0

From VeraCrypt's documentation (here, section "System Partitions"), it sounds like one should be able to:

1) Boot a PE (or secondary OS),

2-3) Create & mount a new, empty encrypted volume (destination for cloning),

4) Mount an encrypted system volume (source for cloning),

5) Clone the mounted, encrypted system volume to the mounted, encrypted destination volume.

However, none of the clone/imaging software I've thus far tried has been able to see the mounted volume (Macrium Reflect, Norton Ghost, and Acronis True Image). I can mount the volumes and they're seen by the PE (i.e. I can navigate around the source filesystem) - but the cloning software does not see them as an available partition/source for cloning.

My question: Am I somehow misunderstanding the documentation? How can I clone an encrypted system volume in this way, as the VeraCrypt documentation seems to indicate?

Note that I'm not attempting to do the following:

  • Clone the raw host partition (which would require cloning the entire partition, including all empty space, as the data is encrypted & the cloning software cannot see the filesystem)
  • Clone while the encrypted OS is running (i.e. shadow copy). I need to be able to do this from a separate, external bootable media (aka doesn't require installing the cloning software on the OS to be cloned)
  • Decrypt, clone the unencrypted data, then re-encrypt the source volume (for obvious reasons).

3 Answers

1

You may be over-thinking this. You have the source volume, mounted. You have the destination volume, mounted. Both volumes are encrypted VeraCrypt volumes. (And you do not want to duplicate the entire partition.)

So do a straight file system copy from the source to the destination.

This may not be what you intend to do but this is what the VeraCrypt Wiki page you linked is referring to. In contrast, the tools you mentioned are expecting block devices and I'm suspecting you are using Windows?

Windows will not even see VeraCrypt volumes as block devices, full stop. Linux is a bit different.

But if this is not a suitable answer please elaborate a little on what you intend to accomplish and if a file system level copy can do it or not.

5
  • >>(And you do not want to duplicate the entire partition.): I do indeed want to duplicate the entire partition - that's exactly the premise of the question :P As specified, it's an encrypted system partition - you can't simply duplicate a system partition by drag-and-drop its files (i.e. boot sector, etc). As for the OS, it's Windows (the other clone software mentioned - Reflect/Ghost - are Windows-only).
    – J23
    Commented Apr 8, 2017 at 23:59
  • I was referring to this: "Clone the raw host partition (which would require cloning the entire partition, including all empty space, as the data is encrypted & the cloning software cannot see the filesystem)" but I understand. I still think the solution is based on identifying what you are trying to accomplish. For instance, it looks like Parted Magic added VeraCrypt a year ago, reads NTFS, etc. If you can spring for its $9 cost. It is Linux based, not Windows based. You get dd and clonezilla. It's really a pretty fantastic tool.
    – Kit
    Commented Apr 9, 2017 at 0:45
  • I definitely don't mind paying for a tool, as long as it actually works :) Where did you see Parted Magic works with Veracrypt? Re: Identifying what I'm trying to accomplish: "Clone [a] mounted, encrypted system volume to [a] mounted, encrypted destination volume." Simply the ability to clone an encrypted volume to another encrypted volume, similarly to how it's possible to clone an unencrypted one.
    – J23
    Commented Apr 10, 2017 at 1:01
  • Listed here in their news page partedmagic.com/news "Updated programs: btrfs-progs-v4.4.1, libfm-1.2.4, pcmanfm-1.2.4, xf86-video-amdgpu-1.0.1, google-chrome-48.0.2564.109, linux-4.4.2, mozilla-firefox-44.0.2, wimlib-1.9.0, veracrypt-1.17, clonezilla-3.19.17, drbl-2.18.12, ddrescue-gui_1.5, coreutils-8.25, gparted-0.25.0, xf86-video-intel-git_20160108" Unfortunately that is a newer version than I have on hand so I can not test it for you but I can speak to the quality of Parted Magic in general. Maybe someone else can lend us a hand?
    – Kit
    Commented Apr 10, 2017 at 16:26
  • That's a bit ambiguous to me - doesn't say anything about being able to clone from veracrypt-encrypted volumes. It seems to say that "this version of parted magic includes an updated version of veracrypt," which is odd...
    – J23
    Commented Apr 12, 2017 at 1:03
0

I am also having this exact issue. My issue began when, for some reason, my hard drive encrypted with VeraCrypt would boot-loop after typing in the password at the bootloader. I can successfully mount the disk when attached externally in Windows, so I figured I can clone the mounted disk over to another disk and have a decrypted version to try and boot from.

I'm going to try a different approach and use the VeraCrypt rescue DVD instead; it has an option to repair the VeraCrypt bootloader, as well as decrypt the disk fully.

Hope this helps, I'll let you know if I'm able to decrypt the disk with the rescue CD.

0

Let's take my case: full disk encryption, with Windows installed.

  1. Boot Windows, then use a backup tool able to do a snapshot of your own installation (live dump - shadow copy on Windows). As it is copying decrypted data, the backup will be unencrypted at your destination location, but you can use the backup tool's own encryption.
  2. Boot another OS locally (Linux, Windows PE, etc.), install VeraCrypt drivers, mount the encrypted partition/disk, then back it up. Although I was not able to use Clonezilla for this, this works with dd (or rsync, but you are not keeping permissions, etc.). Once again, the backup will be unencrypted, so take care.
  3. Boot another OS, back up the whole disk as a sector copy. If you restore to a same-size partition, this works. You could use the VeraCrypt boot USB key to "repair" the installation master key if there is an issue.

For me, sector copy is a waste of space. On the other hand, you must ensure the re-encryption is the same grade as VeraCrypt encryption, to be sure there is continuity in security. This is also "less" secure because the data is unencrypted during the whole process, which could be an issue, given it is flowing into memory / cache before being written (when used, VeraCrypt only decrypts the block you are accessing, on the fly).
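An added example (not part of any answer above) of the dd route from option 2, with a size check and a hash verification around the copy. The device names, slot numbers and the VeraCrypt command lines in the comments are assumptions for a Linux rescue system; the demo uses two constructed regular files in place of the mapped volumes. If the destination is itself a mapped VeraCrypt volume, the data is re-encrypted as it is written; if it is a plain file or disk, the copy lands unencrypted.

```shell
#!/bin/sh
# On a Linux rescue system the two arguments would be device-mapper nodes,
# obtained for example with (assumed devices and slots):
#   veracrypt --text --filesystem=none --mount-options=system,ro --slot=1 /dev/sdX2
#   veracrypt --text --filesystem=none --slot=2 /dev/sdY1
# which map to /dev/mapper/veracrypt1 (source) and /dev/mapper/veracrypt2 (destination).

# Size in bytes of a block device or a regular file.
size_of() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# SHA-256 of the first $2 bytes of $1.
hash_prefix() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# Copy SRC onto DST block by block, then verify the copied range.
# Returns 0 when verified, 1 on a dd error, 2 if DST is too small, 3 on mismatch.
clone_decrypted_view() {
    src=$1; dst=$2
    src_size=$(size_of "$src"); dst_size=$(size_of "$dst")
    if [ "$dst_size" -lt "$src_size" ]; then
        echo "destination ($dst_size B) is smaller than source ($src_size B)" >&2
        return 2
    fi
    # notrunc keeps a regular-file destination at its size, as a device would be.
    dd if="$src" of="$dst" bs=1M conv=notrunc,fsync status=none || return 1
    [ "$(hash_prefix "$src" "$src_size")" = "$(hash_prefix "$dst" "$src_size")" ] || return 3
    return 0
}

# Constructed demo: two regular files stand in for the mapped volumes.
demo() {
    d=$(mktemp -d)
    head -c 2097152 /dev/urandom > "$d/source.img"
    head -c 3145728 /dev/zero > "$d/dest.img"
    clone_decrypted_view "$d/source.img" "$d/dest.img"; rc=$?
    rm -rf "$d"
    return $rc
}

demo && echo "copy verified"
```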
