Skip to end of metadata
Go to start of metadata

Macrium Reflect can be used to image, restore and clone volumes encrypted with Microsoft BitLocker encryption. Unlocked BitLocker encrypted volumes are presented to the OS in the ‘clear’, that is, they appear like any other file system. When creating a disk image that includes an unlocked BitLocker volume, the image will contain the file system in an unencrypted state. This has the advantage that intelligent incremental images are possible and also reduces the image size considerably. Unused clusters aren’t backed up and the unencrypted data will more readily compress.

Because BitLocker file systems are unecrypted in Macrium Images you may want to consider using the built-in AES encryption provided with Macrium Reflect for your image files..


When restoring a volume protected by BitLocker, there are three possible outcomes: 

IconDescription

1. BitLocker Live restore/clone.

BitLocker state is preserved for the restored/cloned partition and the volume is unlocked.

2. BitLocker Encrypted restore/clone
The volume is restored/cloned in a BitLocker locked state and can be unlocked using the source volume password (or TPM chip).

No Icon3. BitLocker Removal restore/clone
The file system is restored/cloned in the clear and BitLocker must be manually re-enabled on the restored/cloned volume to maintain encryption protection. 

Icon

For images created after Macrium Reflect v7.1.2722 the restore outcome is indicated in the Restore Wizard with an Icon shown on the target disk after copying partitions or using Drag and Drop



 BitLocker Live Restore/Clone

Outcome: Rapid Delta Restore/Clone of the source file system on top of the existing unlocked BitLocker volume.

A live restore/clone will happen if the target file system is BitLocker unlocked, is the same volume as the source volume and is the same size. In this case the BitLocker encryption state of the file system is preserved after restoring/cloning. When restoring a system partition the system will boot normally using the TPM protector key or password to decrypt the system volume. 

The Restore/Clone Wizard will show the 'Unlocked Padlock' icon for both the source and target partition indicating a Live Restore/Clone.

Note: If the image was created with v7.1.2722 or earlier the source partition will not show a BitLocker icon.

In the example below an image of Unlocked Drive C is being restored to the original unlocked drive

During a 'Live Restore',  the Partition Type will be shown as 'BitLocker Unlocked' along with 'Live Restore' in the restore dialog


After restoring/cloning, Windows Explorer will show the drive with the open padlock icon


To restore to an unlocked BitLocker system drive your Windows PE rescue media must contain BitLocker components, and for auto restore, must be set to 'Auto unlock BitLocker drives'. For more information see:   Adding BitLocker support to Windows PE
It's also possible to manually unlock drives using 'manage-bde' commands from within Windows PE. For more information see: Microsoft Technet - manage-bde



 BitLocker Encrypted Restore/Clone

Outcome: The restored or cloned file system will be in a BitLocker encrypted state and can be unlocked after restoring or cloning.

Image Size

An image of a locked BitLocker encrypted volume will be approximately the same size as the entire imaged file system. The file system cannot be read so unused space cannot be omitted and encrypted data does not readily compress.


An image or clone of a locked BitLocker encrypted volume can be restored or cloned to *any available position on the target disk.

*the following exceptions apply to the restored location. 

  1. The source encrypted volume cannot be restored or cloned to a 'legacy' logical drive in an Extended partition unless the source was also a logical drive.
  2. The source encrypted volume cannot be restored or cloned to a Windows Dynamic volume. Dynamic volumes do not support BitLocker encryption. 


In the example below an image of a BitLocker locked partition (E:) is being restored to a different location on disk. 

This partition could be restored to *any position and would still retain its BitLocker locked stated after restoring. 


The text 'Encrypted Restore' will be shown in the restore/clone dialog


After restoring/cloning the drive can be unlocked by right clicking in Windows Explorer



BitLocker Removal Restore/Clone

Outcome: The entire file system is restored in the clear and BitLocker must be manually re-enabled on the restored/cloned file system..

BitLocker encryption used to encrypt the source file system will be removed if the target file system did not originate from the same format command, is a different size or is not BitLocker unlocked


In the example below a BitLocker Unlocked system disk is being restored to an empty disk:

The restore/clone outcome is shown with no BitLocker icon on the restored partition when 'Copy selected partitions' is clicked.

The restore/clone dialog will display a warning message to indicate a BitLocker Removal restore when the 'Next' button is clicked:

Note: Images created using Macrium Reflect v7.1.2722 or earlier will not show this warning message or the source BitLocker icon. In this case it isn't possible for Macrium Reflect to detect that the original volume was BitLocker encrypted.

The text 'Removal Restore' will be shown in the restore dialog




After restoring. BitLocker must be re-enabled. 


Follow the wizard prompts to re-encrypt the drive.


Re-create your Windows PE rescue media

Note: After re-encrypting you will also need to re-create your rescue media to ensure that auto-unlock continues to function. Adding BitLocker support to Windows PE



  • No labels