BitLocker Encryption guide (2024)

When you back up data to a removable drive, the data can be accessed by any computer the drive is connected to. This is of concern for drives that are stolen, lost or kept in offsite locations. BitLocker protects a removable drive from unauthorized access by encrypting the drive and locking it. The data on the drive can only be accessed when the drive is unlocked.

BitLocker is a Microsoft encryption solution that is supported by BackupAssist v8.3 and later for System Protection, File Protection and File Archiving backups to removable drive destinations.

BackupAssist's BitLocker implementation

This section explains how BackupAssist implements BitLocker, and how encryption keys and passwords work. It also explains what operating systems, backup types and backup destinations are supported by BackupAssist's implementation of BitLocker.


BackupAssist requires an unlocked drive to back up, restore and recover data. An unlocked drive will lock itself again if the drive is removed or if the server it is connected to is restarted. A drive can only be unlocked for a restore or recovery by manually entering the password that was provided when the drive was encrypted.

Note: Even though the key will unlock the drive for the backup, the password is still needed to perform a recovery. You cannot perform a recovery without the password.

Encryption key

When a drive is encrypted, BitLocker creates an encryption key for that specific drive. The key is saved to a USB flash drive, and used by BackupAssist to unlock that drive each time the backup job runs.

Because of server restarts and media rotations, it should be assumed that an encrypted drive is always locked when a backup job runs. For this reason, the USB flash drive containing the encryption keys should always be connected to the server when a backup job backs up to an encrypted destination.

The USB flash drive will contain an encryption key for each drive that is encrypted, and should be used to store the encryption keys for all backup jobs on that server. Each server backing up to encrypted drives should have its own USB flash drive.

Note: The USB flash drive containing the encryption key should never be stored with the encrypted drive.

Password

When you create a backup job with BitLocker selected, you will be asked to provide a password. This password can be used to manually unlock the drives that were encrypted by the backup job. The BitLocker password must conform to requirements specified by the group policy, which may include minimum and maximum length requirements.

When you enter a password to unlock a drive, it must be the password that the backup job used to encrypt the drive. BackupAssist cannot retrieve the password if it is lost or forgotten. If you change the password after having used it to prepare external drives, the new password will only apply to drives that are prepared after the password was changed. It is suggested that all drives are prepared again so that the new password is applied to all drives used by the backup job.

Supported operating systems

Windows Server versions:

  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012

Windows Desktop versions (BackupAssist 9.5.5 and later):

  • Windows 10 Education, Pro, or Enterprise edition
  • Windows 8.1 Professional or Enterprise edition

Backup types supported

                        System Protection   File Protection   File Archiving
BitLocker encryption    Yes                 Yes               Yes
Alternative encryption  None                None              Zip File Encryption

Backup destinations supported

                      Data container   External disk   RDX drive
BitLocker encryption  No               Yes             Yes

How to install BitLocker

BitLocker is included as an installable feature in Windows Server 2008 and later server operating systems. By default, BitLocker is not installed but it can be added from the Windows Server features list. Adding BitLocker will make it available as an option for BackupAssist backups. For Windows Desktop operating systems, BitLocker is included as an option in the Control Panel.

To install BitLocker on Windows Server 2012 and later versions

  1. Open Server Manager.
  2. Select Add Roles and Features from the Manage menu.
  3. Progress to the Features list under Select features.
  4. Tick BitLocker Drive Encryption. Other roles and features required for Windows to use BitLocker will be automatically selected.
  5. Select Add features.
  6. Select Next.
  7. Select Install.
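
The same installation can be scripted. The following PowerShell is an added example, not part of the original guide or of BackupAssist's tooling; it uses the ServerManager cmdlets Get-WindowsFeature and Install-WindowsFeature, and the function name Install-BitLockerFeature is hypothetical.

```powershell
# Added example: idempotent BitLocker feature install for Windows Server 2012 and later.
# Run from an elevated PowerShell session on the server.
Import-Module ServerManager

function Install-BitLockerFeature {
    $feature = Get-WindowsFeature -Name BitLocker
    if ($null -eq $feature) {
        throw 'The BitLocker feature was not found in the Windows Server features list.'
    }
    if ($feature.Installed) {
        # Nothing to do: the feature is already present.
        return [pscustomobject]@{ Changed = $false; RestartNeeded = 'No' }
    }

    # -IncludeAllSubFeature and -IncludeManagementTools add the dependent features
    # that the Add Roles and Features wizard selects automatically.
    $result = Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools
    if (-not $result.Success) {
        throw "BitLocker install failed with exit code $($result.ExitCode)."
    }
    [pscustomobject]@{ Changed = $true; RestartNeeded = "$($result.RestartNeeded)" }
}

$state = Install-BitLockerFeature
if ($state.RestartNeeded -ne 'No') {
    # Windows reports whether a restart is needed before BitLocker can be used.
    Write-Warning 'Restart the server before creating a BitLocker backup job.'
}
$state
```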

To install BitLocker on Windows Server 2008 / Server 2008 R2

Note: BackupAssist support for the Windows Server 2008 and Windows Server 2008 R2 families, and Windows 7 and Windows 8, ended on May 1, 2020. To learn more, see Supported platforms

  1. Open Server Manager.
  2. Select the Add features option from the Features Summary Help menu.
  3. Tick BitLocker Drive Encryption.
  4. Select Install.

To install BitLocker on Windows Desktop

BitLocker is enabled per drive using an option in the Control Panel.

  • For Windows 7, select Control Panel > BitLocker Drive Encryption.
  • For Windows Desktop 8, 8.1 and 10, select Control Panel > System and Security > BitLocker Drive Encryption.

Note: After installing BitLocker, Windows may require a restart before BitLocker can be used. If a reboot is required, it will be indicated at the end of the install operation.

How to create a BitLocker backup job

This section explains how to create a backup job that uses BitLocker encryption. A backup job implements BitLocker in 3 of the backup job creation steps: Destination media, where BitLocker is selected; Set up destination, where BitLocker is configured; and Prepare media, where the removable drive is encrypted.

The Pre-requisites

  • You must be using Windows Server for the BitLocker feature to appear.
  • BitLocker must be installed, as explained in the previous section.
  • Your backup destination must be an External drive or RDX drive.
  • File Archiving also supports Flash drive destinations.
  • A USB flash drive is required to store the encryption key.

The steps

Follow these steps to use BitLocker encryption when you create a backup job:

  1. Destination Media
     This step is where you select Enable BitLocker encryption.

     The Enable BitLocker encryption option will:

     • Appear if you are running BackupAssist on a Windows Server.
     • Be selectable when you select a supported removable drive as a backup destination.
     • Be greyed-out if BitLocker is not installed.

  2. Set up destination
     This step is used to select the destination media and BitLocker encryption.

     The following two fields are used to provide BitLocker configuration information.

     • BitLocker encryption key location: this is used to identify the USB flash drive that the BitLocker encryption key is saved to. You can use the Detect option to identify the drive, or use the drop down list to select the Drive letter that has been allocated to the USB flash drive.
     • Password for encrypted backup drive: this field is where you enter the password that can be used to manually unlock any drive that was encrypted by this backup job.
     • Selecting Safely eject the hard drive after the backup has been completed is a good way to lock the drive after the backup has been completed.

  3. Prepare media
     This step is used to prepare each of the drives that the backup job will use. By default, it will display drives based on the backup schedule.

     When you select the Prepare button next to each drive, that drive will be labeled by BackupAssist and selected for BitLocker encryption.

     • The encryption process will not start until the backup job has been created.
     • It is recommended that you prepare all of your drives so that they can be encrypted.
     • If the required drive is not encrypted when the backup job runs, the backup job will fail.

  4. Next Steps
     This is the final screen in the backup job creation process, and comes after you have named the backup job. If you have selected BitLocker Encryption, there will be a tick box for Launch BitLocker encryption tool.

     When you select Finish, the backup job will be created and the BitLocker encryption tool will automatically start and begin encrypting the drives that you Prepared in the Prepare media step.

     • When you select Finish, the backup job will be created and the BitLocker encryption tool will open.
     • When you select the start icon next to a drive that you prepared, the encryption process will begin.
     • If you deselect this box, the drives will not be encrypted.
     • If the backup job runs and its drive has not been encrypted, the backup job will fail.

    During the encryption process, the drive’s encryption key is saved to the USB flash drive and the password is assigned to the drive. The key will be saved as a hidden system file.

    If you want to prepare more drives after the encryption process has finished, you can do so as follows:

    1. Select the Jobs tab's Manage menu.
    2. Select the backup job and select Edit from the lower menu.
    3. Select Prepare media from the job menu.
    4. Select Prepare for each drive that you want to encrypt.
    5. Select the BitLocker encryption tool using the link inside the window.

    The BitLocker Encryption tool will open and begin the encryption process.

    The BitLocker encryption tool

    If you create a backup job with Enable BitLocker encryption selected, there will be a step at the end of the job creation called Next steps which will open the BitLocker encryption tool when you select Finish. The tool is used to encrypt the drives that the backup job will use. This should be done before the backup job runs, because if an unencrypted drive is used for a BitLocker backup job, the job will fail.


    If you finish creating the backup job without encrypting the drives, you can open the BitLocker encryption tool by going to the Job tab's Manage menu, opening the backup job and selecting Prepare media from the top menu. This will open the Prepare media dialog, which contains a link to the BitLocker encryption tool.

    The BitLocker encryption tool can run in the background after BackupAssist has been closed. The encryption process will tell you how much has been encrypted and how long the process will take. You can encrypt more than one drive at a time, reducing the total time required to encrypt your set of prepared drives.

    The encryption tool has 4 action buttons, which will become available when the drive is attached:

    • Refresh and display any new drives that have been attached
    • Start an encryption process that has been paused
    • Pause the encryption process.
    • Eject the removable drive. You cannot eject a drive that is being encrypted.

    Note: If you do not resume a paused encryption, the drive will be partially encrypted. A partially encrypted drive can still be accessed in Windows but it cannot be used as a backup destination for a BitLocker job. To decrypt the encrypted part of the drive, open BitLocker from the Windows Control Panel, select the drive and click Turn off BitLocker.

    Note: If you have previously encrypted a drive using the Windows BitLocker UI, you must unlock the drive before preparing (encrypting) the drive using BackupAssist.

    How to restore from an encrypted drive

    When you perform a restore from an encrypted drive, you can give the restore job access to the data by providing the password when prompted during the restore process, or by inserting the encryption key before the restore process begins.

    Using the password

    If the encryption key is not detected, you will be prompted for the password when the restore job tries to access the backup. Entering the password will allow you to access the data as long as the password is the one that was assigned when the drive was encrypted. For example, if you are using the Integrated Restore Console, you will be prompted to enter the password when you select Restore at the very last step.

    Using the encryption key

    To unlock an encrypted drive using the key, connect the USB flash drive to the server running BackupAssist. BackupAssist will use the key to unlock the drive that you are restoring from. You will not be prompted to do anything other than the normal restore steps.

    How to recover from an encrypted drive

    When you perform a recovery, you MUST use the password to access an encrypted drive. The RecoverAssist media will boot the system and ask for the location of the image backup that you want to recover from. When you select the encrypted drive, you will be prompted to enter the password. BackupAssist cannot retrieve the password if it is lost or forgotten.

    Drive encryption duration

    BitLocker encrypts the drive that the backup resides on at the sector level. This means you only need to encrypt the drive once, but because all the encryption takes place up front, it can take a long time. Microsoft estimates that BitLocker encryption can take 1 minute per 500 MB, so you should plan when to perform the encryption based on the information below.

    How long the encryption process takes depends on:

    • The size of the drive
    • The performance of the drive and the server
    • The operating system you are using
    • How much data is on the drive (for Windows 2012 and later)

    If you are using Windows 8 or Windows Server 2012 and later, BitLocker will only encrypt the used space. It does not encrypt unused disk space or disk space containing deleted files. This makes the process very fast when there is not much data on the drive.

    Encryption time examples

    The table below provides examples of how long the encryption process could take in different scenarios, using sensible estimates.

    Windows Server 2012 and later

    Disk Size                     Duration
    New disk                      1 - 5 minutes
    1 TB Drive with 300 GB used   10 hours
    2 TB Drive with 1.5 TB used   50 hours

    Windows Server 2008

    Disk Size      Duration
    500 GB Drive   17 hours
    1 TB Drive     33 hours
    2 TB Drive     67 hours

    To learn more, see the Microsoft BitLocker FAQ

    Windows BitLocker pop-up message

    When an encrypted drive is attached to a server that is logged on, Windows will display a pop-up message to tell you that the drive is available and a password is required to access it. Having a USB drive with an encryption key means you do not need to respond to this prompt for your backup job to proceed.


    This message will have no impact on your backup job. You do not need to enter the password as long as you have the USB flash drive with the encryption key attached.

    Because this is a Windows security pop-up, and because it needs to be allowed to appear for encrypted drives that are not managed by BackupAssist, it’s important to understand how the message applies to BackupAssist.

    • If you see this message, you can select Cancel and ignore it. Your backup job will not be affected because the encryption key will be used to unlock the drive.
    • If you enter the password into the pop-up and tick Automatically unlock on this computer from now on, the pop-up will not appear again. However, this means that the drive will be automatically unlocked every time it is attached. For security reasons, we recommend that you use the encryption key on the USB flash drive to unlock the drive rather than have it auto unlock.
    • Using the encryption key means the drive is only unlocked while the backup job is running. The key unlocks the drive when the backup starts and, if you have the drive set to eject, it will be locked again when the drive ejects at the end of the backup job.
    • Using the password auto unlock means the drive will be unlocked for as long as it is attached to the server.
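
The conditions this guide depends on (a fully encrypted drive, a password for recovery, the key present on the USB flash drive, and no auto-unlock) can be checked before a backup job runs. The PowerShell below is an added example, not BackupAssist code; the function name and drive letters are hypothetical, and it assumes the key BackupAssist saves to the USB flash drive is a standard BitLocker ExternalKey protector stored as a .BEK file.

```powershell
# Added example, not BackupAssist code. Run elevated on the backup server.
# Assumptions: drive letters are placeholders, and the key saved to the USB flash
# drive is a standard BitLocker ExternalKey protector (<protector GUID>.BEK).
function Test-BitLockerBackupDrive {
    param(
        [Parameter(Mandatory = $true)][string]$BackupDrive,  # e.g. 'E:'
        [Parameter(Mandatory = $true)][string]$KeyDrive      # e.g. 'F:'
    )
    $vol = Get-BitLockerVolume -MountPoint $BackupDrive -ErrorAction Stop
    $problems = New-Object 'System.Collections.Generic.List[string]'

    # Encryption progress and auto-unlock are only evaluated on an unlocked volume.
    if ("$($vol.LockStatus)" -eq 'Unlocked') {
        if ("$($vol.VolumeStatus)" -ne 'FullyEncrypted') {
            # A paused or partial encryption cannot be used for a BitLocker job.
            $problems.Add("Not fully encrypted: $($vol.VolumeStatus), $($vol.EncryptionPercentage)%")
        }
        if ($vol.AutoUnlockEnabled) {
            $problems.Add('Auto-unlock is enabled: the drive unlocks whenever it is attached')
        }
    }

    # The password is the only way to unlock the drive for a recovery.
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    if ($types -notcontains 'Password') {
        $problems.Add('No password protector on the drive')
    }

    # The backup job unlocks the drive with the key file on the USB flash drive.
    $external = @($vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'ExternalKey' })
    if ($external.Count -eq 0) {
        $problems.Add('No external key protector on the drive')
    } else {
        $found = $false
        foreach ($kp in $external) {
            $name = if ($kp.KeyFileName) { $kp.KeyFileName }
                    else { $kp.KeyProtectorId.Trim('{}') + '.BEK' }
            # File.Exists also sees hidden system files, which is how the key is stored.
            if ([System.IO.File]::Exists([System.IO.Path]::Combine("$KeyDrive\", $name))) {
                $found = $true
            }
        }
        if (-not $found) {
            $problems.Add("No matching .BEK key file found on $KeyDrive")
        }
    }

    [pscustomobject]@{
        Drive      = $BackupDrive
        LockStatus = "$($vol.LockStatus)"
        Ready      = ($problems.Count -eq 0)
        Problems   = $problems.ToArray()
    }
}

Test-BitLockerBackupDrive -BackupDrive 'E:' -KeyDrive 'F:' | Format-List
```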


    FAQs

    Is BitLocker enough for encryption?

    BitLocker lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data needs to be encrypted. For more information, see Used Disk Space Only encryption.

    How many times can you fail BitLocker?

    This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.

    Is there a downside for using BitLocker?

    Cons of BitLocker

    Asking a nontechnical user to know things about encryption keys and proper storage or backup of these keys is a bit much. Not having the key can lock legitimate users out of their own data and using BitLocker can significantly impact performance (up to 45%) in some cases.

    Why does my computer keep doing BitLocker recovery?

    If the computer shows the BitLocker recovery screen after power on, it means that the HDD/SSD has been encrypted (the HDD/SSD is locked). Replacing PC hardware components or changing BIOS settings may cause the system to show the BitLocker recovery screen after power on.

    What triggers BitLocker recovery?

    Per Microsoft, some of the causes of BitLocker recovery include: An attacker has modified your computer. This is applicable for a computer with a Trusted Platform Module (TPM) because the TPM checks the integrity of boot components during startup. Moving the BitLocker-protected drive into a new computer.

    Is BitLocker obsolete?

    For your data protection needs, Microsoft recommends that you use Microsoft Purview Information Protection and Microsoft Purview Data Loss Prevention. Note: BitLocker to Go as a feature is still supported.

    What are the weaknesses of BitLocker?

    The recovery process can be cumbersome when users forget their BitLocker password or encounter a hardware failure. Recovering encrypted data often involves using a recovery key, which, if not stored securely, could lead to unauthorized access.

    Is BitLocker 100% safe?

    Not 100% Secure: While BitLocker provides strong protection against most cyber threats, there are some cases where it can be bypassed by malicious actors with sophisticated techniques. As such, organizations must also consider other layers of protection when utilizing this software.

    How do I unlock BitLocker forever?

    1. Type and search [Manage BitLocker] in the Windows search bar, then click [Open].
    2. Click [Turn off BitLocker] on the drive that you want to decrypt. ...
    3. Confirm whether you want to decrypt your drive, then select [Turn off BitLocker] to start turning off BitLocker, and your drive will not be protected anymore.
    Oct 24, 2023

    How do I surpass BitLocker recovery?

    Skip the first Bitlocker recovery key prompt by pressing Esc 4. Skip the second Bitlocker recovery key prompt by selecting Skip This Drive in the bottom right 5. Navigate to Troubleshoot > Advanced Options > Command Prompt 6. Type bcdedit /set {default} safeboot minimal, then press Enter 7.

    Does resetting a PC remove BitLocker?

    Resetting computer will remove the BitLocker drive, and the drive will be lost forever. The recovery key won't change, but it is meaningless to keep the recovery key since the BitLocker drive is no longer recoverable.

    Does BitLocker encrypt the entire drive?

    It encrypts your entire drive, providing a high level of security using the TPM module. You can set up BitLocker to automatically save keys to Active Directory. There are no additional licensing costs, as a native Windows function. Negligible impact on read performance, and no impact on write performance.

    Can a virus trigger BitLocker?

    If the PC does not have a 'data partition' other than the operating system partition, the malware is able to create (and encrypt with BitLocker) a file containing a virtual partition (VHD) and move all the user's documents into this 'virtual partition' (this is referred to as 'VHD Locker Ransomware').

    Does BitLocker slow down SSD?

    Does BitLocker slow down SSD? The answer is YES, and the speed of SSD can be reduced by up to 45% with software-based encryption activated.

    How do I get my computer out of BitLocker mode?

    Follow the steps given below to remove BitLocker encryption in GUI mode:
    1. Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.
    2. Look for the drive on which you want BitLocker Drive Encryption turned off, and click Turn Off BitLocker.

    How do I fix BitLocker suspended?

    Causes: BitLocker suspension can occur if the hard drive is removed from the computer or if changes are made to the operating system or hardware. Solutions: To resolve BitLocker suspension, reconnect the hard drive to the computer, and then unlock the drive using the BitLocker recovery key.

    How to unlock BitLocker?

    To unlock their drives, users must open “This PC” (or “My Computer”, depending on the version of Windows), right-click on the encrypted drive icons with the locked yellow padlock icon, click "Unlock Drive" and provide the Password.

    Article information

    Author: Laurine Ryan
