BitLocker Encryption guide

When you back up data to a removable drive, the data can be accessed by any computer the drive is connected to. This is a concern for drives that are stolen, lost or kept in offsite locations. BitLocker protects a removable drive from unauthorized access by encrypting the drive and locking it. The data on the drive can be accessed only when the drive is unlocked.

BitLocker is a Microsoft encryption solution that is supported by BackupAssist v8.3 and later for System Protection, File Protection and File Archiving backups to removable drive destinations.

BackupAssist's BitLocker implementation

This section explains how BackupAssist implements BitLocker, and how encryption keys and passwords work. It also explains what operating systems, backup types and backup destinations are supported by BackupAssist's implementation of BitLocker.

How to install BitLocker

BitLocker is included as an installable feature in Windows Server 2008 and later server operating systems. By default, BitLocker is not installed, but it can be added from the Windows Server features list. Adding BitLocker will make it available as an option for BackupAssist backups. For Windows Desktop operating systems, BitLocker is included as an option in the Control Panel.

How to create a BitLocker backup job

This section explains how to create a backup job that uses BitLocker encryption. A backup job implements BitLocker using 3 of the backup job creation steps: Destination media, where BitLocker is selected; Set up destination, where BitLocker is configured; and Prepare media, where the removable drive is encrypted.

The BitLocker encryption tool

If you create a backup job with Enable BitLocker encryption selected, there will be a step at the end of the job creation called Next steps which will open the BitLocker encryption tool when you select Finish. The tool is used to encrypt the drives that the backup job will use. This should be done before the backup job runs, because if an unencrypted drive is used for a BitLocker backup job, the job will fail.

How to restore from an encrypted drive

When you perform a restore from an encrypted drive, you can give the restore job access to the data by providing the password when prompted during the restore process, or by inserting the encryption key before the restore process begins.

How to recover from an encrypted drive

When you perform a recovery, you MUST use the password to access an encrypted drive. The RecoverAssist media will boot the system and ask for the location of the image backup that you want to recover from. When you select the encrypted drive, you will be prompted to enter the password. BackupAssist cannot retrieve the password if it is lost or forgotten.

Drive encryption duration

BitLocker encrypts the drive that the backup resides on at the sector level. This means you only need to encrypt the drive once, but because all the encryption takes place up front, it can take a long time. Microsoft estimates that BitLocker encryption can take 1 minute per 500 MB, so you should plan when to perform the encryption based on the information below.

Windows BitLocker pop-up message

When an encrypted drive is attached to a server that is logged on, Windows will display a pop-up message to tell you that the drive is available and a password is required to access it. Having a USB drive with an encryption key means you do not need to respond to this prompt for your backup job to proceed.
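
The following pre-flight check is an added example, not BackupAssist code: it confirms that a removable drive is fully encrypted before a BitLocker backup job uses it, estimates the encryption time from the 1 minute per 500 MB figure above, and reports which unlock methods the drive has. The drive letter E: is an assumption, as is the mapping of the guide's "encryption key" to BitLocker's ExternalKey protector type.

```powershell
# Added example, not BackupAssist code. Run from an elevated PowerShell session
# on a system that has the BitLocker feature installed.
# Assumption: E: is the removable backup drive.
param([string]$MountPoint = 'E:')

$vol      = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
$problems = @()   # conditions that should be fixed before the backup job runs
$notes    = @()   # informational findings

if ($vol.LockStatus -eq 'Locked') {
    # A locked volume is encrypted, but its status fields are not reliable
    # until it has been unlocked with the password or the key.
    $problems += 'Drive is locked: unlock it, then re-run this check.'
}
elseif ($vol.VolumeStatus -ne 'FullyEncrypted') {
    # Planning figure from the guide: about 1 minute per 500 MB of capacity.
    $minutes = [math]::Ceiling(($vol.CapacityGB * 1024) / 500)
    $problems += ('Drive status is {0} ({1}% encrypted). Encrypting {2:N0} GB is estimated at {3:N0} minutes (about {4:N1} hours).' -f
        $vol.VolumeStatus, $vol.EncryptionPercentage, $vol.CapacityGB, $minutes, ($minutes / 60))
}
else {
    if ($vol.ProtectionStatus -ne 'On') {
        $problems += 'Drive is encrypted but BitLocker protection is not turned on.'
    }
    # List the unlock methods (key protectors) stored on the volume.
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    if ($types -notcontains 'Password') {
        # The guide states that a recovery must use the password.
        $problems += 'No password protector found: a recovery requires the password.'
    }
    if ($types -notcontains 'ExternalKey') {
        # Assumption: the guide's "encryption key" is an ExternalKey protector.
        $notes += 'No external key protector found: the drive can only be unlocked with the password.'
    }
}

$notes | ForEach-Object { Write-Output "NOTE: $_" }
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "$MountPoint is fully encrypted and protected."
```

A non-zero exit code lets a scheduled task or pre-backup script stop before the job runs against a drive that is not ready.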