David Overton's Blog and Discussion Site
How to encrypt backups and optionally the system disks on Windows Server 2008 and SBS 2008 and Windows Vista too
Hi,

Someone asked in the forums whether the backups on SBS 2008 and Windows Server 2008 are encrypted. The answer is no, even if the drives being backed up are BitLocker protected (more details here): BitLocker decrypts the source volume transparently and Windows Server Backup writes the unencrypted data to the backup disk. However, you can get encrypted backups with a bit of effort. To do this you will need to at least BitLocker enable your removable backup drives and optionally your system disk. I used the information at http://blogs.msdn.com/askdavid/archive/2007/06/08/enabling-bitlocker-on-removable-drives-usb-flash-drives-usb-hard-drives.aspx as a guide to putting together what I needed to do, so many thanks to David Chandra for this. The same process can also be used on Windows Vista.


There are a couple of snags, however, and you need to decide which scenario you want (if you have a TPM chip, the USB startup key in options 2 and 3 can instead be protected by the TPM, which releases the key at boot without any removable media):

  1. encrypt just the backup disks: you will need to run an unlock script each time a backup disk is plugged back into the system
  2. encrypt the system disk and the backup disks: a USB key will need to be present, or key information entered, every time you reboot the server
  3. encrypt the system disk and the backup disks, but store the system unlock information unencrypted on the server so you do not have to enter decryption information every time (this protects the backup disks when they leave the building, but not the server if it is stolen whole)


Given the choices above the steps are as follows (they build from option 1 through to option 3):

  1. Option 1
    1. Add BitLocker to the server
    2. Encrypt the Backup Hard Disks
    3. Add an unlock script
  2. Option 2
    1. Prepare the system disk for BitLocker encryption
    2. Encrypt the system
  3. Option 3
    1. Store the unlock key on the boot partition for automatic use

Option 1 (encrypting the backup disks)

You will need to repeat the steps below (excluding adding BitLocker to the system) for each disk you want to encrypt. You can do this to an existing disk or a new disk.

Add the BitLocker feature

To start this task we need to add BitLocker to SBS 2008. While BitLocker ships with Windows Server 2008 it is not installed by default, and it is listed as a feature, not a role. Start Server Manager from the Start Menu, scroll the right hand pane down to the Features Summary section and click Add Features. [Screenshot 0000: finding Add Features in Server Manager]

In the list of features that can be added, select BitLocker Drive Encryption and continue through the wizard until the feature is installed. [Screenshot 0001: enabling the feature in SBS 2008]

Give the backup drive a letter. To be able to refer to the drive easily on the command line we need to add a drive letter. Run diskmgmt.msc to start the Disk Management tool, find the backup disk, right click on it and select Change Drive Letter and Paths. [Screenshot 0002: give the backup drive a letter]

You will notice that the disk, although present and in use by the backup, does not have a drive letter (Windows Server Backup removes it when it takes over a disk), so we need to change this. Press the Add button to add a drive letter that we can refer to in the commands below. [Screenshot 0003: assign a drive letter, step 1]

Pick the next available drive letter and press OK. In my example the drive letter is "E:". In all the command lines below replace E: with the right drive letter for your system. [Screenshot 0003: assign a drive letter, step 2]

Get the status and then BitLocker the backup drive. Open an administrative Command Prompt from the Start Menu and check that the title bar says Administrator: Command Prompt. Check that the disk is ready for encrypting with:

cscript manage-bde.wsf -status

Note that this has to be run from \Windows\System32, or you must give the full path to manage-bde.wsf as in the later commands. [Screenshot 0004: get status and then BitLocker the backup drive]

Time to encrypt the disk and save the recovery keys. I'm going to save them to C:, but they can be saved to any disk in the system except the one being encrypted. Type:

cscript manage-bde.wsf -on E: -recoverykey C: -recoverypassword

You will see several pieces of information including the disk ID, the file name of the recovery key file and the numerical recovery password, which you will need if you do not have the key file to hand. Make a note of this information, but do NOT store it with the drive. Bear in mind that in option 1 the recovery key file on C: is the means to decrypt the backup disk: anyone who can read the server's C: drive can unlock your backups, which is why options 2 and 3 go on to encrypt the system disk as well. [Screenshot 0005: encrypted, note the key information]

To create an unlock command, enter the command below, replacing <recovery key file> with the full path of the key file from your output. The filename for the script in my example is c:\unlock_backup_disk3.cmd and you should change it to something appropriate for your system.

echo cscript c:\windows\system32\manage-bde.wsf -unlock E: -recoverykey <recovery key file> > c:\unlock_backup_disk3.cmd

Run this script each time the backup disk is re-attached to the server.

The disk will now begin encrypting and, depending on how much data is stored on it, this may take some time. You can check the status with the command cscript c:\windows\system32\manage-bde.wsf -status, as shown in the screen shot, until the disk is 100% encrypted. [Screenshot 0006: status at 21 and 100 percent]

If you intend to encrypt the system disk as well, you can now remove the drive letter again. The backup will still work if the drive keeps its letter, but the disk will then show up in the SBS Console and in Computer and must not be modified in any way. If you do remove the letter, the unlock script has to refer to the volume by its volume GUID path (for example \\?\Volume{...}\, as listed by Win32_Volume) instead of E:. [Screenshot 0006: remove the E drive]
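The one-line unlock_backup_disk3.cmd above addresses the backup disk as E:, which stops working as soon as the drive letter is removed. The PowerShell script below is an added example, not code from the original post: it makes the same manage-bde -unlock call but names the volume by its GUID path, refuses to run if the key file or the volume is missing, checks the exit code, and re-reads the lock status afterwards rather than trusting the call blindly. The GUID is the placeholder value from the manage-bde help text and C:\BitLockerKeys\backup-disk3.bek is an assumed key file path; replace both with your own. It assumes PowerShell 2.0 or later on the Server 2008 box and shells out to cscript because that release has no BitLocker cmdlets.

```powershell
# Unlock-BackupVolume.ps1
# Added example (not from the original post): unlock a BitLocker-protected
# backup disk on Windows Server 2008 / SBS 2008 by volume GUID path rather
# than drive letter, so it keeps working after Windows Server Backup strips
# the letter. The GUID and key path below are placeholders; run once with
# -ListCandidates to find the real GUID, then pass your own values.
param(
    [string]$VolumeGuidPath  = '\\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\',  # placeholder
    [string]$RecoveryKeyFile = 'C:\BitLockerKeys\backup-disk3.bek',                 # placeholder
    [switch]$ListCandidates
)

$ManageBde = Join-Path $env:SystemRoot 'System32\manage-bde.wsf'

# Fixed volumes with no drive letter are the usual suspects for a backup
# disk whose letter Windows Server Backup has removed.
function Get-LetterlessFixedVolumes {
    Get-WmiObject -Class Win32_Volume |
        Where-Object { $_.DriveType -eq 3 -and -not $_.DriveLetter } |
        Select-Object Label, DeviceID, Capacity
}

# manage-bde.wsf -status prints "Lock Status: Locked|Unlocked" for a volume
# BitLocker knows about; anything else means it is not a BitLocker volume.
function Get-LockState {
    param([string]$Volume)
    $text = (& cscript.exe //nologo $ManageBde -status $Volume 2>&1) -join "`n"
    if ($text -match 'Lock Status:\s+(Locked|Unlocked)') { return $matches[1] }
    return 'Unknown'
}

if ($ListCandidates) {
    Get-LetterlessFixedVolumes | Format-List
    exit 0
}

if (-not (Test-Path $RecoveryKeyFile)) {
    Write-Error "Recovery key file not found: $RecoveryKeyFile"
    exit 2
}

# Confirm the volume is attached before calling manage-bde, so a missing
# disk gives a clear message instead of a cryptic script error.
$present = Get-WmiObject -Class Win32_Volume | Where-Object { $_.DeviceID -eq $VolumeGuidPath }
if (-not $present) {
    Write-Error "Volume $VolumeGuidPath is not attached to this server."
    exit 3
}

$state = Get-LockState $VolumeGuidPath
if ($state -eq 'Unlocked') {
    Write-Host 'Volume is already unlocked; nothing to do.'
    exit 0
}
if ($state -ne 'Locked') {
    Write-Error "Volume reports no BitLocker lock status ($state); is it encrypted?"
    exit 4
}

# Same call the post's unlock_backup_disk3.cmd makes, with the GUID path in
# place of E: and the exit code checked rather than ignored.
& cscript.exe //nologo $ManageBde -unlock $VolumeGuidPath -recoverykey $RecoveryKeyFile
if ($LASTEXITCODE -ne 0) {
    Write-Error "manage-bde -unlock failed with exit code $LASTEXITCODE"
    exit 5
}

# Do not trust the exit code alone: re-read the status and confirm.
if ((Get-LockState $VolumeGuidPath) -ne 'Unlocked') {
    Write-Error 'Volume still reports as locked after the unlock attempt.'
    exit 6
}
Write-Host 'Backup volume unlocked.'
```

Run it as an administrator (.\Unlock-BackupVolume.ps1 -ListCandidates first, then with -VolumeGuidPath and -RecoveryKeyFile set). The distinct exit codes make it usable from a scheduled task or a backup pre-job. Remember that the script is only as secret as the .bek file it reads: in option 1 that file sits on an unencrypted C:, so it protects the backup disk in transit, not the server.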


Options 2 & 3 (encrypting the system disk and enabling automatic unlocking of the USB drives)

Download the BitLocker Drive Preparation Tool from Microsoft at http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=320b9aa9-47e8-44f9-b8d0-4d7d6a75add0 and install it. [Screenshot 0007: download the prep tool]

Start the tool from the Start Menu; it is under Accessories, System Tools, BitLocker and is called BitLocker Drive Preparation Tool. [Screenshot 0007: encrypt main drive]

As is always the case when making major changes to a system, ensure you have a backup of the system first.

Press Continue to start the tool.

The tool will shrink your system drive and create a small S: drive which will contain the boot files. Once it is complete, press Finish. [Screenshot 0009: prep completed]

You will need to restart your computer to continue the preparation. Press Restart Now to do so. [Screenshot 0010: restart]

Once you have rebooted and logged back in, the tool will continue. When it is finished, press Close to exit the tool. [Screenshot 0012: enabled]

Your drives are now prepared to be encrypted.
To encrypt the system disk, enter the command below. I put a recovery key on the backup disk (which is encrypted) and a startup key onto another disk to enable system start up. [Screenshot 0013: start main OS encryption]

For the system to start up it will need an unencrypted file system with the startup key present. You can either choose to put this onto the S: drive, which is less secure because removing the disks from the server gives someone all the encryption keys, or, if you want your system to be more secure, onto a removable USB drive.

If your only desire was to encrypt the backups and have them automatically available when plugged into the server, then the S: drive is fine. If you want greater overall security then use the removable key method. Note that the removable key is required for every reboot, so unattended reboots after automatic updates will stall at the startup key prompt if the key is not present. Leaving the removable media in the system means that any would-be thief would still have the decryption means.

The command you need is:

cscript manage-bde.wsf -on C: -recoverykey E: -recoverypassword -startupkey S:

E: is the (encrypted) backup disk I'm backing the recovery key up to and S: is the unencrypted boot partition the preparation tool created. Change S: to the drive letter of the startup USB key if you want the greater security of option 2.

Once again, make a note of the key security information highlighted in the screen shot: the numerical recovery password is your only way back in if the startup key is lost, because the recovery key file is on a disk that is itself BitLocker encrypted.

You can once again see the progress the encryption is making with the cscript manage-bde.wsf -status command. [Screenshot 0014: enable auto unlock]

Finally, your SBS backup will no longer function correctly, as the S: drive is not included in the backup set but is a crucial part of the system backup. You will need to Disable Backup and re-create it before the backup will work again. [Screenshot 0015: disable and re-enable backup]

When re-creating the backup and selecting the target device, the wizard will claim it is going to format the backup target, but for me it did not and previous backups were still available.
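Because the difference between option 2 and option 3 is only where the startup key file ends up, it is easy to believe you have a theft-resistant server when the .bek is in fact sitting on the unencrypted S: partition. The PowerShell script below is an added example, not code from the original post: it asks manage-bde.wsf for the encryption percentage and key protectors of C:, looks for *.bek files on the boot partition, and reports which of the three scenarios the server is actually in. It assumes the boot partition is S: and the OS volume is C: (both parameters), PowerShell 2.0 or later, and that manage-bde.wsf labels protectors as "External Key", "Numerical Password" and "TPM" in its -protectors -get output; adjust the patterns if your build prints them differently.

```powershell
# Test-SystemDiskPosture.ps1
# Added example (not from the original post): after encrypting the OS volume
# with a startup key, report which of the post's three scenarios the server
# is really in. Drive letters and protector labels are assumptions (see the
# text above) and can be changed via the parameters and regex patterns.
param(
    [string]$OsVolume   = 'C:',   # assumed OS volume
    [string]$BootVolume = 'S:'    # assumed boot partition made by the prep tool
)

$ManageBde = Join-Path $env:SystemRoot 'System32\manage-bde.wsf'

function Invoke-ManageBde {
    param([string[]]$ArgList)
    # Server 2008 has no BitLocker cmdlets, so shell out and capture the text.
    return ((& cscript.exe //nologo $ManageBde @ArgList 2>&1) -join "`n")
}

function Get-SystemDiskPosture {
    param([string]$Os, [string]$Boot)

    # 1. How far has encryption got? Anything under 100% is not protected yet.
    $status  = Invoke-ManageBde @('-status', $Os)
    $percent = 0
    if ($status -match 'Percentage Encrypted:\s+([\d.]+)') { $percent = [double]$matches[1] }

    # 2. Which key protectors exist? An external key protector means a .bek
    #    file must be reachable at boot; TPM means the chip releases the key.
    $protectors    = Invoke-ManageBde @('-protectors', '-get', $Os)
    $hasStartupKey = [bool]($protectors -match 'External Key')
    $hasTpm        = [bool]($protectors -match 'TPM')
    $hasRecoveryPw = [bool]($protectors -match 'Numerical Password')

    # 3. The boot partition cannot be encrypted, so any .bek on it is readable
    #    by whoever walks off with the disks. BitLocker marks the file hidden
    #    and system, hence -Force.
    $bekFiles = @(Get-ChildItem -Path "$Boot\" -Filter '*.bek' -Recurse -Force -ErrorAction SilentlyContinue)

    if ($percent -lt 100) {
        $scenario = 'Still encrypting; do not rely on it yet'
    } elseif ($hasStartupKey -and $bekFiles.Count -gt 0) {
        $scenario = 'Option 3: startup key on boot partition (auto-unlock; no protection if the whole server is stolen)'
    } elseif ($hasStartupKey) {
        $scenario = 'Option 2: startup key on removable media required at every boot'
    } elseif ($hasTpm) {
        $scenario = 'TPM protector: key released by the chip at boot'
    } else {
        $scenario = 'No boot-time protector found; check manage-bde -protectors -get output'
    }

    New-Object PSObject -Property @{
        PercentEncrypted    = $percent
        StartupKeyProtector = $hasStartupKey
        TpmProtector        = $hasTpm
        RecoveryPassword    = $hasRecoveryPw
        BekFilesOnBoot      = @($bekFiles | ForEach-Object { $_.FullName })
        Scenario            = $scenario
    }
}

Get-SystemDiskPosture -Os $OsVolume -Boot $BootVolume | Format-List
```

A RecoveryPassword value of False is worth treating as a failure in its own right: with the recovery key file on an encrypted backup disk, the numerical password is the only protector that does not depend on another encrypted volume being unlocked first.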

This whole process took a while as I had in total about 100GB to encrypt, between the system disk and backups, but I now have secure backups.


Thanks


David


Posted Sun, Apr 26 2009 11:34 AM by David Overton

Comments


Jay Barr wrote re: How to encrypt backups and optionally the system disks on Windows Server 2008 and SBS 2008 and Windows Vista too
on Tue, Mar 30 2010 1:19 AM

Any information available on restoration procedures?  If only the backups are encrypted so offsite copies are protected, what is the procedure to access the backup in the event of a total system failure requiring a full restore?  Can the recovery console access a BitLocker encrypted partition?

Thanks for a great writeup on the backup options.

David Overton wrote re: How to encrypt backups and optionally the system disks on Windows Server 2008 and SBS 2008 and Windows Vista too
on Thu, Apr 1 2010 7:38 AM

Jay,

I've never tried to find out - bad me.  I'll see what I can do over the next week to experiment.

ttfn

David

Marc Klaassen wrote re: How to encrypt backups and optionally the system disks on Windows Server 2008 and SBS 2008 and Windows Vista too
on Thu, Jun 24 2010 1:27 PM

Can the recovery console access a BitLocker encrypted partition?

Anonymous wrote re: How to encrypt backups and optionally the system disks on Windows Server 2008 and SBS 2008 and Windows Vista too
on Mon, Nov 1 2010 9:31 PM

Awesome write up.  I spent all afternoon trying to figure this out.  Your site held the key.  Long Story Short: After you enable BitLocker, you have to run manage-bde.wsf to create the encrypted partitions.

Thanks a ton.

Patrick wrote re: How to encrypt backups and optionally the system disks on Windows Server 2008 and SBS 2008 and Windows Vista too
on Tue, Jun 28 2011 3:58 PM

David,

Enlightening piece of experience shared there.

Have you ever come to the point of trying a bare metal restore from encrypted disks?

I really wonder how that went.

Thanks,

Patrick

Focused IT Blog wrote SBS 2011 Encrypted Backups to USB
on Wed, Aug 3 2011 12:26 PM

SBS 2011 Encrypted Backups to USB

bremboy79 wrote re: How to encrypt backups and optionally the system disks on Windows Server 2008 and SBS 2008 and Windows Vista too
on Mon, Oct 3 2011 12:14 PM

Thanks for this, although the only thing is BitLocker is under Features, not Roles.

tm wrote re: How to encrypt backups and optionally the system disks on Windows Server 2008 and SBS 2008 and Windows Vista too
on Wed, May 22 2013 2:58 PM

I have tried this method, which seems to work with a drive letter; however, in SBS 2011 when you create a backup to disk it removes the drive letter. Does anyone have any input on how to make this function with no drive letter?

David Overton wrote re: How to encrypt backups and optionally the system disks on Windows Server 2008 and SBS 2008 and Windows Vista too
on Thu, May 23 2013 11:09 PM

Hi,

You can use a GUID to identify the drive instead - from the docs:

Parameter List:

   Volume      Required. A drive letter followed by a colon,
               a volume GUID path or a mounted volume. Example: "C:",
               \\?\Volume{26a21bda-a627-11d7-9931-806e6f6e6963}\ or
               "C:\MountVolume"

To get the volume GUID, use this command in PowerShell:

Get-WmiObject -Class Win32_Volume | Select-Object Label, Name, DeviceID, Capacity, FreeSpace | Format-List

Thanks

David


(c)David Overton 2006-13