How do I restore a backup from a BitLocker encrypted drive?

BitLocker is Microsoft's encryption technology available in some versions of Windows. I'll explain why I don't use it and don't recommend it for backups.

I recently had the unfortunate situation where I needed to recover my system from a backup stored on a USB drive that was 'BitLocker Drive Encrypted'. When trying to restore from the boot sequence, both Acronis Backup and Windows Backup (yes, I had two versions of my backup) were unable to read the drive that my backup files were encrypted on. Fortunately, I was able to decrypt the USB drive that the backups were on, but this took nearly 20 hours to do before I could recover my system properly. Is there a way to access and unlock a BitLocker-encrypted drive from the boot-up sequence and then recover my system without having to go through this long, drawn-out process? With the Windows backup, I had to unlock my system hard drive before I could proceed to the backups, but it didn't allow access to the drive where the backup was stored. Surely, someone at Microsoft should have thought of this when they designed the OS? Or are they that dumb?

No, they're not that dumb.

They're just operating from a different set of assumptions.

You assumed that putting a backup on a BitLocker-encrypted drive would work, and I'm guessing that Microsoft assumed that this scenario would be outside of BitLocker's scope. BitLocker expects Windows to be running and you to be logged into your account. A restore that runs before Windows is fully up simply doesn't fit that model.

That's just one of the problems that I have with BitLocker, and one of the reasons why I avoid it completely.

How Not To Encrypt a Backup

The fundamental approach that you've taken with your backups is somewhat problematic, no matter what encryption technique you use. As we'll see, it can be particularly problematic with BitLocker.

The problem is this: you're assuming that the technology will be in place at recovery time so you'll be able to decrypt your encrypted backup.


Unfortunately, when performing a restore of a system image, the recovery software may be running on a very bare-bones copy of Windows - or it may not be running Windows at all. In either case, the decryption component that you need may not be in place.

There's also the possibility of a chicken-and-egg scenario. When you use BitLocker, it uses information from your logged-in account and a decryption key kept on the machine to decrypt the information. If that's in the image that you're trying to restore... well, you need the key to decrypt the data, but you need to decrypt the data to get the key. You're stuck.

The same may be true of other encryption technologies, such as my preferred alternative, TrueCrypt. I know that, when using my Acronis recovery disk, I'm not given a way to load TrueCrypt so I can't decrypt anything if I've stored my backup image in a TrueCrypt volume or drive.

Now, it may be that Microsoft does have some way to deal with the backup restore scenario that neither of us is aware of. But that's not my only concern with BitLocker.

My More Global Concern With BitLocker

As I said, I avoid BitLocker like the plague. I'm sure that it's fantastic encryption technology and, when managed properly, it might well be appropriate for some: perhaps for well-managed corporate or institutional use. But I really don't like the assumptions that it makes. That's best summed up by this quote from a Microsoft write-up on BitLocker:

When a local administrator initializes BitLocker, the administrator should also create a recovery password or a recovery key. Without a recovery key or recovery password, all data on the encrypted drive may be inaccessible and unrecoverable if there is a problem with the BitLocker-protected drive.

Note the use of the word "should". It's simply too easy to enable BitLocker and not create a recovery password or key. It's also really easy to forget or misplace the recovery password or key because it's not required for day-to-day use.

The net result is that if you lose the login account that created it, or if you ever need to access that drive on another machine (say after a hardware failure) without the recovery information, the encrypted data is lost and gone forever.
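The check I'd add to the "should" above, as an added example rather than anything from the article: make sure every encrypted volume actually has a recovery password, and save that password somewhere other than the volume it unlocks. It uses the BitLocker PowerShell module (Windows 8 / Server 2012 and later, elevated prompt); the export folder `D:\BitLockerRecovery` is an assumption, as is that it lives on an unencrypted or external drive.

```powershell
# Added example, not from the article: audit every BitLocker volume on this PC for a
# recovery password and save it OFF the encrypted volume. Needs the BitLocker module
# (Windows 8 / Server 2012 or later) and an elevated PowerShell prompt.
# Assumption: $ExportDir is a folder on a drive that is NOT itself BitLocker-protected.
$ExportDir = 'D:\BitLockerRecovery'

# Chicken-and-egg check: if the export location is itself encrypted, the saved
# password would be locked inside the very thing it is meant to unlock.
$exportVol = Get-BitLockerVolume -MountPoint (Split-Path -Qualifier $ExportDir) -ErrorAction SilentlyContinue
if ($exportVol -and $exportVol.ProtectionStatus -eq 'On') {
    throw "$ExportDir is on a BitLocker-protected volume; choose an unencrypted or external location."
}
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }   # nothing encrypted here yet

    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        # The step Microsoft's docs say an administrator "should" do, but that nothing forces.
        Write-Warning "$($vol.MountPoint) is encrypted but has no recovery password; adding one."
        $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }

    foreach ($p in $recovery) {
        # Build a filename that is safe even for volumes mounted without a drive letter.
        $name = '{0}_{1}.txt' -f ($vol.MountPoint -replace '[^A-Za-z0-9]', ''), $p.KeyProtectorId.Trim('{}')
        @(
            "Volume:            $($vol.MountPoint)"
            "Protector ID:      $($p.KeyProtectorId)"
            "Recovery Password: $($p.RecoveryPassword)"
        ) | Set-Content -Path (Join-Path $ExportDir $name)
        # Domain-joined machines can additionally escrow the password in Active Directory:
        # Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId
    }
}
```

The exported text files are the recovery information the article is talking about: move them to a USB stick or printout kept away from the computer, because a copy left on the encrypted system drive is exactly the chicken-and-egg situation described earlier.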

It also concerns me that BitLocker is Windows-only, and even then only available in specific editions of Windows. Even with the recovery information, you can only retrieve the encrypted data on a Windows machine that supports BitLocker.

My recommended alternative is TrueCrypt, which is most commonly pass-phrase based for all access and is open-source and cross-platform.

How To Encrypt Backups

Encrypting backups can be important, particularly because backups often contain sensitive information and are stored in less than completely secure locations.

There are two approaches that I recommend:

  • Use encryption offered by the backup tool. I know Acronis offers this as an option when configuring backups, and it's perhaps the easiest, most reliable way of securing the backup. Other tools may have similar capabilities. This way, you'll know that when you use that same tool to restore your backup, it'll be able to decrypt its own encryption.

  • Create the backup unencrypted, and then encrypt it separately. Naturally, I recommend TrueCrypt, but tools like 7-zip, AxCrypt and even PGP or GPG can be used. When the backup is needed, you can then decrypt it on another working machine and then restore from the decrypted backup.
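The second approach carried through, as an added example that is not from the article or from any of the tools it names: back up first, encrypt the result separately with a passphrase-only GnuPG symmetric key (so nothing is tied to a machine or login account), and rehearse the restore before the unencrypted copy is discarded. It assumes GnuPG's `gpg.exe` is on the PATH; the `$Source`, `$Staging` and `$Vault` paths are assumptions.

```powershell
# Added example, not from the article: approach #2, backup first, encrypt separately,
# then PROVE the restore path works before trusting it. Assumes GnuPG (gpg.exe) is on
# the PATH; $Source, $Staging and $Vault are assumed paths. Passphrase-only symmetric
# encryption means no machine- or account-bound key is needed to decrypt later.
param(
    [string]$Source  = 'C:\Users\Me\Documents',      # what to back up (assumption)
    [string]$Staging = 'D:\Staging',                 # temporary unencrypted copy (assumption)
    [string]$Vault   = 'E:\EncryptedBackups'         # where the encrypted backup lives (assumption)
)
$stamp     = Get-Date -Format 'yyyyMMdd-HHmm'
$archive   = Join-Path $Staging "backup-$stamp.zip"
$encrypted = Join-Path $Vault   "backup-$stamp.zip.gpg"
New-Item -ItemType Directory -Force -Path $Staging, $Vault | Out-Null

# 1. Create the backup unencrypted.
Compress-Archive -Path $Source -DestinationPath $archive -CompressionLevel Optimal
$originalHash = (Get-FileHash $archive -Algorithm SHA256).Hash

# 2. Encrypt it separately with a passphrase (gpg prompts for it twice).
& gpg --symmetric --cipher-algo AES256 --output $encrypted $archive
if ($LASTEXITCODE -ne 0) { throw 'gpg encryption failed; unencrypted archive left in staging.' }

# 3. Rehearse the restore: decrypt to a temp file and compare hashes.
$restored = Join-Path $env:TEMP "restore-test-$stamp.zip"
& gpg --decrypt --output $restored $encrypted
if ($LASTEXITCODE -ne 0) { throw 'Decryption rehearsal failed; do NOT rely on this backup.' }
$restoredHash = (Get-FileHash $restored -Algorithm SHA256).Hash
Remove-Item $restored

if ($restoredHash -ne $originalHash) {
    throw "Restored archive does not match original (expected $originalHash, got $restoredHash)."
}
# 4. Only now discard the unencrypted staging copy.
Remove-Item $archive
Write-Host "Backup verified: $encrypted"
Write-Host "Store the passphrase separately; it is the only way to open this file."
```

Because the result is a plain `.gpg` file, it can be decrypted on any Windows, Linux or Mac machine with GnuPG installed and then handed to the backup tool, which is the "decrypt on another working machine" step described above.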

As you may know, I believe backups are a critical component to using your computer wisely. I'm also a fan of encryption to keep your data safe from prying eyes. The two can and often should be combined, but make sure that they're combined in a way that both protects you and allows you the access that you need when you need it.

Article C4758 - March 4, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


12 Comments

How did you decrypt and recover the BitLocker-encrypted USB drive that the backups were on, which took you nearly 20 hours before you could recover your files properly?

What kind of backup or recovery software did you use, and afterwards, with what and how did you unformat or format your encrypted recovered files?

Because I have a BitLocker-encrypted portable drive, and I know the password, but the computer does not give me the chance to use it.
Instead, it asks me for the activation key. All that happens after I reformatted my Windows 7 computer.

Any advice?

Posted by: BEN SMITH at May 31, 2011 1:10 AM

Hi Leo, you said:

Unfortunately, when performing a restore of a system image, the recovery software may be running on a very bare-bones copy of Windows - or it may not be running Windows at all. In either case, the decryption component that you need may not be in place.

This makes sense. There is no ability in the recovery console to decrypt the data on the fly, requiring a full decryption. However your two suggestions both involve creating encrypted backups, which creates exactly the same problem. The recovery console would not be able to read the data, requiring a full decryption.

I think if we want to have encrypted backups and use the recovery console to restore a system image, we just have to live with a full decryption upon recovery. My interpretation of what the asker was suggesting was that although that would ordinarily be the case, since Microsoft has chosen to create a drive encryption technology, it would have been nice if their own recovery console was able to read data encrypted by their own backup program.

Posted by: Adam at September 4, 2011 7:48 AM

It is actually easier to back up BitLocker recovery passwords (keys) than the author makes it seem. In an enterprise environment using Windows 7 and Server 2008, Active Directory can be configured to back up the passwords (keys). When AD is set up to do this and something is not configured correctly, it will actually PREVENT you from enabling BitLocker on the systems until it is configured properly.

Of course this is all based on having a properly configured AD and on the systems being logged into the domain and not locally. As with any encryption being used, one should always completely familiarize themselves with its operation before deploying the encryption. This will ensure you do not run into situations as described in this article.

Posted by: RobertH at September 28, 2011 8:00 AM

I would also like to point out several fundamental flaws with the woman's scenario using a BitLocker-encrypted USB drive. First, did she store the recovery key on the very system that was being backed up? If so (and it sounds like she did), it should have been stored in another location (another USB drive perhaps).

Second, did she try to access the USB drive from another Vista/Win7 machine? It doesn't sound like she did. I use BitLocker extensively for laptop and USB drive encryption where I work. BitLocker requires either the use of a passphrase or a CAC-type card when encrypting the USB drive. This allows you to access the drive from another Vista/Win7 machine. She could have easily unlocked the USB drive on another system, copied off the backups and burned them to a CD/DVD, then re-imaged her system.

It may be a few more steps to get where she needed, but it certainly wouldn't have taken 20 hours to perform. I use BitLocker extensively for laptop and USB drive encryption and we have few problems with it. It just sounds as if this woman did not have a proper understanding of the operation and deployment of the encryption.

Finally, I would also like to point out what another person commented. If you are looking for encryption software that allows easy access to the data in these types of scenarios, then you are obviously missing the point of encrypting data. And in that case, why even bother?

Posted by: RobertH at September 28, 2011 8:57 AM

Ok, I'm no computer geek (no offense), so this whole encryption business was like reading Chinese for me. I tried following some guides but I would get stuck at one point or another. Finally I was able to get it figured out using a guide that had pictures. In case some of you are as lost as me, this should help out: http://www.landofjacks.com/forum/viewtopic.php?f=3&t=13

Posted by: Mike at October 18, 2011 10:43 AM