Bitlocker, Acronis encryption, and Surface pro 4 best practice?
I just purchased Acronis, I wanted backup software that claimed to be compatible with bitlocker.
I created an Acronis secure zone on the main partition, then used bitlocker to encrypt drive C.
Q1: Acronis says I should "exclude" the secure zone from bitlocker, but there was as far as I can see no way to do that; bitlocker either encrypts the drive or it doesn't; it does not give you options to exclude any part or section of the drive. Is this because the Acronis secure zone is a separate partition and therefore not part of drive C?
Q2: Is it good practice when using bitlocker to then have Acronis encrypt the backup? Or is this better avoided? As Acronis decrypts the bitlocker drive as it backs up and requires you to re-enable bitlocker once a backup has been restored, it seems the best/only way to encrypt backup data, but it adds another step which might cause the backup to fail?
Q3: There are a number of posts about problems with Surface Pro 4s with Acronis 2015/2016... have these issues been fixed for the 2017 release?



Hi Steve, thanks for the info.
I decrypted the bitlocker drive, created a new ASZ on a USB drive, and tried to do a backup. Worked fine except for one thing - at no point did it give me the option to encrypt the data on the ASZ. Did I miss something?

Geoffrey, if you are running with an existing backup task to the ASZ then the encryption (password protection) option is only available when the task is first created and before being executed for the first time; after that point it cannot be changed.
See screenshot below from one of my encrypted backup tasks showing the settings in the Advanced page tab.
Attachment | Size
---|---
408997-137965.png | 14.06 KB

Geoffrey, did you specify a password for ASZ when you were creating it? If yes, then it is intended behavior that password-protection and encryption options are hidden in backup task configuration screen. In other words you can encrypt backups only once: either using per-backup protection or by setting a universal password for the entire Secure Zone.
Regards,
Slava

Initially, I created the ASZ without password protection. Then I went back in and selected password protection. Now when I attempt to access the ASZ tool or create a backup, it asks for the password. However, it still does not give me any options for encryption anywhere (the Advanced screen simply does not have the option as shown by Steve.)
Should I delete the ASZ and create a new one selecting password protection first?
Thanks for all the help!
Geoffrey

Geoffrey, see the ATIH 2017 User Guide: Acronis Secure Zone protection which shows the only options for securing the ASZ using a password but without being able to specify what level of encryption can be used.
If you leave the ASZ without a password, then you can use the Password & Encryption settings for your backup task instead, where you have more control. Note: if you click on Save as default on the Advanced page tab, then it will save the same password & encryption settings for all new tasks being created.

Geoffrey, I would recommend deleting Acronis Secure Zone completely and using per-task encryption and password:
1) open the Tools tab - click Acronis Secure Zone - Remove - Next - Proceed - OK
2) open Windows Start menu, type diskmgmt.msc, locate the horizontal stripe that represents your external disk, which should be shown as "Unallocated" with a black stripe above it (as opposed to the blue color of partitioned disk space). Right-click it - New Simple Volume - Next - Next - Next. Open the drop-down menu "Allocation unit size" and select the maximum value (in my case I have 64K, in your case the maximum value available could be higher: 128K or more). Type a label in the "Volume label" field, e.g. "Backups", click Next and Finish. The idea here is to optimize the performance of the disk volume for writing and reading backups, which are usually big files. Reading and writing .TIB files in larger chunks (64K for example) is quicker than in smaller parts (in my case the default allocation unit size was 4K).
3) configure a new backup task, choosing the newly created disk volume as the destination. Password and encryption settings should be available under the Advanced tab. All the .TIB files created by this task in the future will be protected by the set password and encryption.
Now if someone steals the external drive, he/she won't be able to open .TIB files and access backup contents without knowing the password that you have set. Encryption ensures that every bit of the entire file is encrypted and the password-protection cannot be circumvented by using any kind of "backdoor" to .TIB file contents.
Regards,
Slava

OK, I deleted the ASZ and sure enough, I can encrypt the backup to the USB drive now. However, does this mean I can now use bitlocker on the main drive and it will work successfully, decrypting the data out of bitlocker and then re-encrypting it using Acronis encryption? When I restore, will it run into problems due to bitlocker?
The instructions for using bitlocker suggest using an ASZ. Now, to encrypt the data, I have had to delete the ASZ and use a standard formatted drive instead.

Geoffrey, as I advised previously, when you create your Acronis backups from within Windows for a drive with BitLocker enabled, you are doing so where Acronis does not see any encryption so there is no process of decrypting that Acronis needs to perform. When you have set a password / encryption for the backup file, then this is applied as the file is written to the external backup USB drive.
Where are you seeing instructions to use ASZ with bitlocker support?

Steve, the user guide says this:
-------------------
Under some conditions, Acronis Backup is compatible with the following disk-level encryption software: Microsoft BitLocker Drive Encryption, McAfee Endpoint Encryption, PGP Whole Disk Encryption.
To ensure reliable disk-level recovery, follow the common rules and software-specific recommendations.
Common installation rule
The strong recommendation is to install the encryption software before installing Acronis Backup.
The way of using Acronis Secure Zone
Acronis Secure Zone must not be encrypted with disk-level encryption. This is the only way to use Acronis Secure Zone:
1. Install encryption software; then, install Acronis Backup.
2. Create Acronis Secure Zone.
3. Exclude Acronis Secure Zone when encrypting the disk or its volumes.
-----------------------
I have created a backup to a USB drive that now gives me per-backup encryption. Can I now turn bitlocker on the main drive (C) and it will successfully create a backup on the USB drive (F) that uses Acronis encryption, and then successfully restore from this? I was unable to find a way to "exclude" the ASZ on the main disk.
If an ASZ is unnecessary for this process, then I should be able to not use the USB drive at all but simply encrypt to my NAS drive instead. But if I do this, again, my question is: Will a backup made from a bitlocker drive (C) that is encrypted by Acronis to the NAS drive successfully restore to the original?
Still confused by this process.... it seems like ASZ is completely unnecessary when backing up a bitlocker drive, but the instructions indicate it can be done. I was trying to follow what seemed to be the most secure practice...
Geoff

Geoff, you look to be quoting from the user guide for the Acronis Backup product and not Acronis True Image which may be where some confusion is coming from. There is no such passage as you quoted in the ATIH 2017 user guide.
Your encrypted USB backup should be perfectly fine to allow you to recover from the Acronis bootable Rescue Media, as this will recognise that the .tib file is protected by a password and encryption and challenge you to provide that password by which to decrypt the file and allow its contents to be accessed.
You can store your password / encrypted backup file in whatever location you wish, including your NAS or the Acronis Cloud etc.
I am no expert on using BitLocker but from what I understand it encrypts the whole drive not just selected partitions which would be needed in order to exclude the ASZ partition if on the same drive.

Thanks for the clarification, Steve. I was looking at the wrong user help file.
So I have now created a backup on the NAS and on the USB drive. I've encrypted it using Acronis encryption. I created a bootable rescue media (flash drive).
Theoretically, I should now be able to bitlocker drive C, and make backups of that to NAS and USB. The data being backed up would be unencrypted by bitlocker, but encrypted by Acronis.
If the system crashes, I can use the bootable rescue media flash drive to access Acronis TI, then use the USB drive to recreate the original drive C. (I will need to use the USB drive so that the system can see it before network connections are restored.) It will NOT be bitlockered. Once it is restored, I simply have to turn bitlocker on again.
Does that sound about right?
I'm simply trying to set up a system so I have an encrypted hard drive AND an encrypted backup. I'm fine with having to reset bitlocker after a system restore.

Geoff, yes that is correct.
See KB 56619: Acronis True Image: compatibility with BitLocker which essentially says the same thing.


One (hopefully final) question:
If bitlocker needs to be suspended before doing a backup, is there a way to do that automatically in the backup process? There is a section for pre/post operation commands that can be entered. Can you suspend bitlocker via command line in that process?

OK, I found that there is a command line structure to suspend/enable bitlocker: from a command prompt with Admin access, the following commands work:
manage-bde -protectors -disable c: (c being the drive) suspends bitlocker
manage-bde -protectors -enable c: .... resumes bitlocker.
Can anyone tell me whether or not this will work as a pre/post operation in Acronis? I'm concerned because it requires administrative access from the command line. When I tested it on a regular command line, I got an error. When running as command line (Admin) it worked.
However, entering the info into the pre-operation section of TI and testing it gave me a failure.
Help appreciated.

I got it to successfully execute the command.
command: manage-bde.exe
do not select working directory
-protectors -disable C: in the arguments line
This suspends bitlocker. You can confirm with the Bitlocker Manager menu.
-protectors -enable C: in the arguments line
This resumes it.
I will test a full backup with this now. I have it set to produce an error and stop if it fails to execute the command.
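For anyone wiring this into the pre/post command slots, here is an added example (my own, not Acronis or Microsoft code) of a small hook script that does what the manage-bde lines above do, but with the checks a backup job needs: it only suspends when protection is actually on, it refuses to continue when not elevated (the same failure seen from a non-admin prompt), it skips volumes that are not BitLocker-encrypted, and the post step verifies that protection is back on before returning success. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later), a volume of C: unless told otherwise, a file name of bitlocker-hook.ps1, and that the task runs the command elevated; the -Phase / -MountPoint parameters are my own naming.

```powershell
# Added example, not Acronis or Microsoft code. Hook for a backup task's
# pre/post command slots: "pre" suspends BitLocker on the given volume only
# if protection is on, "post" resumes it and verifies it is back on.
# Assumed invocation in the task's pre-command (post-command uses -Phase post):
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File bitlocker-hook.ps1 -Phase pre -MountPoint C:
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('pre', 'post')]
    [string]$Phase,

    [string]$MountPoint = 'C:'   # assumed default; pass another drive letter if needed
)

# Any cmdlet failure (e.g. module missing) terminates the script with a
# non-zero exit code, which the task's "stop on error" option can act on.
$ErrorActionPreference = 'Stop'

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ProtectionState {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # VolumeStatus:     FullyEncrypted / FullyDecrypted / EncryptionInProgress / ...
    # ProtectionStatus: On = key protectors enforced, Off = suspended or not encrypted
    return [pscustomobject]@{
        VolumeStatus     = [string]$vol.VolumeStatus
        ProtectionStatus = [string]$vol.ProtectionStatus
    }
}

if (-not (Test-Elevated)) {
    # The BitLocker cmdlets (like manage-bde) need an elevated token.
    Write-Warning "bitlocker-hook: must run elevated (Administrator or SYSTEM)."
    exit 1
}

$state = Get-ProtectionState -MountPoint $MountPoint
Write-Output "${Phase}: $MountPoint volume=$($state.VolumeStatus) protection=$($state.ProtectionStatus)"

switch ($Phase) {
    'pre' {
        if ($state.VolumeStatus -eq 'FullyDecrypted') {
            Write-Output "pre: volume is not BitLocker-encrypted, nothing to suspend."
            exit 0
        }
        if ($state.ProtectionStatus -eq 'On') {
            # RebootCount 1 (the default) re-arms protection at the next restart,
            # so a post step that never runs (crash, killed task) cannot leave
            # the volume permanently unprotected.
            Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
        }
        $now = Get-ProtectionState -MountPoint $MountPoint
        if ($now.ProtectionStatus -ne 'Off') {
            Write-Warning "pre: failed to suspend BitLocker on $MountPoint"
            exit 1
        }
    }
    'post' {
        if ($state.VolumeStatus -eq 'FullyDecrypted') {
            Write-Output "post: volume is not BitLocker-encrypted, nothing to resume."
            exit 0
        }
        if ($state.ProtectionStatus -ne 'On') {
            Resume-BitLocker -MountPoint $MountPoint | Out-Null
        }
        # While suspended, BitLocker keeps the volume key in the clear on disk,
        # so the post step must prove protection is back on rather than assume it.
        $now = Get-ProtectionState -MountPoint $MountPoint
        if ($now.ProtectionStatus -ne 'On') {
            Write-Warning "post: BitLocker protection on $MountPoint is still Off"
            exit 1
        }
    }
}
exit 0
```

Because the pre step is guarded on ProtectionStatus, the hook is harmless if (as later replies in this thread explain) suspending turns out to be unnecessary for a backup run from inside Windows; the post step's verification is the part worth keeping either way, since a suspended volume is readable without its key protectors until protection is resumed.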

Backups to USB and NAS drives successful!

Geoff, just to clarify here, when you have BitLocker enabled and are booted into Windows where Acronis is being run, then there is no need to suspend BitLocker as Acronis does not see any encryption at that point, as any other applications wouldn't either.
It is only when you are trying to run Acronis from outside of Windows that would be a problem with BitLocker active as then Acronis would not see the drive or partitions correctly.
If you take a look at the MVP Tool - Custom ATI WinPE Builder in my signature, this can also include BitLocker support into a WinPE USB Rescue Media stick if it is required.

Steve, the KB article you posted says this:
"Acronis True Image is compatible with BitLocker hence can back up and restore partitions encrypted by BitLocker.
Install Acronis True Image on your computer and configure a backup task to back up encrypted disks. You need to unlock the disk (use Suspend protection option for that) before backing up."
That seems to unequivocally say that bitlocker should be suspended before any backup. Am I missing something here?
Geoff

Geoff, I believe that the KB is a little misleading as when you are working within Windows, then BitLocker is unlocked to allow you access otherwise Windows itself wouldn't be able to work. I do not believe that you need to actually suspend protection in order to make the backup when doing this from the Acronis application running within Windows.
Perhaps the easiest way of proving this is to try it out and see if Acronis presents any messages about not being able to access the drive or partitions due to them being encrypted?

OK Steve, thanks for the info.
I'm going to remove the pre/post operation commands so that bitlocker is not suspended.
My understanding (and I'm often wrong :) ) is that bitlocker encrypts data to the drive when writing, and decrypts when reading. It's fully transparent and the only effect is of course to lower performance, as the processor is invoking an additional stage in every read/write process. A backup made with bitlocker running on the drive should be reading unencrypted data, and then encrypting it via TI as it writes the backup. The only issue is that any restore from backup will recreate the data in unencrypted form, so that a full restore will be restoring a disk that has bitlocker turned off, and all any user has to do is finish the process, and then turn on bitlocker. If I suspend bitlocker before backup, it seems possible (?) that the backup would then be copying data from the drive encrypted by bitlocker in the write process but NOT decrypted when reading, because bitlocker is suspended, and that could cause problems.
Does that sound right?

Geoff, your Acronis backup will be of unencrypted data from the Windows drive unless you then use the Acronis option to set a password and encrypt the backup file as it is written to your backup drive.
Beyond this, I have no personal experience of using BitLocker so cannot advise on how suspending BitLocker would affect things here?