BitLocker considerations

Topic

This article explains BitLocker Drive Encryption and its interaction with the Datto solution.

Environment

  • BitLocker Drive Encryption
  • Datto SIRIS
  • Datto ALTO
  • Datto NAS
  • Datto Endpoint Backup for PCs

Description

Overview

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately-decommissioned computers by encrypting the storage disks of the host.

Although not strictly required, most BitLocker installs make use of a special chip on the motherboard called a Trusted Platform Module (TPM). The TPM is designed to release your encryption key only after confirming that your bootloader has not been modified. When the system is running inside a local virtualization, the TPM is no longer accessible, so re-locking the drives requires you to adjust the Group Policy settings.

Datto cannot recover lost BitLocker keys or passphrases. BitLocker functions below the operating system layer. Datto cannot access or manipulate any BitLocker related files.

Interactions with the Datto Solution

  • Microsoft supports BitLocker on the bootable partition of virtual disks; however, there are some guidelines that apply to both physical and virtual machines that you should observe when deploying this type of protection. See Microsoft's reference article (external link) for details.
  • The Datto solution backs up data in whatever encryption state it is in at the time of the backup. For example, if the data is backed up decrypted, then it will be restored decrypted. Machines protected by BitLocker are decrypted when they are in a booted state; because of this, full-system restores (such as USB Bare Metal Restore) of systems protected by BitLocker will result in the system being restored to an unencrypted state. To protect backups which require encryption, Datto recommends using encrypted agents.
  • Datto's Rapid Rollback restore feature is unable to work with drives encrypted by BitLocker, because drives that use this type of protection are in an encrypted state when the protected machine is booted into the Datto Utilities environment, preventing the Rapid Rollback environment from reading the disk and matching the data to the unencrypted backup.
  • Datto cannot recover lost BitLocker keys or passphrases.
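The points above (the TPM becoming unavailable once a system is virtualized, backups capturing the volume in its booted, decrypted state, and Datto being unable to recover lost keys) all come down to knowing, before a backup or restore, which volumes are protected, by which protectors, and whether a recovery password exists outside the TPM. The following PowerShell script is an added example written for this article; it is not Datto's code and is not part of any Datto product. It assumes the built-in BitLocker and TrustedPlatformModule modules, an elevated session, and a report path of your choosing (the default below is illustrative). The optional AD DS escrow step only succeeds on a domain-joined machine whose Group Policy permits it.

```powershell
# Added example (not Datto's code): pre-backup inventory of BitLocker and TPM state.
# Flags volumes that depend solely on the TPM, which cannot unlock them once the
# system is booted in a local virtualization, and optionally escrows recovery
# passwords to AD DS so a lost key never blocks a restore.
param(
    # Assumption: any writable path is fine; this default is illustrative only.
    [string]$ReportPath = "$env:ProgramData\BitLockerPreBackup.json",
    # Only attempt AD DS escrow when explicitly requested (needs domain join + policy).
    [switch]$EscrowToAD
)

Import-Module BitLocker -ErrorAction Stop
Import-Module TrustedPlatformModule -ErrorAction Stop

$tpm = Get-Tpm

$report = foreach ($vol in Get-BitLockerVolume) {
    $types    = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    # Risk: protected only by TPM-based protectors and no recovery password means the
    # volume cannot be unlocked anywhere the TPM is absent (e.g. a virtualized restore).
    $tpmOnly = ($types.Count -gt 0) -and
               ($types | Where-Object { $_ -notmatch '^Tpm' }).Count -eq 0

    $escrowed = $null
    if ($EscrowToAD -and $recovery.Count -gt 0) {
        $escrowed = $true
        foreach ($rp in $recovery) {
            try {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
            } catch {
                Write-Warning "Escrow failed for $($vol.MountPoint): $($_.Exception.Message)"
                $escrowed = $false
            }
        }
    }

    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = [string]$vol.VolumeStatus      # FullyEncrypted, FullyDecrypted, ...
        ProtectionStatus  = [string]$vol.ProtectionStatus  # On, or Off when protectors are suspended
        EncryptionPercent = $vol.EncryptionPercentage
        Protectors        = ($types | Sort-Object -Unique) -join ','
        HasRecoveryPwd    = ($recovery.Count -gt 0)
        TpmOnly           = $tpmOnly
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        EscrowedToAD      = $escrowed
    }
}

# Surface the conditions a restore operator needs to know about ahead of time.
foreach ($row in $report) {
    if ($row.TpmOnly) {
        Write-Warning "$($row.MountPoint): TPM-only protection, no recovery password. A virtualized or bare-metal restore cannot unlock this volume."
    }
    if ($row.VolumeStatus -ne 'FullyDecrypted' -and $row.ProtectionStatus -eq 'Off') {
        Write-Warning "$($row.MountPoint): encrypted but protection is suspended (clear key on disk)."
    }
}

$report | ConvertTo-Json -Depth 3 | Set-Content -Path $ReportPath -Encoding UTF8
$report | Format-Table MountPoint, VolumeStatus, ProtectionStatus, Protectors, HasRecoveryPwd, TpmOnly -AutoSize
```

Run it once before enrolling a machine and keep the JSON with your change records: the `TpmOnly` column tells you which volumes will need a recovery password entered (or Group Policy adjusted, as noted above) after a restore into a virtualized environment, and `HasRecoveryPwd` confirms that a key exists somewhere other than the TPM, since neither Datto nor anyone else can reconstruct one that was never recorded.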