- Thu, Dec 16 2021 at 11:18 pm #1563838
I have a Windows 10 laptop with C drive encrypted using bitlocker.
I need to perform regular backups onto an USB drive. I need two things:
– granular file backups. I suspect using built-in windows backup tool since for online backups the data is accessible.
– Disaster recovery backup. This part is the cumbersome part since I am finding that tools like Acronis need to disable bitlocker before performing a DR backup. This is far from ideal because that means to regenerate bilocker recovery passwords.
- Fri, Dec 17 2021 at 1:19 am #1563839
Miguel, you have to distinguish between DR tools that work on the file level and block-based backup tools. File level tools usually need to run within a Windows session of the installed OS which means they run under the privileges of an authenticated user. They have access to the files as any other application. Block-level tools usually come with their own OS and therefore need to disable BitLocker first. I previously worked with Acronis but I found it too complicated for daily backups.
In any case you have to make sure that you store the BitLicker recovery keys on an external device. You will need them in case of a DR. It also very important that you simulate the DR case. Most DRs fail because admins realize too late that their solution is not working. You can simulate DRs in a virtual environment.
- Fri, Dec 17 2021 at 1:54 am #1563840
Thanks for answering so quickly.
I know all that. I was assuming that I could backup sector by sector as DR backup. Clonezilla claims it can do it.
Of course I am working on testing DR and a procedure before going on production.
I was just giving the whole picture and try to generate a debate and get some inputs.
Regenerating bitlocker passwords for DR every month or quarter I find it a little bit time consuming and error prompt
- Fri, Dec 17 2021 at 3:01 am #1563841
Of course, you can clone BitLocker-encrypted drives. But it is also clear that you first have to disable BitLocker. I mean BitLocker wouldn’t be of much use if could somehow circumvent BitLocker with backup tools.
- Fri, Dec 17 2021 at 3:35 am #1563842
I think I am not making myself understand.
Of course I am not expecting file based backups to work offline with Bitlocker enabled. What I mean is that I want to be abre to backup a whole drive sector by sector and be able to restore the data on the same laptop in case of DR. I assume I would use same bitlocker password all the time.
In case of drive breaks I want to be able to buy a new drive and restore the whole drive sector by sector.
I tried live CD from Acronis and it didn’t work even unlocking (not disabling) bitlocker as mentioned on their docs.
I am going to try clonezilla and I wanted to know experiences from people here.
I hope now I make myself more clear of the assumptions I know and what I try to accomplish here.
- Fri, Dec 17 2021 at 5:49 am #1563843
As explained above, if you boot from an external OS (Acronis CD), the backup tool can’t access the drive as long as BitLocker is enabled. However, if I remember it right, you can install Acronis on your system drive and then you can also secure BitLocker-encrypted drives if you run Acronis from the Windows installation that also runs BitLocker. Acronis will create an image that you can use for a bare metal restore. At least it was like this a couple of years ago.
- Tue, Apr 5 2022 at 12:42 pm #1565176
I’ll share my 1st hand experience:
When you use the famous drive snapshot for DR image backups while windows is running (and the bitlocked drives are of course unlocked), it will create snapshot files (.sna) that you may mount afterwards to retrieve single files or folders if you like. You may also restore these full disk images any time and guess what, the system will be bootable and bitlocked with the same keys.
When you use another famous (and free) tool, clonezilla, you boot it and again, you don’t need to suspend bitlocker. Clonezilla will clone sector for sector to either a new disk or to an image which you may restore to the same disk. The cloned disk will be encrypted and works with the same keys.
- Tue, Apr 5 2022 at 7:42 pm #1565177
I suppose it is possible if you have the encryption keys. However, when it comes to backups I wouldn’t risk all my data because I used a non-standard procedure. It is more secure to copy the unencrypted data with a filed-based solution and encrypt the backup with the backup software. This not only allows you to restore to any kind of device, you can also easily access single files in the backup. In general, my experience with sector-based cloning tools is very bad.
Shooting yourself in the foot with encryption is easy. My guess is that a lot more admins lost data this way than with ransomware attacks.
- Wed, Apr 6 2022 at 2:46 am #1565191
With drive snapshot, this is a standard procedure, supported and documented.
Clonezilla of course doesn’t care at all for whatever encryption, it just clones, so all just works again on the new drive.
- Wed, Apr 6 2022 at 2:57 am #1565192
What you mean with “drive snapshot”? The question is whether sector-based imaging from an external OS is a standard procedure for BitLocker encrypted drives.
- Wed, Apr 6 2022 at 4:46 am #1565193
I understand what the question was, don’t worry. We are doing DR backups of bitlocked drives for as long as Vista is out.
- Wed, Apr 6 2022 at 5:06 am #1565194
Well, a disk image can either be sector-based or file-based and the disk image can either be created from an external OS or from within the OS. What you call a drive snapshot is taken from within the OS. The key phrase on the page you linked to is “While Running Windows.” So that is a completely different thing and of course it is a standard procedure.
But the question remains if it is a standard procedure to boot from an external OS to create a DR backup from a BitLocker-encrypted drive. I would say no.
- Wed, Apr 6 2022 at 5:17 am #1565195
Drive snapshot is a command line tool which (as x64 version) may run from any WinPE or Windows setup based WinPE.
If it does not recognize the file system, it simply copies all sectors. That does not make a difference for the result.
- Wed, Apr 6 2022 at 5:21 am #1565196
That said, it’s also possible from WinPE to mount a bitlocked drive using a bek file for example
(manage-bde -unlock c: -rk e:\some.bek) and do drive snapshot afterwards, if you prefer to get an unencrypted image.
- Wed, Apr 6 2022 at 5:38 am #1565197
Yes, of course you can unlock BitLocker and that is again a totally different matter. Still, the question remains if cloning an encrypted drive is a standard procedure. If only one bit is corrupted in your backup, you are already in trouble. All professional backup solutions I know read unencrypted data from BitLocker drives.
- Wed, Apr 6 2022 at 6:29 am #1565198
We use this since 2006 – never had a problem restoring such a backup no matter how it was created.
For DR, he would not need to use sector based backups nor disable or even suspend Bitlocker – that was his main fear, he confused suspending Bitlocker for disabling (decrypting) the drive, by the way, but even this (suspending) is not needed.
- Wed, Jul 20 2022 at 3:04 am #1566853Paolo MaffezzoliParticipantMember Points: 70,080Rank: 4
Veeam Backup is a powerful tool that allows you to backup volumes even if they are protected by bitlockers.
- You must be logged in to reply to this topic.