How is an unlocked BitLocker volume restored encrypted?

[jamieburchell]

I've been testing entire computer backups and Bare Metal restores with Veeam Agent for Windows on a BitLocker encrypted system. I expected to see my restored computer unencrypted since the backup was created from an unlocked drive when Windows was running, but it seems the volume was still encrypted and had the same recovery keys. I note from the docs that encrypted volume restores to original locations remain encrypted. How does that work?

I tested a different scenario where I ATA Secure Erased the drive and performed the restore and the restored volume was unencrypted and required re-encrypting and new keys.

[Dima P.]

Hello Jamie,

BitLocker keys are controlled by the hardware (TPM module) and Windows operating system, when restoring the data to original location we obey the Windows rules, keeping the volume as-is with all the settings preserved and populate it with the data from the backup. Possibly another vendor somehow recreates the volume from scratch and that causes the mentioned issue. Thank you!

[jamieburchell]

Hi Dima

But how is the restored volume still encrypted after the restore? Is the BitLocker volume data stored encrypted and unlocked or unencrypted in the Veeam backup?

[jamieburchell]

I think the restored data was being encrypted at rest on the BitLocker enabled volume during the restore process due to BitLocker support within the Veeam Recovery Media and the destination volume being unlocked. When I nuked the drive with a SATA Secure Erase there were no existing volumes and so this didn't happen.

[Dima P.]

But how is the restored volume still encrypted after the restore?

If you are not removing the original volume but populate it with the data from the backup there is no 'volume state' change.

Is the BitLocker volume data stored encrypted and unlocked or unencrypted in the Veeam backup?

Unencrypted, otherwise it's not possible to restore it. During backup the volume must be unlocked otherwise the job fails.

I think the restored data was being encrypted at rest on the BitLocker enabled volume during the restore process due to BitLocker support within the Veeam Recovery Media and the destination volume being unlocked. When I nuked the drive with a SATA Secure Erase there were no existing volumes and so this didn't happen.

Correct, we do not encrypt the data. The volume is unlocked so we can add new content to the volume, while Windows with BitLocker engine does the encryption. Here is the detailed KB: BitLocker Encrypted Volumes Support

[jamieburchell]

Brilliant, thanks!