Backup and encryption automated

How to create a secure backup script in Windows.

When would you need an encrypted backup?

A good example is a laptop that you use at work, but take home with you frequently. If your work is usually stored on a corporate network drive, but you want the reassurance of a local copy, then it would be a very good idea to make an encrypted backup. That way, if you leave the laptop in a taxi or on a train, or it gets stolen, you don't have to worry about your backup files being accessed by unauthorised people.

Another example would be if you wanted to create a backup of your files onto a removable storage device such as a memory stick or a portable hard disk. Portable devices are relatively easy to lose, so having unencrypted data on them is a very, very bad idea.

This article will describe a way to create an encrypted backup in Windows XP, though the technique ought to work in other operating systems that support the software used.

Encryption software

TrueCrypt is the software we'll use to create an encrypted storage space. TrueCrypt is completely free, and open source, and you can download it from the TrueCrypt homepage. It's easy to install and use, and the documentation for it is very clear.

The Windows version of TrueCrypt has a very nice graphic user interface, so it's very easy to create a new encrypted volume. Make sure you read the TrueCrypt documentation, though, so that you understand what TrueCrypt can do, and its limits.

Mirroring software

To make our encrypted backup space contain the same files as our personal data space, we could just use the copy command. This would copy all of the files in our personal space into the encrypted storage space, every time we run the backup. This would take a long time, every time.

A better idea is to use a piece of software that will examine our personal data space and only copy files when it makes sense to do so.

The tool that I'll use in this article is called Unison, another piece of free, open source software that is easy to install. You can download it from Unison's homepage.

Because we're making a backup, we'll use the -force preference to tell Unison to create a "mirror" of our personal space, by copying new and changed files into our encrypted backup space, and deleting files from the encrypted space if they are no longer found in our personal space. Hopefully my illustration below will make things clearer:

illustration: Unison will copy news files to the backup space, delete old files from the backup space, copy changes into outdated files, and ignore files that haven't changed.

Using the -force preference with Unison will make sure that files are never overwritten or deleted from your personal data, only from your backup copy.

Putting the pieces together

Decide how big the encrypted backup space should be

First of all you need to create an encrypted storage space big enough to store all of your personal files. By personal files, I mean anything that you have created yourself, anything that you would not want to lose, whether they're text documents, spreadsheets, photos, videos, or any other file type. See my file backup checklist to help you avoid forgetting anything.

Ideally, you'll have all of your personal files in one folder. In Windows, this is usually your "My Documents" folder, and it's usually located at "C:\Documents and Settings\yourname\My Documents\", where yourname is replaced by the username with which you log into your Windows account. However, you might have your personal files at a different location, so make sure you know exactly where they are.

Once you've located your personal file folder, right-click on it and select Properties. You should see a page appear that tells you how many files the folder contains, and how many megabytes (MB) or gigabytes (GB) the folder contains. Make a note of the size, and then ask yourself whether you think this size will increase much over time. If you're constantly adding new videos or photos to your personal data space, the size will increase quite quickly.

Create an encrypted volume

If you've worked out how much space you'll need, you can then open TrueCrypt and create a new encrypted volume. Unless you know what you're doing, it's probably best to choose the "Create a file container" option, then "Standard TrueCrypt volume", and then click "Select File" and choose a suitable location on the device where you want to store the backup, such as your laptop hard disk or your memory stick. Give the file a name such as "". See the TrueCrypt website for a tutorial if this is the first time you've created an encrypted volume with TrueCrypt.

When TrueCrypt's volume creation wizard asks you how how big you want the new volume to be, think about how many megabytes your personal data space is likely to take up in the future, so that you have enough space in your encrypted backup space for some time to come. (Note: one gigabyte is 1024 megabytes.)

When it comes time to choose a password, make sure you choose a very strong password. Do not choose a short password, do not choose a password that only consists of words you'd find in the dictionary, and do not choose a simple number sequence. A set of letters, numbers and symbols, forming a sequence of at least twenty characters in length, is the recipe for a strong password. If you don't choose a strong password, then you're wasting your time with encryption.

Once your new encrypted volume has been created, use TrueCrypt to mount the volume and then open it. Inside your new, empty backup space, create a folder called SecureBackup and then dismount the encrypted volume.

Write a batch file script

Now that you've created an encrypted volume, it's time to create a batch file that automates the process of opening the encrypted volume, running Unison to update the files in it so that they match your personal data space, and then closing the encrypted volume.

In a text editor, such as Notepad, create a new file called SecureBackup.bat or some other name so long as it ends with ".bat" (batch file). Now, type the code below into the new text file, replacing the file paths below with the correct file paths for your setup.

In the code below, I've assumed that your personal data is all found in the folder "C:\Documents and Settings\yourname\My Documents", but change both occurrences of this path so that they match the actual path to your own personal data. I've used "C:\path-to-encrypted-volume\" as the path and name of the encrypted TrueCrypt file container, but change this so that it matches the path and name of your own encrypted file container. I've also used "C:\Program Files\TrueCrypt\truecrypt.exe" as the path to truecrypt.exe, and "C:\Unison-2.27.57-Gtk\Unison-2.27.57 Text.exe" as the path to the Unison text-interface software, but check on your own machine to find the actual paths.

Note: Where a line begins with the ↪ symbol, it means that I've had to break the line so that it fits on this web page, but you must not break the line when you're typing it into your batch file. Where you see the ↪ symbol, just type a space and carry on typing on the same line.

:: Open the TrueCrypt encrypted volume and mount it as drive X.
"C:\Program Files\TrueCrypt\truecrypt.exe" /q /v
↪   "C:\path-to-encrypted-volume\" /lx

:: Tell Unison to copy changes from our personal folder,
:: to the SecureBackup folder on our encrypted X: drive.
:: (NOTE: This must be on one line with no breaks, but
:: I've had to split it into four here so that it fits onto
:: the web page.)
"C:\Unison-2.27.57-Gtk\Unison-2.27.57 Text.exe"
↪   "C:\Documents and Settings\yourname\My Documents\"
↪   "X:\SecureBackup\"
↪   -force "C:\Documents and Settings\yourname\My Documents\"

:: Close the TrueCrypt volume.
"C:\Program Files\TrueCrypt\truecrypt.exe" /q /dx

Running an encrypted backup

Once you've created your batch file, and made sure that the file paths are exactly right for your machine, and that you've typed everything correctly, you can double-click on your new SecureBackup.bat file and it should then start to run.

First of all, the batch file tells TrueCrypt to open your encrypted file container, and a password prompt will appear for you to type in the password for your encrypted file container. Once you type in the correct password, the encrypted backup space is open and is mapped as drive X: in Windows. If you know that some other software or hardware on your PC already uses drive X:, then you can change the drive letter used by changing the /lx flag in the batch file so that it uses a different letter. For instance, /lt would mount the encrypted space as drive T: instead.

Once your encrypted backup space is ready for action, the next command tells Unison to scan the files in your personal data space and create an up-to-date mirror of them inside your encrypted backup space, inside X:\SecureBackup\ (change X: to whichever drive letter you have used). The SecureBackup directory is important, because if Unison can't find a directory with this name, it exits with an error. This is important because it makes sure that Unison doesn't accidentally create a mirror of your files to a totally different device that happens to be mounted as drive X: (or whichever drive letter you have used).

When Unison scans your files for the first time, it will take a while because it's building a map of your personal data space so that it can compare the changes next time it's called, and because it has to copy all of your files to the encrypted backup space. The next time you run a backup with this batch file, Unison should finish a lot quicker because it will only copy across new files and changes to files.

Once Unison has scanned your personal data space, it will show you the new files, directories and changed files that it intends to copy to your encrypted backup space, and will ask you to confirm that you're happy for it to do so. Type yes once you've checked that everything seems to be as expected, and then hit Enter. Unison will then proceed to copy across new items and changes.

When Unison has finished, it outputs a brief message about the number of files copied, and then the final command in the batch file is called. The final command simply tells TrueCrypt to dismount the encrypted backup space. The output window will then close itself.

Keeping the output window open

If you want to keep the command line window open even after the batch file has finished (so that you can check that there are no error messages, for instance), create a shortcut to the SecureBackup.bat batch file, and then in the Properties page for the shortcut, find the field that names the target of the shortcut as SecureBackup.bat and add "cmd /K " (notice there's a space after the K) at the start of it. This tells Windows to run the batch file in a command window that will remain open until you close it.

File synchronisation

If your files are normally kept safe on a network drive in the office, but you want to be able to take your laptop home and work on your files from a local copy on your laptop, a simple backup as described above won't do what you want. The -force argument given to Unison tells it to create a one-way mirror in the encrypted space, which is no good if you want to alter the files in that encrypted space and then have the changed files copied back onto your corporate network drives when you get back to the office.

However, if you remove the -force argument, Unison will instead act as a "file synchronizer". It will look for changes in both places, and will copy new or changed files from one place to another, in either direction. This would allow you to work on the files on your corporate network drives while at work, then run a synchroniser batch file that tells Unison to synchronise your files, so that it copies new and changed files to your encrypted store. Then, at home, you can work on your files in the encrypted store, and when you get back to work and run the synchroniser batch file, Unison will copy any new or changed files, in the other direction, from your encrypted store into your corporate network drive.

If you use Unison as a synchroniser instead of a simple backup tool, bear in mind that you must run your synchroniser script before you change from one file store to another. Otherwise, you might change a file on your corporate network drive, then change the same file in your encrypted store without realising it. Then when you do run Unison, it won't know which of the versions of the file is the one you want to keep, and you'll have to decide which one to overwrite.

A warning about encryption

A recent experiment showed that it's possible for data to be extracted from RAM even after a computer has been turned off for several minutes. This means that encryption keys could be extracted from a machine that was turned off suddenly while running encryption software, such as TrueCrypt. So you must always shut down a computer that has been accessing encrypted data, and make sure that no untrusted people have access to the computer for at least a few minutes after it has been shut down. For instance, never access your encrypted data store while in a public place, or on public transport.