BitLocker Encryption guide
When you back up data to a removable drive, the data can be accessed by any computer the drive is connected to. This is of concern for drives that are stolen, lost or kept in offsite locations. BitLocker protects a removable drive from unauthorized access by encrypting the drive and locking it. Only when the drive is unlocked, can the data on it be accessed.
BitLocker is a Microsoft encryption solution that is supported by BackupAssist v8.3 and later for System Protection, File Protection and File Archiving backups to removable drive destinations.
How BackupAssist uses BitLocker
This section explains how BackupAssist uses BitLocker keys and passwords to unlock encrypted drives. BackupAssist requires an unlocked drive to back up, restore and recover data. An unlocked drive will lock itself again if the drive is removed or if the server it is connected to is restarted.
A drive can be unlocked by:
- Manually entering a password that was provided when the drive was encrypted.
- Providing the encryption key that was created for the drive during the encryption process.
Encryption key
When a drive is encrypted, BitLocker creates an encryption key for that specific drive. The key is saved to a USB flash drive, and used by BackupAssist to unlock that drive each time the backup job runs.
Because of server restarts and media rotations, it should be assumed that an encrypted drive is always locked when a backup job runs. For this reason – the USB flash drive containing the encryption keys should always be connected to the server when a backup job backs up to an encrypted destination.
The USB flash drive will contain an encryption key for each drive that is encrypted, and should be used to store the encryption keys for all backup jobs on that server. Each server backing up to encrypted drives should have its own USB flash drive.
Note: The USB flash drive containing the encryption key should never be stored with the encrypted drive.
Password
When you create a backup job with BitLocker selected, you will be asked to provide a password. This password can be used to manually unlock the drives that were encrypted by the backup job. The BitLocker password must conform to requirements specified by the group policy, which may include minimum and maximum length requirements.
When you enter a password to unlock a drive, it must be the password that the backup job used to encrypt the drive. BackupAssist cannot retrieve the password if it is lost or forgotten. If you change the password after having used it to prepare external drives, the new password will only apply to drives that are prepared after the password was changed. It is suggested that all drives are prepared again so that the new password is applied to all drives used by the backup job.
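The unlock-and-lock cycle described above, written out as a PowerShell script. This is an added example, not BackupAssist's own code and not part of the original page. The drive letters E: (backup drive) and F: (USB flash drive with the keys) are assumptions, as is the assumption that the key BackupAssist saves as a hidden system file is the .BEK external-key file that BitLocker writes. The script also applies the check from the later note about partially encrypted drives, refusing a destination whose encryption was paused, and uses the password as the fallback a restore or recovery would use when no key is present.

```powershell
# Added example (not from BackupAssist or the original page).
# Unlock a BitLocker removable backup drive from the key file on the
# USB flash drive (or the password), check it is fully encrypted, and
# lock it again afterwards. Drive letters below are assumptions.
param(
    [string]$BackupDrive = 'E:',   # assumed: the encrypted backup drive
    [string]$KeyDrive    = 'F:'    # assumed: the USB flash drive holding the keys
)

function Unlock-BackupDrive([string]$MountPoint, [string]$KeyPath) {
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($vol.LockStatus -ne 'Locked') { return }

    # The external key is a hidden system .BEK file, so -Force is needed
    # for Get-ChildItem to list it. The flash drive holds one .BEK per
    # encrypted drive; try each until one unlocks this volume.
    $keys = Get-ChildItem -Path $KeyPath -Filter '*.BEK' -File -Force -ErrorAction SilentlyContinue
    foreach ($bek in $keys) {
        try {
            Unlock-BitLocker -MountPoint $MountPoint -RecoveryKeyPath $bek.FullName -ErrorAction Stop | Out-Null
            Write-Verbose "Unlocked $MountPoint with $($bek.Name)"
            return
        } catch { }   # wrong key for this drive; try the next one
    }

    # No usable key file: fall back to the password that was set when the
    # drive was encrypted. BackupAssist cannot recover this password.
    $pw = Read-Host -Prompt "BitLocker password for $MountPoint" -AsSecureString
    Unlock-BitLocker -MountPoint $MountPoint -Password $pw -ErrorAction Stop | Out-Null
}

function Assert-FullyEncrypted([string]$MountPoint) {
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    # A paused (partially encrypted) drive cannot be used as a BitLocker
    # backup destination, so refuse it instead of writing to it.
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        throw ("{0} is {1} ({2}% encrypted); resume or turn off BitLocker before using it." -f
            $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
    }
    return $vol
}

try {
    Unlock-BackupDrive -MountPoint $BackupDrive -KeyPath $KeyDrive
    Assert-FullyEncrypted -MountPoint $BackupDrive | Out-Null

    # ... run the backup or restore against $BackupDrive here ...
}
finally {
    # Re-lock so the data is not readable while the drive stays attached.
    # -ForceDismount closes open handles, like ejecting after the backup.
    Lock-BitLocker -MountPoint $BackupDrive -ForceDismount -ErrorAction SilentlyContinue | Out-Null
}
```

Run it from an elevated PowerShell session on the backup server; the BitLocker module (Get-BitLockerVolume, Unlock-BitLocker, Lock-BitLocker) ships with Windows Server 2012 and later. On Windows Server 2008 R2 the equivalents are `manage-bde -unlock E: -RecoveryKey <path to .BEK>` and `manage-bde -lock E: -ForceDismount`.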
Considerations
BitLocker can use USB external drives as both backup destinations and storage devices for encryption keys. For clarity and best practice, this document describes USB external drives as storage for backups and USB flash drives as storage for encryption keys.
Unlocking a drive allows you to access the data on it but does not decrypt the drive. BitLocker encrypts the drive's sectors (full-volume encryption), not individual files, so once the drive is unlocked its files are readable like those on any other drive, and once it is locked again none of them are.
BackupAssist BitLocker Support
Operating systems supported:
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
Backup types supported
 | System Protection | File Protection | File Archiving |
---|---|---|---|
BitLocker encryption | Yes | Yes | Yes |
Alternative encryption | None | None | Zip file encryption |
Backup destinations supported
 | Data container | External disk | RDX drive | Flash drive |
---|---|---|---|---|
BitLocker encryption | No | Yes | Yes | File Archiving only |
How to install BitLocker
BitLocker is included as an installable feature in Windows Server 2008 / 2008 R2 and 2012 / 2012 R2. By default, BitLocker is not installed but it can be added from the Windows Server features list. Adding BitLocker will not encrypt any drives; it just makes BitLocker available as an option for BackupAssist backup jobs that use a removable drive destination.
To install BitLocker on Windows Server 2012 / Server 2012 R2
- Open Server Manager.
- Select Add Roles and Features from the Manage menu.
- Progress to the Features list under Select features.
- Tick BitLocker Drive Encryption. Other roles and features required for Windows to use BitLocker will be automatically selected.
- Select Add features.
- Select Next
- Select Install.
To install BitLocker on Windows Server 2008 / Server 2008 R2
- Open Server Manager.
- Select Add Features from the Features Summary section.
- Tick BitLocker Drive Encryption.
- Select Install.
Note: After installing BitLocker, Windows may require a restart before BitLocker can be used. If a reboot is required, it will be indicated at the end of the install operation.
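The same install done from PowerShell, as an added example that is not from the original page. It assumes an elevated session on the server; Install-WindowsFeature is the Windows Server 2012 and later cmdlet, and Add-WindowsFeature from the ServerManager module is the Windows Server 2008 R2 one.

```powershell
# Added example (not from the original page): install the BitLocker
# feature without the Server Manager wizard, then confirm the install
# and whether a restart is pending before creating BitLocker backup jobs.
Import-Module ServerManager   # required on Server 2008 R2; harmless on 2012 and later

if (Get-Command Install-WindowsFeature -ErrorAction SilentlyContinue) {
    # Windows Server 2012 / 2012 R2 / 2016
    $result = Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools
} else {
    # Windows Server 2008 R2
    $result = Add-WindowsFeature -Name BitLocker
}

$result | Format-List Success, ExitCode, RestartNeeded, FeatureResult

# Adding the feature encrypts nothing; it only makes BitLocker available.
# Windows may still need a reboot before BitLocker can be used.
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'Restart the server before using BitLocker.'
}

# Verify that the feature is now installed.
Get-WindowsFeature -Name BitLocker
```

On the original Windows Server 2008 (not R2), where the ServerManager PowerShell module is not available, `ServerManagerCmd.exe -install BitLocker` performs the same install.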
How to create a BitLocker backup job
This section explains how to create a backup job that uses BitLocker encryption. A backup job implements BitLocker using 3 of the backup job creation steps: Destination media where BitLocker is selected, Set up destination where BitLocker is configured and Prepare media where the removable drive is encrypted.
The Pre-requisites
- You must be using Windows Server for the BitLocker feature to appear.
- BitLocker must be installed, as explained in the previous section.
- Your backup destination must be an External drive or RDX drive.
- File Archiving also supports Flash drive destinations.
- A USB flash drive is required to store the encryption key.
The steps
Follow these steps to use BitLocker encryption when you create a backup job:
Destination media
This step is used to select the destination media and BitLocker encryption. This is where you select Enable BitLocker encryption.
The Enable BitLocker encryption option will:
- Appear if you are running BackupAssist on a Windows Server.
- Be selectable when you select a supported removable drive as a backup destination.
- Be greyed-out if BitLocker is not installed.
Set up destination
The following two fields are used to provide BitLocker configuration information.
- BitLocker encryption key location: this is used to identify the USB flash drive that the BitLocker encryption key is saved to. You can use the Detect option to identify the drive, or use the drop down list to select the drive letter that has been allocated to the USB flash drive.
- Password for encrypted backup drive: this field is where you enter the password that can be used to manually unlock any drive that was encrypted by this backup job.
Selecting Safely eject the hard drive after the backup has been completed is a good way to lock the drive once the backup has finished, because an unlocked drive locks again when it is removed.
Prepare media
This step is used to prepare each of the drives that the backup job will use. By default, it will display drives based on the backup schedule.
When you select the Prepare button next to each drive, that drive will be labeled by BackupAssist and selected for BitLocker encryption.
- The encryption process will not start until the backup job has been created.
- It is recommended that you prepare all of your drives so that they can be encrypted.
- If the required drive is not encrypted when the backup job runs, the backup job will fail.
Next steps
This is the final screen in the backup job creation process, and comes after you have named the backup job. If you have selected BitLocker encryption, there will be a tick box, Launch BitLocker encryption tool.
- When you select Finish, the backup job will be created and the BitLocker encryption tool will open for the drives that you prepared in the Prepare media step.
- When you select the start icon next to a drive that you prepared, the encryption process will begin.
- If you deselect this box, the drives will not be encrypted.
- If the backup job runs and its drive has not been encrypted, the backup job will fail.
During the encryption process, the drive's encryption key is saved to the USB flash drive and the password is assigned to the drive. The key is saved as a hidden system file.
If you want to prepare more drives after the encryption process has finished, you can do so as follows:
- Select the Backup tab's Manage menu.
- Select the backup job and select Edit from the lower menu.
- Select Prepare media from the job menu.
- Select Prepare for each drive that you want to encrypt.
- Select the BitLocker encryption tool using the link inside the window.
The BitLocker encryption tool will open and begin the encryption process.
The BitLocker encryption tool
If you create a backup job with Enable BitLocker encryption selected, there will be a step at the end of the job creation called Next steps which will open the BitLocker encryption tool when you select Finish. The tool is used to encrypt the drives that the backup job will use. This should be done before the backup job runs, because if an unencrypted drive is used for a BitLocker backup job, the job will fail.
If you finish creating the backup job without encrypting the drives, you can open the BitLocker encryption tool by going to the Backup tab's Manage menu, opening the backup job and selecting Prepare media from the top menu. This will open the Prepare media dialog, which contains a link to the BitLocker encryption tool.
The BitLocker encryption tool can run in the background after BackupAssist has been closed. The encryption process will tell you how much has been encrypted and how long the process will take. You can encrypt more than one drive at a time, reducing the total time required to encrypt your set of prepared drives.
The encryption tool has 4 action buttons, which will become available when the drive is attached:
- Refresh and display any new drives that have been attached
- Start an encryption process that has been paused
- Pause the encryption process.
- Eject the removable drive. You cannot eject a drive that is being encrypted.
Note: If you do not resume a paused encryption, the drive will be partially encrypted. A partially encrypted drive can still be accessed in Windows but it cannot be used as a backup destination for a BitLocker job. To decrypt the encrypted part of the drive, open BitLocker from the Windows Control Panel, select the drive and click Turn off BitLocker.
Note: If you have previously encrypted a drive using the Windows BitLocker UI, you must unlock the drive before preparing (encrypting) the drive using BackupAssist.
How to restore from an encrypted drive
When you perform a restore from an encrypted drive, you can give the restore job access to the data by providing the password when prompted during the restore process, or by inserting the encryption key before the restore process begins.
Using the password
If the encryption key is not detected, you will be prompted for the password when the restore job tries to access the backup. Entering the password will allow you to access the data as long as the password is the one that was assigned when the drive was encrypted. For example, if you are using the Integrated Restore Console, you will be prompted to enter the password when you select Restore at the very last step.
Using the encryption key
To unlock an encrypted drive using the key, connect the USB flash drive to the server running BackupAssist. BackupAssist will use the key to unlock the drive that you are restoring from. You will not be prompted to do anything other than the normal restore steps.
How to recover from an encrypted drive
When you perform a recovery, you MUST use the password to access an encrypted drive. The RecoverAssist media will boot the system and ask for the location of the image backup that you want to recover from. When you select the encrypted drive, you will be prompted to enter the password. BackupAssist cannot retrieve the password if it is lost or forgotten.
Drive encryption duration
BitLocker encrypts the drive that the backup resides on at the sector level. This means you only need to encrypt the drive once, but because all the encryption takes place up front, it can take a long time. Microsoft estimates that BitLocker encryption can take 1 minute per 500 MB, so you should plan when to perform the encryption based on the information below.
How long the encryption process takes depends on:
- The size of the drive
- The performance of the drive and the server
- The operating system you are using
- How much data is on the drive (Windows Server 2012 and later only)
If you are using Windows 8 or Windows Server 2012 and later, BitLocker encrypts only the used space. It does not encrypt unused disk space or disk space containing deleted files, which makes the process very fast when there is not much data on the drive. The trade-off is that anything written to the drive before it was encrypted, including deleted files, stays readable in that unencrypted free space, so use a new or securely wiped drive rather than a previously used one.
Encryption time examples
The below table provides examples for how long the encryption process could take in different scenarios, using sensible estimates.
Windows Server 2012
Disk Size | Duration |
---|---|
New disk | 1 - 5 minutes |
1 TB Drive with 300 GB used | 10 hours |
2 TB Drive with 1.5 TB used | 50 hours |
Windows Server 2008
Disk Size | Duration |
---|---|
500 GB Drive | 17 hours |
1 TB Drive | 33 hours |
2 TB Drive | 67 hours |
To learn more, see the Microsoft BitLocker FAQ.
Windows BitLocker Pop up message
When an encrypted drive is attached to a server that is logged on, Windows will display a pop-up message to tell you that the drive is available and a password is required to access it. Having a USB drive with an encryption key means you do not need to respond to this prompt for your backup job to proceed.
This message will have no impact on your backup job. You do not need to enter the password as long as you have the USB flash drive with the encryption key attached.
Because this is a Windows security pop-up, and because it needs to be allowed to appear for encrypted drives that are not managed by BackupAssist, it’s important to understand how the message applies to BackupAssist.
- If you see this message, you can select Cancel and ignore it. Your backup job will not be affected because the encryption key will be used to unlock the drive.
- If you enter the password into the pop-up and tick Automatically unlock on this computer from now on, the pop-up will not appear again. However, this means that the drive will be automatically unlocked every time it is attached to that server, without any key or password being present. For security reasons, we recommend that you use the encryption key on the USB flash drive to unlock the drive rather than have it auto unlock.
- Using the encryption key means the drive is only unlocked while the backup job is running. The key unlocks the drive when the backup starts and, if you have the drive set to eject, it will be locked again when the drive ejects at the end of the backup job.
- Using the password auto unlock means the drive will be unlocked for as long as it is attached to the server.
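A way to find out whether any drive on the server has been set to auto unlock in this way, and to undo it, as an added PowerShell example that is not code from BackupAssist or the original page. It assumes the BitLocker module on Windows Server 2012 or later; the -Fix switch is a name chosen here, and the script only reports unless that switch is given.

```powershell
# Added example (not from the original page): list BitLocker volumes that
# unlock automatically on this computer (the "Automatically unlock on this
# computer from now on" tick box) and, with -Fix, remove that setting so the
# drive is only unlocked while the key on the USB flash drive is present.
param([switch]$Fix)   # assumed switch name; report only when not given

# AutoUnlockEnabled is only populated for unlocked volumes, so run this
# with the backup drives attached and unlocked.
$auto = Get-BitLockerVolume |
    Where-Object { $_.AutoUnlockEnabled -eq $true } |
    Select-Object MountPoint, VolumeType, LockStatus, ProtectionStatus, AutoUnlockEnabled

if (-not $auto) {
    Write-Host 'No volumes are set to auto unlock on this computer.'
    return
}

$auto | Format-Table -AutoSize

if ($Fix) {
    foreach ($v in $auto) {
        # Removes the auto-unlock key stored on this server for the volume.
        # The external key on the flash drive and the password still work.
        Disable-BitLockerAutoUnlock -MountPoint $v.MountPoint -ErrorAction Stop | Out-Null
        Write-Host "Auto unlock disabled on $($v.MountPoint); it will be locked the next time it is attached."
    }
}
```

Clear-BitLockerAutoUnlock removes every auto-unlock key stored on the server at once if you prefer a blanket reset; after either command, the drive is locked again on attach and the backup job unlocks it from the key file as described above.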