
Using BitLocker with TeraByte's Imaging Programs

Introduction

BitLocker disk encryption is built into many current versions of Windows, which generally makes using it to protect your data a simple matter of enabling it for the desired partitions. However, using disk encryption can present many challenges when it comes to reliably imaging and restoring those encrypted partitions. This article provides details on using the TeraByte imaging programs to back up and restore BitLocker partitions. Utilizing this information will help you avoid potential problems and determine the best backup configuration for your BitLocker encrypted system.

Basic knowledge of how to use BitLocker is assumed.

Versions used in Testing

Partitions encrypted with BitLocker in the following versions of Windows were used in testing:

  • Windows 10 Pro (including the new XTS-AES mode released with version 1511)
  • Windows 8.1 Pro
  • Windows 7 Ultimate

The following TeraByte imaging program versions were used in testing:

  • Image for Windows 3.07
  • Image for Linux 3.07

Note: Using the current versions of the TeraByte imaging programs is recommended.

Installing Image for Windows

Image for Windows can be installed before or after BitLocker encryption has been enabled. Note that it is not necessary to install Image for Windows if you will only be using Image for DOS, Image for Linux, or Image for Windows from WinRE (e.g. TBWinRE). Even in this case, though, having Image for Windows installed can be advantageous when working with images.

It is strongly recommended to create the TBWinRE boot media as it offers the best support and flexibility in restoring BitLocker partitions outside of Windows.

Backing Up BitLocker Partitions

For the most part, backing up BitLocker partitions is the same as normal partitions. There are a few important differences, however. The recommended methods are detailed below.

For the purpose of this article two types of backups will be defined for easy reference:

Type A Backup

  • Partition being backed up is an unlocked BitLocker partition.
  • Backup is created in Windows using VSS or using the Image for Windows Read from Volume option from either Windows or TBWinRE.
  • Partition data is backed up in the decrypted state.
  • Backup image size is the same as if BitLocker wasn't used.
  • Backup image can be used normally with TBIView and TBIMount (partition data is accessible).

Type B Backup

  • Partition being backed up is a BitLocker partition (locked or unlocked).
  • Backup is created in Windows using PHYLock or using a normal lock in TBWinRE.
  • Partition data is backed up in the encrypted state.
  • Backup image will generally be the size of the partition since it's backed up in its entirety and won't compress.
  • Backup image cannot be used with TBIView or TBIMount (partition data is not accessible).

Creating a Backup in Windows

Using VSS for the backup will create a normal image that contains decrypted data (a Type A backup). Using PHYLock for the backup will create a backup of the partition in the encrypted state (a Type B backup). Unless there is a specific need to back up the partition as encrypted data, using VSS is recommended. If necessary for security, the image can be encrypted by Image for Windows or you could save it to an encrypted partition.

Assuming VSS works properly on the system, the option to use it just needs to be enabled in Image for Windows settings. Then, make sure the partition has been unlocked (if backing up the Windows partition it would already be unlocked) and create the backup normally.

If VSS fails, Image for Windows will revert to using PHYLock, which will result in a Type B backup. This will also happen when backing up unlocked FAT/FAT32 BitLocker partitions. To work around this issue you can disable PHYLock in Image for Windows settings and use the Read from Volume option when creating the backup.

Creating a Backup in TBWinRE

VSS is not available in TBWinRE. Instead, you need to use the Image for Windows Read from Volume option to allow creating a Type A backup. Backing up without this option will result in a Type B backup.

After booting to TBWinRE you would unlock the BitLocker partition you plan to back up (examples are shown below). In Image for Windows, proceed through the backup wizard until you get to the Backup Options page. Enable the Read from Volume option. Configure any other options you need and start the backup.

If you need to create a Type B backup, you would leave the partition locked and not use the Read from Volume option (it's only valid when the partition is unlocked).

To unlock a BitLocker partition you would open a Command Prompt window (this can be done directly from TBLauncher) and use the manage-bde utility. Examples of unlocking a partition using a password, recovery password, and recovery key are shown below (run manage-bde -unlock /? for more usage details).

manage-bde -unlock c: -pw
   (will be prompted for password)

manage-bde -unlock c: -rp XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX
   (where XXXXXX-XXXXXX... is the recovery password)

manage-bde -unlock c: -rk e:\keys\win10.bek
   (specify the appropriate .BEK file)

Things to keep in mind when Creating a Backup

  • You can suspend BitLocker on the Windows partition before booting to the TBWinRE boot media to avoid having to unlock it manually.

  • Image for Windows tags most partitions with BitLocker encryption in its listings, but the labels for those partitions will likely be generic and not the actual labels. FAT/FAT32 BitLocker partitions will not be tagged as BitLocker partitions in Image for Windows listings.

  • It is recommended to leave the partition locked when creating a Type B backup (backing up in the encrypted state).

Restoring BitLocker Partitions

When restoring BitLocker partitions it's usually desirable to not have to re-encrypt the partition afterwards. This can be accomplished with normal NTFS BitLocker partitions provided you are restoring a Type A backup of a single partition. (This method is not supported with other partition formats, such as FAT/FAT32.)

To do this, unlock the destination partition and restore the Type A backup image to it. Do not use byte-for-byte validation, resizing, or other options that would change partition characteristics. With the exception of restoring the Windows partition (which should be done from TBWinRE), the restore can be done from either Windows or TBWinRE.

Note: A Type A backup image does not have to be restored to an unlocked BitLocker partition. In that case, it would restore as a normal unencrypted partition.

When restoring Type B backup images to an existing BitLocker partition you would want the partition locked. The partition can also be deleted before the restore, if necessary (either manually or by using the Image for Windows Delete Restore Destination option).

Things to keep in mind when Restoring

  • You can suspend BitLocker on the Windows partition before booting to the TBWinRE boot media to avoid having to unlock it manually.

  • Both Type A and Type B backup images can be restored to an alternate location or disk. For Type B images, if restoring a Windows partition this will break booting and require repairs (which may require decrypting the partition to implement).

  • Resizing or scaling BitLocker partitions is not supported. Other options that would change the partition would also not work, such as changing the volume label.

  • When restoring a Type A backup image to an unlocked BitLocker partition (to restore in the encrypted state), using Validate Byte-for-Byte is not supported and will fail.

  • When restoring a Type A backup image to an unlocked BitLocker partition, the image being restored should be an image of that BitLocker partition. Restoring a different image to an unlocked BitLocker partition will not work properly.

  • Restoring an entire disk Type A backup image (e.g. a backup of the Windows disk taken using VSS) will result in the restored partition not being encrypted even if the encrypted destination partition was unlocked. You would need to enable BitLocker on the partition to encrypt it.

  • Restoring a Type A backup image (e.g. a backup of a data partition taken using VSS) to a new location (or its existing location, if locked) will result in the restored partition not being encrypted. You would need to enable BitLocker on the partition to encrypt it.

  • Restoring a Type A backup image (e.g. a backup of a partition taken using VSS) to an unlocked encrypted partition (to restore in the encrypted state), will result in the restored partition not being encrypted if the Image for Windows Delete Restore Destination option is used. You would need to enable BitLocker on the partition to encrypt it.

  • Booting to the installed WinRE to perform restores of the Windows partition or disk is more likely to cause issues with Image for Windows obtaining a lock on the partition(s) or writing to blocked sectors. This may require clicking Ignore on the error message to invalidate handles and force a dismount. It may also require deleting the destination partition(s) before restoring to avoid write errors (use the Delete Restore Destination option in Settings). It is recommended to boot to the TBWinRE boot media to perform these types of restores.

  • Restoring a domain controller using Active Directory to an encrypted state (Type A backup to an unlocked partition or a Type B backup) will not notify directory services that it has been restored, which can cause problems with Active Directory. These types of systems should be restored unencrypted and then re-encrypted after the restore.

Mounting and Viewing (TBIMount / TBIView)

Images of encrypted partitions (Type B backups) cannot be opened with TBIView. They can be mounted with TBIMount, but cannot be browsed as there is no detectable file system. Windows will assign a drive letter, but reports an error if it is accessed (The volume does not contain a recognized file system…). It is not possible to mount the image with TBIMount and then unlock it using BitLocker, as it is not seen as a valid BitLocker volume.

Images of an unlocked BitLocker partition taken using VSS (or the Read from Volume option in TBWinRE) can be mounted (TBIMount) or viewed (TBIView) normally since the backup image contains the decrypted data (Type A backups).

Accessing BitLocker Partitions from Image for Linux

Image for Linux (both CUI and GUI versions) includes the dislocker utility, which allows mounting of BitLocker partitions. For example, you could mount the BitLocker partition containing the backup image you need to restore. Backing up the mounted BitLocker partition is not supported.

Note: While writing to the mounted BitLocker partition is possible (when not mounted read-only), it is not recommended to save images to it as the partition and/or image may be corrupted in the process. If writing is required you should use Image for Windows from either Windows or TBWinRE.

The basic steps for mounting a BitLocker partition are outlined below. Using the current version of Image for Linux is recommended to provide the best support.

Using dislocker to Mount a BitLocker Partition

  1. Open a Terminal or exit to the command prompt.

  2. Create two mount points for the BitLocker partition:
    mkdir /mnt/bitlocker /mnt/mount

  3. Run fdisk to list the disks and partitions:
    fdisk -l

  4. Find the BitLocker partition in the output. /dev/sdb4 will be used here.

  5. Run dislocker to mount the partition. For dislocker usage and more options you can run dislocker without any parameters.

    To mount using a password:
    dislocker -r -V /dev/sdb4 -uPASSWORD -- /mnt/bitlocker
       (where PASSWORD is the password)

    To mount using a password (with prompt):
    dislocker -r -V /dev/sdb4 -u -- /mnt/bitlocker
       (will be prompted to enter the password)

    To mount using a recovery password:
    dislocker -r -V /dev/sdb4 -pXXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX -- /mnt/bitlocker
       (where XXXXXX-XXXXXX... is the recovery password)

    To mount using a recovery password (with prompt):
    dislocker -r -V /dev/sdb4 -p -- /mnt/bitlocker
       (will be prompted to enter the recovery password)

    To mount using a recovery key:
    dislocker -r -V /dev/sdb4 -f /tbu/mnt1/keys/myrecoverykey.bek -- /mnt/bitlocker
       (you will likely need to mount a partition to access the .BEK file)

    The above examples mount the partition as read-only. To mount with write access omit the -r parameter. For example, when using a password:
    dislocker -V /dev/sdb4 -uPASSWORD -- /mnt/bitlocker

  6. Next, mount the dislocker file to the second mount point (read-only):
    mount -r -o loop /mnt/bitlocker/dislocker-file /mnt/mount

    To mount with write access:
    mount -o loop /mnt/bitlocker/dislocker-file /mnt/mount

  7. The BitLocker partition is now available in the Linux file system at /mnt/mount.

Unmount the BitLocker Partition

Note: It is highly recommended to unmount the BitLocker partition before restarting or shutting down the system.

  1. Open a Terminal or exit to the command prompt.

  2. Unmount the dislocker file:
    umount /mnt/mount

  3. Unmount the BitLocker partition:
    umount /mnt/bitlocker
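The following POSIX shell helper is an added example, not code from TeraByte or from the dislocker project. It wraps steps 2 through 7 above and the unmount steps in two functions, bl_mount and bl_unmount, so the loop mount is always torn down before the dislocker mount and nothing is left mounted at reboot. It also shows two checks a practitioner would want before calling dislocker: a look at the 8-byte signature field at offset 3 of the volume's first sector ("-FVE-FS-" on NTFS-based BitLocker volumes; FAT/FAT32 BitLocker To Go volumes keep an ordinary FAT boot sector with "MSWIN4.1" there, which is why a signature check alone cannot tag them as BitLocker, matching the note above about Image for Windows listings), and a format check on 48-digit recovery passwords (each of the eight six-digit blocks is a multiple of 11 and below 720896), which catches a typed-in error before the unlock attempt. Assumptions: it is run as root from the Image for Linux shell, dislocker and mount are on PATH, the mount points are /mnt/bitlocker and /mnt/mount as in the article, and /dev/sdb4, the sample .BEK path and the sample recovery password in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example wrapper around the dislocker mount/unmount procedure.
# Not part of Image for Linux or dislocker. Assumes root, dislocker and
# mount on PATH, and the mount points used in the article.

BL_DIR=/mnt/bitlocker   # where dislocker exposes dislocker-file
FS_DIR=/mnt/mount       # where the decrypted file system is loop-mounted

# Read the 8-byte signature/OEM field at offset 3 of a volume's first sector.
# Works on block devices (/dev/sdb4) and on raw image files alike.
volume_signature() {
    dd if="$1" bs=1 skip=3 count=8 2>/dev/null
}

# NTFS-based BitLocker volumes carry "-FVE-FS-"; FAT/FAT32 BitLocker To Go
# volumes keep a plain FAT boot sector, so they cannot be told apart from an
# unencrypted FAT volume by this field alone.
classify_volume() {
    case "$(volume_signature "$1")" in
        '-FVE-FS-') echo bitlocker ;;
        'MSWIN4.1') echo fat-or-bitlocker-to-go ;;
        'NTFS    ') echo ntfs ;;
        *)          echo unknown ;;
    esac
}

# Format check for a recovery password (8 blocks of 6 digits, each block a
# multiple of 11 and below 720896). This only catches typos; it does not
# prove the password belongs to the volume.
valid_recovery_password() {
    blocks=0
    old_ifs=$IFS
    IFS='-'
    for block in $1; do
        case "$block" in
            [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
        v=${block#"${block%%[!0]*}"}   # strip leading zeros (avoids octal)
        v=${v:-0}
        if [ $((v % 11)) -ne 0 ] || [ "$v" -ge 720896 ]; then
            IFS=$old_ifs; return 1
        fi
        blocks=$((blocks + 1))
    done
    IFS=$old_ifs
    [ "$blocks" -eq 8 ]
}

# One dislocker credential option, matching the article's examples:
#   pw  -> -u<password>          (empty value: dislocker prompts)
#   rp  -> -p<recovery password> (empty value: dislocker prompts)
#   bek -> -f<path to .BEK file> (a path is required)
credential_option() {
    case "$1" in
        pw)  printf '%s%s\n' -u "$2" ;;
        rp)  printf '%s%s\n' -p "$2" ;;
        bek) [ -n "$2" ] || return 1; printf '%s%s\n' -f "$2" ;;
        *)   return 1 ;;
    esac
}

# bl_mount DEVICE KIND [VALUE] [rw]
#   bl_mount /dev/sdb4 pw                      # prompt for password, read-only
#   bl_mount /dev/sdb4 rp 000011-000022-... rw # recovery password, writable
#   bl_mount /dev/sdb4 bek /tbu/mnt1/keys/myrecoverykey.bek
bl_mount() {
    dev=$1; kind=$2; value=${3:-}; mode=${4:-ro}
    echo "volume signature check: $(classify_volume "$dev")"
    if [ "$kind" = rp ] && [ -n "$value" ] && ! valid_recovery_password "$value"; then
        echo "recovery password fails the format check" >&2
        return 1
    fi
    cred=$(credential_option "$kind" "$value") || { echo "bad credential kind/value" >&2; return 1; }
    mkdir -p "$BL_DIR" "$FS_DIR"
    if [ "$mode" = rw ]; then
        dislocker -V "$dev" "$cred" -- "$BL_DIR" || return 1
        mount -o loop "$BL_DIR/dislocker-file" "$FS_DIR" || { umount "$BL_DIR"; return 1; }
    else
        dislocker -r -V "$dev" "$cred" -- "$BL_DIR" || return 1
        mount -r -o loop "$BL_DIR/dislocker-file" "$FS_DIR" || { umount "$BL_DIR"; return 1; }
    fi
}

# Unmount in reverse order (loop mount first, then dislocker) before rebooting.
bl_unmount() {
    umount "$FS_DIR" && umount "$BL_DIR"
}
```

Load it with `. ./bl-mount.sh` in the Image for Linux shell and call bl_mount and bl_unmount as shown in the comments; the signature line it prints is informational only, since dislocker itself decides whether the volume is one it can open.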
