Jump to content
kidziti

Bitlocker and Retrospect 17

Recommended Posts

I have Retrospect 17 on a Windows 10 Professional desktop, which is also backing up a Windows Home laptop and a NAS that is being used as a file server. I am considering upgrading the laptop to Windows 10 Pro so that I can take advantage of Bitlocker encryption. Windows Home does not have Bitlocker which is the only reason I would upgrade. And the 10 Pro desktop is not yet configured for Bitlocker. So at present, the encryption is not yet employed anywhere in my network. Before I pull the trigger and buy/install 10 Pro, I want to be sure that using Bitlocker won't create headaches with my automatic nightly Retrospect scripts. Any experience or thoughts?

Lee

Share this post


Link to post
Share on other sites

kidziti,

You may not be aware that we have a Search function in these Forums, used via the oval box towards the upper-right corner of the Web page.   Just remember to click "use all search terms" if that's what you want.  Clicking on the magnifying-glass icon gives a more complete set of search options.

Using it, I found that this 2013 post seems to be the most complete answer to a BitLocker problem an administrator encountered with Windows 8.  In the OP's post at the end of the thread, I suspect he/she meant to type  "now" instead of "not" in "I am not able to access C:."  Nobody seems to have posted concerning BitLocker on Windows 10.

Share this post


Link to post
Share on other sites

Yes - as far as search functions, they are the first line of action for me in any technical forum. In fact, I rarely post because often times my questions are answered already with a simple search. However, in this case I simply don't trust that a single thread about Bitlocker compatibility between Windows 8 and Retrospect 8 from seven years ago will necessarily be true with Windows 10 and Retrospect 17. As you have noted, nobody seems to have posted about Bitlocker and Windows 10. Hence that is precisely why I posted my question. Compatibility issues do arise occasionally between different OSes and software versions, and this would not be the first time I upgraded myself out of some functionality. Investing the time and money to change my OS only to find problems with Retrospect and Bitlocker is a situation I am hoping to avoid. Anyone who has Bitlocker set up on a 10 Pro OS and reports having no problems with a recent version of Retrospect will be my green light.

Share this post


Link to post
Share on other sites

kidziti,

The OP in the 2013 thread I linked to in my preceding post, sjacobs, made this March 2015 post regarding his/her then-recent installation of Windows 10.  I would describe his/her tone as "happy as a clam".  He/she says "Both of these are remote clients - I run the the backups from a separate Windows box and use remote clients for all of the computers that I need to back up. So I am never doing any local backup."  There is no indication he/she had to disable BitLocker, so I don't think you have to worry about any problems with your soon-to-be Windows 10 Pro laptop.

In December 2016 sjacobs reported problems backing up a CentOS Linux machine using the 64-bit Linux Client and a Proactive script.  He/she said "This is my only Linux client - all other clients are Win clients - and do not exhibit this same issue. So I am sure it must be something peculiar to the Linux environment on this machine...".  He/she hasn't posted to these Forums since then, so I don't know if he/she's still using Retrospect and looking at them.  You could try sending him/her a Message; please post here on what he/she says about using Retrospect with BitLocker on Windows 10.

The cumulative Release Notes for Retrospect Windows 17.0 don't show any fixes that seem related to Windows 10, much less BitLocker.  But I'm a Mac administrator, so I may not know what I'm talking about.😀  FWIW, there's supposed to be a new release of Retrospect 17 coming out within a few days.

P.S.: The cumulative Release Notes for Retrospect Windows show Client certifications for various releases of CentOS starting in September 2017, so the chances are sjacobs filed a Support Case and is still a Retrospect user.

Edited by DavidHertzberg
P.S.: Because the engineers soon started certifying the Linux Client for CentOS, the chances are sjacobs is still a Retrospect user

Share this post


Link to post
Share on other sites

Thanks, David. I must admit I'm a bit surprised to see such a dearth of discussion here in the forum over the past several years regarding Bitlocker and Retrospect. Retrospect is marketed for people that are perhaps a bit more technically oriented and serious about data security. And that is why I'm surprised at the lack of discussion on this topic, since I would imagine the kind of technogeek that would have a data security program like Retrospect would certainly data-encrypt their drives (and Bitlocker owns that game pretty much for the Windows crowd).

The best explanation, perhaps, is that there are simply no issues between Retrospect and Bitlocker worth discussing, and I'm just more anxious about it than most :o .

I'll probably do the upgrade based on everything so far. Thanks for focusing on my question like you have. That's been very helpful.

Lee

Share this post


Link to post
Share on other sites

I am using Retrospect 17 with 4 Windows 10 Pro machines that have Bitlocker encryption enabled and I didn't encounter any issues with backups. Bitlocker encryption works on a much lower level so I think Retrospect and Retrospect client are completely unaware that Bitlocker is enabled.

Only thing to consider is that the files that Retrospects writes to the backup sets are unencrypted. So if you are worried about that you need to encrypt the backup set as wel.

Share this post


Link to post
Share on other sites
7 hours ago, Hofstede said:

I am using Retrospect 17 with 4 Windows 10 Pro machines that have Bitlocker encryption enabled and I didn't encounter any issues with backups. Bitlocker encryption works on a much lower level so I think Retrospect and Retrospect client are completely unaware that Bitlocker is enabled.

Only thing to consider is that the files that Retrospects writes to the backup sets are unencrypted. So if you are worried about that you need to encrypt the backup set as wel.

Hofstede,

If the Retrospect Engine and Client "are completely unaware that Bitlocker is enabled", then all files on the Backup Set surely are encrypted.  So why use Retrospect's encryption facility to double-encrypt them?  I'm a Mac administrator, so maybe there's something I don't understand about BitLocker.

Share this post


Link to post
Share on other sites

Bitlocker encrypts the file when written to disk. It decrypts the file when read from disk. So if any program (including Retrospect) reads the file from disk it is unencrypted. So the Backup sets contain files that are unencrypted.

To be clear: I am not talking about the backup set files themselves.

Share this post


Link to post
Share on other sites

My only caveat would be regarding how you leave your laptop pending those "automatic nightly backups". If you shut it down or hibernate and use some scheduled startup mechanism just prior to the backup window, obviously it'll fail unless you are there to enter your BitLocker key 🙂 If you just leave it on (you can log out) and walk away, you should be fine.

Share this post


Link to post
Share on other sites

That is not correct, if you start the computer without logging in, Retrospect can still backup just fine. 
During Windows startup the disk is already unlocked by Windows, otherwise Windows wouldn’t be able to start. 

You really only need the Bitlocker key if you need to recover Windows if it fails to start or if you want to access the data on the disk from other hardware (e.g. when your computer fails and you put the disk in another computer).

 

 

Share this post


Link to post
Share on other sites
On 4/25/2020 at 8:51 AM, Hofstede said:

That is not correct, if you start the computer without logging in, Retrospect can still backup just fine. 
During Windows startup the disk is already unlocked by Windows, otherwise Windows wouldn’t be able to start. 

 

Which means that all a thief needs to do to get round BitLocker protection is... nothing? That doesn't sound right.

There must be *some* authentication mechanism -- how strong that is, and whether it would effect Retrospect in the outlined situation, will depend on how OP sets up BitLocker. Requiring a PIN at startup, a USB key, biometrics, maybe the device has a TMP and he's chosen to auto-unlock (which sounds like what you're doing), perhaps the data to be backed up is on an encrypted non-system partition, etc, etc.

With so many options, I wouldn't blindly trust Retrospect (or *any* backup software) to work as expected in any situation where the main admin-level user isn't logged in and active. So while I may have overstated the problem, because I'm used to systems which *do* require active user authentication after startup, OP should test and make sure he gets what he wants.

Share this post


Link to post
Share on other sites

All individual files on the disk are stored encrypted.

- after Windows has booted up to its login screen thief still has to login. Without login he cannot access anything.

- If the thief puts the disk in another computer he needs the BitLocker key to read or change files on the disk.

- If the thief boots the computer from USB stick he needs the Bitlocker key to read or change files on the disk.

 

Retrospect can backup the computer through Retrospect client without a human user actively being logged in. That’s because Retrospect Client is running in the background under a standard Windows account (Local System) and that account can read files.

So of course you should have set a password on the Retrospect Client to prevent someone accessing the unencrypted files through the Retrospect API.

 

 

Share this post


Link to post
Share on other sites

Again -- you're assuming "Transparent operation mode" (auto-unlock). If OP is using "User authentication mode" (pre-boot PIN or password), "USB Key mode" (pre-boot hardware authentication), or a combination that includes either or both of those mechanisms then what you describe will not happen and user intervention will be required.

Most people don't use anything other than "Transparent operation mode" so, as we've said, OP should be OK regardless of his backup methodology. But OP and any others reading this should be aware that if their security requirements are more stringent (or they're running hardware that doesn't support "Transparent operation mode") then there may be problems with RS access following an unattended boot/restart.

As always, something as important as a backup routine should be checked under operational conditions -- I'm sure we all have stories where things should have worked but, for whatever reason, didn't!

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×