BitLocker-Encrypted Volumes
CloudBerry Backup supports BitLocker-encrypted volume backup and restore.
What is BitLocker?
BitLocker is a volume encryption tool in Windows Enterprise and Ultimate versions. BitLocker differs from most other encryption approaches since it uses your Windows login to encrypt your data. BitLocker suits for standing against threats of data theft or disclosure from lost, stolen, or inappropriately decommissioned PC hardware.
To learn more about BitLocker, refer to the BitLocker section at docs.microsoft.com.
Backing Up BitLocker-Encrypted Volumes
The Keep BitLocker option is configured on the Select Partitions step of an image-based backup wizard.
BitLocker-encrypted volumes are detected automatically, the Keep BitLocker check box is selected by default. With this option enabled, the BitLocker-encrypted volume will be backed up 'as is', namely, with the BitLocker encryption.
Note that if you have system partitions encrypted with BitLocker, it is highly recommended not to use the BitLocker encryption to back them up. Instead, you can use the built-in encryption of Backup for Windows.
This recommendation comes because image-based backups can be easily corrupted if a partition is BitLocker-encrypted. For these partitions, VSS (Volume Shadow Copy) is not available. This can cause the following issues on restore: the operating system may not start properly and result in a BSOD message BAD_SYSTEM_CONFIG_INFO
For volumes that are not BitLocker-encrypted, the Keep BitLocker option is unavailable.
Note that the Bitlocker-encrypted partition backup dataset contains the whole partition and includes free space. For example, a 2 GB partition with 50 MB occupied space will be of 2 GB size on backup storage. On the drawing below, the latest backup (with the 53 MB Size on Storage value) is with the disabled Keep BitLocker option and the previous backup (with the 1,95 GB Size on Storage value) is with the Keep BitLocker option enabled
If you disable the Keep BitLocker option, the volume will be backed up in decrypted form. Note that the decryption does not happen automatically, MSP360 (CloudBerry) Backup only performs checks of volume state. Decrypt the required volumes using the standard Windows tools for BitLocker
Restore of BitLocker-Encrypted Volumes
If you restore a BitLocker-encrypted volume that was backed up in its encrypted state with the Keep Bitlocker option enabled, the volume will be mounted to the specified location without any changes.
If you restore a volume that was decrypted before backup, it is restored as follows:
- If you select the original volume as a restore destination and it is still decrypted, the volume will be restored as is
- If you select the original volume as a restore destination and the volume is encrypted, you will be prompted to provide one of the credential types to unlock the volume
- If you select another BitLocker-encrypted disk as a target restore destination, provide the required credentials to unlock the disk and continue to restore
Item-Level Restore from BitLocker-Encrypted Backups
As of version 6.3.1, MSP360 (CloudBerry) Backup supports the item-level restore for BitLocker-encrypted backups. Volumes that are BitLocker-encrypted are displayed with a special icon indicating the encryption.
To view the contents of the BitLocker-encrypted volume on backup storage, select it, then specify one of the credential types to unlock the volume:
- Password
- Recovery password
- Key file.
Once you are done, click OK, then follow the restore wizard steps to configure the restore.