Frank Esposito
Hello, if I turned on Windows encryption for my drive, how would that affect my current Reflect backup?
In the event I had to mount a Reflect backup that was of an encrypted drive, would that be an issue? What if I was doing the mount on a different computer?
Thanks
Dan Danz
I don't feel qualified to advise you on BitLocker with Reflect, although one of my systems already had a locked C:\ volume when I bought it. I'm aware of it, but have options checked in Rescue Media Builder options so that it's painless using Rescue Media as well as regular backups and restores. I do also protect image files with a password and AES encryption via Reflect options, as recommended by Macrium. I recommend you review the KnowledgeBase/UserGuide - I searched for "BitLocker" and got this informative article. There were other additional responses to the search. If you then still have questions, feel free to reply to this forum post with your questions.
L.W. (Dan) Danz, Overland Park KS
Reflect v8.1.7784+ on Windows 11 Home 23H2 22631.2792+
Reflect v8.1.7784+ on Windows 10 Pro 22H2 19045.3693+
Reflect v8.1.7638+ on Windows 10 Home 22H2 19045.3693+
jphughan
If you make backups from inside Windows, then your data in the Reflect image will not be encrypted because the partition will be unlocked at the time of the backup. So mounting backups will work the same way, regardless of where you mount them. If you want to start encrypting your backups too, the better solution is to enable Reflect’s own encryption.
Frank Esposito
> If you make backups from inside Windows, then your data in the Reflect image will not be encrypted because the partition will be unlocked at the time of the backup. So mounting backups will work the same way, regardless of where you mount them. If you want to start encrypting your backups too, the better solution is to enable Reflect’s own encryption.

Thanks for the info.
JK
> If you make backups from inside Windows

I think this also applies from inside the Rescue Environment, if the option to automatically unlock BitLocker drives has been enabled (although I suppose the Rescue Environment is also "inside Windows", if one considers Windows to encompass also WinRE and WinPE).

But I'm curious about what would happen in my current situation (laptop motherboard malfunction) if I had had BitLocker enabled. Since I did disable BitLocker "Device Encryption" a few weeks before the hardware failure, I am now able to read (and image) data from the SSD after removing it from the failed motherboard and placing it in an external USB enclosure. However, if I had not disabled BitLocker, would the Recovery Key from my Microsoft Account still work to unlock the drive contents in this context? Furthermore, once the motherboard (and its TPM) are replaced (and the original SSD inserted into the PCIe slot on the new motherboard), would it be possible to unlock the BitLocker-encrypted volumes using the TPM?
jphughan
Yes on the Rescue note. Didn’t want to go down that rabbit hole, especially given that the KB article was already linked.
Yes, the Recovery Key in your MS account can always be used to unlock a BitLocker volume, regardless of how it’s connected.
If you replace a motherboard and therefore the TPM, the new TPM on the new motherboard won’t have the old TPM’s info. So you would have to remove and recreate the TPM protector on the volume to regain the ability to use TPM unlocking. (Disabling and re-enabling encryption entirely would also accomplish this in an arguably simpler but more time-consuming fashion, though it would also change the Recovery Key and invalidate any other protectors.) But TPM protectors can only be set on Windows volumes and only work when booting into the Windows environment you want to unlock that way — so that unlock method would NOT work in your USB enclosure scenario, even if the TPM of the system you were using contained a key to unlock the volume in question. This is also why Rescue cannot use TPM unlocks.
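
The "remove and recreate the TPM protector" step described in the post above, as an added example that is not part of the original post or anyone's own script. It assumes an elevated PowerShell session inside the Windows installation on the replaced motherboard, with the volume already unlocked (for instance via the Recovery Key at boot), and it only handles plain TPM protectors, not TPM+PIN variants.

```powershell
#Requires -RunAsAdministrator
# Added example: re-seal an OS volume to the TPM on a replacement motherboard.
# Run inside the Windows installation whose volume should unlock via TPM.
$mount = $env:SystemDrive          # TPM protectors apply to the OS volume only

$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present/ready; enable and provision it in firmware first."
}

$vol = Get-BitLockerVolume -MountPoint $mount
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    throw "$mount is not encrypted; there is no protector to rebuild."
}

# Guard: never delete a protector unless a recovery password stays on the volume.
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    throw "No recovery password on $mount. Add one and store it before continuing."
}

# Remove TPM protectors sealed by the old motherboard's TPM; the new TPM
# cannot unseal them.
$stale = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
foreach ($kp in $stale) {
    Remove-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $kp.KeyProtectorId |
        Out-Null
}

# Seal the existing volume key to the new TPM. The data is not re-encrypted and
# the recovery key stays the same, unlike a full disable/enable cycle.
Add-BitLockerKeyProtector -MountPoint $mount -TpmProtector | Out-Null

# Report the protectors now present on the volume.
(Get-BitLockerVolume -MountPoint $mount).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```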
JK
So basically, if I hadn't disabled BitLocker before this crash, my only* recourse for accessing my data while waiting for my motherboard to get replaced (which took 6 days, even with a ProSupport Plan) would have been to connect the external enclosure to a computer that has BitLocker installed, and manually enter the Recovery Key each time that I connect the external enclosure? And I assume that I would have to do this using manage-bde in a command shell, or is Windows Explorer somehow BitLocker-aware?

(*Not considering alternatives involving mounting of backup images, of course.)

> (Disabling and re-enabling encryption entirely would also accomplish this in an arguably simpler but more time-consuming fashion, though it would also change the Recovery Key and invalidate any other protectors.)

When I was experimenting with BitLocker and the "Device Encryption" option and struggling with default system settings that caused BitLocker to enable itself automatically for all fixed drives, BitLocker encryption did become enabled and subsequently disabled a number of times for several partitions on my SSD. As a result, my Microsoft account now has a large list of BitLocker recovery keys. If I've understood you correctly, none of these keys have any use (and they can therefore all be safely deleted), given that BitLocker encryption is currently disabled on all partitions of the internal SSD. Is this accurate?
jphughan
Every version of Windows since Vista has had BitLocker available, so you don’t have to install anything special if you want to access a BitLockered volume from within Windows. And if the system in question had BitLocker enabled on its own Windows partition, you could have enabled auto-unlock for your USB-connected volume.
Windows Explorer is BitLocker-aware and has a GUI. When you attach a volume that has BitLocker enabled, you get a toast notification that you can click on to enter a password (for BitLocker To Go volumes) or a Recovery Key.
If you’re sure that you no longer have any BitLocker volumes anywhere that you care about — including BitLocker enabled within VHDX-hosted virtual disks? — then you can safely delete your Recovery Keys because they amount to keys for locks that no longer exist.
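
One way to check the "locks that no longer exist" condition before deleting anything, as an added example that is not part of the original post. The key IDs in `$accountKeyIds` are constructed placeholders standing in for the IDs shown next to each recovery key in the account's list; the script matches by prefix so that either a full or a shortened ID can be pasted in.

```powershell
#Requires -RunAsAdministrator
# Added example: find which saved recovery keys still match an attached volume.
# Key IDs copied by hand from the saved recovery-key list.
# Constructed placeholders; replace with your own values.
$accountKeyIds = @('AAAAAAAA', 'BBBBBBBB', 'CCCCCCCC')

# Collect the recovery-password protector IDs on every volume Windows can see,
# including locked ones (the ID is readable even when the data is not).
$inUse = foreach ($vol in Get-BitLockerVolume) {
    $protectors = $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    foreach ($kp in $protectors) {
        [pscustomobject]@{
            MountPoint   = $vol.MountPoint
            VolumeStatus = $vol.VolumeStatus
            LockStatus   = $vol.LockStatus
            KeyId        = $kp.KeyProtectorId.Trim('{', '}')
        }
    }
}

# Classify each saved key: still guarding a volume, or matching nothing attached.
foreach ($id in $accountKeyIds) {
    $hits = @($inUse | Where-Object { $_.KeyId -like "$id*" })
    if ($hits.Count -gt 0) {
        "KEEP    $id  protects $($hits.MountPoint -join ', ')"
    } else {
        "NOMATCH $id  (no attached volume uses this key)"
    }
}

# Volumes whose recovery key is NOT in the saved list: back these keys up.
$inUse | Where-Object {
    $k = $_.KeyId
    -not ($accountKeyIds | Where-Object { $k -like "$_*" })
} | Format-Table MountPoint, VolumeStatus, LockStatus, KeyId
```

A `NOMATCH` result only covers volumes attached at the time of the run; detached drives, unmounted VHDX virtual disks and backup images of still-encrypted partitions are not seen, so attach or mount those first.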
JK
I may have one backup set of an encrypted drive that was imaged using Rescue Media that did not have BitLocker support. I can probably just add the corresponding Recovery Key to the backup file comments for that image set.