Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
ilovecats
Novice
Posts: 4
Liked: never
Joined: Sep 09, 2015 7:16 pm

Bitlocker Hardware Encryption (Microsoft eDrive) with SED

Post by ilovecats »

VEB documentation clearly states that Bitlocker is supported as long as the volumes are unlocked at the time of backup.

As some of you may know, since Windows 8/Server 2012, Microsoft started supporting a type of hardware Bitlocker encryption (also called eDrive), using compatible OPAL 2.0 compliant self-encrypted SSDs (most notably select Crucial and Samsung SSD models). This type of Bitlocker can be turned on/off instantly, as the encryption is handed off to the SSD's own controller, and incurs zero performance overhead penalty associated with traditional Bitlocker encryption.

To utilize this feature, certain requirements must be met. For example, the OS must be installed from scratch under pure UEFI. Cloned drives/volumes are *not* able to have this feature enabled.

So my question is, does VEB handle this type of Bitlocker encryption without complications? The volumes apparently have to be unlocked at the time of backup, nothing special about that. However, if the backup is successful, later when it is restored to a new drive/volume, the encryption should be *lost* because of the eDrive requirements. The key issue here is, will the restoration still succeed, simply with the volume in encrypted state? Or will the operation fail because of the failure to meet the eDrive requirements?

Any clarifications/advice would be greatly appreciated!
ilovecats
Novice
Posts: 4
Liked: never
Joined: Sep 09, 2015 7:16 pm

Re: Bitlocker Hardware Encryption (Microsoft eDrive) with SE

Post by ilovecats »

Made a typo in the last question:

"The key issue here is, will the restoration still succeed, simply with the volume in unencrypted state? Or will the operation fail because of the failure to meet the eDrive requirements?"
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Bitlocker Hardware Encryption (Microsoft eDrive) with SE

Post by Dima P. »

Hello ilovecats,
To tell the truth, we’ve never tested such a device. However, from what Google tells, you should be able to use it with VEB as a target and a source since encryption is handled on a hardware level. Though, I am not sure about the Bare Metal Recovery.

I wonder if you could test it and share the results with the community, of course if you have such a device with encryption enabled :wink:
asdffdsa6131
Expert
Posts: 121
Liked: 24 times
Joined: Sep 30, 2018 9:03 pm

[MERGED] microsoft edrive SED hard drive

Post by asdffdsa6131 »

hello and thanks,

i plan to upgrade my laptop with a crucial mx500 SSD.
it is a SED - self encrypting hard drive that works with bitlocker.
i searched the forum about this and the only post i found was from 2015.
veeam-agent-for-windows-f33/bitlocker-h ... 30159.html

so my question is a basic one, how will veeam agent deal with bitlocker using hardware encryption, not the software encryption.

thanks much,
david
HannesK
Product Manager
Posts: 14287
Liked: 2877 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: Bitlocker Hardware Encryption (Microsoft eDrive) with SED

Post by HannesK »

Hello,
I merged your question to the existing discussion. I expect the same: it just works and the backup will be unencrypted unless you enable encryption in the Veeam settings.

Once you have it running, feedback would be nice ;-)

Best regards,
Hannes
asdffdsa6131
Expert
Posts: 121
Liked: 24 times
Joined: Sep 30, 2018 9:03 pm

Re: Bitlocker Hardware Encryption (Microsoft eDrive) with SED

Post by asdffdsa6131 »

As a user of the community edition of VBAR and Agent, i am glad to help any way I can.

I will report my findings soon.

Thanks,
David
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Bitlocker Hardware Encryption (Microsoft eDrive) with SED

Post by Dima P. »

Hi David,

Things to consider:

1. From Improvements and fixes for September 24, 2019—KB4516071 (OS Build 16299.1420)
Changes the default setting for BitLocker when encrypting a self-encrypting hard drive. Now, the default is to use software encryption for newly encrypted drives. For existing drives, the type of encryption will not change.
2. Old but good read - Microsoft uses Bitlocker self-encrypting drives (SEDs)
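
For the encryption-type question raised in this thread (hardware eDrive versus software BitLocker, and what state a volume is in after a restore), the following is an added example, not code from any poster or from Veeam. It uses the built-in Get-BitLockerVolume cmdlet from an elevated PowerShell session; the function name Get-BitLockerAudit and its -ExpectHardware parameter are hypothetical, and the 'HardwareEncryption' method value is assumed to be how the cmdlet reports an eDrive volume.

```powershell
# Added example: report, per volume, whether BitLocker is active and whether
# it is using the drive's hardware encryption (eDrive) or software encryption.
# Run from an elevated PowerShell session on the machine being checked.

function Get-BitLockerAudit {
    param(
        # Hypothetical parameter: mount points that used hardware encryption
        # before the rebuild/restore, e.g. 'C:'.
        [string[]]$ExpectHardware = @()
    )

    foreach ($v in Get-BitLockerVolume) {
        $method = [string]$v.EncryptionMethod

        # Assumption: an eDrive volume reports a method starting with 'Hardware';
        # any other non-None value (Aes128, XtsAes128, ...) is software encryption.
        $kind = switch -Regex ($method) {
            '^Hardware' { 'hardware'; break }
            '^None$'    { 'none'; break }
            default     { 'software' }
        }

        $findings = @()
        if ([string]$v.VolumeStatus -eq 'FullyDecrypted') {
            $findings += 'volume is not encrypted'
        } elseif ([string]$v.ProtectionStatus -ne 'On') {
            $findings += 'encrypted but protection is off or suspended'
        }
        if ($ExpectHardware -contains $v.MountPoint -and $kind -ne 'hardware') {
            $findings += "expected hardware encryption, found: $kind"
        }

        [pscustomobject]@{
            MountPoint = $v.MountPoint
            Status     = $v.VolumeStatus
            Protection = $v.ProtectionStatus
            Method     = $method
            Kind       = $kind
            Findings   = if ($findings) { $findings -join '; ' } else { 'ok' }
        }
    }
}

# Example call: C: was hardware-encrypted on the original disk.
Get-BitLockerAudit -ExpectHardware 'C:' | Format-Table -AutoSize
```

Running it once before the backup and again after a restore shows whether the restored volume came back unprotected or switched from hardware to software encryption.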
asdffdsa6131
Expert
Posts: 121
Liked: 24 times
Joined: Sep 30, 2018 9:03 pm

Re: Bitlocker Hardware Encryption (Microsoft eDrive) with SED

Post by asdffdsa6131 »

thanks, i am aware of that. did a lot of research into it.

i have decided that the idea that someone will steal my laptop, somehow get the exact hacked firmware for my drive and have the skill set to steal my data is not realistic.
sure, if someone had access to my hardware, they can hack the TPM chip itself!

that the chance is greater that someone can steal the software encryption keys versus that hardware approach.
more likely, that one of the billions of microsoft bugs and fundamental security flaws, will let someone steal the software encryption keys.
or another microsoft bug will corrupt that crypted data much as windows file systems are prone to file corruption.

most theft is from computers infected with spyware and whether encryption is software or hardware, would not matter
and then there is ransomware....

even if they did hack my laptop, there is not much to find.
any valuable data would be in a keepass database, they would have to find the .key file, which is hidden in the windows registry, generated on the fly when i open keepass.
anything valuable in emails, have already been deleted.
no passwords are saved in firefox.
asdffdsa6131
Expert
Posts: 121
Liked: 24 times
Joined: Sep 30, 2018 9:03 pm

Re: Bitlocker Hardware Encryption (Microsoft eDrive) with SED

Post by asdffdsa6131 »

hi again,

i installed the new hard drive
reinstalled windows 10.20h2
installed vagent using VBAR

i wanted to create a new backup repository and new backup job for it.
i created the backup repository.
I created the backup policy.
when i try to apply configuration, i get this
"3/5/2021 4:46:59 PM :: Skipping en07.local: workstation is already assigned to the backup policy ABP_EN07"
i disabled ABP_EN07.
but still i cannot apply the configuration of the new backup policy.
please help.
thanks
HannesK
Product Manager
Posts: 14287
Liked: 2877 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: Bitlocker Hardware Encryption (Microsoft eDrive) with SED

Post by HannesK »

Hello,
deleting the second policy or switching to type "server" should solve the issue.

Best regards,
Hannes
asdffdsa6131
Expert
Posts: 121
Liked: 24 times
Joined: Sep 30, 2018 9:03 pm

Re: Bitlocker Hardware Encryption (Microsoft eDrive) with SED

Post by asdffdsa6131 »

here is feedback with veeam agent 11 + vbar.

veeam agent backup works as expected.

restore is somewhat working.
--- works -> restoring individual files works
--- does not work -> instant restore, after several attempts, not working. and i have done a bunch of instant restores in the past.
--- works -> exported the disk as .vhdx and then manually create a hyper-v vm.

i have not tried to use an agent boot disk to do a bare metal restore to a hardware encrypted ssd.
in the next week or so, i will try that.

let me know what testing or further assistance i can provide.
HannesK
Product Manager
Posts: 14287
Liked: 2877 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: Bitlocker Hardware Encryption (Microsoft eDrive) with SED

Post by HannesK »

Thanks for sharing the test results.

hmm, strange that instant restore to Hyper-V doesn't work. I'm not sure whether it has anything to do with encryption.

Bare metal restore is the only "open" question, but that must work, too.
asdffdsa6131
Expert
Posts: 121
Liked: 24 times
Joined: Sep 30, 2018 9:03 pm

Re: Bitlocker Hardware Encryption (Microsoft eDrive) with SED

Post by asdffdsa6131 »

not sure why the instant restore failed but the export disk worked.
i tried gen1, gen2, secure boot, no secure boot, TPM, no TPM and so on.

over the weekend, i will try to do a bare metal restore to that SED and update this post
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague

Re: Bitlocker Hardware Encryption (Microsoft eDrive) with SED

Post by Dima P. »

asdffdsa6131,
"--- does not work -> instant restore, after several attempts, not working. and i have done a bunch of instant restores in the past."
Can you please share the screenshot of the error? Thank you in advance!