Overview
Many protected systems have some type of encryption enabled to enhance the security of their data. This article will discuss how x360Recover interacts with various encryption cases.
Windows Bitlocker and other full disk encryption services
NOTE: x360Recover fully supports backup and recovery of Windows systems using Bitlocker and other full disk encryption services, so long as the volumes are unlocked during the backup process. We recommend that you enable automatic unlocking of Bitlocker-encrypted volumes to ensure they are available for backup.
Bitlocker (and other full disk encryption platforms) performs encryption at a very low level, beneath the operating system disk storage layer. Such disks appear to be unformatted drives containing random data until they are ‘unlocked’ by the encryption service.
Microsoft Windows volumes are first unlocked (decrypted) by Bitlocker before being presented to the operating system and mounted by the filesystem drivers (such as NTFS). Microsoft’s backup infrastructure and Volume Shadowcopy Services (VSS) interact with the volume above the encryption layer.
What this means for the backup agent is that Bitlocker-encrypted volumes are only mountable and accessible for backup in an unlocked (decrypted) state. Volumes protected by Bitlocker must be unlocked for backups to be performed. Otherwise, the volume will be inaccessible and skipped for backup, triggering either a backup failure or a missing volume alert.
Bitlocker key points to consider
- Bitlocker-protected volumes are always protected in an unencrypted state on the backup server
- Bitlocker-protected volumes must be unlocked to be available for backup
  Recommended: Enable Auto Unlock for all Bitlocker-protected volumes
- When recovering a protected system, disks will be restored without encryption enabled
  Recommended: Re-enable Bitlocker for volumes after completing a restore
- x360Recover cannot recover lost Bitlocker keys or passphrases
- File and Folder recovery of Bitlocker-encrypted volumes will return unencrypted files and folders
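The checks implied by the key points above can be scripted ahead of a backup window. The following is an added example, not Axcient code: it uses the built-in `Get-BitLockerVolume` cmdlet, the function name `Test-BackupReadiness` is hypothetical, and it assumes every volume on the system is meant to be Bitlocker-protected.

```powershell
#Requires -RunAsAdministrator
# Added example (not Axcient code): audit Bitlocker volumes before a backup window.
# Test-BackupReadiness is a hypothetical helper name; Get-BitLockerVolume is the
# built-in cmdlet from the Windows BitLocker module.

function Test-BackupReadiness {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $issues = @()

        # A locked volume cannot be mounted, so the backup agent would skip it.
        if ($vol.LockStatus -eq 'Locked') {
            $issues += 'Locked: volume will be skipped by the backup'
        }

        # Data volumes without Auto Unlock stay locked after a reboot until
        # someone unlocks them by hand.
        if ($vol.VolumeType -eq 'Data' -and
            $vol.ProtectionStatus -eq 'On' -and
            -not $vol.AutoUnlockEnabled) {
            $issues += 'Auto Unlock disabled: consider Enable-BitLockerAutoUnlock'
        }

        # Restored disks come back without encryption enabled.
        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            $issues += 'Not encrypted: re-enable Bitlocker if this system was restored'
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            LockStatus = $vol.LockStatus
            Protection = $vol.ProtectionStatus
            Issues     = $issues -join '; '
        }
    }
}

$report = Test-BackupReadiness
$report | Format-Table -AutoSize -Wrap

# When run as a script file, a non-zero exit code lets a scheduler raise an alert.
if ($report | Where-Object { $_.Issues }) { exit 1 }
```

A locked volume reports its protection status as unknown, so only the "Locked" finding appears for it until it is unlocked and the audit is run again.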
Linux full disk encryption
Similar to Windows Bitlocker, Linux LUKS disk encryption is applied underneath the block storage device layer. Encrypted disks are ‘unlocked’ and mounted as unencrypted volumes during runtime. The x360Recover Agent for Linux can read and back up only the unlocked virtual block devices. Unlike Windows, there is no easy or convenient way to re-encrypt a Linux system after it has been recovered from backup.
Linux key points to consider
• Linux LUKS-protected volumes are always protected in an unencrypted state on the backup server
• When recovering a protected system, disks will be restored without encryption enabled
• x360Recover cannot recover disk encryption settings on Linux systems
• File and Folder recovery of Linux LUKS-encrypted volumes will return unencrypted files and folders
Microsoft Encrypting File System (EFS)
Unlike disk-level encryption mechanisms, the Microsoft Encrypting File System feature provides encryption at the file level within the mounted volume. File data is stored on disk in an encrypted format inside the underlying block device. In this case the agent backs up each encrypted file in its encrypted state, and such files will be unreadable outside of the protected system they belong to.
Microsoft Encrypting File System (EFS) key points to consider
• Each individual file is encrypted separately and stored as normal block data within the filesystem
• The agent will back up the underlying filesystem blocks, including each encrypted file in its encrypted state
• Encryption and decryption are handled by the Application API layer within Windows, which sits above the underlying block management and Volume Shadowcopy Services layers
• If the EFS encryption is configured locally on the protected system (and not as part of an Active Directory domain with central encryption key management enabled) then ONLY the original protected system will be able to read and decrypt the files
• If the EFS encryption is configured as part of an Active Directory domain with central encryption key management enabled, then EITHER the original protected system OR another protected system within the Active Directory domain with Administrator user permissions will be able to read and decrypt the files
• Encrypted files will be downloaded in encrypted form when recovering from backup and must be saved and opened on a machine with the correct EFS keys and permissions to decrypt the files
• x360Recover backs up EFS keys and permissions only in the form of a full system backup (i.e. you must fully restore an entire system or virtually restore the protected system to have access to files and folders encrypted by Microsoft EFS)
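Because EFS files are backed up and restored as ciphertext, it helps to know where they live and whether a given machine holds a usable EFS key. The following is an added example, not Axcient code: `Get-EfsInventory` and `Get-EfsKeyStatus` are hypothetical helper names, and `C:\Users` is a constructed sample path.

```powershell
# Added example (not Axcient code). Get-EfsInventory and Get-EfsKeyStatus are
# hypothetical helper names; the cmdlets and properties used are built into Windows.

function Get-EfsInventory {
    param([Parameter(Mandatory)][string]$Path)

    # The Encrypted file attribute marks EFS-protected files.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
        Group-Object DirectoryName |
        ForEach-Object {
            $bytes = ($_.Group | Measure-Object -Property Length -Sum).Sum
            [pscustomobject]@{
                Directory = $_.Name
                Files     = $_.Count
                SizeMB    = [math]::Round($bytes / 1MB, 2)
            }
        } |
        Sort-Object Files -Descending
}

function Get-EfsKeyStatus {
    # Enhanced key usage OID for "Encrypting File System" certificates.
    $efsOid = '1.3.6.1.4.1.311.10.3.4'

    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsOid } |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

# Constructed sample path; point it at the data you protect or have restored.
Get-EfsInventory -Path 'C:\Users' | Format-Table -AutoSize

$keys = Get-EfsKeyStatus
if (-not ($keys | Where-Object HasPrivateKey)) {
    Write-Warning 'No EFS certificate with a private key for this user; restored EFS files will not open here.'
} else {
    $keys | Format-Table -AutoSize
}
```

A certificate being present does not prove it matches the key a file was encrypted with; `cipher /c <file>` lists the certificate thumbprints that can decrypt that specific file.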