When you back up data to a removable drive, the data can be accessed by any computer the drive is connected to. This is of concern for drives that are stolen, lost or kept in offsite locations. BitLocker protects a removable drive from unauthorized access by encrypting the drive and locking it. Only when the drive is unlocked, can the data on it be accessed.
BitLocker is a Microsoft encryption solution that is supported by BackupAssist v8.3 and later for System Protection, File Protection and File Archiving backups to removable drive destinations.
BackupAssist's BitLocker implementation
This section explains how BackupAssist implements BitLocker, and how encryption keys and passwords work. It also explains what operating systems, backup types and backup destinations are supported by BackupAssist's implementation of BitLocker.
BackupAssist requires an unlocked drive to backup, restore and recover data. An unlocked drive will lock itself again if the drive is removed or if the server it is connected to is restarted.
A drive can be unlocked by:
- Manually entering a password that was provided when the drive was encrypted.
- Providing the encryption key that was created for the drive during the encryption process.
Note: Unlocking a drive allows you to access the data on a drive but does not decrypt the drive. It is the sectors on the drive that are encrypted, not the data itself.
When a drive is encrypted, BitLocker creates an encryption key for that specific drive. The key is saved to a USB flash drive, and used by BackupAssist to unlock that drive each time the backup job runs.
Because of server restarts and media rotations, it should be assumed that an encrypted drive is always locked when a backup job runs. For this reason – the USB flash drive containing the encryption keys should always be connected to the server when a backup job backs up to an encrypted destination.
The USB flash drive will contain an encryption key for each drive that is encrypted, and should be used to store the encryption keys for all backup jobs on that server. Each server backing up to encrypted drives should have its own USB flash drive.
Note: The USB flash drive containing the encryption key should never be stored with the encrypted drive.
When you create a backup job with BitLocker selected, you will be asked to provide a password. This password can be used to manually unlock the drives that were encrypted by the backup job. The BitLocker password must conform to requirements specified by the group policy, which may include minimum and maximum length requirements.
When you enter a password to unlock a drive, it must be the password that the backup job used to encrypt the drive. BackupAssist cannot retrieve the password if it is lost or forgotten.If you change the password after having used it to prepare external drives – the new password will only apply to drives that are prepared after the password was changed. It is suggested that all drives are prepared again so that the new password is applied to all drives used by the backup job
Note: BitLocker can use USB External drives as both backup destinations and storage devices for encryption keys. For clarity and best practice, this document described USB External drives as storage for backups and USB flash drives as storage for encryption keys.
Operating Systems supported
Windows Server versions:
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
- Small Business Server 2011
Windows Desktop versions ( BackupAssist 9.5.5 and later):
- Windows 10
- Windows 8 / 8.1
- Windows 7
Backup types supported
|System Protection||File Protection||File Archiving|
|Alternative encryption||None||None||Zip File Encryption|
Backup destinations supported
|Data container||External disk||RDX Drive|
How to install BitLocker
BitLocker is included as an installable feature in Window Server 2008 and later server operating systems. By default, BitLocker is not installed but it can be added from the Windows Server features list. Adding BitLocker will make it available as an option for BackupAssist backups. For Windows Desktop operating systems, BitLocker is included as an option in the Control Panel.
To install BitLocker on Window Server 2012 and later versions
- Open Server Manager.
- Select Add Roles and Features from the Manage menu.
- Progress to the Features list under Select features.
- Tick BitLocker Drive Encryption. Other roles and features required for Windows to use BitLocker will be automatically selected.
- Select Add features.
- Select Next
- Select Install.
To install BitLocker on Window Server 2008 / Server 2008 R2
- Open Server Manager.
- Select the Add features option from the Features Summary Help menu.
- Tick BitLocker Drive Encryption.
- Select Install.
To install BitLocker on Windows Desktop
BitLocker is simply enabled by drive using an option in the Control Panel.
- For Windows 7, select Control Panel > BitLocker Drive Encryption.
- For Windows Desktop 8, 8.1 and 10, select Control Panel > System and Security > BitLocker Drive Encryption.
Note: After installing the BitLocker, Windows may require a restart before BitLocker can be used. If a reboot is required, it will indicated at the end of the install operation.
How to create a BitLocker backup job
This section explains how to create a backup job that uses BitLocker encryption. A backup job implements BitLocker using 3 of the backup job creation steps: Destination media where BitLocker is selected, Set up destination where BitLocker is configured and Prepare media where the removable drive is encrypted.
- You must be using Windows Server for the BitLocker feature to appear.
- BitLocker must be installed, as explained in the previous section.
- Your backup destination must be an External drive or RDX drive.
- File Archiving also supports Flash drive destinations.
- A USB flash drive is required to store the encryption key.
Follow these steps to use BitLocker encryption when you create a backup job:
- Destination Media
This step is where you select Enable BitLocker encryption.
The Enable BitLocker encryption option will:
- Appear if you are running BackupAssist on a Windows Server
- Be selectable when you select a supported removable drive as a backup destination.
- Be greyed-out if BitLocker is not installed.
This step is used to select the destination media and Bitlocker encryption.
The following two fields are used to provide BitLocker configuration information.
- BitLocker encryption key location: this is used to identify the USB flash drive that the BitLocker encryption key is saved to. You can use the Detect option to identify the drive, or use the drop down list to select the Drive letter that has been allocated to the USB flash drive.
- Password for encrypted backup drive: this field is where you enter the password that can be used to manually unlock any drive that was encrypted by this backup job.
Selecting Safely eject the hard drive after the backup has been completed, is a good way to lock the drive after the backup has been completed.
This step is used to prepare each of the drives that the backup job will use. By default, it will display drives based on the backup schedule.
When you select the Prepare button next to each drive, that drive will be labeled by BackupAssist and selected for BitLocker encryption.
- The encryption process will not start until the backup job has been created.
- It is recommended that you prepare all of your drives so that they can be encrypted.
- If the required drive is not encrypted when the backup job runs, the backup job will fail.
This is the final screen in the backup job creation process, and comes after you have named the backup job. If you have selected BitLocker Encryption, there will be a tick box for - Launch BitLocker encryption tool.
When you select Finish, the backup job will be created and the BitLocker encryption tool will automatically start and begin encrypting the drives that you Prepared in the Prepare media step.
- When you select Finish, the backup job will be created and the BitLocker encryption tool will open.
- When you select the start icon next to a drive that you prepared, and the encryption process will begin.
- If you deselect this box, the drives will not be encrypted.
- If the backup job runs and its drive has not been encrypted, the backup job will fail.
During the encryption process, the drive’s encryption key is saved to the USB flash drive and the password is assigned to the drive. The key will be saved as a hidden system file.
If you want to prepare more drives after the encryption process has finished, you can as follows:
- Select the Backup tab's Manage menu.
- Select the backup job and select Edit from the lower menu.
- Select Prepare media from the job menu.
- Select Prepare for each drive that you want to encrypt.
- Select the BitLocker encryption tool using the link inside the window.
The BitLocker Encryption tool will open and begin the encryption process.
The BitLocker encryption tool
If you create a backup job with Enable BitLocker encryption selected, there will be a step at the end of the job creation called Next steps which will open the BitLocker encryption tool when you select Finish. The tool is used to encrypt the drives that the backup job will use. This should be done before the backup job runs, because if an unencrypted drive is used for a BitLocker backup job, the job will fail.
If you finish creating the backup job without encrypting the drives, you can open the BitLocker encryption tool by going to the Backup tab's Manage menu, opening the backup job and selecting Prepare media from the top menu. This will open the Prepare media dialog, which contains a link to the BitLocker encryption tool.
The BitLocker encryption tool can run in the background after BackupAssist has been closed. The encryption process will tell you how much has been encrypted and how long the process will take. You can encrypt more than one drive at a time, reducing the total time required to encrypt your set of prepared drives.
The encryption tool has 4 action buttons, which will become available when the drive is attached:
- Refresh and display any new drives that have been attached
- Start an encryption process that has been paused
- Pause the encryption process.
- Eject the removable drive. You cannot eject a drive that is being encrypted.
Note: If you do not resume a paused encryption, the drive will be partially encrypted. A partially encrypted drive can still be accessed in Windows but it cannot be used as a backup destination for a BitLocker job. To decrypt the encrypted part of the drive, open BitLocker from the Windows Control Panel, select the drive and click Turn off BitLocker.
Note: If you have previously encrypted a drive using the Windows BitLocker UI, you must unlock the drive before preparing (encrypting) the drive using BackupAssist.
How to restore from an encrypted drive
When you perform a restore from an encrypted drive, you can give the restore job access to the data by providing the password when prompted during the restore process, or by inserting the encryption key before the restore process begins.
Using the password.
If the encryption key is not detected, you will be prompted for the password when the restore job tries to access the backup. Entering the password will allow you to access the data as long as the password is the one that was assigned when the drive was encrypted. For example, if you are using the Integrated Restore Console, you will be prompted to enter the password when you select Restore at the very last step.
Using the encryption key
To unlock an encrypted drive using the key, connect the USB flash drive to the server running BackupAssist. BackupAssist will use the key to unlock the drive that you are restoring from. You will not be prompted to do anything other than the normal restore steps.
How to recover from an encrypted drive
When you perform a recovery, you MUST use the password to access an encrypted drive. The RecoverAssist media will boot the system and ask for the location of the image backup that you want to recover from. When you select the encrypted drive, you will be prompted to enter the password. BackupAssist cannot retrieve the password if it is lost or forgotten.
Drive encryption duration
BitLocker encrypts the drive that the backup resides on at the sector level. This means you only need to encrypt the drive once, but because all the encryption takes place up front, it can take a long time. Microsoft estimates that BitLocker encryption can take 1 minute per 500mb, so you should plan when to perform the encryption based on the information below.
How long the encryption process takes depends on:
- The size of the drive
- The performance of the drive and the server
- The operating system you are using
- How much data is on the drive (for Windows 2012 and later)
If you are using Windows 8 or Windows Server 2012 and later, BitLocker will only encrypt the used space. It does not encrypt unused disk space or disk space containing deleted files. This makes the process very fast when there is not much data on the drive.
Encryption time examples
The below table provides examples for how long the encryption process could take in different scenarios, using sensible estimates.
Windows Server 2012 and later
|New disk||1 - 5 minutes|
|1 TB Drive with 300 GB used||10 hours|
|2 TB Drive with 1.5 TB used||50 hours|
Windows Server 2008
|500 GB Drive||17 hours|
|1 TB Drive||33 hours|
|2 TB Drive||67 hours|
To learn more, see the Microsoft BitLocker FAQ
Windows BitLocker Pop up message
When an encrypted drive is attached to a server that is logged on, Windows will display a pop-up message to tell you that the drive is available and a password is required to access it. Having a USB drive with an encryption key means you do not need to respond to this prompt for your backup job to proceed.
This message will have no impact on your backup job. You do not need to enter the password as long as you have the USB flash drive with the encryption key attached.
Because this is a Windows security pop-up, and because it needs to be allowed to appear for encrypted drives that are not managed by BackupAssist, it’s important to understand how the message applies to BackupAssist.
- If you see this message, you can select Cancel and ignore it. Your backup job will not be affected because the encryption key will be used to unlock the drive.
- If you enter the password into the pop-up and tick Automatically unlock on this computer from now on, the pop-up will not appear again. However, this means that the drive will be automatically unlocked every time it is attached. For security reasons, we recommended that you use the encryption key on the USB flash drive to unlock the drive rather than have it auto unlock.
- Using the encryption key means the drive is only unlocked while the backup job is running. The key unlocks the drive when the backup starts and, if you have the drive set to eject, it will be locked again when the drive ejects at the end of the backup job.
- Using the password auto unlock means the drive will be unlocked for as long as it is attached to the server.