BitLocker encryption for BackupAssist
BitLocker is a Microsoft encryption solution that is used to protect data from unauthorized access. BackupAssist System Protection, File Protection and File Archiving use BitLocker to encrypt removable drive destinations. This guide explains BackupAssist’s BitLocker implementation.
When you back up data to a removable drive, the data on that drive can be accessed by any computer that the drive is connected to. This is of concern for drives that are stolen, lost or stored in offsite locations. BitLocker protects a removable drive from unauthorized access by encrypting the sectors on the drive and locking it. Only when the drive is unlocked, can the data on it be accessed.
Online Guide
How BackupAssist uses BitLocker
This section explains how BackupAssist implements BitLocker keys and passwords to unlock encrypted drives.
BackupAssist requires an unlocked drive to backup, restore and recover data. An unlocked drive will lock itself again if the drive is removed or if the server it is connected to is restarted.
A drive can be unlocked by:
- Manually entering a password that was provided when the drive was encrypted.
- Providing the encryption key that was created for the drive during the encryption process.
Encryption key
When a drive is encrypted, BitLocker creates an encryption key for that specific drive. The key is saved to a USB flash drive, and used by BackupAssist to unlock that drive each time the backup job runs.
Because of server restarts and media rotations, it should be assumed that an encrypted drive is always locked when a backup job runs. For this reason – the USB flash drive containing the encryption keys should always be connected to the server when a backup job backs up to an encrypted destination.
The USB flash drive will contain an encryption key for each drive that is encrypted, and should be used to store the encryption keys for all backup jobs on that server. Each server backing up to encrypted drives should have its own USB flash drive.
Password
When you create a backup job with BitLocker selected, you will be asked to provide a password. This password can be used to manually unlock the drives that were encrypted by the backup job. The BitLocker password must conform to requirements specified by the group policy, which may include minimum and maximum length requirements.
Considerations
BitLocker can use USB External drives and USB flash drives (thumb drives) as both backup destinations and storage devices for encryption keys. For clarity and best practice, this document described USB External drives as storage for backups and USB flash drives as storage for encryption keys.
Unlocking a drive allows you to access the data on a drive but does not decrypt the drive. It is the sectors on the drive that are encrypted, not the data itself.
BitLocker Support
BitLocker backup type support
|
System Protection |
File Protection |
File Archiving |
BitLocker encryption |
Yes |
Yes |
Yes |
Alternative encryption |
None |
TrueCrypt |
Zip file encryption |
BitLocker backup destination support
|
Data container |
External disk |
RDX drive |
Flash Drive |
BitLocker encryption |
No |
Yes |
Yes |
File Archiving only |
How to install BitLocker
BitLocker is included as an installable feature in Window Server 2008R1/R2 and 2012R1/R2.
By default, BitLocker is not installed but it can be added from the Windows Server features list. Adding BitLocker will not encrypt any drives, it will just make BitLocker available as an option for BackupAssist System Protection backups.
After installing the BitLocker, Windows may require a restart before BitLocker can be used. If a reboot is required, it will indicated at the end of the install operation.
To install BitLocker on Window Server 2012 / Server 2012 R2
- Open Server Manager.
- Select Add Roles and Features from the Manage menu.
- Progress to the Features list under Select features.
- Tick BitLocker Drive Encryption. Other roles and features required for Windows to use BitLocker will be automatically selected.
- Select Add features.
- Select next
- Select Install.
To install BitLocker on Window Server 2008 / Server 2008 R2
- Open Server Manager.
- Select the Add features option from the Features Summary Help menu.
- Tick BitLocker Drive Encryption
- Select Install.
How to create a BitLocker backup job
This section explains how to create a backup job that uses BitLocker encryption.
Pre-requisites
- You must be using Windows Server for the BitLocker feature to appear.
- BitLocker must be installed, as explained in the previous section.
- Your backup destination must be an External drive or RDX drive.
- File Archiving also supports Flash drive destinations.
- A USB flash drive is required to store the encryption key.
A System Protection backup job implements BitLocker using 3 of the Backup job's set up steps.
- Destination Media
- Appear if you are running BackupAssist on a Windows Server
- Be selectable when you select a supported removable drive as a backup destination.
- Be greyed-out if BitLocker is not installed.
- Set up destination
- BitLocker encryption key location: this is used to identify the USB flash drive that the BitLocker encryption key is saved to. You can use the Detect option to identify the drive, or use the drop down list to select the Drive letter that has been allocated to the USB flash drive.
- Password for encrypted backup drive: this field is where you enter the password that can be used to manually unlock any drive that was encrypted by this backup job.
- Selecting Safely eject the hard drive after the backup has been completed, is a good way to lock the drive after the backup has been completed.
- Prepare media
- The encryption process will not start until the backup job has been created.
- It is recommended that you prepare all of your drives so that they can be encrypted.
- If the required drive is not encrypted when the backup job runs, the backup job will fail.
- Next Steps
- When you select Finish, the backup job will be created and the BitLocker encryption tool will open.
- When you select the start icon next to a drive that you prepared, and the encryption process will begin.
- If you deselect this box, the drives will not be encrypted.
- If the backup job runs and its drive has not been encrypted, the backup job will fail.
- Select the Backup tab's Manage menu.
- Select the backup job and select Edit from the lower menu.
- Select Prepare media from the job menu.
- Select Prepare for each drive that you want to encrypt.
- Select the BitLocker encryption tool using the link inside the window.
- Refresh and display any new drives that have been attached
- Start an encryption process that has been paused
- Pause the encryption process.
- Eject the removable drive. You cannot eject a drive that is being encrypted.
This step is where you select Enable BitLocker encryption.
The Enable BitLocker encryption option will:
The following two fields are used to provide BitLocker configuration information.
This step is used to prepare each of the drives that the backup job will use. By default, it will display drives based on the backup schedule. When you select the Prepare button next to each drive, that drive will be labeled by BackupAssist and selected for BitLocker encryption.
This is the final screen in the backup job creation process, and comes after you have named the backup job. If you have selected BitLocker Encryption, there will be a tick box for - Launch BitLocker encryption tool.
When you select Finish, the backup job will be created and the BitLocker encryption tool will automatically start and begin encrypting the drives that you Prepared in the Prepare media step.
During the encryption process, the drive’s encryption key is saved to the USB flash drive and the password is assigned to the drive. The key will be saved as a hidden system file.
If you want to prepare more drives after the encryption process has finished, you can as follows:
The BitLocker Encryption tool will open and begin the encryption process.
The BitLocker encryption tool
The BitLocker encryption tool can run in the background after BackupAssist has been closed. The encryption process will tell you how much has been encrypted and how long the process will take.
The encryption tool has 4 action buttons:
How to restore & recover from an encrypted drive
When you perform a restore, you CAN use the password to unlock an encrypted drive. This will allow you to access the data as long as the password is the one that was assigned when the drive was encrypted. You will be prompted for the password when the restore job tries to access the backup.
For example, if you are using the BackupAssist Restore Console, you will be prompted to enter the password when you select Restore at the very last step.
When you perform a restore, you CAN use the encryption key to unlock an encrypted drive, by connecting the USB flash drive to the server running BackupAssist. BackupAssist will use the key to unlock the drive that you are restoring from. You will not be prompted to do anything other than the normal restore steps.
When you perform a recovery, you MUST use the password to access an encrypted drive. The RecoverAssist media will boot the system and ask for the location of the image backup that you want to recover from. When you select the encrypted drive, you will be prompted to enter the password.
Drive encryption duration
BitLocker encrypts the drive that the backup resides on at the sector level. This means you only need to encrypt the drive once, but because all the encryption takes place up front, it can take a long time.
Microsoft estimates that BitLocker encryption can take 1 minute per 500mb, so you should plan when to perform the encryption based on the information below.
How long the encryption process takes depends on:
- The size of the drive
- The performance of the drive and the server
- The operating system you are using
- How much data is on the drive (for Windows 2012)
If you are using Windows 8 or Windows Server 2012 and later, BitLocker will only encrypt the used space. It does not encrypt unused disk space or disk space containing deleted files. This makes the process very fast when there is not much data on the drive.
Encryption examples
The below table provides examples for how long the encryption process could take in different scenarios, using sensible estimates.
Windows Server 2008
Disk Size |
Duration |
500 GB drive |
17 hours |
1 TB drive |
33 hours |
2 Tb drive |
67 hours |
Windows Server 2012
Disk Size |
Duration |
New disk |
1-5 minutes |
1 TB / 300 GB used |
10 hours |
2 TB / 1.5 TB used |
50 hours |
To learn more, see the Microsoft BitLocker FAQ.
Windows BitLocker Pop up message
When an encrypted drive is attached to a server that is logged on, Windows will display a pop-up message to tell you that the drive is available and a password is required to access it.
Having a USB drive with an encryption key means you do not need to respond to this prompt for your backup job to proceed.
This message will have no impact on your backup job. You do not need to enter the password as long as you have the USB flash drive with the encryption key attached.
The pop-up message response
Because this is a Windows security pop-up, and because it needs to be allowed to appear for encrypted drives that are not managed by BackupAssist, it’s important to understand how the message applies to BackupAssist.
- If you see this message, you can select Cancel and ignore it. Your backup job will not be affected because the encryption key will be used to unlock the drive.
- If you enter the password into the pop-up and tickAutomatically unlock on this computer from now on,the pop-up will not appear again. However, this means that the drive will be automatically unlocked every time it is attached. For security reasons, we recommended that you use the encryption key on the USB thumb drive to unlock the drive rather than have it auto unlock.
- Using the encryption key means the drive is only unlocked while the backup job is running. The key unlocks the drive when the backup starts and, if you have the drive set to eject, it will be locked again when the drive ejects at the end of the backup job.
- Using the password auto unlock means the drive will be unlocked for as long as it is attached to the server.