Bitlocker and Retrospect 17

[kidziti]

I have Retrospect 17 on a Windows 10 Professional desktop, which is also backing up a Windows Home laptop and a NAS that is being used as a file server. I am considering upgrading the laptop to Windows 10 Pro so that I can take advantage of Bitlocker encryption. Windows Home does not have Bitlocker which is the only reason I would upgrade. And the 10 Pro desktop is not yet configured for Bitlocker. So at present, the encryption is not yet employed anywhere in my network. Before I pull the trigger and buy/install 10 Pro, I want to be sure that using Bitlocker won't create headaches with my automatic nightly Retrospect scripts. Any experience or thoughts?

Lee

[DavidHertzberg]

kidziti,

You may not be aware that we have a Search function in these Forums, used via the oval box towards the upper-right corner of the Web page.   Just remember to click "use all search terms" if that's what you want.  Clicking on the magnifying-glass icon gives a more complete set of search options.

Using it, I found that this 2013 post seems to be the most complete answer to a BitLocker problem an administrator encountered with Windows 8.  In the OP's post at the end of the thread, I suspect he/she meant to type  "now" instead of "not" in "I am not able to access C:."  Nobody seems to have posted concerning BitLocker on Windows 10.

[kidziti]

Yes - as far as search functions, they are the first line of action for me in any technical forum. In fact, I rarely post because often times my questions are answered already with a simple search. However, in this case I simply don't trust that a single thread about Bitlocker compatibility between Windows 8 and Retrospect 8 from seven years ago will necessarily be true with Windows 10 and Retrospect 17. As you have noted, nobody seems to have posted about Bitlocker and Windows 10. Hence that is precisely why I posted my question. Compatibility issues do arise occasionally between different OSes and software versions, and this would not be the first time I upgraded myself out of some functionality. Investing the time and money to change my OS only to find problems with Retrospect and Bitlocker is a situation I am hoping to avoid. Anyone who has Bitlocker set up on a 10 Pro OS and reports having no problems with a recent version of Retrospect will be my green light.

[DavidHertzberg]

kidziti,

The OP in the 2013 thread I linked to in my preceding post, sjacobs, made this March 2015 post regarding his/her then-recent installation of Windows 10.  I would describe his/her tone as "happy as a clam".  He/she says "Both of these are remote clients - I run the the backups from a separate Windows box and use remote clients for all of the computers that I need to back up. So I am never doing any local backup."  There is no indication he/she had to disable BitLocker, so I don't think you have to worry about any problems with your soon-to-be Windows 10 Pro laptop.

In December 2016 sjacobs reported problems backing up a CentOS Linux machine using the 64-bit Linux Client and a Proactive script.  He/she said "This is my only Linux client - all other clients are Win clients - and do not exhibit this same issue. So I am sure it must be something peculiar to the Linux environment on this machine...".  He/she hasn't posted to these Forums since then, so I don't know if he/she's still using Retrospect and looking at them.  You could try sending him/her a Message; please post here on what he/she says about using Retrospect with BitLocker on Windows 10.

The cumulative Release Notes for Retrospect Windows 17.0 don't show any fixes that seem related to Windows 10, much less BitLocker.  But I'm a Mac administrator, so I may not know what I'm talking about.😀  FWIW, there's supposed to be a new release of Retrospect 17 coming out within a few days.

P.S.: The cumulative Release Notes for Retrospect Windows show Client certifications for various releases of CentOS starting in September 2017, so the chances are sjacobs filed a Support Case and is still a Retrospect user.

Edited April 22, 2020 by DavidHertzberg
P.S.: Because the engineers soon started certifying the Linux Client for CentOS, the chances are sjacobs is still a Retrospect user

[kidziti]

Thanks, David. I must admit I'm a bit surprised to see such a dearth of discussion here in the forum over the past several years regarding Bitlocker and Retrospect. Retrospect is marketed for people that are perhaps a bit more technically oriented and serious about data security. And that is why I'm surprised at the lack of discussion on this topic, since I would imagine the kind of technogeek that would have a data security program like Retrospect would certainly data-encrypt their drives (and Bitlocker owns that game pretty much for the Windows crowd).

The best explanation, perhaps, is that there are simply no issues between Retrospect and Bitlocker worth discussing, and I'm just more anxious about it than most  .

I'll probably do the upgrade based on everything so far. Thanks for focusing on my question like you have. That's been very helpful.

Lee

[Hofstede]

I am using Retrospect 17 with 4 Windows 10 Pro machines that have Bitlocker encryption enabled and I didn't encounter any issues with backups. Bitlocker encryption works on a much lower level so I think Retrospect and Retrospect client are completely unaware that Bitlocker is enabled.

Only thing to consider is that the files that Retrospects writes to the backup sets are unencrypted. So if you are worried about that you need to encrypt the backup set as wel.

[DavidHertzberg]

7 hours ago, Hofstede said:

I am using Retrospect 17 with 4 Windows 10 Pro machines that have Bitlocker encryption enabled and I didn't encounter any issues with backups. Bitlocker encryption works on a much lower level so I think Retrospect and Retrospect client are completely unaware that Bitlocker is enabled.

Only thing to consider is that the files that Retrospects writes to the backup sets are unencrypted. So if you are worried about that you need to encrypt the backup set as wel.

Hofstede,

If the Retrospect Engine and Client "are completely unaware that Bitlocker is enabled", then all files on the Backup Set surely are encrypted.  So why use Retrospect's encryption facility to double-encrypt them?  I'm a Mac administrator, so maybe there's something I don't understand about BitLocker.

[Hofstede]

Bitlocker encrypts the file when written to disk. It decrypts the file when read from disk. So if any program (including Retrospect) reads the file from disk it is unencrypted. So the Backup sets contain files that are unencrypted.

To be clear: I am not talking about the backup set files themselves.

[Nigel Smith]

My only caveat would be regarding how you leave your laptop pending those "automatic nightly backups". If you shut it down or hibernate and use some scheduled startup mechanism just prior to the backup window, obviously it'll fail unless you are there to enter your BitLocker key 🙂 If you just leave it on (you can log out) and walk away, you should be fine.

[Hofstede]

That is not correct, if you start the computer without logging in, Retrospect can still backup just fine. 
During Windows startup the disk is already unlocked by Windows, otherwise Windows wouldn’t be able to start. 

You really only need the Bitlocker key if you need to recover Windows if it fails to start or if you want to access the data on the disk from other hardware (e.g. when your computer fails and you put the disk in another computer).

 

 

[Nigel Smith]

On 4/25/2020 at 8:51 AM, Hofstede said:

That is not correct, if you start the computer without logging in, Retrospect can still backup just fine. 
During Windows startup the disk is already unlocked by Windows, otherwise Windows wouldn’t be able to start. 

 

Which means that all a thief needs to do to get round BitLocker protection is... nothing? That doesn't sound right.

There must be *some* authentication mechanism -- how strong that is, and whether it would effect Retrospect in the outlined situation, will depend on how OP sets up BitLocker. Requiring a PIN at startup, a USB key, biometrics, maybe the device has a TMP and he's chosen to auto-unlock (which sounds like what you're doing), perhaps the data to be backed up is on an encrypted non-system partition, etc, etc.

With so many options, I wouldn't blindly trust Retrospect (or *any* backup software) to work as expected in any situation where the main admin-level user isn't logged in and active. So while I may have overstated the problem, because I'm used to systems which *do* require active user authentication after startup, OP should test and make sure he gets what he wants.

[Hofstede]

All individual files on the disk are stored encrypted.

- after Windows has booted up to its login screen thief still has to login. Without login he cannot access anything.

- If the thief puts the disk in another computer he needs the BitLocker key to read or change files on the disk.

- If the thief boots the computer from USB stick he needs the Bitlocker key to read or change files on the disk.

 

Retrospect can backup the computer through Retrospect client without a human user actively being logged in. That’s because Retrospect Client is running in the background under a standard Windows account (Local System) and that account can read files.

So of course you should have set a password on the Retrospect Client to prevent someone accessing the unencrypted files through the Retrospect API.

 

 

[Nigel Smith]

Again -- you're assuming "Transparent operation mode" (auto-unlock). If OP is using "User authentication mode" (pre-boot PIN or password), "USB Key mode" (pre-boot hardware authentication), or a combination that includes either or both of those mechanisms then what you describe will not happen and user intervention will be required.

Most people don't use anything other than "Transparent operation mode" so, as we've said, OP should be OK regardless of his backup methodology. But OP and any others reading this should be aware that if their security requirements are more stringent (or they're running hardware that doesn't support "Transparent operation mode") then there may be problems with RS access following an unattended boot/restart.

As always, something as important as a backup routine should be checked under operational conditions -- I'm sure we all have stories where things should have worked but, for whatever reason, didn't!

[MrPete]

I'll add a bit more here about Bitlocker.

In my experience, MOST Windows users literally have no idea if Bitlocker is enabled or not.

That's actually a very serious problem, not unique to MS:

* In the interests of a combination of (ease of use) + ('good security'), the very fact of Bitlocker encryption and keys is 100% invisible to the average user.

* The key is stored (ONLY!) in their online Microsoft account. Which they may have no idea even exists.

* If/when their Windows 10 boot fails, the ONLY way to get into the recovery system on their computer, is using that key

* If their drive is partially failing, the ONLY way to access it with various low level tools, is using that key

* And if their drive is an embedded Nvme SSD, they are hardware-locked to it.

I had exactly this scenario a few days ago. The ONLY way to recover the key, was find a way to discern the user's MS account and password. Once we had that, I could go in and retrieve their key.

Once past everything, my first action (at their request) was to disable Bitlocker. They much prefer simplicity and reliable recovery, to the complexity of an encrypted drive they know nothing about.

😄

Edited August 20, 2020 by MrPete

[kidziti]

Yeah - I've given up on Bitlocker. I have no doubt it is iron-clad security, but a failure mode can be catastrophic as has happened in the limited time I used it. No-one could explain why I was suddenly locked out of the drive - and why the key did not work. Fortunately, everything was backed up, but it cost me an afternoon rebuilding the OS from scratch and getting my programs back on. I'm surprised that Bitlocker did not use Windows Hello - biometric access would have made it much more accessible and perhaps more stable as well.

[Nigel Smith]

On 8/20/2020 at 5:18 AM, kidziti said:

Yeah - I've given up on Bitlocker. I have no doubt it is iron-clad security, but a failure mode can be catastrophic as has happened in the limited time I used it. No-one could explain why I was suddenly locked out of the drive - and why the key did not work. Fortunately, everything was backed up, but it cost me an afternoon rebuilding the OS from scratch and getting my programs back on.

I'm constantly repeating similar to our Mac users. FileVault (macOS's similar feature) may be great for securing their files, but makes frequent usable backups even more important because a failed drive usually means the loss of the data on it. So we're on the fence whether to use it -- we have way more failed disks than lost/stolen laptops and work data isn't particularly sensitive/valuable so, in what is virtually a BYOD environment, it's up to the user whether they want the extra security for their personal stuff and if so they can take on extra responsibility for their backups.

[kidziti]

10 hours ago, Nigel Smith said:

I'm constantly repeating similar to our Mac users. FileVault (macOS's similar feature) may be great for securing their files, but makes frequent usable backups even more important because a failed drive usually means the loss of the data on it. So we're on the fence whether to use it -- we have way more failed disks than lost/stolen laptops and work data isn't particularly sensitive/valuable so, in what is virtually a BYOD environment, it's up to the user whether they want the extra security for their personal stuff and if so they can take on extra responsibility for their backups.

BYOD - Bitlock your own disaster?  

[MrPete]

Here is a mini-version of my own personal real nightmare:

- Had no idea my Surface Pro was bitlocker'd
- For simplicity, particularly while RS bare-metal restore was less-than-reliable, I often create simple full-partition-copies for any necessary hardware swaps

1) My Surface Pro built-in charge port died. Thus: had a few hours of battery left to do the needed copies. MS nicely would do a direct hardware swap at their service location an hour from me. By the time I got it to them late on a Sat evening, there were only a few minutes of battery life left. I asked about security policy w/ respect to wiping the embedded SSD. "We'll do that first thing tomorrow morning, before it gets sent in."

2) Drove home, ready to load up new Surface from my partition copies. Copied them in... and it would not boot. "Encrypted drive. Please provide bitlocker key."
3) A very late night, learned:
- My key for Surface A was in my online MS acct
- By restoring the entire partition, including the laptop name, they not-so-helpfully OVERWROTE the stored key online. NOT stored by MAC or any unique ID.
- I pulled literally EVERY string I have (I do have some good ones) and got "Sorry, NO there is no backup. No way to recover old versions of these files from our cloud"
- Much prayer for inspiration
4) Early Sun called relatives in the city up north, who woke up my nephew, who drove to the MS service site and was there before they opened. I had learned, and gave him, the exact command sequence to pull the key from the Surface, IF it was not yet wiped, and IF he could power it up and login.
5) He succeeded. It died a few seconds later.

What an exciting adventure!