BitLocker encryption for BackupAssist

BitLocker is a Microsoft encryption solution that is used to protect data from unauthorized access. BackupAssist v8.3 and later supports BitLocker for System Protection, File Protection and File Archiving backups to removable drive destinations. This guide explains BackupAssist’s BitLocker implementation.

When you back up data to a removable drive, the data on that drive can be accessed by any computer that the drive is connected to. This is of concern for drives that are stolen, lost or stored in offsite locations. BitLocker protects a removable drive from unauthorized access by encrypting the sectors on the drive and locking it. Only when the drive is unlocked, can the data on it be accessed.

Online Guide

How BackupAssist uses BitLocker

This section explains how BackupAssist implements BitLocker keys and passwords to unlock encrypted drives.

BackupAssist requires an unlocked drive to backup, restore and recover data. An unlocked drive will lock itself again if the drive is removed or if the server it is connected to is restarted.

A drive can be unlocked by:

Manually entering a password that was provided when the drive was encrypted.
Providing the encryption key that was created for the drive during the encryption process.

Encryption key

When a drive is encrypted, BitLocker creates an encryption key for that specific drive. The key is saved to a USB flash drive, and used by BackupAssist to unlock that drive each time the backup job runs.

Because of server restarts and media rotations, it should be assumed that an encrypted drive is always locked when a backup job runs. For this reason – the USB flash drive containing the encryption keys should always be connected to the server when a backup job backs up to an encrypted destination.

The USB flash drive will contain an encryption key for each drive that is encrypted, and should be used to store the encryption keys for all backup jobs on that server. Each server backing up to encrypted drives should have its own USB flash drive.

The USB flash drive containing the encryption key should never be stored with the encrypted drive.

Password

When you create a backup job with BitLocker selected, you will be asked to provide a password. This password can be used to manually unlock the drives that were encrypted by the backup job. The BitLocker password must conform to requirements specified by the group policy, which may include minimum and maximum length requirements.

When you enter a password to unlock a drive, it must be the password that the backup job used to encrypt the drive. BackupAssist cannot retrieve the password if it is lost or forgotten.

If you change the password after having used it to prepare external drives – the new password will only apply to drives that are prepared after the password was changed. It is suggested that all drives are prepared again so that the new password is applied to all drives used by the backup job

Considerations

BitLocker can use USB External drives and USB flash drives (thumb drives) as both backup destinations and storage devices for encryption keys. For clarity and best practice, this document described USB External drives as storage for backups and USB flash drives as storage for encryption keys.

Unlocking a drive allows you to access the data on a drive but does not decrypt the drive. It is the sectors on the drive that are encrypted, not the data itself.

BackupAssist BitLocker Support

Operating systems supported:

Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Windows Server 2008 R2

Backup types supported

	System Protection	File Protection	File Archiving
BitLocker encryption	Yes	Yes	Yes
Alternative encryption	None	TrueCrypt	Zip file encryption

Backup destinations supported

	Data container	External disk	RDX drive	Flash Drive
BitLocker encryption	No	Yes	Yes	File Archiving only

How to install BitLocker

BitLocker is included as an installable feature in Window Server 2008R1/R2 and 2012R1/R2.

By default, BitLocker is not installed but it can be added from the Windows Server features list. Adding BitLocker will not encrypt any drives, it will just make BitLocker available as an option for BackupAssist System Protection backups.

After installing the BitLocker, Windows may require a restart before BitLocker can be used. If a reboot is required, it will indicated at the end of the install operation.

To install BitLocker on Window Server 2012 / Server 2012 R2

Open Server Manager.
Select Add Roles and Features from the Manage menu.
Progress to the Features list under Select features.
Tick BitLocker Drive Encryption. Other roles and features required for Windows to use BitLocker will be automatically selected.
Select Add features.
Select next
Select Install.

To install BitLocker on Window Server 2008 / Server 2008 R2

Open Server Manager.
Select the Add features option from the Features Summary Help menu.
Tick BitLocker Drive Encryption
Select Install.

How to create a BitLocker backup job

This section explains how to create a backup job that uses BitLocker encryption.

Pre-requisites

You must be using Windows Server for the BitLocker feature to appear.
BitLocker must be installed, as explained in the previous section.
Your backup destination must be an External drive or RDX drive.
File Archiving also supports Flash drive destinations.
A USB flash drive is required to store the encryption key.

A System Protection backup job implements BitLocker using 3 of the Backup job's set up steps.

Destination Media

This step is where you select Enable BitLocker encryption.

The Enable BitLocker encryption option will:

Appear if you are running BackupAssist on a Windows Server
Be selectable when you select a supported removable drive as a backup destination.
Be greyed-out if BitLocker is not installed.

Set up destination

The following two fields are used to provide BitLocker configuration information.

BitLocker encryption key location: this is used to identify the USB flash drive that the BitLocker encryption key is saved to. You can use the Detect option to identify the drive, or use the drop down list to select the Drive letter that has been allocated to the USB flash drive.
Password for encrypted backup drive: this field is where you enter the password that can be used to manually unlock any drive that was encrypted by this backup job.
Selecting Safely eject the hard drive after the backup has been completed, is a good way to lock the drive after the backup has been completed.

Prepare media

This step is used to prepare each of the drives that the backup job will use. By default, it will display drives based on the backup schedule. When you select the Prepare button next to each drive, that drive will be labeled by BackupAssist and selected for BitLocker encryption.

The encryption process will not start until the backup job has been created.
It is recommended that you prepare all of your drives so that they can be encrypted.
If the required drive is not encrypted when the backup job runs, the backup job will fail.

Next Steps

This is the final screen in the backup job creation process, and comes after you have named the backup job. If you have selected BitLocker Encryption, there will be a tick box for - Launch BitLocker encryption tool.

When you select Finish, the backup job will be created and the BitLocker encryption tool will automatically start and begin encrypting the drives that you Prepared in the Prepare media step.

When you select Finish, the backup job will be created and the BitLocker encryption tool will open.

When you select the start icon next to a drive that you prepared, and the encryption process will begin.

If you deselect this box, the drives will not be encrypted.
If the backup job runs and its drive has not been encrypted, the backup job will fail.

During the encryption process, the drive’s encryption key is saved to the USB flash drive and the password is assigned to the drive. The key will be saved as a hidden system file.

If you want to prepare more drives after the encryption process has finished, you can as follows:

Select the Backup tab's Manage menu.
Select the backup job and select Edit from the lower menu.
Select Prepare media from the job menu.
Select Prepare for each drive that you want to encrypt.
Select the BitLocker encryption tool using the link inside the window.

The BitLocker Encryption tool will open and begin the encryption process.

The BitLocker encryption tool

The BitLocker encryption tool can run in the background after BackupAssist has been closed. The encryption process will tell you how much has been encrypted and how long the process will take.

You can encrypt more than one drive at a time, reducing the total time required to encrypt your set of prepared drives.

The encryption tool has 4 action buttons:

Refresh and display any new drives that have been attached
Start an encryption process that has been paused
Pause the encryption process.
Eject the removable drive. You cannot eject a drive that is being encrypted.

If you do not resume a paused encryption, the drive will be partially encrypted. A partially encrypted drive can still be accessed in Windows but it cannot be used as a backup destination for a BitLocker job. To decrypt the encrypted part of the drive, open BitLocker from the Windows Control Panel, select the drive and click Turn off BitLocker.

If you have previously encrypted a drive using the Windows BitLocker UI, you must unlock the drive before preparing (encrypting) the drive using BackupAssist.

How to restore & recover from an encrypted drive

When you perform a restore, you CAN use the password to unlock an encrypted drive. This will allow you to access the data as long as the password is the one that was assigned when the drive was encrypted. You will be prompted for the password when the restore job tries to access the backup.

For example, if you are using the BackupAssist Restore Console, you will be prompted to enter the password when you select Restore at the very last step.

When you perform a restore, you CAN use the encryption key to unlock an encrypted drive, by connecting the USB flash drive to the server running BackupAssist. BackupAssist will use the key to unlock the drive that you are restoring from. You will not be prompted to do anything other than the normal restore steps.

When you perform a recovery, you MUST use the password to access an encrypted drive. The RecoverAssist media will boot the system and ask for the location of the image backup that you want to recover from. When you select the encrypted drive, you will be prompted to enter the password.

WARNING: BackupAssist cannot retrieve the password if it is lost or forgotten.

Drive encryption duration

BitLocker encrypts the drive that the backup resides on at the sector level. This means you only need to encrypt the drive once, but because all the encryption takes place up front, it can take a long time.

Microsoft estimates that BitLocker encryption can take 1 minute per 500mb, so you should plan when to perform the encryption based on the information below.

How long the encryption process takes depends on:

The size of the drive
The performance of the drive and the server
The operating system you are using
How much data is on the drive (for Windows 2012)

If you are using Windows 8 or Windows Server 2012 and later, BitLocker will only encrypt the used space. It does not encrypt unused disk space or disk space containing deleted files. This makes the process very fast when there is not much data on the drive.

Encryption examples

The below table provides examples for how long the encryption process could take in different scenarios, using sensible estimates.

Windows Server 2008

Disk Size	Duration
500 GB drive	17 hours
1 TB drive	33 hours
2 Tb drive	67 hours

Windows Server 2012

Disk Size	Duration
New disk	1-5 minutes
1 TB / 300 GB used	10 hours
2 TB / 1.5 TB used	50 hours

To learn more, see the Microsoft BitLocker FAQ.