Acronis and BitLocker?
Is there any detailed documentation on using ATI with a BitLocker encrypted drive? There is no mention of BitLocker in the user's guide. Specifically:
1) Is the data that is backed up encrypted by BitLocker on the backup media?
2) Does ATI back up only the used space on a BitLocker Encrypted drive?
3) If the backed up data is encrypted by BitLocker, how do I restore to a new computer or hard drive?
4) Are there any other potential problems with using ATI with BitLocker?
Thanks.


I can confirm that it worked for me. I made the backup with Windows TI 2016 latest version. I did not disable bitlocker before. The backup is not encrypted and only data are backed up. With the WinPE media I made a successful restore.
Unfortunately I formatted after backup and before restore the normally hidden but now visible 128 Mbyte MSR reserved partition and bitlocker did not work any more. It was not possible to recover the MSR reserved partition with restore.

I am not sure that I understand the problem created by TI's failure to recreate the MSR. Were you unable to reenable BitLocker after the restore because BitLocker requires the MSR? Why did you restore with WinPE instead of the standard TI restore? Thanks for the information.

I just looked at the partitions on my C: drive and all I have is the primary partition that is encrypted by BitLocker and the Lenovo recovery partition. There is no MSR partition. I am running Win 10 Pro 64 bit.

In my case Bitlocker uses the MSR partition with UEFI GPT. When I formatted MSR (this was my fault) bitlocker did not work anymore and recovery with TI did not bring the content of MSR back. This partition is hidden, that means you cannot see it with Windows tools. Maybe bitlocker works also without MSR in a different configuration, but not with me.
The standard partition set up of UEFI GPT is recovery, MSR, primary windows.
Restore was only possible in my case with WinPE including the necessary drivers. There may be other configurations where the rescue TI media is sufficient.

Thanks for the explanation. I checked and my system is BIOS so there is no MSR partition.

I have a different issue. My boot drive isn't encrypted but my data disks are. When I attempted to clone the boot drive ATI insisted it detected BitLocker and wouldn't clone my drive. I don't get it. Someone please explain why I can't clone an unencrypted drive.
TY

Bob, we have been able to reproduce this issue on our side as well: disk cloning tool requires all disks to be free of Bitlocker encryption, regardless of whether they are part of disk cloning operation or not. Thank you for bringing attention to that use case. As this particular issue is rarely reported by users overall, currently it has low priority.
Regards,
Slava


Slava, just to be clear are you saying that ATIH cannot clone a bitlocker encrypted drive? If so please add that to https://kb.acronis.com/content/56619 as it is a significant shortcoming.
Regards,
Mike

Mike, ATIH cannot clone a bitlocker encrypted drive and this is already stated in KB 56619 as quoted below:
You cannot back up encrypted disks in Acronis bootable media.
Cloning can only be done from the Acronis bootable media, outside of the Windows OS, with the exception of using the F11 ASRM standalone linux environment.
The issue here which Slava was acknowledging is that cloning fails when there is a different bitlocker encrypted drive in the system when cloning one which is not encrypted. The work-around for this issue would be to disconnect that second encrypted drive while cloning and reconnect when completed.

Thanks for this Steve. I have tried extensively to clone a bitlocked drive and have failed. I raised my problem with the Acronis chat help who told me to use the bootable media. I explained that I had tried that too and that had also failed. The engineer went away to check her resources and sent me a mail saying that:
"I checked with my resource and would like to inform you that we cannot perform cloning with the bit-locker encrypted drive." As I had asked about bootable media I assumed the answer pertained to that.
I thought this was surprising which is why I commented on Slava's post.
Have you successfully managed to clone a Bitlocker encrypted disk using the Acronis bootable media?

Mike, sorry but the clone wizard will not allow you to try to clone a Bitlocker encrypted disk using the rescue media, this was the point that Slava was acknowledging that the clone wizard detected Bitlocker on another drive and then refused to clone the unencrypted drive.
The supported method of backing up a Bitlocker encrypted drive is to do so using ATIH GUI from within Windows, where to the application no encryption is seen and the resulting backup archive image is also not encrypted.
The only other approach that could be tried here would be to make an entire disk sector-by-sector backup of a Bitlocker encrypted drive - this would have to copy every sector on the whole drive as Acronis would not be able to identify the drive contents (the data in the sectors being scrambled through encryption). Depending on the size of the drive, this would take some significant time to complete, and would require that the same approach be used to restore the backup data to a second drive of equal or larger size.

OK, I'll try it from within Windows. Does Bitlocker protection need to be suspended for it to work?

Mike, no, if you are doing the backup from within Windows, then as far as Acronis is concerned, there is no encryption active, so no need to suspend Bitlocker protection. You have already provided the necessary Bitlocker keys to allow Windows to be booted.

OK, got it. Regarding the other approach you suggested "make an entire disk sector-by-sector backup of a Bitlocker encrypted drive" am I right in thinking this would be a backup (rather than a clone) and that it would be run from the Bootable Media?

Mike, yes, the other approach would be a full backup and restore operation using the bootable media. Using ATIH in Windows is the simplest way to make the backup, will be much smaller in size but will be unencrypted unless you add a password before making the backup to protect the contents. If you restore the Windows backup then you would also need to reactivate Bitlocker again.

Thanks. Regarding my attempt to clone using ATIH within Windows this doesn't work. True Image provides the error message:
"Unable to continue operation.
Unable to continue the operation that requires a reboot, because a volume encrypted with BitLocker has been detected. Please use Acronis bootable media."
Pls see attached screenshot.
Any thoughts?
Attachment | Size |
---|---|
379031-132085.jpg | 112.83 KB |

.......and regarding your suggestion to do a "full backup and restore operation using the bootable media", doing that sector-by-sector or otherwise doesn't work, causing the error message:
"Unable to back up a locked volume encrypted with BitLocker. Unlock the volume or turn off BitLocker and then try again. "
Pls see attached screenshot.
Attachment | Size |
---|---|
379039-132088.jpg | 137.17 KB |

Mike, sorry - I guess we are going round in circles a little here - you cannot clone an encrypted drive.
You have only three options here:
- Remove Bitlocker from the drive to be cloned and perform the clone on the unencrypted drive.
- Forget using clone. Create a disk & partitions backup of the drive and then restore this backup to the target drive then re-encrypt the cloned drive when all is working successfully.
- Do a full disk sector-by-sector backup & restore using bootable rescue media to the target drive - this method is not recommended because encrypted sectors may show as bad to the software due to the patterns used by the encryption.

Thanks Steve. Regarding (3) I think my screenshot filename ending 786 above shows that doesn't work. Or have I misunderstood?

Mike, I am sure that you are correct here with regard to option 3.

OK, thanks Steve. I'll sign off now but in conclusion we seem to agree that:
1. Acronis cannot clone a Bitlocker encrypted drive. Period. And that's true for ATIH windows and for the bootable media.
3. Acronis can't do a sector-by-sector backup of a Bitlocker encrypted drive.
Cheers,
Mike

Mike, just one expansion of your first statement.
ATIH can achieve the same as doing a clone by doing a Backup & Restore, where the Backup is done within Windows and the Restore is done using the Rescue Media. Cloning cannot be done from within Windows as it requires the system being restarted to a standalone boot environment (ASRM or Rescue Media) and this cannot read a BitLocker encrypted drive to be able to do the clone.

Thanks again. Regarding doing a Backup and Restore instead of cloning, I'm afraid I can't do that either. Please see post #8 of https://forum.acronis.com/forum/122915.
I wish I was having more luck with this :(

Mike, are you doing the backup from within Windows - it needs to be done in Windows if you really want it to work. As Steve's earlier post shows, it may not be possible to do a sector-by-sector backup of an encrypted drive either as some of the encrypted data may register as bad sectors because of the encryption algorithms.
If you are dead set on trying to clone or image a drive while it is encrypted, software is not the answer. You may want to try using a physical hard drive duplicator / clone caddy. Using one of these, as long as you clone an encrypted disk to the same size disk (can't change partitions or will result in a non-bootable disk), this usually works because the hard drive caddy just reads 1's and 0's and doesn't have any software in play so they can "usually" make an exact copy of a drive to another, even if encrypted. If you're up for buying hardware, for less than $35 this is a tool I'd recommend having in any IT arsenal. Plus, it doubles as a dual bay docking station and supports both 2.5" and 3.5" disks.
The downsides are:
1) extra cost for hardware - roughly $35
2) completely manual process which requires pulling the source drive from the PC each time you want to clone so may not be optimal for systems with non-removable drives or that are hard to get to the internal drives
3) USB 3.0 interface instead of direct SATA when used as a docking station. If you have usb 3.0 ports though, it's pretty fast as a dock. Cloning is SATA to SATA directly through the dock though when not attached to a computer.
4) when adding or removing a drive, must always power off (if you start with 2 and pull 1 while in use, the other drive will go offline too. If you start with 1 and put in another while it is online, they will both go offline)
upsides are:
1) can clone an encrypted hard drive (if source and destination are the same size)
2) clone is completely offline - does not require a computer - just AC power and 2 equal size disks
3) doubles as a dual hard drive docking station
4) supports 2.5" and 3.5" drives

Bobbo I appreciate you taking the time to comment but please read the earlier posts and you will see that I have tried to clone both from within Windows and from the bootable media. Neither work. This is my experience and Steve seems to concur that True Image cannot clone a bitlocker encrypted drive at all.
(I also appreciate your suggestion of a hardware alternative. However, there are software alternatives as well. I have now tried Macrium and their bootable media will clone a Bitlocker encrypted drive with no problem.)
Acronis support: please be kind enough to let me know if/when Acronis will be able to 1) clone and 2) backup/restore bitlocker encrypted disks.
Steve, Bobbo thanks for your help on this. I suggest we close this thread for now and hope Acronis responds.
Good night from London.

Mike,
If it works, it works and as long as you have a solution, that's what matters most.
I have not personally tried to clone a bitlockered system with Acronis, but I believe that is indeed a limitation of this product. However, I have imaged encrypted drives and restored those images just fine on a few occasions when sector-by-sector is used so still usable for this purpose when I have had the need, although I usually go straight to the hard drive duplicator for these types of clones since I have one readily available.
I'll have to test more of the cloning at some point for my own experience though.

Bobbo, Steve,
I escalated the cloning issue with Acronis who confirm that neither Acronis ATIH 2016 nor the Acronis Bootable Media are able to clone a Bitlocker encrypted disk. They have said they will make this clear on the website.
I have also escalated the other issue (backup) and will let you know anything interesting that comes out of that.

Thanks, I discovered this process myself, the hard way by testing various methods on a sacrificial Win 10 machine and ATI 2017.
Using this method though, for sensitive data, there's one more option you need to add at the backup time: that is to turn on Encryption in the Backup Protection in the Advanced tab of the backup options panel. You really don't want to create/keep an unencrypted backup of an encrypted system which may contain sensitive information...
I love the turn of phrase about "issues after restoring" re the sector by sector method. But yeah, that's one way to think of a dead system (yeah I tried that too)! lol! So, please do the backup with the sector-by-sector checkbox deselected.
Cheers,
Paul
(tested with Windows 10 Pro 64 bit on a Lenovo Twist 3347CTO that has UEFI and TPM, Core i7, 8GB Ram, 250 GB SSD, and a 350 GB USB3 HDD for backup)

paulrob excellent point. Anyone using bitlocker or encryption should be encrypting their backups in Acronis as well. Otherwise, kind of defeats the purpose of encrypting your system if the backups are easily accessible and unprotected.
FYI, We've developed an MVP WinPE media creation tool that enhances the media build. By using WinPE, we can inject our own custom drivers and if you're using Windows 10 ADK with the included IRST driver we provide, that should work on about 99% of all machines out there.
And... we've added the bitlocker packages, so you can boot your winPE, use command prompt to unlock (not decrypt, but unlock the drive) and then take your backup image "offline".
Link to the WinPE creator tool is listed below (you'll need to ensure you have Windows ADK installed - would recommend installing Win 10 ADK 1511 on any system running Win 7 or higher for the best driver support - it's also linked below).
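
A pre-flight check for the situations reported in this thread, as an added example that is not part of any post above and is not Acronis code. The function name `Get-BitLockerBackupAdvice` and the sample volumes are hypothetical; the advice strings only restate what posters reported, and the objects are assumed to have the `MountPoint`, `VolumeStatus` and `LockStatus` properties that `Get-BitLockerVolume` returns.

```powershell
# Added example: classify volumes by BitLocker state before choosing
# between clone, backup from within Windows, or unlocking first.
function Get-BitLockerBackupAdvice {
    param([Parameter(Mandatory)][object[]]$Volumes)

    # Thread report: the clone wizard refuses when ANY attached volume
    # is BitLocker-encrypted, even one that is not part of the clone.
    $encrypted = @($Volumes | Where-Object { "$($_.VolumeStatus)" -ne 'FullyDecrypted' })

    foreach ($v in $Volumes) {
        $status = "$($v.VolumeStatus)"
        $lock   = "$($v.LockStatus)"
        $advice =
            if ($status -eq 'FullyDecrypted') {
                if ($encrypted.Count -gt 0) {
                    'Not encrypted, but clone may be refused while BitLocker volumes are attached'
                } else {
                    'Not encrypted: back up or clone as usual'
                }
            }
            elseif ($lock -eq 'Locked') {
                'Locked: unlock first, a locked volume cannot be backed up'
            }
            else {
                'Unlocked: back up from within Windows; the image is NOT BitLocker-encrypted, so set a backup password'
            }
        [pscustomobject]@{
            MountPoint   = $v.MountPoint
            VolumeStatus = $status
            LockStatus   = $lock
            Advice       = $advice
        }
    }
}

# Constructed sample shaped like Get-BitLockerVolume output (not from a real machine):
# an unencrypted boot drive plus two encrypted data disks, one of them still locked.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeStatus = 'FullyDecrypted'; LockStatus = 'Unlocked' }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeStatus = 'FullyEncrypted'; LockStatus = 'Unlocked' }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeStatus = 'FullyEncrypted'; LockStatus = 'Locked' }
)
Get-BitLockerBackupAdvice -Volumes $sample | Format-List
```

On a live system, pass `Get-BitLockerVolume` output from an elevated prompt instead of `$sample`.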