Skip to main content

Acronis and Microsoft eDrive

Thread needs solution
Beginner
Posts: 1
Comments: 2

I'm thinking about encrypting my laptop. I want to use Microsoft eDive since it supports hardware encryption. I'm aware how-to install the system and I know which prerequisites are necessary.

But I'm not sure how to backup and restore such a system.

With eDrive active the OS needs to present an Authentication Key (AK) to get access to the drive.
Is Acronis able to do that?

To install a new OS the drive must be

•The drive must be in an uninitialized state.
•The drive must be in a security inactive state.
+ some other (UEFI, CSM disabled,…)

With the installation of the OS changes the drive state and takes over the key management.
Afterwards bitlocker can be activated.

Is it possible to backup and restore such a secure drive with Acronis?

Which steps are necessary to backup (i.e volume or drive backup) and restore (boot with rescue media or restore data within a running OS) such a drive.

 

0 Users found this helpful
Forum Hero
Posts: 70
Comments: 8346

I'm not familiar with eDrive, but we use McAfee Endpoint Encryption at work and we have no issues creating and restoring images with Acronis.  Once you've booted into Windows, I believe the disk is no longer encrypted (same with bitlocker too, unless you just bitlocker a folder or folders - in which case, once you have unlocked the drive it can be backed up). You can take an image or backup, just as easily as using Windows image backup.  

Where you might find issues, is restoring an image to a locked drive.  If you can't decrypt the drive first (lost key, corruption, etc), you would have to wipe the drive, restore the image and then encrypt the data again since the restored image would not be encrypted (as it was taken in an unencrypted state).

Forum Hero
Posts: 59
Comments: 9378

I suspect that edrive would not be supported in Acronis True Image.  Because of the hardware enabled requirements of such devices as True Image stands right now I think support is not present.

You should check with Acronis Support to confirm this.

Forum Hero
Posts: 70
Comments: 8346

Yes, to be sure, I'd check with Acronis and/or give it a test before really putting the disk into realworld use.  

The Microsoft EDrive is just using bitlocker encryption controlled by hardware to make it more efficient. Once the drive is unlocked, data can be imaged just fine.  In order to image or restore though, the drive must be unlocked - that's all.  That is why they say disk duplicators (physical cloning devices) won't work - since the disk will be encrypted during the entire process when trying that route.  

It should work as long as the backup is taken while the drive is unlocked (booted into Windows already).  Bitlocker is not active on the disk while Windows is in use.  We take images of encrypted drives with Windows Backup and/or Acronis all the time of Bitlockered systems and McAfee EDEP systems and can easily restore them, but the backup image has to be done while the system is booted into Windows.  

Likewise, when you push the image back, the drive must not be encrypted (yet) and this disk appears to the ability to disable bitlocker so it should be doable.  

https://technet.microsoft.com/en-us/library/hh831627.aspx

Configuring Encrypted Hard Drives as Startup drives

Configuration of Encrypted Hard Drives as startup drives is done using the same methods as standard hard drives. These methods include:

  • Deploy from media: This deployment method involves installing Windows 8 or Windows Server 2012. from DVD media. Configuration of Encrypted Hard Drives happens automatically through the installation process.

  • Deploy from network: This deployment method involves booting a Windows PE environment and using imaging tools to apply a Windows image from a network share. Using this method, the Enhanced Storage optional component needs to be included in the Windows PE image. You can enable this component using Server Manager, Windows PowerShell or the DISM command line tool. If this component is not present, configuration of Encrypted Hard Drives will not work.

  • Deploy from server: This deployment method involves PXE booting a client with Encrypted Hard Drives present. Configuration of Encrypted Hard Drives happens automatically in this environment when the Enhanced Storage component is added to the PXE boot image. During deployment, the TCGSecurityActivationDisabled setting in unattend.xml controls the encryption behavior of Encrypted Hard Drives. For further information, see the Windows Assessment and Deployment Kit (ADK)and related release notes.

  • Disk Duplication: This deployment method involves use of a previously configured Windows 8 or Windows Server 2012. image and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using Windows 8 or Windows Server 2012.setup tools for this configuration to work. Images made using disk duplicators will not work.

More info about disabling bitlocker and/or turning it off too:

http://windows.microsoft.com/en-us/windows-vista/what-is-the-difference… 

Forum Hero
Posts: 70
Comments: 8346

There may be a caveat - apparently, if you restore an image and plan to turn e-drive back on again, you may have to wipe your drive and start from scratch according to this article.  It says there is no way of getting around reinstalling an OS when you enable the self encrypting hardare - I'm assuming this is accurate, but I have no experience with them.  I would think that the image would contain all of the necessary data and just encrypt itself again (that's how software encryption has typically worked when we recover images though). 

http://www.ckode.dk/desktop-machines/how-to-enable-windows-edrive-encry…

So yes, you should be able to take an image and yes you should be able to restore/recover it if you need to, but if you then plan to enable e-drive encryption again, you may be out of luck.  I'd be curious to know how it all goes though - if you can test and report back, that would be great.

Forum Hero
Posts: 70
Comments: 8346

You may want to consider not enabling e-drive functionality - according to Samsung... at least for their models, it's not reversible and if you ever plan to use this drive in another system - warranty replacement may be your only option...

http://forums.anandtech.com/showthread.php?t=2366848

Forum Hero
Posts: 59
Comments: 9378

I think it would be possible to backup your disk however recovery would be another issue altogether.  Because recovery of an OS system disk requires a computer to booted into an environment other than Windows it would be necessary to somehow get around the device SD to accomplish a recovery task.  I do not believe this possible at the current time but again check with the Support team.

Beginner
Posts: 1
Comments: 2

Thank you for your response.

eDive is an interesting solution but the restore of such a system is challenging.  

I decided to go for with the software based bitlocker encryption.  The CPU I have is able to provide AES-NI instructions, so I think this is the best choice in my situation.

Regular Poster
Posts: 0
Comments: 184

Hello, everyone.

As far as I know, True Image compatibility with eDrive SSDs has never been tested. In Windows it should make no difference whether the drive has hardware-based encryption or not. When dealing with bootable media, though, I'm not so certain. In theory the drive should be unlocked in the UEFI environment even before the machine boots into the True Image Bootable Media. However, I cannot confirm this with absolute certainty.