
BitLocker is Microsoft's drive encryption technology, available in some editions of Windows. I'll explain why I don't use it and don't recommend it for backups.

I recently had the unfortunate situation where I needed to recover my system from a backup stored on a USB drive that was 'BitLocker Drive Encrypted'. When trying to restore from the boot sequence, both Acronis Backup and Windows Backup (yes, I had two versions of my backup) were unable to read the drive that my backup files were encrypted on. Fortunately, I was able to decrypt the USB drive that the backups were on, but this took nearly 20 hours to do before I could recover my system properly. Is there a way to access and unlock a BitLocker-encrypted drive from the boot-up sequence and then recover my system without having to go through this long, drawn-out process? With the Windows backup, I had to unlock my system hard drive before I could proceed to the backups, but it didn't allow access to the drive where the backup was stored. Surely, someone at Microsoft should have thought of this when they designed the OS? Or are they that dumb?

No, they're not that dumb.

They're just operating from a different set of assumptions.

You assumed that putting a backup on a BitLocker-encrypted drive would work, and I'm guessing that Microsoft assumed that this would be outside of BitLocker's scope. BitLocker is built to be unlocked from a running copy of Windows: the system drive is unlocked at boot by the machine's TPM (optionally with a PIN or startup key), and a removable drive is unlocked with its password, smart card or recovery key once Windows is up. A restore environment that lacks those components can't open the drive, so if Windows isn't completely running, the restore simply doesn't work.

That's just one of the problems that I have with BitLocker, and one of the reasons why I avoid it completely.

How Not To Encrypt a Backup

The fundamental approach that you've taken with your backups is somewhat problematic, no matter what encryption technique you use. As we'll see, it can be particularly problematic with BitLocker.

The problem is this: you're assuming that the technology will be in place at recovery time so you'll be able to decrypt your encrypted backup.


Unfortunately, when performing a restore of a system image, the recovery software may be running on a very bare-bones copy of Windows - or it may not be running Windows at all. In either case, the decryption component that you need may not be in place.

There's also the possibility of a chicken-and-egg scenario. BitLocker's volume key isn't tied to your login; it's protected by key material kept on the machine (the TPM, a startup key, or a password) together with the recovery password or key you're supposed to save somewhere else. If the only copy of that recovery information is in the image that you're trying to restore... well, you need the key to decrypt the data, but you need to decrypt the data to get the key. You're stuck.

The same may be true of other encryption technologies, such as my preferred alternative, TrueCrypt. I know that, when using my Acronis recovery disk, I'm not given a way to load TrueCrypt so I can't decrypt anything if I've stored my backup image in a TrueCrypt volume or drive.

Now, it may be that Microsoft does have some way to deal with the backup restore scenario that neither of us are aware of. But, that's not my only concern with BitLocker.

My More Global Concern With BitLocker

As I said, I avoid BitLocker like the plague. I'm sure that it's fantastic encryption technology and, when managed properly, it might well be appropriate for some: perhaps for well-managed corporate or institutional use. But I really don't like the assumptions that it makes. That's best summed up by this quote from a Microsoft write-up on BitLocker:

When a local administrator initializes BitLocker, the administrator should also create a recovery password or a recovery key. Without a recovery key or recovery password, all data on the encrypted drive may be inaccessible and unrecoverable if there is a problem with the BitLocker-protected drive.

Note the use of the word "should". It's simply too easy to enable BitLocker and not create a recovery password or key. It's also really easy to forget or misplace the recovery password or key because it's not required for day-to-day use.

The net result is that if the machine whose TPM unlocks the drive fails, or if you ever need to open that drive on another machine (say after a hardware failure), and you don't have the recovery password or key (or, for a removable drive, its password), the encrypted data is lost and gone forever.
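One way to close the gap that "should" leaves open, as an added example rather than anything from this article: a PowerShell function that checks a BitLocker volume for a numerical recovery password protector, adds one if none exists, and writes the password to a drive that is not itself BitLocker-protected. It assumes Windows 8 or later with the BitLocker PowerShell module (Get-BitLockerVolume, Add-BitLockerKeyProtector) and an elevated prompt; on Windows 7 the equivalent steps are `manage-bde -protectors -get <drive>` and `manage-bde -protectors -add <drive> -RecoveryPassword`. The export path F:\Keys is a placeholder.

```powershell
# Added example, not from the original article. Assumes Windows 8 or later with the
# BitLocker module, run from an elevated PowerShell prompt. $ExportDir is a hypothetical
# location on a drive that is NOT itself BitLocker-protected (for example a second USB
# stick kept apart from the backup drive).

function Assert-RecoveryPasswordProtector {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,   # e.g. 'C:' or 'E:'
        [Parameter(Mandatory)] [string] $ExportDir
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Warning "$MountPoint is not BitLocker-encrypted; nothing to do."
        return
    }

    # Refuse to write the recovery password onto a BitLocker-protected volume: that is
    # the chicken-and-egg case where the key lives inside the data it is meant to unlock.
    New-Item -ItemType Directory -Force -Path $ExportDir | Out-Null
    $exportRoot = [System.IO.Path]::GetPathRoot((Resolve-Path $ExportDir).Path).TrimEnd('\')
    $exportVol  = Get-BitLockerVolume -MountPoint $exportRoot -ErrorAction SilentlyContinue
    if ($exportVol -and $exportVol.VolumeStatus -ne 'FullyDecrypted') {
        throw "Export location $exportRoot is itself BitLocker-protected; choose another drive."
    }

    # Make sure at least one numerical (48-digit) recovery password protector exists.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Write-Host "No recovery password protector on $MountPoint; adding one."
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    # Save each recovery password together with its protector ID. BitLocker shows the
    # ID when it asks for the password, so this is how you match key to drive later.
    foreach ($p in $rp) {
        $name = 'BitLocker-Recovery-{0}-{1}.txt' -f $MountPoint.TrimEnd(':'), $p.KeyProtectorId.Trim('{}')
        $file = Join-Path $ExportDir $name
        @(
            "Volume:            $MountPoint"
            "Key Protector ID:  $($p.KeyProtectorId)"
            "Recovery Password: $($p.RecoveryPassword)"
            "Saved:             $(Get-Date -Format o)"
        ) | Set-Content -Path $file -Encoding ASCII
        Write-Host "Recovery password for $MountPoint written to $file"
    }

    # Optional, domain-joined machines only: escrow the protector in Active Directory too.
    # foreach ($p in $rp) { Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId }
}

# Example use: audit the system drive and a BitLocker To Go stick, exporting to F:\Keys.
# Assert-RecoveryPasswordProtector -MountPoint 'C:' -ExportDir 'F:\Keys'
# Assert-RecoveryPasswordProtector -MountPoint 'E:' -ExportDir 'F:\Keys'
```

Treat the exported file like the key it is: anyone holding the recovery password can unlock the drive, so print it or move it to media that is stored away from both the computer and the backup. The check on the export location is the real point of the function; a recovery password kept on the encrypted system drive, or on a backup drive that is itself BitLocker-protected, is unusable in exactly the situation it exists for.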

It also concerns me that BitLocker is for Windows only and even then only specific editions of Windows. Even with the recovery information, you can still only retrieve the encrypted data on Windows machines that support BitLocker.

My recommended alternative is TrueCrypt, which is most commonly pass-phrase based for all access and is open-source and cross-platform.

How To Encrypt Backups

Encrypting backups can be important, particularly because backups often contain sensitive information and are stored in less than completely secure locations.

There are two approaches that I recommend:

  • Use encryption offered by the backup tool. I know Acronis offers this as an option when configuring backups, and it's perhaps the easiest, most reliable way of securing the backup. Other tools may have similar capabilities. This way, you'll know that when you use that same tool to restore your backup, it'll be able to decrypt its own encryption.

  • Create the backup unencrypted, and then encrypt it separately. Naturally, I recommend TrueCrypt, but tools like 7-zip, AxCrypt and even PGP or GPG can be used. When the backup is needed, you can then decrypt it on another working machine and then restore from the decrypted backup.
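Here is what the second approach looks like in practice, as an added PowerShell example (not code from this article, and not specific to any of the products named above). It creates a 7-Zip archive with AES-256 encryption of both contents and file names, records a hash of the archive, and then rehearses the restore: it checks that the decryption tool is present, checks the hash, extracts with the passphrase and compares every restored file against the source. It assumes 7z.exe from 7-Zip is on PATH; the directories and file names are placeholders.

```powershell
# Added example, not from the original article. Assumes 7-Zip's 7z.exe is on PATH.
# Switches used: a/x = add/extract, -t7z = 7z format, -mhe=on = encrypt file names as
# well as contents, -p = passphrase (AES-256), -y = assume yes, -o = output directory.
# Source, archive and scratch paths are hypothetical.

function ConvertFrom-SecurePassphrase([SecureString] $Secure) {
    (New-Object System.Net.NetworkCredential('', $Secure)).Password
}

function New-EncryptedBackup {
    param(
        [Parameter(Mandatory)] [string]       $SourceDir,
        [Parameter(Mandatory)] [string]       $ArchivePath,
        [Parameter(Mandatory)] [SecureString] $Passphrase
    )
    $plain = ConvertFrom-SecurePassphrase $Passphrase
    # Caveat: the passphrase passed with -p is visible in the process command line while
    # 7z runs. Fine on a single-user machine, not on a shared one.
    & 7z a -t7z -mhe=on "-p$plain" $ArchivePath "$SourceDir\*" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "7-Zip exited with code $LASTEXITCODE creating $ArchivePath" }

    # Record a hash beside the archive so damage to the backup medium is detectable later.
    (Get-FileHash -Algorithm SHA256 -Path $ArchivePath).Hash |
        Set-Content -Path "$ArchivePath.sha256" -Encoding ASCII
}

function Test-BackupRestore {
    param(
        [Parameter(Mandatory)] [string]       $SourceDir,
        [Parameter(Mandatory)] [string]       $ArchivePath,
        [Parameter(Mandatory)] [SecureString] $Passphrase,
        [Parameter(Mandatory)] [string]       $ScratchDir
    )
    # 1. Is the decryption tool actually available here? This is the question that bites
    #    at recovery time, so rehearse it instead of assuming the answer.
    if (-not (Get-Command 7z -ErrorAction SilentlyContinue)) {
        throw '7z.exe is not available on this machine; the backup could not be restored here.'
    }

    # 2. Does the archive still match the hash recorded when it was made?
    $expected = (Get-Content -Path "$ArchivePath.sha256" -Raw).Trim()
    $actual   = (Get-FileHash -Algorithm SHA256 -Path $ArchivePath).Hash
    if ($actual -ne $expected) { throw 'Archive hash mismatch: the backup medium is damaged.' }

    # 3. Decrypt and extract, then compare every source file with its restored copy.
    $plain = ConvertFrom-SecurePassphrase $Passphrase
    New-Item -ItemType Directory -Force -Path $ScratchDir | Out-Null
    & 7z x -y "-o$ScratchDir" "-p$plain" $ArchivePath | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Extraction failed (exit $LASTEXITCODE): wrong passphrase or corrupt archive."
    }

    $root     = $SourceDir.TrimEnd('\')
    $mismatch = 0
    Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        $rel      = $_.FullName.Substring($root.Length + 1)
        $restored = Join-Path $ScratchDir $rel
        if (-not (Test-Path $restored) -or
            (Get-FileHash $_.FullName).Hash -ne (Get-FileHash $restored).Hash) {
            Write-Warning "Restored copy differs or is missing: $rel"
            $mismatch++
        }
    }
    Remove-Item -Recurse -Force -Path $ScratchDir
    return ($mismatch -eq 0)   # $true only if every file came back byte-for-byte
}

# Example use (paths are placeholders):
# $pass = Read-Host -AsSecureString 'Backup passphrase'
# New-EncryptedBackup -SourceDir 'D:\Data' -ArchivePath 'E:\Backups\data.7z' -Passphrase $pass
# Test-BackupRestore -SourceDir 'D:\Data' -ArchivePath 'E:\Backups\data.7z' -Passphrase $pass -ScratchDir 'E:\RestoreTest'
```

Run the rehearsal from the machine, or the boot disk, you would actually restore on; if 7z.exe isn't there, the check fails now rather than after a disk failure. Keeping an unencrypted copy of the 7-Zip installer beside the archive on the backup medium removes that dependency entirely, and the passphrase, like a BitLocker recovery key, has to be stored somewhere other than inside the backup it protects.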

As you may know, I believe backups are a critical component to using your computer wisely. I'm also a fan of encryption to keep your data safe from prying eyes. The two can and often should be combined, but make sure that they're combined in a way that both protects you and allows you the access that you need when you need it.

Article C4758 - March 4, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


14 Comments
Richard Deem
March 8, 2011 9:01 AM

I had the unfortunate experience of trying to use TrueCrypt to encrypt the data drive on my laptop. Windows kept saying the drive was unformatted and wanted to format it. Half the time it wouldn't recognize the drive even after the password was entered and required retrieving the information from the volume headers. I now use BitLocker, with an encrypted backup system drive (made with Norton Ghost) in case of a catastrophic failure. BitLocker has had zero problems in the two years I have used it - set it and forget it. Everything is automatically encrypted without having to remember to save it in some container.

John Madden
March 8, 2011 10:50 AM

Acronis TrueImage does indeed use its own boot disk, which is not Windows-dependent at all. You simply have to create this disk and boot from it as needed. You can then point it at the backups wherever they reside, be it on a network, local or external drive. I have used Acronis from the very earliest versions and this has always been the case, and it has saved my bacon many times in the past, especially for portables.

Snert
March 8, 2011 11:32 AM

My Acronis backup disks have no sensitive data on them - just backups for my system.
I use an external Maxtor 'Black Armor' HD for my sensitive data. I need a password to access it and the data sits inside Truecrypt, which suits me fine.

Geoff
March 8, 2011 5:42 PM

I used BitLocker but it was rubbish. I now use TrueCrypt; tricky at first, but now it's a must for me. I can create containers for my data and a virtual hard drive that can disappear. Only I know where it is.
Thanks to the guys at TrueCrypt. It's free, but I donated some cash; it was worth it.

Sandy Smith
March 10, 2011 7:54 PM

The poster should have done their homework first... to find out how Acronis would handle BitLocker. I use Acronis and BitLocker successfully, but I did much reading first. I use BitLocker for WDE, not for my external drives. I do not think BitLocker needs to be avoided - take the necessary steps so you have the recovery keys (and backups of recovery keys) and there won't be a problem. Remember, encryption is supposed to protect you. If you could get out of it easily, why bother encrypting? Just as a side note - if you format to FAT32 as opposed to NTFS, all external drives encrypted with BitLocker can be read on any Windows OS.

Steve
March 15, 2011 1:21 PM

I use TrueCrypt on the hard drive for my sensitive data. When I back up my data, the encrypted file is copied to my backup medium.

I also back up the install files (think ZIP) of my software. Which means I have copies of my software, including TrueCrypt.

I can install the OS - or even go to another machine - and replace my "data" files and my "software" files, run the install of the software (including TrueCrypt) and I'm back in business.

Ok, folks, what am I missing? What have I done wrong? Please tell me.

Sounds exactly like what I do as well.
Leo
16-Mar-2011

Kannan Iyer
March 18, 2011 10:55 AM

Hi guys,

I keep an External HDD to which I copy the essential files manually and then "TrueCrypt" them! I have an OS disc with me which I use if the PC crashes! All software; I download again! I never used Acronis or other such software! Am I doing it wrong?

BEN SMITH
May 31, 2011 1:10 AM

How did you decrypt and recover the BitLocker-encrypted USB drive that the backups were on, which took you nearly 20 hours before you could recover your files properly?

What kind of backup or recovery software did you use, and afterwards, with what and/or how did you unformat or format your encrypted recovered files?

Because I have a BitLocker-encrypted portable drive, and I know the password, but the computer does not give me the chance to use it.
Instead, it asks me for the activation key. All that happens after I reformatted my Windows 7 computer.

Any advice?

Adam
September 4, 2011 7:48 AM

Hi Leo, you said:

Unfortunately, when performing a restore of a system image, the recovery software may be running on a very bare-bones copy of Windows - or it may not be running Windows at all. In either case, the decryption component that you need may not be in place.

This makes sense. There is no ability in the recovery console to decrypt the data on the fly, requiring a full decryption. However your two suggestions both involve creating encrypted backups, which creates exactly the same problem. The recovery console would not be able to read the data, requiring a full decryption.

I think if we want to have encrypted backups and use the recovery console to restore a system image, we just have to live with a full decryption upon recovery. My interpretation of what the asker was suggesting was that although that would ordinarily be the case, since Microsoft has chosen to create a drive encryption technology, it would have been nice if their own recovery console was able to read data encrypted by their own backup program.

RobertH
September 28, 2011 8:00 AM

It is actually easier to backup Bitlocker recovery passwords (keys) than the author makes it seem. In an enterprise environment using Windows 7 and Server 2008, Active Directory can be configured to backup the passwords (keys). When AD is set up to do this and something is not configured correctly, it will actually PREVENT you from enabling Bitlocker on the systems until it is configured properly.

Of course this is all based on having a properly configured AD and on the systems being logged into the domain and not locally. As with any encryption being used, one should always completely familiarize themselves with its operation before deploying the encryption. This will ensure you do not run into situations as described in this article.

RobertH
September 28, 2011 8:57 AM

I would also like to point out several fundamental flaws with the woman's scenario using a BitLocker-encrypted USB drive. First, did she store the recovery key on the very system that was being backed up? If so (and it sounds like she did) it should have been stored in another location (another USB drive perhaps).

Second, did she try to access the USB drive from another Vista/Win7 machine? It doesn't sound like she did. I use BitLocker extensively for laptop and USB drive encryption where I work, and BitLocker requires either the use of a passphrase or a CAC-type card when encrypting the USB drive. This allows you to access the drive from another Vista/Win7 machine. She could have easily unlocked the USB drive on another system, copied off the backups and burned them to a CD/DVD, then re-imaged her system.

It may be a few more steps to get where she needed, but it certainly wouldn't have taken 20 hours to perform. I use BitLocker extensively for laptop and USB drive encryption and we have few problems with it. It just sounds as if this woman did not have a proper understanding of the operation and deployment of the encryption.

Finally I would also like to point out what another person commented. If you are looking for encryption software that allows easy access to the data in these types of scenarios, then you are obviously missing the point of encrypting data. And in that case, why even bother.

Mike
October 18, 2011 10:43 AM

Ok, I'm no computer geek (no offense) so this whole encryption business was like reading Chinese for me. I tried following some guides but I would get stuck at one point or another. Finally I was able to get it figured out using a guide that had pictures. In case some of you are as lost as me, this should help out: http://www.landofjacks.com/forum/viewtopic.php?f=3&t=13

how can i unlocked a bitlocker encrypted usb i have forgotten the password
August 12, 2012 11:10 AM

Please make it simple, as to how I encrypt the USB flash drive. I have forgotten the password. I cannot open my USB. I'm not a computer genius; I'm a layman with common knowledge about computers.

connie
August 12, 2012 5:13 PM

@forgot password,
Unfortunately that's the whole point of encryption... that you can't get in without the password. The only thing to learn is how to never forget a password again. Here's a great article by Leo on that: Why do so many people forget their passwords?
