Protecting systems with encryption - x360Recover

Written By Tami Sutcliffe (Super Administrator)

Updated at July 22nd, 2024

Overview

Many protected systems have some type of encryption enabled to enhance the security of their data. This article will discuss how x360Recover interacts with various encryption cases.

Windows Bitlocker and other full disk encryption services

NOTE: x360Recover fully supports backup and recovery of Windows systems using Bitlocker and other full disk encryption services so long as the volumes are unlocked during the backup process. We recommend that you enable automatic unlocking of Bitlocker encrypted volumes to ensure they are available for backup.

Bitlocker (and other full disk encryption platforms) performs encryption at a very low level, beneath the operating system disk storage layer. Such disks appear to be unformatted drives with random data until they are ‘unlocked’ by the encryption service.

Microsoft Windows volumes are first unlocked (decrypted) by Bitlocker before being presented to the operating system and mounted by the filesystem drivers (like NTFS). Microsoft’s backup infrastructure and the Volume Shadow Copy Service (VSS) interact with the volume above the encryption layer.

What this means for the backup agent is that Bitlocker-encrypted volumes are only mountable and accessible for backup in an unlocked (decrypted) state. Volumes protected by Bitlocker must be unlocked for backups to be performed. Otherwise, the volume will be inaccessible and skipped for backup, triggering either a backup failure or a missing volume alert.

Bitlocker key points to consider

  • Bitlocker-protected volumes are always protected in an unencrypted state on the backup server
  • Bitlocker-protected volumes must be unlocked to be available for backup
    Recommended: Enable Auto Unlock for all Bitlocker-protected volumes
  • When recovering a protected system, disks will be restored without encryption enabled
    Recommended: Re-enable Bitlocker for volumes after completing a restore
  • x360Recover cannot recover lost Bitlocker keys or passphrases
  • File and Folder recovery of Bitlocker-encrypted volumes will return unencrypted files and folders
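
The two recommendations above can be checked from PowerShell. The following is an added example, not part of x360Recover or Axcient's own tooling: the helper name Test-BitLockerBackupReadiness is hypothetical and the sample volumes are constructed, while Get-BitLockerVolume and Enable-BitLockerAutoUnlock are the standard Windows BitLocker cmdlets.

```powershell
# Added example (not Axcient code). Flags Bitlocker volumes a backup agent
# cannot read, or that may lock again after a reboot.
function Test-BitLockerBackupReadiness {   # hypothetical helper name
    param(
        # Object with the properties that Get-BitLockerVolume returns
        [Parameter(Mandatory, ValueFromPipeline)]
        $Volume
    )
    process {
        if ($Volume.LockStatus -eq 'Locked') {
            # Locked volumes look like raw random data and cannot be mounted
            $finding = 'LOCKED: volume will be skipped or fail backup'
        }
        elseif ($Volume.ProtectionStatus -eq 'Off') {
            # Expected right after a restore: disks come back unencrypted
            $finding = 'UNPROTECTED: re-enable Bitlocker if this system was restored'
        }
        elseif ($Volume.VolumeType -eq 'Data' -and -not $Volume.AutoUnlockEnabled) {
            $finding = 'NO AUTO UNLOCK: volume may be locked after the next reboot'
        }
        else {
            $finding = 'OK'
        }
        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            VolumeType = $Volume.VolumeType
            LockStatus = $Volume.LockStatus
            Finding    = $finding
        }
    }
}

# Constructed sample input so the logic can be run without Bitlocker present
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeType = 'OperatingSystem'; LockStatus = 'Unlocked'; ProtectionStatus = 'On';      AutoUnlockEnabled = $null  }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeType = 'Data';            LockStatus = 'Unlocked'; ProtectionStatus = 'On';      AutoUnlockEnabled = $true  }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeType = 'Data';            LockStatus = 'Unlocked'; ProtectionStatus = 'On';      AutoUnlockEnabled = $false }
    [pscustomobject]@{ MountPoint = 'F:'; VolumeType = 'Data';            LockStatus = 'Locked';   ProtectionStatus = 'Unknown'; AutoUnlockEnabled = $false }
    [pscustomobject]@{ MountPoint = 'G:'; VolumeType = 'Data';            LockStatus = 'Unlocked'; ProtectionStatus = 'Off';     AutoUnlockEnabled = $false }
)
$sample | Test-BitLockerBackupReadiness | Format-Table -AutoSize

# On a live system, from an elevated prompt:
#   Get-BitLockerVolume | Test-BitLockerBackupReadiness
#   Enable-BitLockerAutoUnlock -MountPoint 'E:'   # data volumes only
```

With the constructed sample, C: and D: report OK, E: is flagged for missing Auto Unlock, F: is flagged as locked, and G: is flagged as unprotected.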


Linux full disk encryption

Similar to Windows Bitlocker, Linux LUKS disk encryption is applied underneath the block storage device layer. Encrypted disks are ‘unlocked’ and mounted as unencrypted volumes during runtime. The x360Recover Agent for Linux can read and back up only the unlocked virtual block devices. Unlike Windows, there is no easy or convenient way to re-encrypt a Linux system after it has been recovered from backup.

Linux key points to consider

  • Linux LUKS-protected volumes are always protected in an unencrypted state on the backup server
  • When recovering a protected system, disks will be restored without encryption enabled
  • x360Recover cannot recover disk encryption settings on Linux systems
  • File and Folder recovery of Linux LUKS-encrypted volumes will return unencrypted files and folders




Microsoft Encrypted Filesystem (EFS)

Unlike disk-level encryption mechanisms, the Microsoft Encrypted Filesystem feature provides encryption at the file level within the mounted volume. File data is stored on disk in an encrypted format inside the underlying block device. In this case the agent backs up each encrypted file in its encrypted state, and such files will be unreadable outside of the protected system they belong to.

Microsoft Encrypted Filesystem (EFS) key points to consider

  • Each individual file is encrypted separately and stored as normal block data within the filesystem
  • The agent will back up the underlying filesystem blocks, including each encrypted file in its encrypted state
  • Encryption and decryption are handled by the Application API layer within Windows, which sits above the underlying block management and Volume Shadow Copy Service layers
  • If the EFS encryption is configured locally on the protected system (and not as part of an Active Directory domain with central encryption key management enabled), then ONLY the original protected system will be able to read and decrypt the files
  • If the EFS encryption is configured as part of an Active Directory domain with central encryption key management enabled, then EITHER the original protected system OR another protected system within the Active Directory domain with Administrator user permissions will be able to read and decrypt the files
  • Encrypted files will be downloaded in encrypted form when recovering from backup and must be saved and opened on a machine with the correct EFS keys and permissions to decrypt the files
  • x360Recover backs up EFS keys and permissions only in the form of a full system backup (i.e., you must fully restore an entire system or virtually restore the protected system to have access to files and folders encrypted by Microsoft EFS).



