If you’re encrypting your drives, you’re already well ahead of the curve when it comes to backing up your files. But there are reasons to be wary of encrypted backups, too, and they apply especially if you’re not used to the idea just yet.
Encrypted backups are only safe if you can recover them, and you’d be surprised how many things can go wrong and completely lock you out, rendering the backup unusable … and that’s not even the only danger.
Your backup is only as safe as its key
Seems obvious, and yet, being locked out is still common.
Credit: Patrick Campanale / How-To Geek
Let’s get one thing out of the way: The problem with encrypted drives is not at all complicated.
Encrypted backups can, and do, fail because of technical issues. For instance, an SSD can fail even at 100% health, and HDDs aren’t immortal either. Any extra 2FA tools are as susceptible to failure as any other piece of tech. Still, that’s not the most common thing that goes wrong here.
The most common way that encrypted drives fail to do their job is very simple: people just get locked out. But it’s never as straightforward as forgetting your four-digit PIN code; after all, there are multiple layers to encryption, and just one point of failure is enough to get you locked out.
Encryption is helpful, and even necessary, if you’re worried about unauthorized access to your files. But it adds an extra layer of risk: now it’s not just the storage media that can fail (and it can), but your encryption method as well.
Certain recovery methods are easy to remember, and thus, easy to crack. But some, like a BitLocker recovery key, are extensive. BitLocker may prompt you for a recovery key after certain changes, and that’s a 48-digit number; no one’s going to remember that.
Some of the most secure systems just cannot help you if you lose access, point-blank. This varies depending on whether you’re encrypting an entire drive or just certain archives.
Depending on your tool of choice, encryption may turn out to be an insurmountable obstacle. That can be good news, but it can also end in data loss.
The most common ways people get locked out
We’re all 100% immune to them until it happens to us, of course.
Leaving your SSD in a drawer and forgetting about it can kill it, but many encrypted backups don’t “die.” They just become unreachable, usually after a totally normal life event like a new phone, a reinstalled operating system, or a hardware change or failure.
I’ve gotten locked out of a thing or two over the years, and the most common reason I see this happen to other people is simply losing the thing that unlocks it. You might not forget your main password, but you might lose the encryption password to an archive or container, and there’s no reset option. Or there’s a keyfile, and it only exists on a drive you’ve lost access to. You wrote down the secret recovery phrase somewhere, and can’t remember where it was.
For full-disk encryption, the risks are much greater. Windows may prompt you for the recovery key during startup after a hardware change, and if you don’t have that 48-digit number, you’re out of luck. Microsoft claims it can’t recreate or retrieve it. FileVault is much the same: if you don’t have the recovery method, you might be stuck.
Another way things can go south is if you store your recovery method on the very thing you can’t unlock. It happens. Maybe you use a password manager and lose access to it, or your authenticator app is acting up, etc. Another common reason is changing phones and getting locked out of the authenticator app.
Why 2FA can be a problem (even though it’s great)
The important part is to always be mindful of it.
Two-factor authentication (2FA) is a must for any service you care about. These days, with passwords getting leaked all over the place, 2FA is one way to rest easy knowing that no one else can get into your account.
The problems start if you’re the one who can’t get into the account. If the recovery key for your encrypted backup lives in a cloud drive, email inbox, or password manager, then 2FA is now part of your backup’s unlock path. Lose access to that account, whatever it might be, and your backup’s toast, too.
I have to admit I have a little moment of panic each time I get a new phone and need to log back into all my apps, authenticator apps included. That little “what if” shows me just how many important files and apps I’ve entrusted to this one authentication method, and it makes me want to take a step back and reassess.
How to protect yourself from getting locked out
Encrypted drives are great if you back up the right way.
You’ve probably heard of the 3-2-1 backup rule, where you need to have three total copies of your data, on two different storage devices, and an extra copy off-site. Well, it’s time to start treating disk encryption in a similar way, provided you’re worried about what could possibly happen to those files.
Treat the key to your encryption like a second backup target. Your encrypted backup should be stored in one place, and the info needed to unlock it should be stored somewhere else, in at least two forms. And yes, writing things down can still be a legitimate way to deal with this, but don’t entrust a piece of paper with the only way to recover your most important files.
The whole “keeping it separate” thing can be as simple as saving your encryption password and recovery key in your password manager (if you can trust it, that is), and a second copy offline.
If your unlock path goes through an account, don’t rely on a single 2FA method. Keep a second factor that doesn’t depend on the exact same device, and store backup codes and recovery keys safely so that you can always get them if you need them.
Lastly, make sure to test your entire backup path. Pick a backup and try to unlock it through a device or code of your choice, then try another method. The point is that encrypted drives and backups are only as good as your whole recovery path is, so once you’ve confirmed that it all works, you’ll have nothing more to worry about.
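The unlock path described above can be audited on paper before you test it for real. The following is an added example, not part of the original article: it models a constructed, hypothetical inventory (all item names are assumptions) as a dependency graph and reports which single lost item would lock you out of the backup.

```python
"""Unlock-path audit: which single loss locks you out of an encrypted backup?"""

# Constructed inventory (assumption, not from the article). Each item maps to
# a list of alternative routes; a route is the set of things that route needs.
# Items with no entry are things you physically hold or remember.
WEAK = {
    "backup": [{"recovery_key"}],
    "recovery_key": [{"password_manager"}],
    "password_manager": [{"master_password", "totp_code"}],
    "totp_code": [{"phone"}],
}

# Same setup after applying the advice: a second, offline copy of the key and
# printed backup codes as a second factor that does not depend on the phone.
HARDENED = {
    "backup": [{"recovery_key"}],
    "recovery_key": [{"password_manager"}, {"paper_in_safe"}],
    "password_manager": [{"master_password", "totp_code"},
                         {"master_password", "printed_backup_codes"}],
    "totp_code": [{"phone"}],
}

def reachable(paths, target, lost, _seen=frozenset()):
    """True if `target` can still be obtained when the items in `lost` are gone."""
    if target in lost or target in _seen:      # lost, or a circular dependency
        return False
    if target not in paths:                    # base item you still hold
        return True
    seen = _seen | {target}
    return any(all(reachable(paths, need, lost, seen) for need in route)
               for route in paths[target])

def base_items(paths):
    """Everything some route needs that has no routes of its own."""
    needs = {n for routes in paths.values() for route in routes for n in route}
    return needs - set(paths)

def single_points_of_failure(paths, target="backup"):
    """Base items whose loss alone makes `target` unreachable."""
    return sorted(item for item in base_items(paths)
                  if not reachable(paths, target, {item}))

if __name__ == "__main__":
    for name, paths in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "->", single_points_of_failure(paths) or "none")
```

A recovery key stored only on the drive it unlocks shows up as a circular dependency, which `reachable` treats as a lockout.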

