Macrium Reflect can be used to image, restore and clone volumes encrypted with Microsoft BitLocker encryption. Unlocked BitLocker encrypted volumes are presented to the OS in the ‘clear’, that is, they appear like any other file system. When creating a disk image that includes an unlocked BitLocker volume, the image will contain the file system in an unencrypted state. This has the advantage that intelligent incremental images are possible and also reduces the image size considerably. Unused clusters aren’t backed up and the unencrypted data will more readily compress.
When restoring a volume protected by BitLocker, there are three possible outcomes:
Icon | Description |
---|---|
[icon] | 1. BitLocker Live restore/clone. BitLocker state is preserved for the restored/cloned partition and the volume is unlocked. |
[icon] | 2. BitLocker Encrypted restore/clone. |
No Icon | 3. BitLocker Removal restore/clone. The file system is restored/cloned in the clear and BitLocker must be manually re-enabled on the restored/cloned volume to maintain encryption protection. |
BitLocker Live Restore/Clone
Outcome: A Rapid Delta Restore/Clone of the source file system on top of the existing unlocked BitLocker volume.
A live restore/clone will happen if the target file system is BitLocker unlocked, is the same volume as the source volume and is the same size. In this case the BitLocker encryption state of the file system is preserved after restoring/cloning. When restoring a system partition the system will boot normally using the TPM protector key or password to decrypt the system volume.
The Restore/Clone Wizard will show the 'Unlocked Padlock' icon for both the source and target partition indicating a Live Restore/Clone.
In the example below, an image of unlocked drive C is being restored to the original unlocked drive.
During a 'Live Restore', the Partition Type will be shown as 'BitLocker Unlocked' along with 'Live Restore' in the restore dialog.
After restoring/cloning, Windows Explorer will show the drive with the open padlock icon.
To restore to an unlocked BitLocker system drive your Windows PE rescue media must contain BitLocker components, and for auto restore, must be set to 'Auto unlock BitLocker drives'. For more information see: Adding BitLocker support to Windows PE
It's also possible to manually unlock drives using 'manage-bde' commands from within Windows PE. For more information see: Microsoft Technet - manage-bde
BitLocker Encrypted Restore/Clone
Outcome: The restored or cloned file system will be in a BitLocker encrypted state and can be unlocked after restoring or cloning.
Image Size
An image or clone of a locked BitLocker encrypted volume can be restored or cloned to *any available position on the target disk.
*The following exceptions apply to the restored location:
- The source encrypted volume cannot be restored or cloned to a 'legacy' logical drive in an Extended partition unless the source was also a logical drive.
- The source encrypted volume cannot be restored or cloned to a Windows Dynamic volume. Dynamic volumes do not support BitLocker encryption.
In the example below an image of a BitLocker locked partition (E:) is being restored to a different location on disk.
This partition could be restored to *any position and would still retain its BitLocker locked state after restoring.
The text 'Encrypted Restore' will be shown in the restore/clone dialog.
After restoring/cloning, the drive can be unlocked by right-clicking it in Windows Explorer.
BitLocker Removal Restore/Clone
Outcome: The entire file system is restored in the clear and BitLocker must be manually re-enabled on the restored/cloned file system.
The BitLocker encryption used on the source file system will be removed if the target file system did not originate from the same format command, is a different size, or is not BitLocker unlocked.
In the example below a BitLocker Unlocked system disk is being restored to an empty disk:
The restore/clone outcome is shown with no BitLocker icon on the restored partition when 'Copy selected partitions' is clicked.
The restore/clone dialog will display a warning message to indicate a BitLocker Removal restore when the 'Next' button is clicked:
The text 'Removal Restore' will be shown in the restore dialog.
After restoring, BitLocker must be re-enabled.
Follow the wizard prompts to re-encrypt the drive.
Re-create your Windows PE rescue media
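To confirm which of the three outcomes a restore or clone actually produced, the BitLocker state of each volume can be checked from PowerShell in the restored Windows installation. The script below is an added example, not part of the original page or of Macrium Reflect; the helper name Get-RestoreOutcome and the sample volume objects are constructed for illustration, and it assumes the BitLocker PowerShell module (Get-BitLockerVolume) is available on the restored system.

```powershell
# Added example: report the BitLocker state of volumes after a restore/clone.
# Get-RestoreOutcome is a hypothetical helper name, not a Macrium or Windows command.
function Get-RestoreOutcome {
    param([Parameter(Mandatory, ValueFromPipeline)] $Volume)
    process {
        # A locked volume reports no conversion status, so test the lock first.
        $state = if ($Volume.LockStatus -eq 'Locked') {
            'Encrypted and locked: unlock before use'
        } elseif ($Volume.VolumeStatus -eq 'FullyDecrypted') {
            'In the clear: BitLocker must be re-enabled'
        } elseif ($Volume.ProtectionStatus -ne 'On') {
            'Encrypted or converting, but protection is off'
        } else {
            'Encrypted, unlocked and protected'
        }
        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            State      = $state
        }
    }
}

# Constructed sample objects using the property names Get-BitLockerVolume returns,
# one per outcome described above (live, encrypted, removal).
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On';      LockStatus = 'Unlocked' }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeStatus = $null;            ProtectionStatus = 'Unknown'; LockStatus = 'Locked' }
    [pscustomobject]@{ MountPoint = 'F:'; VolumeStatus = 'FullyDecrypted'; ProtectionStatus = 'Off';     LockStatus = 'Unlocked' }
)

# Use live data when the BitLocker module is present, otherwise the sample.
$volumes = if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume
} else {
    $sample
}

$report = $volumes | Get-RestoreOutcome
$report | Format-Table -AutoSize

# Call out any volume that was left unencrypted by a removal restore.
$report | Where-Object { $_.State -like 'In the clear*' } | ForEach-Object {
    Write-Warning "$($_.MountPoint) is unencrypted after the restore; re-enable BitLocker."
}
```

Run it from an elevated prompt, since Get-BitLockerVolume requires administrator rights.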