Backing Up BitLocker-Encrypted Volumes

BitLocker-Encrypted Volumes

CloudBerry Backup supports BitLocker-encrypted volume backups and restores.

What is BitLocker?

BitLocker is a volume encryption tool in Windows Enterprise and Ultimate versions. BitLocker differs from most other encryption approaches since it uses your Windows login to encrypt your data. BitLocker is suited to protecting against threats of data theft or disclosure from lost, stolen, or inappropriately decommissioned PC hardware.

To learn more about BitLocker, refer to the BitLocker section at docs.microsoft.com.

Backing Up BitLocker-Encrypted Volumes

The Keep BitLocker option is managed on the Select Partitions step of the image-based backup wizard.

If you have BitLocker-encrypted volumes, the Keep BitLocker check box is selected by default. If you leave this check box selected, the BitLocker-encrypted volume will be backed up as is.

Note that if you have system partitions encrypted with BitLocker, it is highly recommended not to back them up with the BitLocker encryption kept. Instead, you can use the built-in encryption of Backup for Windows.

The reason for this recommendation is that image-based backups can be corrupted if a partition is BitLocker-encrypted. For these partitions, VSS (Volume Shadow Copy) is not available. This can cause the following issue on restore: the operating system may not start properly and may show a BSOD with the message BAD_SYSTEM_CONFIG_INFO.

For volumes that are not BitLocker-encrypted, the option is unavailable.

Note that the backup dataset of a BitLocker-encrypted partition contains the whole partition, including free space. For example, a 2 GB partition with 50 MB of occupied space will take 2 GB on backup storage. In the drawing below, the first backup was made with the Keep BitLocker option disabled, and the second with this option enabled.

If you deselect the Keep BitLocker check box, the volume will be backed up decrypted.

The decryption does not happen automatically: MSP360 Backup only checks the volume state. You have to provide one of the decryption credentials on the Windows side.
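
The following pre-backup check is an added example, not MSP360 code: it uses the built-in Windows BitLocker cmdlets to report each volume's state and map it to the guidance above. The function name `Get-BitLockerBackupPlan` is hypothetical, the mount point and recovery password are placeholders, and treating "unlocked" as the state needed when Keep BitLocker is deselected is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example (not MSP360 code): report BitLocker state per volume before
# configuring an image-based backup. Uses only the built-in BitLocker module.

function Get-BitLockerBackupPlan {
    foreach ($vol in Get-BitLockerVolume) {
        $locked    = $vol.LockStatus -eq 'Locked'
        # A locked volume reports no conversion state, so treat it as encrypted.
        $encrypted = $locked -or ($vol.VolumeStatus -ne 'FullyDecrypted')

        $advice = if (-not $encrypted) {
            'Not BitLocker-encrypted: Keep BitLocker is unavailable.'
        } elseif ($vol.VolumeType -eq 'OperatingSystem') {
            'System volume: deselect Keep BitLocker and use the backup product''s built-in encryption.'
        } elseif ($locked) {
            'Locked: unlock in Windows first if Keep BitLocker will be deselected.'
        } else {
            'Unlocked data volume: Keep BitLocker stores the whole partition, free space included.'
        }

        [pscustomobject]@{
            MountPoint   = $vol.MountPoint
            VolumeType   = $vol.VolumeType
            VolumeStatus = $vol.VolumeStatus
            LockStatus   = $vol.LockStatus
            Protectors   = ($vol.KeyProtector.KeyProtectorType -join ', ')
            # With Keep BitLocker the dataset equals the partition size.
            KeepBitLockerSizeGB = if ($locked) { 'unknown while locked' }
                                  else { [math]::Round($vol.CapacityGB, 2) }
            Advice       = $advice
        }
    }
}

Get-BitLockerBackupPlan | Format-List

# Unlocking a locked data volume on the Windows side (placeholder values):
# Unlock-BitLocker -MountPoint 'E:' -RecoveryPassword '<48-digit recovery password>'
```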