ATI2021 and interaction with Bitlocker

Robert, if you create a full Disks & Partitions backup from within Windows using ATI 2021 then the backup image will not be encrypted by BitLocker as this would have been 'unlocked' when ATI was accessing the disk drive(s).  There is no need to suspend BL before doing the backup as it should be automatically unlocked when you sign in to Windows.

Any attempt to recover the above backup started from within Windows will fail simply because the Linux temporary environment that is used by ATI does not have any ability to work with BL encrypted drives or even allow them to be unlocked.

If you create the 'Simple' WinPE version of the rescue media, then this will automatically include support for BL, which in turn will allow you to manually unlock the encrypted drive / partitions from the rescue environment using a command prompt window.

You will need to either enter the BL key or password in the rescue environment but if you include this on the rescue media it does provide a potential security exposure if that media is stolen etc.

The use of TPM and BitLocker should not alter the mechanism needed to unlock the drive when using the ATI rescue media.

To migrate to a larger drive you should use Backup & Recovery not using cloning. 

Turning off BitLocker in Windows does not affect TPM which is controlled in the BIOS settings.

See below for more detail on unlocking BL from the ATI rescue media.

If you create the 'Simple' version of the ATI 2021 rescue media, and do this on Windows 10 Pro which has BitLocker support, then this is included in the rescue media but there are some steps that are needed in order to access a BitLocker encrypted drive in the rescue environment.

When you boot into the rescue environment, you will see a black Command prompt window along with the main ATI 2021 application window.  You need to close the ATI 2021 window in order to have access to the command prompt in the black window.

Now, you can use the BitLocker commands to identify and unlock your encrypted drive before relaunching the ATI 2021 application again using "X:\Program Files\Acronis\TrueImageHome\trueimage_starter.exe"

See the following data captured from my own system booted from the ATI 2021 Simple rescue media with an encrypted drive connected.

X:\windows\system32>wpeinit

X:\windows\system32>"X:\Program Files\Acronis\TrueImageHome\trueimage_starter.exe"
Terminate batch job (Y/N)? n

X:\windows\system32>manage-bde -status

BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[Data Volume]

    Size:                 200.83 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Automatic Unlock:     Disabled
    Key Protectors:       None Found

Volume D: [SSD-Data]
[Data Volume]

    Size:                 263.29 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Automatic Unlock:     Disabled
    Key Protectors:       None Found

Volume L: [Label Unknown]

[Data Volume]

    Size:                 Unknown GB
    BitLocker Version:    2.0
    Conversion Status:    Unknown
    Percentage Encrypted: Unknown%
    Encryption Method:    AES 128
    Protection Status:    Unknown
    Lock Status:          Locked
    Identification Field: Unknown
    Automatic Unlock:     Disabled
    Key Protectors:
        Password
        Numerical Password

Volume H: [Data]
[Data Volume]

    Size:                 114.10 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Automatic Unlock:     Disabled
    Key Protectors:       None Found

X:\windows\system32>manage-bde -unlock L: -password
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Enter the password to unlock this volume:
The password successfully unlocked volume L:.

X:\windows\system32>dir L:
 Volume in drive L is Seagate250gb
 Volume Serial Number is 1052-D550

 Directory of L:\

07/11/2020  00:08    46,379,683,840 MyBackup(1).tibx
05/11/2020  00:51    45,030,981,632 MyBackup.tibx
               2 File(s) 91,410,665,472 bytes
               0 Dir(s)  158,538,076,160 bytes free

X:\windows\system32>"X:\Program Files\Acronis\TrueImageHome\trueimage_starter.exe"

X:\windows\system32>

The above shows the unlocking of an external USB HDD after first closing the main ATI application panel to reveal the command prompt window hidden behind it, then later relaunching ATI after doing the unlock by entering the password manually at the prompt given.

Thank you Steve for the detailed response which I will digest and then try and put into practice.

Can you please confirm whether the fact that I have BL enabled with both the use of the TPM and a PIN makes any difference to your advice.

Also, when you mention using the Password do you mean the BL Recovery Key or the BL PIN, which are different.

Robert

Robert, I would suggest taking a read through webpage: A beginner's guide to BitLocker, Windows' built-in encryption tool - to see if this will help answer some of your questions.

I don't use BitLocker other than for occasional testing purposes and don't have TPM etc.

You should use / read the help available for BitLocker as shown below:

PS D:\powershell> manage-bde -unlock /?
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

manage-bde -unlock Volume
                    {[{-RecoveryPassword| -rp} NumericalPassword] |
                    [{-RecoveryKey|-rk} PathToExternalKeyFile]}
                    [{-Certificate|-cert} {-cf PathToCertificateFile|
                                           -ct CertificateThumbprint} {-pin}]
                    [{-Password|-pw}]
                    [{-ADAccountOrGroup|-sid} [{SID|domain\user|domain\group}]
                    [{-ComputerName|-cn} ComputerName]
                    [{-?|/?}] [{-Help|-h}]

Description:
    Allows access to BitLocker-encrypted data with a recovery password,
    recovery key, certificate, or password.

Parameter List:
    Volume      A drive letter followed by a colon, a volume GUID path or
                a mounted volume. Example: "C:",
                \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or
                "C:\MountVolume"
    -RecoveryPassword or -rp
                Provide a recovery password to unlock the volume.
    -RecoveryKey or -rk
                Provide an external key file to unlock the volume.
    -Certificate or -cert
                Query the local user certificate store for a BitLocker
                certificate to unlock the volume.
    -Password or -pw
                Prompt for a password to unlock the volume.
    -ADAccountOrGroup or -sid
                Attempt to unlock the volume using a SID-based Identity
                protector.
    -ComputerName or -cn
                Runs on another computer. Examples: "ComputerX", "127.0.0.1"
    -? or /?    Displays brief help. Example: "-ParameterSet -?"
    -Help or -h Displays complete help. Example: "-ParameterSet -h"

Examples:
    manage-bde -unlock -?
    manage-bde -unlock e: -RecoveryPassword ...
    manage-bde -unlock e: -RecoveryKey "f:\File Folder\Filename"
    manage-bde -unlock e: -Certificate -cf "c:\File Folder\Filename.cer"
    manage-bde -unlock e: -pw
    manage-bde -unlock e: -sid
PS D:\powershell>

I face a lot of issue with BL and decided to decrypt my system. ATI2021 is not able to support BL imho.

Dietmar P wrote:

I face a lot of issue with BL and decided to decrypt my system. ATI2021 is not able to support BL imho.

Hello Dietmar,

Acronis True Image is compatible with BitLocker with certain limitations that depend on the current status of BitLocker protection of the disk.  Disks that are encrypted by BitLocker and are in locked state are not available for any operation by Acronis True Image, except for being overwritten when recovering an Entire PC, disk or partition backup in disk/partition mode using Acronis Bootable Media. Here we have the detailed information on the BitLocker support https://kb.acronis.com/content/56619 

62662: Acronis True Image and BitLocker FAQ might also be helpful. 

I have found that if I want to restore an ATI backup onto a Bitlocker encrypted drive then the best way to do this is to unlock Bitlocker and then decrypt it through Command Prompt after booting with the bootable media.

This seems logical but I wonder whether this is necessary or whether there is a way of getting ATI to restore to the drive without doing this.

Comments welcomed.

Hi RF,

It's only necessary to unlock the drive using the command prompt from the rescue media. You don't need to decrypt it.

Thank you Mustang.

I have tried merely unlocking the drive as described above by Steve and then restarting ATI and carrying out a restore.

Unfortunately, just as the restore process is about to start the system requires a reboot.  This results, at least in my case, in restoration process failing as I suspect the reboot locks the drive again and so ATI cannot write to it.

I assume that this does not occur when you restore your system image to a Bitlocker encrypted drive.  Please confirm.

Totally decrypting the drive is slower but not the end of the world.

I just was interested to know whether the program is designed to work when the OS drive has been unlocked but not decrypted.