
Viewing 9 reply threads
  • Author
    Posts
    • #1563838
      Miguel Gonzalez
      Participant
      Member Points: 666
      Rank: 2

      Hi,

      I have a Windows 10 laptop with the C drive encrypted using BitLocker.

      I need to perform regular backups onto a USB drive. I need two things:

      – Granular file backups. I suspect I can use the built-in Windows backup tool, since for online backups the data is accessible.

      – Disaster recovery backup. This is the cumbersome part, since I am finding that tools like Acronis need BitLocker disabled before performing a DR backup. This is far from ideal, because it means regenerating the BitLocker recovery passwords.

      Any experiences?

       

       

    • #1563839
      Michael Pietroforte
      Keymaster
      Member Points: 38,730
      Author of the year 2018
      Rank: 4

      Miguel, you have to distinguish between DR tools that work on the file level and block-based backup tools. File level tools usually need to run within a Windows session of the installed OS which means they run under the privileges of an authenticated user. They have access to the files as any other application. Block-level tools usually come with their own OS and therefore need to disable BitLocker first. I previously worked with Acronis but I found it too complicated for daily backups.

      In any case, you have to make sure that you store the BitLocker recovery keys on an external device. You will need them in case of a DR. It is also very important that you simulate the DR case. Most DRs fail because admins realize too late that their solution is not working. You can simulate DRs in a virtual environment.
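
The advice above (keep the recovery keys off the machine and rehearse the restore) can be scripted as a pre-backup step. The following is an added example and not code from the thread or from any of the tools mentioned in it. It assumes, hypothetically, that the USB drive is mounted as E: and that the script runs in an elevated PowerShell session; every other name in it is an assumption as well.

```powershell
# Added example, not code from the thread: copy the numerical recovery passwords of
# every BitLocker-protected volume to a removable drive before taking a DR image.
# Hypothetical assumptions: the USB drive is mounted as E:, and the script runs in an
# elevated PowerShell session (Get-BitLockerVolume requires administrator rights).
#Requires -RunAsAdministrator
param(
    [string]$ExportRoot = 'E:\BitLockerKeys'   # assumed location of the USB drive
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $ExportRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $target -Force | Out-Null

foreach ($vol in Get-BitLockerVolume) {
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "$($vol.MountPoint) is not protected (status $($vol.ProtectionStatus)); skipping."
        continue
    }

    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    # A TPM-only protector is sealed to this machine's TPM and is useless on other
    # hardware or after a motherboard swap, so make sure a 48-digit recovery password
    # exists before the image is taken. Adding one leaves the existing protectors intact.
    if (-not $recovery) {
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $vol      = Get-BitLockerVolume -MountPoint $vol.MountPoint
        $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    # Record the protector ID next to the password: the pre-boot recovery screen shows
    # the ID, which is how you pick the right password when several volumes exist.
    $lines = foreach ($p in $recovery) {
        "Computer:          $env:COMPUTERNAME"
        "Volume:            $($vol.MountPoint)"
        "Protector ID:      $($p.KeyProtectorId)"
        "Recovery password: $($p.RecoveryPassword)"
        ''
    }

    $letter = $vol.MountPoint.TrimEnd(':', '\')
    $file   = Join-Path $target "RecoveryPassword-$letter.txt"
    Set-Content -Path $file -Value $lines -Encoding UTF8
    Write-Host "Wrote $($recovery.Count) recovery password(s) for $($vol.MountPoint) to $file"
}
```

The text file is the key to the volume, so the USB drive has to be stored apart from the laptop (or itself encrypted); the point is only that the password exists somewhere other than on the disk that is about to be imaged.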

      • #1563840
        Miguel Gonzalez
        Participant
        Member Points: 666
        Rank: 2

        Thanks for answering so quickly.

        I know all that. I was assuming that I could backup sector by sector as DR backup. Clonezilla claims it can do it.

        Of course I am working on testing DR and a procedure before going on production.

        I was just giving the whole picture and trying to generate a debate and get some input.

        Regenerating BitLocker passwords for DR every month or quarter I find a little bit time consuming and error-prone.

        Thanks

        • #1563841
          Michael Pietroforte
          Keymaster
          Member Points: 38,730
          Author of the year 2018
          Rank: 4

          Of course, you can clone BitLocker-encrypted drives. But it is also clear that you first have to disable BitLocker. I mean, BitLocker wouldn’t be of much use if you could somehow circumvent BitLocker with backup tools.

    • #1563842
      Miguel Gonzalez
      Participant
      Member Points: 666
      Rank: 2

      I think I am not making myself understood.

      Of course I am not expecting file-based backups to work offline with BitLocker enabled. What I mean is that I want to be able to back up a whole drive sector by sector and be able to restore the data on the same laptop in case of DR. I assume I would use the same BitLocker password all the time.

      In case the drive breaks, I want to be able to buy a new drive and restore the whole drive sector by sector.

      I tried the live CD from Acronis and it didn’t work, even unlocking (not disabling) BitLocker as mentioned in their docs.

      I am going to try clonezilla and I wanted to know experiences from people here.

      I hope I have now made clearer which assumptions I am aware of and what I am trying to accomplish here.

    • #1563843
      Michael Pietroforte
      Keymaster
      Member Points: 38,730
      Author of the year 2018
      Rank: 4

      As explained above, if you boot from an external OS (Acronis CD), the backup tool can’t access the drive as long as BitLocker is enabled. However, if I remember it right, you can install Acronis on your system drive and then you can also secure BitLocker-encrypted drives if you run Acronis from the Windows installation that also runs BitLocker. Acronis will create an image that you can use for a bare metal restore. At least it was like this a couple of years ago.

    • #1565176
      Welf Alberts
      Participant
      Member Points: 1,112
      Rank: 3

      I’ll share my first-hand experience:

      When you use the famous drive snapshot for DR image backups while windows is running (and the bitlocked drives are of course unlocked), it will create snapshot files (.sna) that you may mount afterwards to retrieve single files or folders if you like. You may also restore these full disk images any time and guess what, the system will be bootable and bitlocked with the same keys.

      When you use another famous (and free) tool, clonezilla, you boot it and again, you don’t need to suspend bitlocker. Clonezilla will clone sector for sector to either a new disk or to an image which you may restore to the same disk. The cloned disk will be encrypted and works with the same keys.

      • #1565177
        Michael Pietroforte
        Keymaster
        Member Points: 38,730
        Author of the year 2018
        Rank: 4

        I suppose it is possible if you have the encryption keys. However, when it comes to backups I wouldn’t risk all my data because I used a non-standard procedure. It is more secure to copy the unencrypted data with a file-based solution and encrypt the backup with the backup software. This not only allows you to restore to any kind of device, you can also easily access single files in the backup. In general, my experience with sector-based cloning tools is very bad.

        Shooting yourself in the foot with encryption is easy. My guess is that a lot more admins lost data this way than with ransomware attacks.

    • #1565191
      Welf Alberts
      Participant
      Member Points: 1,112
      Rank: 3

      With drive snapshot, this is a standard procedure, supported and documented.

      Clonezilla of course doesn’t care at all for whatever encryption, it just clones, so all just works again on the new drive.

      • #1565192
        Michael Pietroforte
        Keymaster
        Member Points: 38,730
        Author of the year 2018
        Rank: 4

        What do you mean by “drive snapshot”? The question is whether sector-based imaging from an external OS is a standard procedure for BitLocker-encrypted drives.

    • #1565193
      Welf Alberts
      Participant
      Member Points: 1,112
      Rank: 3

      Drive Snapshot – Disk Image Backup for Windows NT/2000/XP/2003/X64

      I understand what the question was, don’t worry. We have been doing DR backups of bitlocked drives for as long as Vista has been out.

      • #1565194
        Michael Pietroforte
        Keymaster
        Member Points: 38,730
        Author of the year 2018
        Rank: 4

        Well, a disk image can either be sector-based or file-based and the disk image can either be created from an external OS or from within the OS. What you call a drive snapshot is taken from within the OS. The key phrase on the page you linked to is “While Running Windows.” So that is a completely different thing and of course it is a standard procedure.

        But the question remains if it is a standard procedure to boot from an external OS to create a DR backup from a BitLocker-encrypted drive. I would say no.

        • #1565195
          Welf Alberts
          Participant
          Member Points: 1,112
          Rank: 3

          Drive snapshot is a command line tool which (as x64 version) may run from any WinPE or Windows setup based WinPE.

          If it does not recognize the file system, it simply copies all sectors. That does not make a difference for the result.

        • #1565196
          Welf Alberts
          Participant
          Member Points: 1,112
          Rank: 3

          That said, it’s also possible from WinPE to mount a bitlocked drive using a .bek file, for example (manage-bde -unlock c: -rk e:\some.bek), and do drive snapshot afterwards, if you prefer to get an unencrypted image.

        • #1565197
          Michael Pietroforte
          Keymaster
          Member Points: 38,730
          Author of the year 2018
          Rank: 4

          Yes, of course you can unlock BitLocker and that is again a totally different matter. Still, the question remains if cloning an encrypted drive is a standard procedure. If only one bit is corrupted in your backup, you are already in trouble. All professional backup solutions I know read unencrypted data from BitLocker drives.

        • #1565198
          Welf Alberts
          Participant
          Member Points: 1,112
          Rank: 3

          We use this since 2006 – never had a problem restoring such a backup no matter how it was created.

          For DR, he would not need to use sector based backups nor disable or even suspend Bitlocker – that was his main fear, he confused suspending Bitlocker for disabling (decrypting) the drive, by the way, but even this (suspending) is not needed.

    • #1566853
      Paolo Maffezzoli
      Participant
      Member Points: 75,815
      4sysops Member of the Year 2018, 2019, 2020, 2021
      Rank: 4

      Veeam Backup is a powerful tool that allows you to back up volumes even if they are protected by BitLocker.

    • #1568701
      Miguel Gonzalez
      Participant
      Member Points: 666
      Rank: 2

      Sorry I didn’t get into the debate earlier. I did a test with Clonezilla and it worked fine restoring the whole drive encrypted with BitLocker.

      • #1568702
        Michael Pietroforte
        Keymaster
        Member Points: 38,730
        Author of the year 2018
        Rank: 4

        How would you restore to a new laptop, if the original laptop is broken and you no longer have the keys?

        • #1568703
          Welf Alberts
          Participant
          Member Points: 1,112
          Rank: 3

          The numerical recovery password does not depend on the hardware, it works anywhere, also when the drive is cloned to a new machine.
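
The post above relies on the numerical recovery password, and the earlier advice in the thread was to rehearse the restore rather than trust it. The following is an added example, not code from the thread or from any tool mentioned in it, of the check a practitioner would run on the restored Windows installation: unlock the volume with the exported 48-digit password, confirm protection is on, and, when the image landed on different hardware, replace the TPM protector. A TPM protector is sealed to the TPM that created it, so after a restore to another machine Windows can only boot via the recovery prompt until that protector is re-created. The mount point and the password are hypothetical parameters; an elevated PowerShell session on the restored OS is assumed.

```powershell
# Added example, not code from the thread: verify a restored (cloned) BitLocker volume
# with the exported 48-digit recovery password, and re-bind the OS volume to the TPM
# of the machine it now lives in. A TPM protector is sealed to the TPM that created it,
# so after a restore to different hardware Windows boots only via the recovery prompt
# until the protector is replaced.
# Hypothetical assumptions: run in an elevated PowerShell session on the restored
# Windows installation; -MountPoint is e.g. 'C:' or 'D:'.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)] [string]$MountPoint,
    [Parameter(Mandatory)] [string]$RecoveryPassword,   # 8 groups of 6 digits, separated by dashes
    [switch]$RebindTpm                                   # use for the OS volume on new hardware
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# 1. Prove the backup is usable: a locked volume must open with the stored password.
if ($vol.LockStatus -eq 'Locked') {
    $vol = Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword
}
if ($vol.LockStatus -ne 'Unlocked') {
    throw "$MountPoint could not be unlocked with the supplied recovery password."
}
if ($vol.ProtectionStatus -ne 'On') {
    Write-Warning "$MountPoint is unlocked but protection is $($vol.ProtectionStatus) (suspended or decrypting?)."
}

# 2. Compare the restored protector set with what was exported before the backup.
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

# 3. On new hardware, replace the TPM protector that belonged to the old machine.
if ($RebindTpm) {
    $tpm = Get-Tpm
    if (-not $tpm.TpmReady) { throw 'TPM is not ready; provision it before re-binding.' }

    $stale = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' }
    foreach ($p in $stale) {
        # Safe because a RecoveryPassword protector remains; BitLocker refuses to remove the last one.
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    Write-Host "TPM protector re-created on $MountPoint; the next boot should not ask for the recovery password."
}
```

Run it once against every restored volume in the DR rehearsal; a volume that fails step 1 is a backup whose key material was not saved correctly, which is exactly the failure the thread warns about discovering too late.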

    • #1568706
      Michael Pietroforte
      Keymaster
      Member Points: 38,730
      Author of the year 2018
      Rank: 4

      When you have to restore a backup, you don’t want to rely on a password that you never used before and that you may have or may not have available. This is especially true for mobile devices.

      I have been using cloning tools since the very first one became available decades ago. My advice is to never ever use a cloning tool for backups. Sector-based tools are the worst of all. These tools were never built for creating backups. A backup is not just a copy of your data. For a professional backup strategy you need a tool that was made for this purpose. And when it comes to backups of mobile devices, you must ensure that an end user can access single files without the help of an admin and even more important without any fancy passwords or even the original backup tool being available. This can all be done with encrypted drives and encrypted backups.

      Just because something is doable, doesn’t mean it should be done. This particularly applies to unstable and unreliable Microsoft environments.

© 4sysops 2006 - 2022