
ATH WITH startup usb key but WITHOUT TPM


Hi All,

Do we know whether the following is possible:

1. Backup to cloud from a bitlocker encrypted disk in a win 7 pc without TPM and which relies on a USB startup disk to provide the bitlocker encryption key; and then

2. Restore that backup from cloud to a new HDD in that same machine so that the HDD is bootable and all files are accessible.

I have tried quite hard to get this to work with no success. I backed up the whole disk using Acronis within Windows 7, and restored using Acronis Bootable Media. Although the restore completes OK, the target disk is unbootable. To check whether the HDD was accessible I placed it in a USB caddy and connected that to a different Windows 7 PC, which was unable to read the drive and showed it as bitlocker encrypted. That cannot be the case because backing up from Acronis in windows would have created an unencrypted image in the cloud.

So I have an unencrypted target disk which won't boot and which windows thinks is encrypted, which limits what I can do with it in repair-bde and manage-bde. I have tried a repair-bde -recoverykey -nov without success.

Any ideas?

Cheers,

Mike


Mike wrote:

1. Backup to cloud from a bitlocker encrypted disk in a win 7 pc without TPM and which relies on a USB startup disk to provide the bitlocker encryption key; and then

2. Restore that backup from cloud to a new HDD in that same machine so that the HDD is bootable and all files are accessible.

I have tried quite hard to get this to work with no success. I backed up the whole disk using Acronis within Windows 7, and restored using Acronis Bootable Media. Although the restore completes OK, the target disk is unbootable. To check whether the HDD was accessible I placed it in a USB caddy and connected that to a different Windows 7 PC, which was unable to read the drive and showed it as bitlocker encrypted. That cannot be the case because backing up from Acronis in windows would have created an unencrypted image in the cloud.

So I have an unencrypted target disk which won't boot and which windows thinks is encrypted, which limits what I can do with it in repair-bde and manage-bde. I have tried a repair-bde -recoverykey -nov without success.

Mike, please see KB document: 56619: Acronis True Image 2016: Compatibility with BitLocker which explains, albeit briefly, how ATIH 2016 can be used in BitLocker scenarios.

From your initial post, the part which worries me is "which relies on a USB startup disk to provide the bitlocker encryption key"

ATIH 2016 can only backup encrypted partitions by operating within the unencrypted data environment, where the encryption is invisible to the application, hence why the backup archive file is unencrypted.

If your Windows 7 system relies on a USB startup disk, then restoring the unencrypted backup may give a mismatch with what that startup disk is expecting, if that disk is intending to provide a key to decrypt a BitLocker encrypted drive. The key point in the KB document above is that you need to reactivate encryption after recovery.

Steve, thanks for this. Could you elaborate on what kind of mismatch you mean?

As to reactivating encryption after recovery I think the Acronis article means that this should be done from "Manage Bitlocker" in Windows. This is problematic for me because 1. I can't boot into windows on the target disk, and 2. If I put the target disk into a caddy I can't access it from a different windows machine. I also can't enable bitlocker from command line: if I run manage-bde -on that reports that the disk is locked.

Mike, I am probably making assumptions here with regard to your relying on using a startup disk - can you boot your computer without that USB startup disk installed or connected?  If you can, then you should do so as any backup restored by ATIH will no longer be encrypted, and you would need to go through the steps to encrypt it again with BitLocker.

For example: How to Use a USB Key to Unlock a BitLocker-Encrypted PC 

From reading other posts in the forums, it seems that any backup should include all partitions on the source drive and these should all be restored back.

See also: https://kb.acronis.com/content/1734

To back up the system encrypted with BitLocker you will need to create an image from Windows

BitLocker will encrypt the data along with the file system structures, rendering the data unusable unless the right key is entered during the boot process, thus protecting valuable data.

Taking a backup with Acronis

In order to take a successful backup (image) of a BitLocker encrypted system, please use the Acronis software in Windows. Do not attempt to use the bootable media, since it will not recognize the partition, and it will initiate a sector by sector copy, which will bring issues after restoring it.

The data read during the backup from Windows will be unencrypted, since Windows will decrypt all the data on the fly.

Restoring the data

If you want to restore the entire system (bare metal restore), please boot from the media and restore all the data. Everything will work fine, with the peculiarity that the data will be unencrypted. If you want to have it encrypted, please turn on BitLocker once you boot the restored system.

See also a post from an earlier version of Acronis: https://forum.acronis.com/forum/16985#comment-64825 where a user did successfully backup and restore an encrypted drive.

Steve, the source drive is encrypted, and requires the usb bitlocker startup key to boot up. The target drive should be unencrypted (the one I restored to) but in any case will not boot with or without the startup usb key.

Searching on the web there seem to be some folks who have successfully backed up and restored bitlocker encrypted disks, so I think that if ATH has a problem it is only with respect to my scenario: where there is no TPM module, and where the encryption key is held on a USB key.

I have asked Acronis for a definitive answer on this but so far haven't received one.


Mike... when using bitlocker, you can/must only take the full disk image in Windows where the image is already decrypted. If you restore that image, it will also be decrypted. You then need to encrypt with bitlocker again.

There is no way to image the system while encrypted (well, you can, but because the data is encrypted, Acronis will only backup gibberish) and therefore a restore will not be possible with a software solution backup.

This is by design of bitlocker encryption. If a software application could easily backup encrypted data, then you can bet that it would be easy to decrypt that data and get to the content of the data and that's exactly what bitlocker is designed to prevent.

Although bitlocker requires the USB key (bitlocker key) to boot into Windows, it is not required to boot into other offline bootable recovery media (Acronis). You should be able to use your system one-time boot or boot override menu to boot straight into Acronis to perform a system restore - I'd recommend formatting the disk before though - just in case.

Sorry Bobbo but if I understand you correctly then I believe what you've written is not quite right. When the ATI Windows application backs up bitlocker encrypted files to the cloud it backs them up unencrypted.

Mike, yes, if the machine is decrypted first, that is correct. If full disk encryption with bitlocker is being used, the moment you are at the logon prompt, the machine is already fully decrypted. You then run your cloud backup so it is backing up unencrypted data. You can then encrypt that data as it's backing up to the Cloud, but this is Acronis encryption and not bitlocker encryption.

If you are backing up your machine while encrypted, Acronis cannot restore it. To test this theory, take a full disk image of your machine without decrypting first. Go straight into your Acronis offline recovery media by using your one-time boot menu or boot override menu. After the image is complete, then, boot into Windows (hence, your machine is decrypted at this point). Now, double click on the backup .tib file you just made and try to navigate the contents. Or, add the backup .tib file in Acronis and attempt to restore files/folders out of it. It's not going to work.

Again, if any application was capable of reading the content of your "encrypted data" while the data was encrypted, that would defeat the purpose of having encryption in the first place.

So, after re-reading your thread, it sounds like you are backing up strictly to the cloud from within Acronis (bitlocker would be decrypted at this point in time) and then are using the bootable media to restore the files to another disk and want it to be bootable?

If so, this should be doable..

1) Remove the original hard drive and replace with the new one on the exact same SATA connector.

2) Boot your Acronis bootable recovery media. However, here is where you may be hitting your trouble. If your OS is a legacy/MBR install, you need to boot the recovery media in Legacy/MBR mode. If your OS is UEFI/GPT install, you need to boot the recovery media in UEFI mode.

Please see this thread post with screenshots for reference. Using your one-time boot menu or boot override menu at the bios start (often times F12, F1 or Esc, but varies from system to system), you should be able to boot in the correct mode. This is important during the recovery as it will determine how the drive is partitioned when the restore takes place.

Why? An older legacy/Bios image can theoretically be converted to GPT/UEFI during the restore process and be bootable. This allows people to take advantage of the benefits of newer UEFI/GPT systems. If you boot the recovery media in MBR/legacy mode, it will attempt to restore the image in MBR/Legacy mode and if you boot the recovery media in UEFI mode, it will attempt to restore the image in UEFI/GPT mode. It is best to keep the restore the same as the original in most instances - it reduces compounded problems. Also, you can only convert MBR/Legacy to GPT/UEFI but can never go UEFI to MBR. Sometimes converting MBR/Legacy to GPT/UEFI also results in non-bootable system (although, I've had great success with it).

Long story short: 1) to avoid unnecessary headaches and limit factors that might make your restore non-bootable, stick to booting your recovery media in the same manner as the OS was originally installed. 2) Do not try to boot your system after the restore, with both the original drive and the restored drive, you need to remove the original and put the recovered one in the originals place and verify the OS boots before connecting the original back on another connector. 3) If you have followed 1 and 2 and are absolutely sure that you restored a full disk image (with all original partitions) and still are not able to boot, try using your original Windows installation or recovery disk and do a system "repair" and see if that fixes the boot issue.
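The thread's two loose ends are (a) confirming whether the restored OS was installed in legacy/MBR or UEFI/GPT mode, and (b) the KB's instruction to turn BitLocker back on after the restore, which on a no-TPM machine means a USB startup key plus the policy that permits BitLocker without a TPM. The script below is an added example, not code from the thread, from Acronis or from Microsoft documentation; it assumes the restored OS volume is C:, that the USB stick that should hold the new .BEK startup key is mounted as E:, and that it is run from an elevated PowerShell prompt on the restored system after it boots.

```powershell
# Added example: post-restore checks and re-enabling BitLocker with a USB
# startup key on a machine that has no TPM. Not part of the original thread.
# Assumptions: OS volume is C:, startup key should be written to E:\.
$OsDrive  = 'C:'
$UsbDrive = 'E:\'   # assumption: USB stick that will carry the .BEK startup key

# 1. Determine how the restored OS boots. Windows 7 has no Get-Disk cmdlet,
#    so read the boot loader path out of the BCD instead:
#    winload.efi => UEFI/GPT install, winload.exe => legacy BIOS/MBR install.
#    The recovery media must be booted in the same mode for a bootable restore.
$bcd = bcdedit /enum "{current}" | Out-String
if     ($bcd -match 'winload\.efi') { Write-Host 'Boot mode: UEFI (disk should be GPT)' }
elseif ($bcd -match 'winload\.exe') { Write-Host 'Boot mode: legacy BIOS (disk should be MBR)' }
else                                { Write-Host 'Could not determine boot mode from BCD' }

# 2. Confirm the restored volume is plaintext. An image taken inside Windows
#    is decrypted on the fly, so after restore expect
#    "Conversion Status: Fully Decrypted" and "Protection Status: Protection Off".
manage-bde -status $OsDrive

# 3. BitLocker refuses a startup-key-only protector unless the policy
#    "Require additional authentication at startup" is enabled with
#    "Allow BitLocker without a compatible TPM". These are the registry values
#    that policy writes; setting them locally is equivalent to gpedit on a
#    standalone Windows 7 machine.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord

# 4. Re-enable encryption: write a startup key to the USB stick and generate a
#    48-digit recovery password. Record the password off the machine; with the
#    USB key lost and no recovery password the volume cannot be unlocked.
manage-bde -on $OsDrive -StartupKey $UsbDrive -RecoveryPassword

# 5. Verify both protectors exist and watch the conversion progress.
manage-bde -protectors -get $OsDrive
manage-bde -status $OsDrive
```

Step 4 starts encryption of a volume that is already decrypted, which is exactly the state a restored Acronis image is in; it does not "re-attach" the old startup key, because the old key protected a volume master key that no longer exists on the restored disk. If the pre-restore USB key is still around it should be treated as obsolete and its .BEK file deleted once the new key is confirmed to boot the machine.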

Thanks for this Bobbo, I appreciate it. Unfortunately, I have done all of the above and it just doesn't work. I think the fairly exhaustive trials I have made and the responses from Acronis so far indicate that it isn't possible.  I will simply conclude that:

Acronis True Image Home 16 cannot:

1. Backup to cloud using ATIH (windows) from a bitlocker encrypted disk in a win 7 pc without TPM and which relies on a USB startup disk to provide the bitlocker encryption key; and then

2. Restore that backup from cloud using ATIH (bootable media) to a new HDD in that same machine so that the HDD is bootable and all files are accessible.

Unless anyone out there has managed to do exactly that I think that to avoid confusing further readers we should close this thread. Thanks all for your help on this.

Mike

Mike, at some point I'll get around to testing to try and validate or verify this behavior or not. Other threads have shown better luck with restoring full disk images from the cloud when first copying the backup image to the system in Windows (letting it download completely first) and then doing the restore locally with that data. The default bootable media is pretty sparse in form and usability and may be using generic drivers that prevent or hinder network connectivity at times - that's purely a guess.

I see I forgot the link for the bootable media screenshots above too, so just wanted to post here and will update my earlier post to reflect it too.  

For now though, as you stated, we can probably leave this thread as be until someone else can troubleshoot the same scenario and repeat the behavior or show that it is possible.