Full image restore is decrypting BitLocker despite the rescue disk being set not to do this before...


Wensleydale (New Member; Group: Forum Members; Posts: 9, Visits: 49)
Full image restore is decrypting BitLocker despite the rescue disk image being set not to do this.

I have repeatedly tested full image restores using different Macrium Win PE 10.0 Rescue Disks on which, if the Rebuild button is used, the image file was created and the disk was set to be burned with BitLocker enabled but "Automatically unlock encrypted drives" disabled. The full image restore is done correctly except that the drive is decrypted with BitLocker turned off during the restore process. In the most recent trial I could not have been more careful to be sure I am selecting the correct options before burning a new rescue disk, before backing up the image to restore Windows, and before restoring the image.

Decrypting the hard drive during restore is not acceptable to me. *Everything* else I need from backup software is here in Macrium Reflect 7 Home, except preserving encryption with restore, something that was supposedly added as a feature within the past year. Each time I test, it forces a major delay in retesting because the drive has to be re-encrypted under BitLocker before proceeding. What is going wrong? Is there a log file that might shed light on the issue?

My configuration:
Windows 10 Pro 64-bit v1607
Macrium Reflect 7 Home v7.0.2173 trial
Backup of (and restoration to) <600 GB out of a 2-TB SSD in three partitions using "Create an image of the partition(s) required to backup and restore Windows" to-and-from a WD Elements 2 TB USB external hard drive.
Windows PE 10.0 Rescue Disk, all drivers green-checked, updated twice, once to include BitLocker and/or SSD support, once to v1607, prior to creation of the image and prior to burning the restore disk. Hitting the Rebuild button, BitLocker is enabled, but "Automatically unlock encrypted drives" is NOT enabled prior to creation of the image and burning the rescue DVD.
Blu-Ray drive, DVD burner burning a blank DVD.
Edited 25 May 2017 12:29 AM by Wensleydale
Richard V. (Most Valuable Professional; Group: Forum Members; Posts: 2K, Visits: 8K)
I think you may perhaps have misunderstood that rescue media option to unlock encrypted drives. It only affects what's available when booted to the Reflect WinPE rescue media. Specifically, it enables intelligent sector copy imaging and cloning, RDR and PE Explorer access in that rescue environment, as noted at the top of this KB article. Re-encryption of the partition as restored from the backup image occurs automatically as required on reboot.

Regards, Richard V. ("Arvy")

Edited 25 May 2017 1:55 AM by Arvy
Nick (Macrium Representative; Group: Administrators; Posts: 2.3K, Visits: 14K)
Hi

Thanks for posting. 

When an image is created of a BitLockered volume it is not encrypted. This is because it is created of the volume in its 'unlocked' state.

If you want to preserve the BitLocker state when restoring then you must restore to the unlocked drive. The restore process will then preserve the BitLocker state using Rapid Delta Restore (RDR). So, please check the option to "Automatically unlock encrypted drives". After the restore, the BitLocker encryption will then be preserved.

Kind Regards

Nick - Macrium Support
jphughan (Macrium Evangelist; Group: Forum Members; Posts: 8.8K, Visits: 59K)
To build on Nick's post above, I wanted a way to restore to a BitLocker volume without having to enable auto-unlock and thereby store the keys in my Rescue Media, and ideally also a way to mount a BitLocker To Go volume if I wanted to store my image backups on a disk protected that way. Turns out that if you open Command Prompt, the Windows "manage-bde" command is available, at least on newer WinPE versions, which gives you everything you need to work with BitLocker, no need to store keys on Rescue Media. It also fortunately supports using the "-?" parameter to see expected syntax and help you build the appropriate commands.

But yes, if you restore a partition before unlocking the target, the encrypted target partition will be deleted and replaced with the backed up data, and backups of BitLockered volumes do NOT preserve encryption (unless you captured a forensic image from Rescue Media), which is why it's advisable to either enable Reflect's encryption for backup files or else store them on a BitLocker To Go volume.
Edited 25 May 2017 2:44 AM by jphughan
Wensleydale (New Member; Group: Forum Members; Posts: 9, Visits: 49)
OK thanks. All three of those posts were helpful in clarifying how this works. I'm still a little confused, but some of the main points I understand much better. I have not experimented with the RDR options, and maybe if I did that, it would remove my remaining confusion about restoring encrypted vs. unencrypted.

Arvy: Is using RDR what you had in mind when you posted: "Re-encryption of the partition as restored from the backup image occurs automatically as required on reboot."? I think I already tested a full image restore without RDR and with both BitLocker boxes checked when burning a different Win PE 10.0 Rescue Disk early on, one I since shredded before creating others, and still ended up unencrypted booting to that first rescue disk with no automatic BitLocker re-encryption at reboot after restoring the image. Not sure how that could work outside of RDR because there would be no opportunity for Windows to prompt the user to save a rescue key, and the previous BitLocker rescue key would not work after automatic re-encryption. But RDR takes care of that. Is that correct?

Nick: Consider adding to the BitLocker area of the Online User Manual a small boxed-in "NOTE: When Macrium Reflect creates an image of a BitLockered volume, the image is created in its 'unlocked' state." Others may be confused about this as well.

I guess the point here is, if I'm understanding this better, that with a volume encrypted with BitLocker, Windows unlocks it at bootup when the user enters the password or uses the key, etc. At that point, Macrium Restore when run will see the volume decrypted, so that's how the image is created. Macrium enables the user to optionally encrypt its image, but that encryption would be completely different from what Windows does with BitLocker, and Macrium Restore's optionally-set encryption would be removed when the user enters the password to unlock the image before being recovered back to the restored hard drive. If some or all of that is off the mark, I'd appreciate another clarification.
Edited 26 May 2017 7:39 PM by Wensleydale
jphughan (Macrium Evangelist; Group: Forum Members; Posts: 8.8K, Visits: 59K)
RDR can only work when Reflect can actually interpret the data that currently resides on the target, which of course isn't possible for a BitLocker volume that's still locked. If you unlock it in WinPE, either by having the unlock keys embedded in your Rescue Media (using the "Automatically unlock" checkbox when you create it) or by manually using the manage-bde commands, RDR can work and your target will remain encrypted when you perform a restore, since the restored data will be encrypted on the fly with the key you provided. RDR will also usually make your restores MUCH faster. If on the other hand you do NOT unlock your target partition prior to restoring, Reflect will simply delete the existing partition on your target and restore it in its entirety from the specified backup, and unless you manually enable Reflect's encryption, the data in your backup files will NOT be encrypted even if it came from a BitLockered volume. The only exception would be if you captured your backup in forensic mode from Rescue Media without unlocking it, but in that case every sector of the partition would have to be captured and compression would become impossible, both of which would make for much larger images. I think that would also preclude Incrementals/Differentials, but I'm not sure. But other than that special mode, because Reflect backups run within Windows, which by necessity must see data in its unencrypted form, the data in the Reflect backup will also be unencrypted by default. This is already explained in Macrium's documentation: http://kb.macrium.com/KnowledgebaseArticle50140.aspx

A backup of a BitLockered volume restored in unencrypted form (by not unlocking it first) is NOT automatically re-encrypted with BitLocker. I've tried this scenario numerous times, and as you say this means you'd have a new Recovery Key after restoring if you re-enabled it. Further, you might also have to clear your cache of auto-unlock keys if you use that feature for other volumes, since otherwise you'll get a CRC error when you try to store them again, even after re-enabling encryption. Windows doesn't allow you to store auto-unlock keys to a system partition that isn't itself protected by BitLocker, but if keys are already there from restoring an encrypted partition in unencrypted form, it seems they can cause problems when you try to re-add an auto-unlock key for the same volume. There's a manage-bde parameter called "clearallkeys" or something in order to handle this scenario.

Your "as I understand it" paragraph is almost exactly right. My only correction/clarification is that Reflect's encryption isn't "removed" when you restore the data in the sense that the backup files themselves remain encrypted, but yes, the data they contain is written to the target unencrypted, UNLESS you're restoring to a BitLocker volume you already unlocked. But there's no way at all to restore a Reflect-encrypted backup file without supplying the Reflect decryption password. If you want to make sure that no unencrypted data is ever written anywhere, you would have to a) enable Reflect's encryption or else store the files on a BitLockered volume, and then b) when performing a restore to a BitLockered partition, unlock the partition before executing the restore so that Reflect doesn't have to delete the existing partition. The tricky part would be if you wanted to restore onto a brand new disk. In that case, you might be able to create a brand new BitLocker partition within Rescue Media, including backing up the recovery key, before executing the restore (never tried that though), or I suppose you could just do a basic installation of Windows just to enable BitLocker and then use the method I just described.

Edited 26 May 2017 8:19 PM by jphughan
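Because a restore to a still-locked target lands on disk unencrypted and, as jphughan notes, Windows gives no warning that the system partition used to be protected, a post-restore check is worth scripting. The PowerShell below is an added example for this thread, not code from the thread, from Macrium or from Microsoft documentation. It assumes an elevated prompt in the restored Windows 10 Pro (not WinPE), that manage-bde.exe is present, and that its output is in English, since the field labels it matches are localized; the function names are our own.

```powershell
# Added example: verify after an image restore that the OS volume is still
# BitLocker-protected, and flag it if the restore left the data in the clear.
# Assumptions: run as Administrator in the restored Windows (not WinPE),
# manage-bde.exe present, English-language output (labels are localized).

function Get-BdeVolumeState {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'C:'

    # 'manage-bde -status <drive>' prints one block of "Label: value" lines.
    $lines = & manage-bde.exe -status $DriveLetter 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde -status $DriveLetter failed: $($lines -join ' ')"
    }
    $text = $lines -join "`n"

    # Pull the fields that matter with anchored, per-line regexes.
    $state = @{}
    foreach ($field in 'Conversion Status', 'Percentage Encrypted',
                       'Protection Status', 'Encryption Method') {
        $pattern = "(?m)^\s*$([regex]::Escape($field)):\s*(.+?)\s*$"
        if ($text -match $pattern) { $state[$field] = $Matches[1] }
        else                       { $state[$field] = 'unknown' }
    }
    return $state
}

function Test-BdeVolumeProtected {
    param([Parameter(Mandatory)][string]$DriveLetter)
    $s = Get-BdeVolumeState -DriveLetter $DriveLetter
    # Only "Protection On" means the key protectors are active. "Protection Off"
    # (or a fully decrypted volume, which is what a restore to a locked target
    # produces) means the data is readable without any BitLocker key.
    return ($s['Protection Status'] -match '^Protection On')
}

# Post-restore check for the OS volume. A non-zero exit lets a scheduled task
# or post-restore script surface the condition instead of continuing silently.
$osDrive = $env:SystemDrive   # normally 'C:'
$state = Get-BdeVolumeState -DriveLetter $osDrive
'{0}: {1}; {2}; {3}; {4}' -f $osDrive, $state['Conversion Status'],
    $state['Percentage Encrypted'], $state['Protection Status'],
    $state['Encryption Method']

if (-not (Test-BdeVolumeProtected -DriveLetter $osDrive)) {
    Write-Warning "$osDrive is NOT BitLocker-protected after the restore; re-enable BitLocker before placing anything sensitive on it."
    # The thread notes that auto-unlock keys left behind on a now-unencrypted
    # system volume can break re-adding auto-unlock for data volumes. This is
    # the manage-bde switch jphughan refers to; it is left commented out here
    # because it deletes those stored keys.
    # & manage-bde.exe -autounlock -ClearAllKeys $osDrive
    exit 1
}
```

Run it once after every restore and before storing anything on the machine; the same two functions can be pointed at data volumes (`Test-BdeVolumeProtected -DriveLetter 'D:'`) to confirm that RDR kept them encrypted as Nick and jphughan describe.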
Richard V. (Most Valuable Professional; Group: Forum Members; Posts: 2K, Visits: 8K)
Quoting Wensleydale: "Arvy: Is using RDR what you had in mind when you posted: 'Re-encryption of the partition as restored from the backup image occurs automatically as required on reboot.'?"

Sorry about those "automatically as required" weasel words. They certainly could have been more clear. My comment was related to RDR only insofar as RDR is available within the Reflect WinPE rescue environment (along with those other optional capabilities that I mentioned) only when the option to "Automatically unlock encrypted drives" has been selected. You can then preserve the BitLocker state by using RDR to restore to the unlocked drive, as Nick points out. Otherwise, as the image of a BitLockered volume is not encrypted within the backup, it must be re-encrypted when restored from that image and, according to the relevant KB article, that occurs automatically on reboot.

Hope that helps to clarify the issue for you. And again I apologise for not being clearer in the first place, but I was trying to keep it short so as not to add to the confusion.


Regards, Richard V. ("Arvy")

Edited 26 May 2017 8:59 PM by Arvy
jphughan (Macrium Evangelist; Group: Forum Members; Posts: 8.8K, Visits: 59K)
@Nick, I just saw the User Guide page that the OP is talking about here: http://knowledgebase.macrium.com/display/KNOW7/Adding+BitLocker+support+to+Windows+PE

The Note at the top of the page claims that "It isn't absolutely necessary to unlock a BitLocker encrypted drive when restoring an image of the encrypted partition. The partition will restore without a problem and will be automatically re-encrypted on reboot". That is not the case. Restored data can be encrypted on the fly in Rescue if the target is unlocked, or (I assume) a forensic image of a BitLocker volume captured while it was locked would restore already encrypted, but in the case described by the Note, involving not unlocking a BitLocker encrypted drive prior to performing a restore, Reflect will restore the partition unencrypted and then the user would have to manually re-enable BitLocker. Windows will not even warn the user that the system partition used to be protected by BitLocker and isn't anymore. I agree with the OP that this would be worth rewording.

Edited 28 May 2017 12:17 AM by jphughan
Wensleydale (New Member; Group: Forum Members; Posts: 9, Visits: 49)
Okay, great, I think I've got it now. I will test some more using RDR. Thank you, thank you, jphughan and Arvy.

Edited 26 May 2017 9:05 PM by Wensleydale
Richard V. (Most Valuable Professional; Group: Forum Members; Posts: 2K, Visits: 8K)
From the relevant KB article -- Created by Nick Sills, last modified by Macrium Software on Nov 17, 2015 --
Note: It isn't absolutely necessary to unlock a BitLocker encrypted drive when restoring an image of the encrypted partition. The partition will restore without a problem and will be automatically re-encrypted on reboot, ... [Emphasis added]

The above contention regarding this statement is sorely in need of some direct response from the author or modifiers of that KB article. As it stands, there is really no other way (neither grammatically nor legally) to interpret "will be" than as a simple and straightforward declarative. It's either correct or incorrect and, if it isn't correct, it has been and remains misleading for users since its publication, potentially disastrously so.

Regards, Richard V. ("Arvy")

Edited 27 May 2017 4:46 PM by Arvy