Encryption Part 3 – BitLocker and BackupAssist

Encryption can be used to protect backup media so that, if a backup is lost or stolen, the media and the information on it cannot be opened or accessed. This article looks at how BitLocker encryption can be used with BackupAssist.


BackupAssist can back up a BitLocker encrypted drive and back up to a BitLocker encrypted destination. This article looks at how to protect your backups by using a BitLocker encrypted destination.

  • BitLocker can be used to encrypt local volumes, local drives, external drives and removable media.
  • BitLocker can be used to encrypt File Protection, File Archiving and System Protection backup destinations.

Protecting backups with BitLocker

BackupAssist provides encryption for its File Archiving and File Protection backups. System Protection, however, backs up data using volume imaging, which means encryption requires specialized support. BitLocker has been developed with the support required to encrypt image backups, and is included as an installable feature in Windows Server 2008 R2 and later.

By default, BitLocker is not installed, but it can be added from the Windows Server features list. Adding BitLocker will not encrypt any drives; it only makes BitLocker available should you wish to use it.

The BIOS of the server that is using BitLocker must be compatible with TPM. Information about the BitLocker BIOS requirements can be found here and here.

How to install BitLocker

  1. Open Server Manager.
  2. Select the Add features option from the Features Summary Help menu.
  3. Tick BitLocker Drive Encryption and select Install.

BitLocker is pre-installed on Windows 7 & 8/8.1 and is accessed from Control Panel\System and Security.

How to encrypt a drive with BitLocker

Once BitLocker is available, you can encrypt any drive that appears on your server as a hard disk drive. This will include directly attached drives and mounted media.

To encrypt a selected drive, follow these steps:

1. Right-click the drive that you want to encrypt and select Turn on BitLocker …

An encryption wizard will open.

2. Provide a password for the encrypted drive. This is the password that you will use to access the drive after it has been encrypted.

3. Save the key to a secure location, separate from the encrypted drive.

4. The final prompt will ask you to confirm that you want to encrypt the drive. Select Start Encrypting.

The encryption process will begin and it can take a long time. The amount of time required will depend on the size of the drive.

Once you have encrypted the drive with BitLocker, it will appear on your computer’s drive list with a padlock. The padlock indicates whether the drive is locked or unlocked.
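
The same steps can be scripted when several backup drives need the same treatment. The following is an added example, not BackupAssist code: it assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later) and an elevated session, and E: and D:\Keys are placeholder values. It refuses to save the recovery password on the drive that it unlocks.

```powershell
# Added example: scripted form of the encryption wizard. Not BackupAssist code.
# Assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later)
# and an elevated session. E: and D:\Keys are placeholders.
param(
    [string]$MountPoint = 'E:',       # backup destination to encrypt
    [string]$KeyFolder  = 'D:\Keys'   # where the recovery password is saved
)
$ErrorActionPreference = 'Stop'

# Guard: the key must be kept separate from the encrypted drive.
$keyRoot = [System.IO.Path]::GetPathRoot((Resolve-Path $KeyFolder).Path).TrimEnd('\')
if ($keyRoot -eq $MountPoint.TrimEnd('\')) {
    throw "Key folder $KeyFolder is on $MountPoint. Choose a separate location."
}

# Password used to unlock the drive later (prompted, never hard-coded).
$password = Read-Host -AsSecureString -Prompt "Password for $MountPoint"

# Start encrypting with a password protector.
Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $password | Out-Null

# Add a recovery password and write it to the separate location.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -First 1
$keyFile = Join-Path $KeyFolder ("BitLocker-{0}.txt" -f $MountPoint.TrimEnd(':'))
"Volume: $MountPoint",
"Protector ID: $($recovery.KeyProtectorId)",
"Recovery password: $($recovery.RecoveryPassword)" | Set-Content -Path $keyFile

# Encryption continues in the background; show its current state once.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, LockStatus
```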

How to use a BitLocker encrypted drive

To back up to a BitLocker encrypted destination, the drive must be unlocked. This section looks at how to unlock the drive. In the next section we will look at how the unlocking function works for backups.

To unlock the drive:

  1. Right-click the encrypted drive and select Unlock.
  2. Enter the password that you provided when the drive was encrypted.
  3. Select Automatically unlock on this computer from now on. This is an important option when you unlock the drive. Your backup jobs need the destination drive to be unlocked. For this reason, Automatically unlock on this computer from now on should always be selected.
  4. Select Unlock.

The screen shot below shows a drive being unlocked. When a drive is unlocked, it is still encrypted.

The password gives you access to the drive and the data on it. The data can be used as if it was not encrypted, because the encryption takes place at the drive level, not the file level.

 

Using an encrypted destination with BackupAssist

BackupAssist File Protection and File Archiving backups come with their own encryption tools that can be used as part of the backup process. System Protection does not, therefore BitLocker presents an ideal encryption solution for System Protection backups.

To use a BitLocker encrypted backup destination with BackupAssist, you must encrypt the backup destination before you run the backup. Because the encryption process is independent of BackupAssist, some specific conditions must be met for BackupAssist to use the encrypted destination.

  • BackupAssist can back up to a drive that has been encrypted, if the drive is unlocked.
  • BackupAssist can restore from a BitLocker protected drive, if the drive is unlocked.

Backing up to a BitLocker encrypted destination

The key to being able to use BackupAssist to back up to a BitLocker encrypted destination is that the destination is unlocked. Even with “Automatically unlock on this computer from now on” selected, there are scenarios where this will fail and the drive will remain locked.

BitLocker scenarios where the drive will unlock

  • The server restarts and is logged back on.
  • The server is logged off, drive is disconnected and reconnected, and the server is logged back in.
  • The drive is disconnected and reconnected while the server is logged in – computer screen is locked.

BitLocker scenarios where the encrypted drive will NOT unlock

  • The server restarts and is not logged back on.

If the server restarts, it must be logged back in for the backup to run. Until the server has been logged on, the encrypted drive will not be detected and unlocked, and the backup will fail.

  • If a drive is re-attached / swapped while the server is logged off.

The drive will not automatically unlock, even if the option is selected, and the backup will fail.

If you are using the same destination, you can use the BackupAssist option to not eject the device after the backup job has run. This will ensure the drive remains unlocked for the next backup. The BackupAssist backup option, Safely eject the hard drive after the backup has completed, can be selected from the BackupAssist Manage menu > backup job > Edit > Destination.

The importance of the unlock conditions

The unlock conditions explained above are important because they are an ongoing consideration when using a BitLocker encrypted backup destination with BackupAssist.

If the computer is restarted, or a new drive is attached while the computer is logged off, you must log back into the computer and ensure that the encrypted destination is unlocked. Otherwise the backup job will fail.
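
A locked destination can be caught before the backup window instead of being discovered as a failed job. The following is an added example, not BackupAssist code: it assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later) and an elevated session, E: is a placeholder for the backup destination, and Test-BackupDestination is a hypothetical helper name. Run from a scheduled task ahead of the backup job, it exits non-zero when the drive is missing, locked, unprotected or not set to unlock automatically.

```powershell
# Added example: pre-backup check for a BitLocker destination. Not BackupAssist code.
# Assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later)
# and an elevated session. E: is a placeholder for the backup destination.
param([string]$MountPoint = 'E:')

function Test-BackupDestination {
    param([string]$MountPoint)
    try {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    } catch {
        $vol = $null
    }
    if (-not $vol) {
        # Drive swapped out, detached, or not yet detected after a restart.
        return "Volume $MountPoint was not found. Is the backup drive attached?"
    }
    if ($vol.LockStatus -ne 'Unlocked') {
        # Other fields cannot be read reliably while locked, so stop here.
        return "Volume $MountPoint is LOCKED. Log on and unlock it before the backup runs."
    }
    $problems = @()
    if ($vol.ProtectionStatus -ne 'On') {
        $problems += "BitLocker protection is not on for $MountPoint."
    }
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $problems += "Volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)."
    }
    if (-not $vol.AutoUnlockEnabled) {
        $problems += "Automatic unlock is not enabled; a manual unlock is needed after re-attaching the drive."
    }
    return $problems
}

$problems = @(Test-BackupDestination -MountPoint $MountPoint)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero exit lets a scheduled task or monitor raise an alert
}
Write-Output "$MountPoint is unlocked, protected and set to unlock automatically."
exit 0
```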

Restoring from a BitLocker encrypted destination

To restore from a drive that was encrypted with BitLocker, the drive must first be unlocked.

To restore from a BitLocker encrypted drive:

  1. Attach the backup drive to the BackupAssist computer.
  2. Right click the encrypted drive and select unlock.
  3. Enter the password that you provided when the drive was encrypted.
  4. Perform a BackupAssist restore using the normal restore process.

BackupAssist’s support for BitLocker means you can use BitLocker to encrypt your backup destinations, but you do have to be aware of scenarios that could cause the drive to become locked and inaccessible.

The BackupAssist team is continuing to look at BackupAssist enhancements that will make it easier to use BitLocker encryption, and we look forward to posting more articles about this in the near future.

Encryption Part 1 – Backup encryption

Encryption Part 2 – BackupAssist encryption

2 thoughts on “Encryption Part 3 – BitLocker and BackupAssist”

  1. What happens if we need to do a bare metal restore from a USB hard disk that has BitLocker enabled? Does the boot disk allow the disk to be unlocked or will the USB disk need to be decrypted?

    • Hi Paul,
      When you perform a bare-metal recovery, the RecoverAssist media will boot the system and load the recovery environment. When you select the recovery environment option, “Recover from a backup located on a local drive” you will see the encrypted drive and have an option to unlock it. To unlock the encrypted drive, all you need to do is enter the password that you provided when the drive was encrypted.
      Kind Regards,
      Rick
