pierluigid
Novice
Posts: 4
Liked: never
Joined: Jan 04, 2016 2:29 pm

VBR 9.5 and Bitlocker encryption

Post by pierluigid »

Hi
I have a Windows Server 2008 R2 (VM) where I've just created a new volume (D:) and I have encrypted this volume with BitLocker.
I've seen that a VBR backup job (full active) runs without problems, BUT if I try to do a Restore Guest Files I can't find the D: drive.
VBR 9.5 backup seems to ignore this encrypted D: drive.
I've found an article: Veeam Endpoint Backup: BitLocker support (https://www.veeam.com/blog/veeam-endpoi ... pport.html)
Perfect, this is what I was looking for ... but I need it in VBR and not Veeam Agent.
No other info found on the internet ... Can someone tell me something about this?

Many thanks in advance.
Pierluigi
foggy
Veeam Software
Posts: 21069
Liked: 2115 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: VBR 9.5 and Bitlocker encryption

Post by foggy »

Hi Pierluigi, it doesn't ignore the encrypted disk, it just cannot make sense of it due to not having the Bitlocker keys, hence, FLR is not available. However, Instant VM Recovery should work flawlessly in this case.
pierluigid
Novice
Posts: 4
Liked: never
Joined: Jan 04, 2016 2:29 pm

Re: VBR 9.5 and Bitlocker encryption

Post by pierluigid »

Hi Foggy
You are right. Instant VM recovery and also restoring virtual disks work fine.
But it would be nice to have all the possibilities that Veeam Agent has, as reported in the above link.
Do you know if these possibilities will be integrated in VBR asap?
Many thanks.
Pierluigi
foggy
Veeam Software
Posts: 21069
Liked: 2115 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: VBR 9.5 and Bitlocker encryption

Post by foggy »

Not ASAP or in the short term. Veeam B&R is an image-based solution, while Veeam Agent runs directly on the server and thus has access to the keys.
Gostev
Chief Product Officer
Posts: 31459
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: VBR 9.5 and Bitlocker encryption

Post by Gostev »

In theory, we might be able to get the keys during application-aware guest processing... but I wonder if this is actually possible, as it would sound like a terrible security hole for BitLocker, no?
TitaniumCoder477
Veteran
Posts: 315
Liked: 48 times
Joined: Apr 07, 2015 1:53 pm
Full Name: James Wilmoth
Location: Kannapolis, North Carolina, USA

Re: VBR 9.5 and Bitlocker encryption

Post by TitaniumCoder477 »

foggy wrote: Nov 17, 2017 2:42 pm Veeam B&R is an image-based solution
While that is true, no Veeam customer out there wants to have the mere ability to restore an image. There is an abundance of image-based solutions that offer bare metal recoveries. Veeam also offers many additional restore options, hence the ability to choose the specific type of restore for the need. If we cannot offer quick file-level restore options to clients with BitLocker encrypted disks, I would like to know what other types of restores are unavailable to us.
Gostev
Chief Product Officer
Posts: 31459
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: VBR 9.5 and Bitlocker encryption

Post by Gostev »

If FLR is not possible, then no other granular restore option will be available either.
TitaniumCoder477
Veteran
Posts: 315
Liked: 48 times
Joined: Apr 07, 2015 1:53 pm
Full Name: James Wilmoth
Location: Kannapolis, North Carolina, USA

Re: VBR 9.5 and Bitlocker encryption

Post by TitaniumCoder477 »

While not having this ability at this time is an acceptable answer, not working towards having it is an unacceptable answer. Well, I guess all we can do is hope then. Or start looking for another solution that will provide granular backup and restore for BitLocker encrypted disks.

We only have one client who has decided (as of this past week) to go all out in meeting HIPAA requirements, and apparently it is non-negotiable according to the AM. So when the day comes that they want us to restore a single file that someone deleted off the file server, we will have to basically restore the entire disk and attach it back to the file server in order for it to be decrypted, I guess. If you are aware of easier, less painful ways, please do tell. If more clients start wanting this, we will definitely have to hunt another solution.
mamosorre84
Veeam Legend
Posts: 336
Liked: 34 times
Joined: Oct 24, 2016 3:56 pm
Full Name: Marco Sorrentino
Location: Ancona - Italy

[MERGED] Veeam B&R and Windows Bitlocker

Post by mamosorre84 »

Hello,

does Veeam B&R 9.5 support FLR restore from encrypted disks?

I've read the documentation and I've found only info about Veeam Agent.

Thank you

Marco
DGrinev
Veteran
Posts: 1943
Liked: 247 times
Joined: Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev
Location: St.Petersburg

Re: Veeam B&R and Windows Bitlocker

Post by DGrinev »

Hello Marco,

Nope, you cannot use FLR for encrypted disks, but you can initiate instant VM recovery or volume restore.
Please review this thread for additional information. Thanks!
Trelor
Enthusiast
Posts: 47
Liked: 15 times
Joined: Apr 27, 2015 6:02 pm

Re: VBR 9.5 and Bitlocker encryption

Post by Trelor » 1 person likes this post

I have no idea if this will help, but I use BitLocker for backups on rotated hard drives with a pre-job script that mounts the drive and a post-backup script that locks the drives. It is not the best solution since the keys are kept somewhere, but they are secure on our server; I will not share how :). The problem that I was having is that even with the auto unlock it would fail sometimes, causing a slew of issues.


#Veeam Runs This Bat file: MountRotatedDrives.bat
@ECHO OFF
C:\Windows\System32\schtasks.exe /Run /TN "MountRotatedDrives"

#Scheduled Task
<Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -File C:\Scripts\MountRotatedDrives.ps1</Arguments>
    </Exec>
</Actions>

#MountRotatedDrives.ps1
#Create the hashtable for the drives ( Drive color: {VolumeID,Recovery Password} )
$driveList=@{}
$driveList["Black"] = @{}
$driveList["Black"]["id"] = 'hard drive id'
$driveList["Black"]["pw"] = 'bitlocker recovery password'

$driveList["WhiteGray"] = @{}
$driveList["WhiteGray"]["id"] = 'hard drive id'
$driveList["WhiteGray"]["pw"] = 'bitlocker recovery password'

$driveList["BlackGray"] = @{}
$driveList["BlackGray"]["id"] = 'hard drive id'
$driveList["BlackGray"]["pw"] = 'bitlocker recovery password'

#Loop through the drives until one mounts, then unlock it
$BackupDriveLetter = "F:"
$DriveletterExists = Test-Path -Path $BackupDriveLetter
If (-not ($DriveletterExists)) {
	foreach ($drive in $driveList.Keys) {
		$id = $driveList[$drive]['id']
		#Try to mount this volume ID on the backup drive letter
		$mountResponse = (cmd /c "mountvol $BackupDriveLetter\ \\?\Volume{$id}\") | Out-String
		#mountvol answers "The parameter is incorrect." when this drive is not attached
		if($mountResponse -notlike "The parameter is incorrect.*") {
			Start-Sleep -s 5
			$pw = $driveList[$drive]['pw']
			$unlockResponse = (cmd /c "manage-bde.exe -unlock $BackupDriveLetter -RecoveryPassword $pw") | Out-String
			break
		}
	}
}
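
A variant of the pre-job script above that keeps the recovery passwords out of the script text, added here as an example and not part of Trelor's post. The `-Enroll` switch and the `C:\Scripts\RotatedDrives.clixml` path are hypothetical, and the code assumes that `mountvol` exits non-zero when the volume is not attached and that the BitLocker PowerShell module (`Unlock-BitLocker`) is installed.

```powershell
# Added example, not the poster's code. Hypothetical names: -Enroll, $SecretFile.
param(
    [string]$BackupDriveLetter = 'F:',
    [string]$SecretFile = 'C:\Scripts\RotatedDrives.clixml',
    [switch]$Enroll
)

if ($Enroll) {
    # One-time setup, run interactively AS the account the scheduled task uses.
    # Export-Clixml writes SecureString values DPAPI-encrypted, so the file can
    # only be decrypted by this account on this machine.
    'Black', 'WhiteGray', 'BlackGray' | ForEach-Object {
        [pscustomobject]@{
            Label = $_
            Id    = Read-Host "Volume ID for drive '$_'"
            Pw    = Read-Host "Recovery password for drive '$_'" -AsSecureString
        }
    } | Export-Clixml -Path $SecretFile
    return
}

if (Test-Path -Path $BackupDriveLetter) { return }   # drive letter already in use

foreach ($drive in Import-Clixml -Path $SecretFile) {
    # Assumption: mountvol exits non-zero when this volume ID is not attached.
    & mountvol.exe "$BackupDriveLetter\" "\\?\Volume{$($drive.Id)}\" | Out-Null
    if ($LASTEXITCODE -ne 0) { continue }
    Start-Sleep -Seconds 5

    try {
        # Decrypt in memory only for the unlock call; nothing goes on a command line.
        $plain = [System.Net.NetworkCredential]::new('', $drive.Pw).Password
        Unlock-BitLocker -MountPoint $BackupDriveLetter -RecoveryPassword $plain -ErrorAction Stop | Out-Null
        Write-Output "Unlocked rotated drive '$($drive.Label)' on $BackupDriveLetter"
        exit 0
    }
    catch {
        Write-Error "Mounted '$($drive.Label)' but unlock failed: $_"
        exit 1
    }
    finally { Remove-Variable -Name plain -ErrorAction SilentlyContinue }
}

Write-Error 'No rotated drive could be mounted'
exit 1
```

Because the batch file starts the task with `schtasks /Run`, which returns immediately, the exit code above is visible in the task's last-run result rather than in the Veeam job.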
mamosorre84
Veeam Legend
Posts: 336
Liked: 34 times
Joined: Oct 24, 2016 3:56 pm
Full Name: Marco Sorrentino
Location: Ancona - Italy

Re: VBR 9.5 and Bitlocker encryption

Post by mamosorre84 »

Hello Dmitry,

I understand the situation about FLR for encrypted disks.

But if I have a domain controller with a non-encrypted system disk (C:\) and an encrypted secondary disk (E:\), can I use Active Directory object restore from Veeam B&R?

If I try to do it I receive this error: "Error: Loaded mount is not found".

Thanks

Marco
DGrinev
Veteran
Posts: 1943
Liked: 247 times
Joined: Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev
Location: St.Petersburg

Re: VBR 9.5 and Bitlocker encryption

Post by DGrinev »

Hello Marco,

You should be able to do this if nothing was changed during deployment, since the DB and GPO files must be located on system disk C: by default.
However, if you are facing some issues, don't hesitate to contact the support team and let them take a closer look. Thanks!
ejenner
Veteran
Posts: 636
Liked: 100 times
Joined: Mar 23, 2018 4:43 pm
Full Name: EJ
Location: London

Re: VBR 9.5 and Bitlocker encryption

Post by ejenner »

Gostev wrote: Nov 17, 2017 4:35 pm In theory, we might be able to get the keys during application-aware guest processing... but I wonder if this is actually possible, as it would sound like a terrible security hole for BitLocker, no?
Maybe you'd provide the key as you press the restore button? So it backs up the encrypted data... it only decrypts when you want to restore and you provide the key at that point?
nmdange
Veteran
Posts: 527
Liked: 142 times
Joined: Aug 20, 2015 9:30 pm

Re: VBR 9.5 and Bitlocker encryption

Post by nmdange »

Gostev wrote: Nov 17, 2017 4:35 pm In theory, we might be able to get the keys during application-aware guest processing... but I wonder if this is actually possible, as it would sound like a terrible security hole for BitLocker, no?
If the machine has a bitlocker recovery password, a local administrator can retrieve it via PowerShell running (Get-BitlockerVolume).KeyProtector. It's not really a security hole because while the VM is running, that same local admin could turn off bitlocker, copy all the data off the unlocked drive, etc.
ejenner wrote: Nov 12, 2018 10:14 am Maybe you'd provide the key as you press the restore button? So it backs up the encrypted data... it only decrypts when you want to restore and you provide the key at that point?
This would be a good alternative, so the recovery key can be provided even when not doing application-aware processing.
YouGotServered
Service Provider
Posts: 170
Liked: 51 times
Joined: Mar 11, 2016 7:41 pm
Full Name: Cory Wallace

Re: VBR 9.5 and Bitlocker encryption

Post by YouGotServered »

We too had this issue, but found that using v10's Instant Disk Recovery feature to mount the disk to the original VM and unlock it to copy files out that way was a good and faster workaround than booting the whole VM from an Instant VM Recovery.

We did run into an issue - the bitlockered drive was created on 2016. We originally mounted the drive to a 2019 Utility server, and while Windows recognized the drive as a BitLocker protected drive, it did not let us unlock the drive at all. We had to mount it to the original 2016 VM to be able to unlock it. I'm not sure if that's due to a BitLocker versioning limitation between versions, but that's what happened with us.

Ideally, being able to unlock and browse within Veeam is still the best solution, but this seems to work just fine for now :)
rbrambley
Veeam Software
Posts: 481
Liked: 57 times
Joined: Jun 16, 2009 1:23 pm
Full Name: Rich Brambley

Re: VBR 9.5 and Bitlocker encryption

Post by rbrambley »

I know this is an old thread, but the recent reply made me realize that now the Veeam Agent for Windows is probably the best solution for BitLocker protected volumes.

https://helpcenter.veeam.com/docs/agent ... tml?ver=40