
Backup of BitLocker and VeraCrypt encrypted partitions

Thread solved

Hello.

I would like to be able to use the Cyber Protect / True Image Boot PE to back up my BitLocker or VeraCrypt partitions.

This is currently not possible in True Image 2021 and also probably not in Cyber Protect boot USB drive.
This would require that you would add the Microsoft Bitlocker libraries and also the VeraCrypt libraries in the boot USB image that we use to boot the Acronis software.

As for the implementation, as soon as the drive to backup or to restore the data to, has a BitLocker encryption, it would ask for the 8x6 (48) characters of the BitLocker private key. Once entered properly, the disk would be accessible and operations could be performed properly. You should also leave the option to read the BitLocker public key from an external USB drive, from the default text file generated by BitLocker to save the private key, this way it would make it very easy to decrypt the drive.

The same should be done for the VeraCrypt encrypted partitions, you can get the Open Source libraries from their website.

For VeraCrypt it is even more convenient because it is not a private key but a simple password that you have to enter, which is quickly typed, and will give full access to the drive to be able to back it up. There would be no password backup solution for this, only keyboard password for the input.

Of course, the same should be done for the restore process, where we would enter the private key or password of the partition that we created before, exactly the same way, and then the drive is fully and normally accessible for the Acronis software to do the restore process. We must be able to choose if we want to restore the backup to an existing encrypted partition, which would be wiped from its data before, or if we just want to create a new unencrypted partition, that we can encrypt with BitLocker or VeraCrypt afterwards.

As nowadays laptops are more and more used, their data need to be protected by disk encryption to make sure that if you lose your computer, the thief won't have access to your data. But backups still need to be conducted properly and quite often, especially of the filesystem through a full USB booted Acronis software to make sure all is backed up well.

Currently, I have to decrypt my whole filesystem with BitLocker before using Acronis boot USB to do the backup, and re-encrypt afterwards. It is heavy to do so, and also the SSD drive needs a lot of writes for that operation, which wears it a lot for each backup done, and reaches its TBW max limit much faster. This would avoid this long, heavy and inefficient step, still keeping the highest level of data security with backups properly done.

I hope you can add this support to your next version of Cyber Protect USB version.


When you create the Acronis 'Simple' version of rescue media which creates WinPE media using files from the Windows Recovery Environment - this will automatically include BitLocker support, so can be used to unlock or manage encrypted drives / partitions from the boot media environment.

If you want to have support for both BitLocker and VeraCrypt in your bootable media, then you can use the new MVP Assistant tool to do this.

MVP Assistant - New 2.0 with Rescue Media Builder (New Version 2.3.1)

To add VeraCrypt support you need to use a small XML file as below:

VeraCrypt.XML

<?xml version="1.0" encoding="utf-8"?>
<Applications>
  <App name="VeraCrypt" description="VeraCrypt Encryption" visible="yes" optional="yes" autoinstall="no">
    <Source filename="VeraCrypt.zip" url="https://download2.portableapps.com/portableapps/VeraCryptPortable/VeraC…" />
    <Install>
      <Zip source="VeraCrypt.zip" />
      <LaunchButton name="VeraCryptDirect" command="%ProgramFiles%\VeraCrypt\App\VeraCrypt\VeraCrypt-x64.exe" />
    </Install>
    <Uninstall>
      <DeleteProgramFolder />
    </Uninstall>
  </App>
</Applications>

You can update the URL in the XML if there is a later version of VeraCrypt that you want to use.
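An added example, not part of the original post and not code from MVP Assistant: because an app XML shared on a forum tells the media builder what to download and which executable the launch button starts, it can be checked against a local policy before it is imported. The allowlisted host, the sample URL and the policy rules below are assumptions made for this illustration; the element and attribute names are the ones in the VeraCrypt.XML above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: the download hosts you have decided to trust (placeholder value).
ALLOWED_HOSTS = {"downloads.example.org"}

# Constructed sample in the shape of the VeraCrypt.XML above; the URL is a placeholder.
GOOD = rb"""<?xml version="1.0" encoding="utf-8"?>
<Applications>
  <App name="VeraCrypt" description="VeraCrypt Encryption" visible="yes" optional="yes" autoinstall="no">
    <Source filename="VeraCrypt.zip" url="https://downloads.example.org/VeraCryptPortable.zip" />
    <Install>
      <Zip source="VeraCrypt.zip" />
      <LaunchButton name="VeraCryptDirect" command="%ProgramFiles%\VeraCrypt\App\VeraCrypt\VeraCrypt-x64.exe" />
    </Install>
  </App>
</Applications>"""
# Constructed tampered copy: plain-HTTP mirror and a launcher outside the install folder.
BAD = (GOOD.replace(b"https://downloads.example.org", b"http://files.example.net")
           .replace(rb"%ProgramFiles%\VeraCrypt", rb"%TEMP%\VeraCrypt"))


def lint_manifest(data: bytes, allowed_hosts=frozenset(ALLOWED_HOSTS)) -> list:
    """Return policy findings for an app XML; an empty list means nothing was flagged."""
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return ["DTD or entity declarations present; refusing to parse"]
    findings = []
    for app in ET.fromstring(data).iter("App"):
        name, declared = app.get("name", "?"), set()
        for src in app.iter("Source"):
            filename, url = src.get("filename", ""), urlparse(src.get("url", ""))
            declared.add(filename)
            if url.scheme != "https":
                findings.append(f"{name}: download URL is not HTTPS")
            if url.hostname not in allowed_hosts:
                findings.append(f"{name}: host {url.hostname!r} is not allowlisted")
            if any(c in filename for c in "/\\") or ".." in filename:
                findings.append(f"{name}: {filename!r} is not a bare file name")
        for z in app.iter("Zip"):
            if z.get("source") not in declared:
                findings.append(f"{name}: Zip source {z.get('source')!r} has no matching Source")
        for button in app.iter("LaunchButton"):
            cmd = button.get("command", "")
            if not cmd.lower().startswith("%programfiles%\\") or ".." in cmd:
                findings.append(f"{name}: launch command is outside %ProgramFiles%")
    return findings


if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_manifest(doc) or "no findings")
```
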

Hello Steve,

Thank you very much for this advice and solution.
I will try that but will need some time.

But can you please tell me where I need to place this VeraCrypt.xml file?

Also how should I use it: first run the created bootable ISO on the computer and then run VeraCrypt and decrypt the drive as usual, and then run Acronis software, correct?
Is this adding a new button at the bottom in the launch bar?
If I understand properly, this would even allow to use the VeraCrypt source drive to be backed up and also the destination of the .tib backup could be a VeraCrypt drive, correct?

Regarding BitLocker partitions, would it mean that I can open the Windows Explorer from the bootable media and select the drive and decrypt the drive through the classic BitLocker interface, and enter the 48 characters private key to decrypt it, and also afterwards run Acronis software to work normally on the partitions?

Would it be possible to add the VeraCrypt app by default in the next release so that we already have the app on hand? I think this is a kind of software that is required to cover all users' needs without any surprise because it is missing, increasing compatibility and support for all disk configurations by default.

Would it be possible to provide a simple already-made ISO file with all that included, that you could provide with the selling of the Acronis software for example, or from our account to download it, or maybe with other ways to enter the licence? I mean to avoid having to create it ourselves manually.

Thank you.

 

But can you please tell me where I need to place this VeraCrypt.xml file?

The quick answer is that the file can be anywhere you want as you need to import the XML content into the MVP Assistant tool in order to add VeraCrypt as an extra application.  Thus you first need to extract the MVP Assistant tool on your system.  On my main PC I have the tool extracted and run from my D:\MVPA folder.

Also how should I use it: first run the created bootable ISO on the computer and then run VeraCrypt and decrypt the drive as usual, and then run Acronis software, correct?
Is this adding a new button at the bottom in the launch bar?

Yes, you create the bootable rescue media using the tool then boot that media into a modified Windows PE OS environment.  Within that environment there is a task bar where buttons are placed by the tool to allow the various applications to be launched.

If I understand properly, this would even allow to use the VeraCrypt source drive to be backed up and also the destination of the .tib backup could be a VeraCrypt drive, correct?

I would assume yes but have not tested doing this.

Regarding BitLocker partitions, would it mean that I can open the Windows Explorer from the bootable media and select the drive and decrypt the drive through the classic BitLocker interface, and enter the 48 characters private key to decrypt it, and also afterwards run Acronis software to work normally on the partitions?

I don't believe that you can access BitLocker via the PE equivalent file manager to Explorer but you can use the manage-bde command line tool from a terminal window / command prompt.

Would it be possible to add the VeraCrypt app by default in the next release so that we already have the app on hand? I think this is a kind of software that is required to cover all users' needs without any surprise because it is missing, increasing compatibility and support for all disk configurations by default.

Would it be possible to provide a simple already-made ISO file with all that included, that you could provide with the selling of the Acronis software for example, or from our account to download it, or maybe with other ways to enter the licence? I mean to avoid having to create it ourselves manually.

The MVP tool is authored by MVP BrunoC who is doing all the programming effort as an Acronis user, so his key intention is to provide a tool that doesn't require a lot of ongoing support or new development, hence the use of XML files that users can create themselves and which can be shared via the forums, i.e. like the VeraCrypt.XML file I have shared in this topic.  The XML can include a URL for where the application can be downloaded by the rescue media tool during the create process, and which can be updated by users when new versions of apps are made available.

Acronis would need a Microsoft license to be able to distribute their Windows PE code which would add extra cost that users would have to pay in the longer term, hence again why this media is created by users on their own systems where they have their own Microsoft license for Windows.
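An added example, not part of the original reply and not Acronis or MVP Assistant code: the 48-digit BitLocker recovery password that manage-bde accepts has a built-in structure (eight groups of six digits, each a 16-bit value multiplied by 11), so a mistyped group can be found before an unlock attempt. The sample values are constructed, the function names are hypothetical, and the script assumes a machine where Python is available; `-unlock` and `-RecoveryPassword` are manage-bde's own parameters.

```python
import re

MAX_BLOCK = 0xFFFF * 11  # each 6-digit group encodes a 16-bit value multiplied by 11

# Constructed sample values (not real recovery passwords).
SAMPLE_OK = "111111-222222-333333-444444-555555-666666-123453-135795"
SAMPLE_TYPO = "111111-222222-333333-444444-555555-666666-123454-135795"


def check_recovery_password(text: str) -> list:
    """Return structural problems in a recovery password; [] if none.

    A pass only rules out typing errors; it does not show that the
    password belongs to a particular volume.
    """
    digits = re.sub(r"[\s-]", "", text)
    if not re.fullmatch(r"[0-9]{48}", digits):
        return ["expected 48 digits in 8 groups of 6"]
    problems = []
    for i in range(8):
        group = digits[6 * i: 6 * i + 6]
        value = int(group)
        if value % 11:
            problems.append(f"group {i + 1} ({group}) is not a multiple of 11")
        elif value > MAX_BLOCK:
            problems.append(f"group {i + 1} ({group}) is out of range")
    return problems


def unlock_command(volume: str, text: str) -> list:
    """Build the manage-bde argument list to run at the PE command prompt."""
    if not re.fullmatch(r"[A-Za-z]:", volume):
        raise ValueError("volume must be a drive letter such as D:")
    problems = check_recovery_password(text)
    if problems:
        raise ValueError("; ".join(problems))
    digits = re.sub(r"[\s-]", "", text)
    password = "-".join(digits[i:i + 6] for i in range(0, 48, 6))
    return ["manage-bde", "-unlock", volume, "-RecoveryPassword", password]


if __name__ == "__main__":
    print(check_recovery_password(SAMPLE_TYPO))
    print(" ".join(unlock_command("D:", SAMPLE_OK)))
```
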

Thank you very much for this full explanation Steve and your great support!

I hope VeraCrypt could still be included in a next Linux version of Acronis bootable media, and possibly a free BitLocker library if it exists into it so that we could read/write to those drives.