10.18
Encryption on laptops is a hot topic these days, and I’m no more immune from it than any other sysadmin. Any time you have people carrying around laptops, it’s important that they are secured against possible theft or loss. The data carried on portable computers these days can get you into lots of trouble if you aren’t very careful to keep it secured against prying eyes. Encryption solves that problem by scrambling the files in a certain part of the laptop hard drive and requiring some type of authentication in order to decrypt it. This stops “casual” theft of data by just popping the hard drive out of the notebook and sticking it in another machine as a second drive.
Encryption is a two-edged sword though, and it must be very carefully planned before being rolled out. The same scrambling of data that keeps thieves from getting at the data can also keep a sysadmin from getting at the data in a disaster situation. If you use the built-in Windows encryption, for example, you are screwed if you can’t log into Windows. That means your hard drive doesn’t even have to fully crash for the data to become inaccessible. You will have to make sure you have a very robust backup plan in place for your laptop users. If you use a third-party tool such as the excellent TrueCrypt, you still need to back up your files, but it’s possible to restore the volume as long as the header is intact and you have the correct passwords and keyfiles.
Backups are the life-blood of a sysadmin. If backing up your system is not the most important thing you do on a daily basis then you have no business being a sysadmin. So with all of that said, here is a good batch file to get you started with backing up the encrypted folders or drives on your Windows laptops:
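@echo off
setlocal
rem src = mounted encrypted volume (drive letter or folder); dst = backup target
set src=X:
set dst=U:\encbackup
rem /MIR mirrors src to dst, so files deleted from src are also deleted from dst.
rem /B (backup mode) needs the "Backup and Restore Files" user rights.
rem /COPYALL already covers what /SEC copies, so /SEC is redundant but harmless.
set args=/XD "%src%\Recycled" "%src%\System Volume Information" /COPYALL /B /SEC /MIR
rem Retry 5 times, 3 seconds apart; append to a log file and echo to the console.
set opts=/R:5 /W:3 /LOG+:c:\synclog.txt /NFL /NDL /TEE /ETA
rem The trailing backslash makes IF EXIST test for a directory, not a file.
IF NOT EXIST "%src%\" GOTO QUITNOSRC
IF NOT EXIST "%dst%\" GOTO QUITNODST
rem Quote both paths so folders with spaces in their names still work.
robocopy "%src%" "%dst%" %args% %opts%
GOTO PAUSEQUIT
:QUITNOSRC
echo Couldn't find "%src%".
echo Your encrypted volume is not mounted.
GOTO PAUSEQUIT
:QUITNODST
echo Couldn't find "%dst%".
echo If you are NOT connected to the network then this is normal.
GOTO PAUSEQUIT
:PAUSEQUIT
pause
@cls
exit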
This is a modified version of a well laid-out robocopy script I found on the internet somewhere. The src variable holds the drive letter or folder of the encrypted volume that needs backing up. The dst variable is where the backed-up files should be placed. In this case they would go in a folder called “encbackup” in the user’s network home folder. The args and opts variables set up some common exclusions, logging and such. You can see all of the options for robocopy here. Each laptop user would run this file whenever they come back into the office and hook up to the network. Keep in mind that files read from a mounted TrueCrypt volume are copied to the destination decrypted, so the backup folder has to be protected in its own right.
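The script above never looks at robocopy's return value, so a failed copy looks the same to the user as a good one. The following is an added example, not part of the original script: it reuses the src and dst values from above, trims the switches to /MIR plus retry and logging for brevity, and decodes robocopy's exit-code bitmask so that any value of 8 or higher is reported as a failed backup.

```batch
@echo off
setlocal
rem Added example: same src/dst convention as the script above.
set "src=X:"
set "dst=U:\encbackup"

robocopy "%src%" "%dst%" /MIR /R:5 /W:3 /NFL /NDL /LOG+:c:\synclog.txt
set "rc=%ERRORLEVEL%"

rem Robocopy's exit code is a bitmask, not a plain 0 = success flag:
rem   1 = files copied, 2 = extra files in destination, 4 = mismatches,
rem   8 = some copies failed, 16 = fatal error (nothing was copied).
set /a "copied=rc & 1, extra=rc & 2, mismatch=rc & 4, failed=rc & 8, fatal=rc & 16"

if %fatal% neq 0 (
    echo FATAL: robocopy could not run the copy. See c:\synclog.txt.
    goto FAIL
)
if %failed% neq 0 (
    echo ERROR: some files could not be copied after the retries. See c:\synclog.txt.
    goto FAIL
)
if %mismatch% neq 0 echo WARNING: mismatched files or directories were found.
if %extra% neq 0 echo NOTE: extra files or directories were detected in the destination.
if %copied% neq 0 echo OK: new or changed files were copied.
if %rc% equ 0 echo OK: destination was already up to date.

rem Leave a one-line verdict in the same log the admin already reads.
echo %DATE% %TIME% backup finished, robocopy exit code %rc% >> c:\synclog.txt
endlocal & exit /b 0

:FAIL
echo %DATE% %TIME% BACKUP FAILED, robocopy exit code %rc% >> c:\synclog.txt
endlocal & exit /b 1
```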







