backups with be encrypted.. and Recovery disks will get backed up too.

Answer 1

I take it you are talking about the initial backup and imaging process? I would suggest backing up the data when the drives are unencrypted. It removes a layer of complexity. You would also want to encrypt each laptop separately, so they have a different salt/hash.

When doing subsequent backups, if necessary (i.e. for user documents, and such), do it from the OS, after it is unencrypted.

Answer 2

I'd say to back them up after encryption, to save time on having to reencrypt an entire laptop again after a failure (although this doesn't seem that it would be a frequent scenario). An argument could be made for backing them up before encryption to mitigate the risk of a lost key/password, but it depends on how you're doing things. There would be no harm in backing them up before encryption, considering that your backups are encrypted regardless.

If you're going to do regular, periodic image backups of each laptop, then backing up with encryption is your only option. It doesn't seem very practical to unencrypt, back up, then reencrypt.

Encryption is done in blocks, so a bad sector will only corrupt a single encrypted block, leaving the rest of your data intact. Check the Truecrypt documentation to find out what their block size is; a bad sector would render an entire XXkb block of data unreadable, versus 512b for an unencrypted sector, but it's not like a single bit corruption on an encrypted hard drive will render the entire thing unreadable.