16985: Problems with Restore of system partition on Win7 64bit with bitlocker!

Christian Herm
Beginner
Joined: 2010-12-13
Posts: 4

Hey all,

I have a question regarding Acronis True Image Home 2011 and restoring a Win7 64-bit system partition with BitLocker encryption.

I took an online backup of my system partition yesterday and saved it on an external USB hard drive (not encrypted).
Today I tried to restore the backup and I had the following problems.

First of all, Acronis prepared the image in Windows and prompted for a reboot to restore.
I rebooted my machine and, to my surprise, Windows started again without restoring the backup.

I tried it again and again and every time the same thing happened. The last time I tried it, I saw a short message like MBR3....... on the preboot screen for a split second.
I tried the following:

I made a new backup of my system partition and saved it to another external HD.

But again, Windows rebooted and started again without restoring.

Does anyone have an idea why this does not work?

Regards

Christian

Pat L
Acronis MVP Volunteer
MVP
Joined: 2010-11-30
Posts: 7849

Did you have a look at this?

http://kb.acronis.com/content/1734

I don't know how the online backups differ from the local backups, but it looks like you have to restore using the bootable media. You will get an unencrypted disk after restore. You will have to turn BitLocker back on.

__________________

Win 8.1 Pro x64 SSD + Software RAID 0 - ATI 2014 6614

Christian Herm
Beginner
Joined: 2010-12-13
Posts: 4

Hey,

Thanks for your reply.

Yes, I read this, but I only want to restore one partition, and for that the KB says this:

If you want to restore only one partition of a multi-partitioned disk, please restore it from Windows. Restoring it from the bootable media may make the restore partition undetectable for Windows.

So that's exactly what I do, but it doesn't work.

Any other ideas?

MudCrab
Acronis MVP Volunteer
MVP
Joined: 2009-08-15
Posts: 4304

The MBR error means that the loader can't find the files. This is probably happening because the drive is encrypted. When you run TI in Windows, TI sets the MBR code and points to the TI files on the drive -- everything looks fine because the data is not encrypted. When the computer reboots, the MBR code can't find the files and reverts to a normal boot.

Have you tried booting to the TI CD? It's probably the only way it will work. I'm not sure how/if this will affect any other partitions encrypted on the same drive (I haven't tested it). Hopefully, they are backed up too.

__________________

MudCrab's Website

Drive Notify ~ Schedule your backups without being required to keep your backup drive connected.

Christian Herm
Beginner
Joined: 2010-12-13
Posts: 4

Hey,

Well, this seems to be the problem. Acronis TI writes some data on the hard disk for the Acronis pre-boot application, and therefore you are right: at system boot, Acronis can't read the files because they are encrypted. So that seems to be a problem.

Yes, I tried to boot with the TI boot CD and there I'm able to restore the partition, but then http://kb.acronis.com/content/1734 says the right thing: the drive will be restored unencrypted.
The problem is that I can't see the right partition; I only see some "unsupported partitions", so it isn't easy to hit the correct partition.

Is there any way to tell the TI boot CD to load the BitLocker key? Or is there another way to restore?

Am I the first person who tries to restore the system partition on a BitLocker-encrypted system?

Regards

Christian

MudCrab
Acronis MVP Volunteer
MVP
Joined: 2009-08-15
Posts: 4304

I have been doing some general encrypted imaging tests, but nothing with BitLocker so far. It really doesn't seem to be an easy or straightforward procedure. Trying to figure out what works and what doesn't requires a lot of testing. On top of that, I suspect that the different encryption programs don't all function the same (what works for one may not for another, etc.).

In my testing with TrueCrypt, the partitions would show up correctly as partitions, but the details are unknown (no formatting, labels, etc.). You would need to select the correct partition by location and/or size. I recommend having everything important backed up just in case something goes wrong (this includes all the partitions on the drive).


Mark Wharton
Acronis MVP Volunteer
MVP
Joined: 2009-08-15
Posts: 1715

I've been doing some testing on BitLocker encrypted partitions and it isn't easy to recover them unless Windows is running. Microsoft does provide some limited ability to work with BitLocker encrypted partitions from a WinPE environment; i.e. if you boot the PC from a Windows 7 install DVD. In WinPE you cannot access a BitLocker encrypted partition using a password like you can in Windows; instead you need to enter the full 48-digit BitLocker recovery key. I doubt that many third-party software utilities are BitLocker aware.

__________________

Acronis TI 10, TI 2011, TI 2013, DD 10, DD 11 user
Amateur Radio K0LO

The Sand
Regular Poster
Joined: 2009-08-21
Posts: 133

I am getting ready for BitLocker, but wanted to see how Acronis handles it. I have posted on this before, but received no answers.

I will be using BitLocker without a TPM - I am not sure if that matters, but wanted to mention it. When you read BitLocker data - it recommends putting the HDD first in boot order, I can see why, that is a good idea in regard to security, but I am obviously not going to do it as I wouldn't be able to boot the rescue media. I am actually glad to hear Mark, using a WinPE, was unable to access a BitLocker encrypted partition without having the 48 digit recovery key (this makes me feel a little better about having the boot order be CD first. I mean why bother with all of this security if somebody can boot and read the data anyway).

I only do full disk backups and full disk restores. After reading the limited Acronis material - it appears that with BitLocker enabled, I would do a full disk backup from Windows, and a full disk restore from the rescue media.

Acronis says this will work... but has anybody actually done this and succeeded???

Also, with BitLocker, if you decide you don't like it or want it, when you decrypt and disable it - does anybody know if the partition structure goes back to what it was before you enabled BitLocker (since after enabling, it changes the partitions.) Will decrypt/disable "reset" the partitions like BitLocker was NEVER enabled???

Because I was thinking a possible way around Acronis image backups/restores with BitLocker would be to decrypt/disable BitLocker beforehand - then run a backup.... but backup is only half the story... in regard to restore, to disable BitLocker beforehand might not be possible if the system is in a bad state. Making this whole workaround stupid.

Really, I am just trying to find somebody/anybody that has been successful with BitLocker and Acronis. I don't want to be a guinea pig here...

Thanks,
Sandy

Pat L
Acronis MVP Volunteer
MVP
Joined: 2010-11-30
Posts: 7849

Sandy,

If your disk is of any consequent size, you will not find it practical to decrypt and reencrypt the disk for each backup. For a 500GB disk, it takes several hours to get through one pass.

I have encrypted/decrypted disks several times and I find it (surprisingly) reliable.

I personally don't use BitLocker on my system disk, but I use EFS encrypted files on my personal content files on another partition. I was previously using TrueCrypt, but BitLocker is much more integrated and transparent with Windows.

I never tried to back up a BitLocker encrypted drive. I use one to sync my content files to a backup disk as a redundant backup that I take to the office.


Mark Wharton
Acronis MVP Volunteer
MVP
Joined: 2009-08-15
Posts: 1715

Sandy:

Pat is correct - when you encrypt a partition, the encryption routine writes scrambled data to every sector on the partition and this can take a long time. So it isn't practical to turn encryption on and off frequently unless you are very, very patient. These are some of the reasons that made me decide against encrypting entire partitions with BitLocker.

My only current use for BitLocker is to encrypt a USB flash drive that contains personal data using BitLocker to Go. That has been working for me without issue for the past 3 months.

Sorry, but I don't know the real answers to your questions about backing up and restoring encrypted partitions with ATI - I've never tried it. My hunch is that if you create your backup in Windows then it should behave like any other normal backup. When you restore from the Acronis boot environment, I suspect that the partition would be restored as unencrypted and that you would then need to encrypt the disk again after restoration. But these are only hunches.


The Sand
Regular Poster
Joined: 2009-08-21
Posts: 133

Thanks for your feedback on this...

Acronis states that when you restore it's unencrypted - thus a re-encrypt would be necessary - making restoring not something you would want to do often, based on your input of how long encrypting can take.

When TI takes a backup from Windows it sounds like it is doing so unencrypted as well (if you have 60GB's of data on a 250GB drive, it should just back up the unencrypted 60GB's like usual) - hopefully that means the backups won't take any longer than without BitLocker. But like Mark, that is just a hunch.

I have also pondered about whether or not to do this... the question is, can quick and effective backup/disaster recovery exist alongside WDE???

Once again, thanks for your input on this!
Sandy

Christian Herm
Beginner
Joined: 2010-12-13
Posts: 4

Hi Sandy,

So I tried several times to back up and restore my whole system, which is encrypted with BitLocker!
When you do a full system restore... it works. But if you try to make a hot image, or try to back up only one partition... it will not work properly. Because there are two ways to make an image. The first is online, when Windows is running.
This works, but if you try to restore it (system partition) you will be fooled. The Acronis pre-loader doesn't know the encrypted partitions.

So, summary:

Backup of whole system with all partitions and disk, online or offline... no problem with backup and restore.
Backup of a single partition which is not the system partition: online OK, but not offline... restore online OK, but problems with restore offline.
Backup of a single partition which is the system partition: online OK, offline fail. Restore doesn't work online. System has to reboot, and offline you can't restore.

I hope I could help you.

Best regards Christian

The Sand
Regular Poster
Joined: 2009-08-21
Posts: 133

Hi Christian,

Thanks so much for taking the time to post your results with BitLocker. I have searched the Acronis forum and do run into threads regarding restore failures due to BitLocker. I want a successful outcome here - so to know what worked for somebody else is tremendously helpful!

Thanks again!! : )

Sandy

The Sand
Regular Poster
Joined: 2009-08-21
Posts: 133

Last night I had to restore a full disk backup made from the rescue media 2 months ago, before I started BitLocker. I went ahead and “suspended” BitLocker (not decrypted) then booted from the rescue media and restored. Everything went fine. I wanted to post what works in regard to BitLocker and Acronis… I searched quite a bit before I installed BitLocker to see how well it would go with Acronis and there just isn’t that much information out there. I still have yet to restore a backup made while BitLocker is enabled – that will be my next restore. I will post how that goes as well…

What was odd, as I said, I made this backup before I enabled or had anything to do with BitLocker, before I changed the settings in gpedit.msc to run BitLocker without a TPM - to use a start-up key. I expected to have to redo those settings. I did not have to. I also did not have to make new start up keys. I did have to save/print a new recovery key – that did change. So even a restore back did not wipe out certain settings… weird. After I restored, I enabled BitLocker and it re-encrypted again – that was all I had to do.

Sandy

GroverH
Forum Hero
Joined: 2009-08-15
Posts: 8390

Sandy,
I have not used BitLocker but since you did a disk restore, that means you also restored the BitLocker partition so your data partition and your BitLocker partition remained matched--or that is how I would understand.

The Sand
Regular Poster
Joined: 2009-08-21
Posts: 133

Hi Grover,

I BitLocked my C Drive which has my data and the OS on it. I had not changed the partitions since the last full disk backup (before I enabled BitLocker). Using advice from Christian above, thankfully everything went fine.

Sandy

The Sand
Regular Poster
Joined: 2009-08-21
Posts: 133

With BitLocker enabled, I made a full disk backup while in Windows, which I don't like - I prefer to use the rescue CD for full disk backups, but from the rescue CD I would imagine it would have to be sector by sector since it would see the data as encrypted - and that would take forever. Before BitLocker I ran full disk backups from the rescue CD and it would take about 1 hour 20 minutes. With BitLocker enabled, from within Windows, the full disk backup took 1 hour 30 minutes. Not bad, only 10 minutes difference.

Before I restored back the backup I made I suspended BitLocker, I don't know if that is needed or not, I just felt safer doing that. Then I restored that same full disk backup from the rescue CD and it took 20 minutes (same as before I used BitLocker)... then I had to enable BitLocker again, make start up keys again, save the recovery key again, and re-encrypt. But this machine has an i7 920XM processor, thus re-encrypting is not bad.

So things are working well with Acronis and BitLocker enabled on my OS C: drive.

I hope this helps people if they search for info, as I know I was desperately looking for any guidance with Acronis and BitLocker...

Sandy
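
The sequence described in the last posts (suspend BitLocker, restore the full disk from the rescue media, then turn BitLocker back on with a startup key and a new recovery key) can be scripted around the `manage-bde` tool that ships with Windows 7. This is an added example, not something posted by the thread participants or provided by Acronis; the drive letter `C:`, the USB path `E:\` and the phase names are assumptions.

```powershell
# Added example: the two Windows-side phases around a rescue-media restore.
# Run from an elevated PowerShell prompt.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('BeforeRestore', 'AfterRestore')]
    [string]$Phase,
    [string]$Volume = 'C:',           # BitLocker-protected system volume (assumed)
    [string]$StartupKeyPath = 'E:\'   # USB stick that will hold the startup key (assumed)
)

function Invoke-ManageBde {
    param([string[]]$Arguments)
    # Stop on the first failing step so the volume is never left half-configured.
    & manage-bde.exe $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

switch ($Phase) {
    'BeforeRestore' {
        # Record the current state and protectors before touching anything.
        # The protector listing shows the recovery password: store it off this machine.
        Invoke-ManageBde @('-status', $Volume)
        Invoke-ManageBde @('-protectors', '-get', $Volume)

        # "Suspend" (not decrypt): the data stays encrypted, the key protectors are disabled.
        Invoke-ManageBde @('-protectors', '-disable', $Volume)
        Write-Host 'BitLocker suspended. Boot the rescue media and run the full disk restore.'
    }
    'AfterRestore' {
        # Per the thread and the Acronis KB article, the restored volume is unencrypted,
        # so confirm that before re-enabling protection.
        Invoke-ManageBde @('-status', $Volume)

        # Re-enable with a startup key (no-TPM mode needs the gpedit.msc policy the
        # thread mentions) and a newly generated 48-digit recovery password.
        Invoke-ManageBde @('-on', $Volume, '-RecoveryPassword', '-StartupKey', $StartupKeyPath)

        # The recovery password printed above replaces the old one; save or print it.
        # Re-encryption runs in the background; this shows its progress.
        Invoke-ManageBde @('-status', $Volume)
    }
}
```

From WinPE, the same tool unlocks a protected volume with `manage-bde -unlock <drive> -RecoveryPassword <48-digit key>`, which matches the recovery-key requirement described earlier in the thread.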