Cloning Encrypted (BitLocker) Hard Drive
Up to now I have been cloning my hard drive with the various versions of Acronis TI (now version 2013) without any issues. Unfortunately, I now need to clone my BitLocker encrypted drive. It appears from searching the forums that TI does not support this. Does anyone know if it will and if so when? Otherwise I have found another program Casper Secure Backup (http://www.fssdev.com/products/caspersecure/) that does clone an encrypted hard drive. I am now using the 30 day trial version and it works well, but I really don't want to buy it for $90 when TI has been working well for me for so long. Does anyone know of a solution with TI 2013 that I am missing? I really need to be able to clone the hard drive since it allows quick drive switch-out so I can be up and running in a matter of minutes not hours or even a day. Unfortunately, drive encryption is not an option - the data has to be protected.



I am interested in the same feature.
Pat, speaking for both myself and David, the 1st solution that you proposed is not ideal from a security perspective. The resulting image file will have unencrypted data within it and anyone that gets hold of that image will have access to this data.
Of course, anyone who creates such an image could encrypt the resulting image file himself afterwards with some other tool (e.g. TrueCrypt), but this is very tedious. Also, such an encrypted image cannot be used as a basis for any incremental backups as it is post-encrypted after creating the ATI image and ATI will not be able to process such an encrypted image file.
The 2nd solution that you proposed - sector by sector - may be more promising. I haven't done such a backup yet, but I am presuming it doesn't need to get ANY data/tables from the partition - as everything is encrypted. I am not an expert on BitLocker or hard drive structures, but I am presuming BitLocker encrypts all the "structural" information on the drive as well.
Either way, this feature needs to be introduced to ATI soon, since it is not ideal to have to do different types of backups for different partitions. For example, I tried to do a full system backup yesterday, and ATI complained that it couldn't access my BitLocker drive, which was encrypted at the time. I unencrypted it for the purposes of the backup since I didn't have anything substantially important in that drive. ATI should not force users to make separate backups for the regular partitions (regular backup) and BitLocker partitions (sector-by-sector). It should figure this out itself automatically and create a single backup file without the user having to provide any sort of instructions. Although, if it sees that a partition is a BitLocker partition and it is unencrypted at the time of the backup, it would be nice if ATI warns the user that the BitLocker should be re-locked for the purposes of the backup. I hope someone from Acronis is reading this.
Thanks.

I agree with Pasan's comments about an unencrypted image. I also don't think the recovery CD idea will work either since when I boot my computer it boots into the TPM and I have to enter a PIN as an unlock key. This mode is supposed to provide boot protection - so I don't think it will work.
What I can also add to this is that many companies (mine included) are requiring data encryption of their employees' laptops to prevent data loss, theft, and leaks. This is now the condition for my laptop which uses the hardware TPM with BitLocker. My company does not provide backup services and I am left to back up the data on my own. (It is ironic that they go to lengths to protect the data but don't worry about backing up the data - but that is a discussion for another time). So I hope Acronis won't tell me the answer is to use their industrial grade product. I cannot afford that - remember I am doing this on my own.
I too hope Acronis can see the handwriting on the wall and figure out a solution. I find it hard to believe that my company is the only one doing this. And my company is not a small business - it is big in supplying transportation products.

Note that you can encrypt the image that you would do from Windows, so it is protected as an encrypted TIB file. Therefore there are no security issues. Just use the archive encryption of Acronis.
It is when you restore it that the restored disk becomes not encrypted.
For, I guess, understandable reasons, Microsoft doesn't provide third party integration to the BitLocker encryption system, although it lets partners and customers review the code (per Wikipedia).
I don't know of any backup software, aside from Microsoft Backup, that can integrate with the BitLocker security system. Your best option is to back up the content in Windows when it is logically decrypted and encrypt the archive.

Hello Everyone,
Thank you for your posts and your detailed explanation Pat.
Just in case, here is an article that explains how our software works with encryption software.
I have forwarded your feedback to our Development team via Acronis Customer Listening system. We really appreciate your time taken to share your feedback with us.
Please let us know if there is anything else we can do for you.
Thank you.

Hello all,
Thank you for your reports.
David,
Could you please confirm that you are speaking about the Clone option, not about the Backup feature? You can back up an encrypted partition from within Windows.
Pasan,
Either way, this feature needs to be introduced to ATI soon, since it is not ideal to have to do different types of backups for different partitions. For example, I tried to do a full system backup yesterday, and ATI complained that it couldn't access my BitLocker drive, which was encrypted at the time. I unencrypted it for the purposes of the backup since I didn't have anything substantially important in that drive. ATI should not force users to make separate backups for the regular partitions (regular backup) and BitLocker partitions (sector-by-sector). It should figure this out itself automatically and create a single backup file without the user having to provide any sort of instructions. Although, if it sees that a partition is a BitLocker partition and it is unencrypted at the time of the backup, it would be nice if ATI warns the user that the BitLocker should be re-locked for the purposes of the backup.
We will check what we can do in this case and will update the thread.
Thank you.
PS
Pat,
Thanks a lot for your help.


Hi, I'm having the same issue. I would like to clone (not backup) my Windows 10 disk. I have been using Acronis (True Image Cloud build 6581) to do this for a long time but now I get the error message "Unable to continue operation that requires a reboot, because a volume encrypted with BitLocker has been detected. Please use Acronis bootable media". But I tried Acronis bootable media and that does not work either. Is clone disk possible with a disk encrypted with BitLocker?
Dave

David, you cannot do a clone of an encrypted disk drive simply because all clones have to be performed outside of Windows and using Acronis Rescue Media. The rescue media had no knowledge or ability to work with encrypted drives.
See KB document: 56619: Acronis True Image: Compatibility with BitLocker for more information.


Just curious.... Anyone know why after all these years of people asking for it, Acronis still hasn't come up with a complete solution to the issue of working with encrypted drives? Is it a licensing issue that they don't want to pay for or something simple like that?
With encrypted drives not really being an option any more (not for a while) it's becoming a non-option to recommend or use them. And it would really be great to use their new continuous cloning option if it would work with encrypted drives.

FWIW it's 2019.02.24 and while in Windows 10 Pro I launched Acronis v2018 (latest updated build on 2019.02.23) clone drive tool to clone my ADATA 500GB M.2 SSD internal in my laptop to a blank SAMSUNG EVO 1TB M.2 SSD that I installed in an external USB 3.0 M.2 enclosure.
After the cloning to the new blank M.2 SSD was completed I shut down my laptop, removed the original ADATA 500GB M.2 SSD and installed the SAMSUNG EVO 1TB M.2 SSD in the laptop, turned it on and everything booted up just fine and as far as I can tell the SAMSUNG EVO 1TB M.2 SSD is protected by the original cloned BitLocker key, etc.
I used Acronis to clone because the Samsung drive migration tool failed multiple times and Acronis 2018 did the cloning in less than 30 minutes which I thought was fairly fast for a usb3.0 cloning method.
BTW: I'm not sure when this KB https://kb.acronis.com/content/1734 was written (why don't people date their KBs?) but it must be old as it says the KB applies to:
Acronis Backup 12.5, Acronis Backup 12, Acronis Backup 11.7, Acronis Backup 11.5
and they say cloning doesn't work with Acronis on drives with BitLocker but mine with Acronis clone tool v2018 seems to have worked just fine.
They go on to say that for Acronis backups on bitlocked drives it's best to back up using Acronis in Windows and not from a boot media.
Hope my experience and information on this helps people. Cheers! :) Bruce.

Thanks! I'll check it out.
I've always booted from my Recovery USB when creating a Clone, just thought it might eliminate potential hiccups. But even though the KB says you cannot Clone an encrypted drive, I'll give it a try through Windows.

Bruce, the key point in your post above is the following:
FWIW it's 2019.02.24 and while in Windows 10 Pro I launched Acronis v2018 (latest updated build on 2019.02.23) clone drive tool to clone my ADATA 500GB M.2 SSD internal in my laptop to a blank SAMSUNG EVO 1TB M.2 SSD that I installed in an external USB 3.0 M.2 enclosure.
After the cloning to the new blank M.2 SSD was completed I shut down my laptop, removed the original ADATA 500GB M.2 SSD and installed the SAMSUNG EVO 1TB M.2 SSD in the laptop, turned it on and everything booted up just fine and as far as I can tell the SAMSUNG EVO 1TB M.2 SSD is protected by the original cloned BitLocker key, etc.
Your clone was performed using the Acronis Active Clone feature, which in turn uses the Microsoft VSS snapshot service to capture the data on the source drive.
Because Active Clone was used, BitLocker encryption was unlocked on the source drive, so was not an issue in the process.
If you attempted the clone process using the Acronis Rescue Media then the KB document still fully applies as the media has no support for any form of encryption being used.

Thanks very much Steve for explaining that helpful info! I did notice that on the new drive after I booted up the laptop BitLocker was off and I had to turn on BitLocker and run it again to protect my new drive so THAT is important to know to run BitLocker again after cloning! Bruce

Bruce, yes, you are correct that the target drive for the clone would show as unencrypted because BitLocker was unlocked in Windows and thus the new drive will also be unlocked. The same applies to Acronis backups made from Windows that these too are unlocked (in terms of BitLocker) and therefore you should use the Advanced Options to set Password encryption for the backup image, or else store the backup on an encrypted drive (but which is unlocked to allow ATI to use it!).

Thanks Steve very much for the excellent information! I'll follow your advice! :) Cheers!

So basically after a quick test and reading the posts today.... Acronis is still MAJORLY flawed or has a MAJOR BUG, pick your preferred position.....
I'll go back to my original comment.... In this day and age there is NO reason that Acronis should promote (or maybe even offer) its Clone option if it cannot deal with encryption. Bitlocker or some other viable alternative. To think it's acceptable to make a NON encrypted clone of an ENCRYPTED drive might be considered criminal by a lot of legal types.
They have to get on board and work out a licensing agreement with Bitlocker or someone, OR, create a viable encryption protocol that the experts will accept so that cloned drives will be an actual CLONE. Right now they are making a bootable file copy of your drive that anyone that grabs it (when they grab your bag or actually break into your home) can just plug into any computer and start perusing through your files.
It has been pointed out that you can MANUALLY go in and turn on the Bitlocker encryption... So why doesn't Acronis do this as part of the Clone process???
Sorry to vent, but again, Acronis has claimed to be a premier backup solution for years.... But encryption has been a requirement for a LOT of individuals and organizations for years. But they've done nothing to address this.

PeteMC wrote:
Right now they are making a bootable file copy of your drive that anyone that grabs it (when they grab your bag or actually break into your home) can just plug into any computer and start perusing through your files.
PeteMC, I would suggest that you look around and see if you can find any other clone product that can do what you want. Acronis is not responsible for your home security arrangements and protection of assets - that is the home owner's bag to carry.
The only other method of cloning that can potentially handle encrypted drives would be a hardware disk duplicator, i.e. a dual dock cloning station where a physical bit by bit copy is made and where the drive sizes need to be identical or the target larger than the source.

There are other programs that offer a Sector by Sector cloning option. I haven't tested to see if they properly handle Bitlocker encrypted drives. I'll leave that up to you. Here's some I found:
1. Macrium Reflect
2. AOMEI Backupper
3. AOMEI Partition Assistant
4. EaseUS ToDo Backup
Acronis does not offer the Sector by Sector option for cloning. They do offer that option for Backup and Restore. You may want to test that route instead of using cloning.

It would be fantastic if Acronis or other clone software could make a clone copy with the BitLocker and key intact but I'm not technically experienced enough in that arena to know how difficult that would be to program and / or if doing so would introduce problems and cloning failures, etc. I do know the following:
1. Acronis v2018 (for me) was able to make a working bootable clone of my 512GB bitlocked drive whereas Samsung drive migration failed every time for unknown reasons.
2. After I installed the new cloned drive in my laptop and booted to Windows 10 Pro I immediately ran Manage BitLocker to check the BitLocker status and noticed it was turned off and so I turned it back on, ran BitLocker again and saved my BitLocker unlock key in an offline external thumb drive to be placed in a safety deposit box.
3. I'd recommend anyone using any cloning software to clone an encrypted drive to verify, immediately after cloning their drive, that the newly cloned drive's encryption is still on and working and if not do the encryption again.
Thanks to everyone who replied with helpful advice on this important topic! Cheers :)
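A check for the step described in the post above (confirm BitLocker on the cloned drive and turn it back on if it is off), as an added example that is not part of any post in this thread. It uses the built-in `Get-BitLockerVolume` cmdlet from an elevated PowerShell session; the function name `Get-BitLockerCloneAudit` and its pass/fail rules are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): after a clone or restore performed from
# inside Windows, report every volume that BitLocker is not actually protecting.

function Get-BitLockerCloneAudit {
    [CmdletBinding()]
    param(
        # Optional drive letters to check, e.g. 'C:'; default is every volume.
        [string[]]$MountPoint
    )

    if ($MountPoint) {
        $volumes = Get-BitLockerVolume -MountPoint $MountPoint
    } else {
        $volumes = Get-BitLockerVolume
    }

    foreach ($vol in $volumes) {
        # Names of the key protectors present (Tpm, TpmPin, RecoveryPassword, ...).
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        $findings = @()
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            # A clone written while the source was unlocked lands here.
            $findings += "not fully encrypted ($($vol.VolumeStatus), $($vol.EncryptionPercentage)%)"
        }
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += 'protection is not on'
        }
        if ($types -notcontains 'RecoveryPassword') {
            # Assumption of this example: a recovery password should exist so it
            # can be stored offline, as the post above does with its unlock key.
            $findings += 'no recovery password protector'
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Protectors = $types -join ', '
            Compliant  = ($findings.Count -eq 0)
            Findings   = $findings -join '; '
        }
    }
}

# Show only the volumes that still need BitLocker turned on or completed.
Get-BitLockerCloneAudit |
    Where-Object { -not $_.Compliant } |
    Format-Table MountPoint, VolumeType, Protectors, Findings -AutoSize -Wrap
```

An empty table means every volume is fully encrypted with protection on; any row listed is a volume to re-encrypt from Manage BitLocker before the drive leaves the machine.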

Bruce, thanks again for your comments and observations which will be helpful to other users.
One of the core issues with attempting to back up or clone an encrypted drive is that it is impossible to tell what type of drive formatting has been used nor what combinations of characters might be encountered when reading the drive content.
An encrypted drive may show as if it is not formatted at all, or the encrypted data read from the drive may suggest an incorrect partitioning or formatting scheme.
Doing a backup or clone of a non-encrypted or unlocked encrypted drive is going to be safer, more reliable and quicker than trying to do this where the drive is fully encrypted.

All your points are valid. But that's why I've said for years that Acronis needs to partner with someone so that they can create a valid encrypted clone without issues.
Pick one (maybe 2) leaders and go with them. Most people will not have a problem of using the encryption Acronis would be recommending if they are a valid choice.

Pete, I understand your points but you need to make them to Acronis directly by using the Feedback tool in the ATI GUI. I (and all the MVPs) are just users like yourself who volunteer their time helping in these forums.

Been there, done that....
Even called when TI2019 came out to see if they had added the functionality yet

My two cents... encryption is there to protect the data - period. If applications could easily read the content of data on an encrypted disk and easily replicate that data elsewhere to another, well, then what's the point of encryption in the first place? If nothing else, that application has the potential to become a vector for circumventing the encryption process and no company wants to be responsible for a data breach as a result. Plus, if it was that easy, then why bother with encryption at all then?
When you get down to the sector-by-sector level, technically it is possible to clone or at least backup and recover with encryption enabled AND ACTIVE, because it's not reading the data, but just applying the same 1 or 0 at each sector across the entire disk to the other disk. However, in practice, it sometimes works and sometimes not - even with the physical disk duplicators.
Could Acronis offer to do a sector by sector clone with rescue media - probably. As Mustang points out, some other competitors do offer this already, but that will be up to those who need/want this to test out for now since it's not offered in Acronis at present. Do many people want this or need this, probably not (just my guess). Home users tend to like compression and space saving features and like that we can back up just the used data to save time. Do some people want the option to clone an encrypted disk sector-by-sector, yes, I'd say probably so. The question is whether or not it's popular enough or cost-effective enough to add in. Personally, for $35, I'd use the hardware clone method like Steve recommended if this was something I needed in my environment on a regular basis and that's exactly why I bought one a few years ago. It works (worked anyway, haven't done it in quite some time) pretty well, but did not result in a fully bootable OS 100% of the time - usually, but not always.
As for the comment about legality of cloning an encrypted drive in an unencrypted state... that's not what's happening. The second you boot into the Windows OS, the BitLocker key is provided via TPM or password and that data is no longer encrypted... you can't argue this, that disk is now ALREADY in an UN-encrypted state. Anyone with physical access (or remote via a file share or something like that) to that machine could now get that data off of it. As such, when a clone is run from within the live Operating System (which again is now unencrypted) via a third party tool (be that Acronis or a competitor), you are cloning unencrypted data to unencrypted data. That means, if that is the OS disk, the data being cloned will be unencrypted and will require that it be encrypted again.
Want to test this? Then just copy and paste some data from your "encrypted" drive to an external USB and plug that into another PC. I bet you can see that data just fine. :)