-
- Influencer
- Posts: 19
- Liked: 3 times
- Joined: Jan 11, 2019 7:00 pm
- Full Name: neil pedrosa
[FEATURE REQUEST] File level restore for BitLocker Encrypted Volumes
Hi All,
I would like to request a feature request for File Level Restores for BitLocker Encrypted Volumes. Can this be a priority? We are encrypting our VMs with BitLocker and need a way to do file level restores (non-agent) for our encrypted VMs.
Thanks in advance.
-N
-
- Product Manager
- Posts: 14840
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: [FEATURE REQUEST] File level restore for BitLocker Encrypted Volumes
Hello,
> Can this be a priority?
not really... because that would break security / encryption. I mean, one of the use cases of in-guest encryption is protection against malicious backup admins...
> and need a way to do file level restores ( non agent) for our encrypted VMs.
that's possible since the invention of instant VM recovery about 10 years ago. We call it "universal restore".
Best regards,
Hannes
-
- Product Manager
- Posts: 2581
- Liked: 708 times
- Joined: Jun 14, 2013 9:30 am
- Full Name: Egor Yakovlev
- Location: Prague, Czech Republic
Re: [FEATURE REQUEST] File level restore for BitLocker Encrypted Volumes
Hi Neil.
Main idea of BitLocker is to encrypt data in case someone (backup admin or a hacker) moves/copies machine disks. So it is a tradeoff: higher security vs granular restore options.
Technically, as a workaround, you can add guest processing scripts in the Veeam job (Guest Processing page - Advanced) that will unlock BitLocker volumes while we trigger the VM snapshot, and lock them after. Not very gentle and might be quite time consuming depending on VM size, however you will get both of two worlds: BitLocker-enabled VMs in production and BitLocker-disabled VMs in backup.
/Cheers!
-
- Novice
- Posts: 8
- Liked: 4 times
- Joined: Sep 09, 2016 1:12 pm
Re: [FEATURE REQUEST] File level restore for BitLocker Encrypted Volumes
Dear HannesK,
The person that is assigned the task of file recovery, must by definition have the authority to access that file. So we must assume they have the password or some other way to unlock Bitlocker.
Of course the filesystem must be in the backup file in encrypted condition. But when the recovery procedure is started, the bitlocker password can be typed in or key file provided.
Currently it takes us 45 - 60 mins to restore a single file from a bitlockered VM.
We need to do:
- Instant vm recovery with network disconnected
- log on with local admin account and take ownership of needed files in guest filesystem
- add a small virtual disk to the system, initialise it in the guest os, format
- copy files we need to temp vdisk
- shut down vm and copy vdisk over to another vm (prone to human error)
- mount temp vdisk within the guest OS and copy files over
- unmount temporary disk and delete (prone to human error)
- stop the instant recovery
This requires quite a lot of skill and permissions, and can only be assigned to a senior engineer.
What is needed, is an easier way to recover files. It doesn't have to be a File Level Restore, if that is too difficult to build. (I don't know if Microsoft publishes/documents the correct way to un-bitlocker a disk)
But anything to make the above insane list of steps shorter and somehow manageable would be a real help.
Data-at-rest encryption is the norm rather than exception these days. The above list of steps (which I have found on this forum some time ago) could at best be called a workaround, not a normal method of operation.
Best regards,
Robert Schols
-
- Product Manager
- Posts: 14840
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: [FEATURE REQUEST] File level restore for BitLocker Encrypted Volumes
Hello,
It's okay that we disagree about security and encryption strategies - I will not go into that further.
But for the restore process... if you need to do that regularly, then I would automate and / or simplify. One option would be using a virtual lab. With that, you can log in to the machine with RDP and even copy a small amount of files directly (RDP is not really fast, I know).
With classic IVMR I would do the following:
1) PowerShell script doing the IVMR and adding a disk to the VM (maybe even a pre-formatted disk to avoid that manual step)
2) do the manual copy of the files
3) PowerShell script that does the disk connect / disconnect / shutdown stuff
What I did not try, but also might work: mount the encrypted backup directly to the server with instant VM disk recovery. Then mount the encrypted volume and copy the files. Not sure whether this maybe works even without entering the bitlocker recovery key as it is the original machine...
Best regards,
Hannes
-
- Novice
- Posts: 8
- Liked: 4 times
- Joined: Sep 09, 2016 1:12 pm
Re: [FEATURE REQUEST] File level restore for BitLocker Encrypted Volumes
Hi HannesK,
I appreciate the very quick reply.
I think your virtual lab suggestion will reduce the number of steps and can work in some cases. I will try.
The scripting seems relatively complex. It needs to talk to VMware, Veeam and Microsoft guest OS, so that's 3 different APIs. Maintaining this is more trouble than it solves.
I did actually try mounting the encrypted disk directly to another machine. It doesn't work -- VMware throws an error. It will not allow me to add a disk on the Veeam NFS datastore to any other server. (Yes, I had the instant VM shut down at that moment so the .vmdk wasn't locked.)
If this could be made to work somehow, that would certainly be good enough to solve the whole issue.
A better way would be if the FLR utility could present the raw disk to the Windows OS running the FLR utility (which it partially already does) and then we can unlock the bitlockered drive there.
neilp's request remains valid in my opinion. FLR was developed for a reason: Veeam product management must at some point have decided that an easy way to restore files is valuable to users.
Best,
Robert
-
- Product Manager
- Posts: 14840
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
Re: [FEATURE REQUEST] File level restore for BitLocker Encrypted Volumes
> It doesn't work -- VMware throws an error.
hmm, it sounds like a misunderstanding. Did you do "instant disk recovery"? https://helpcenter.veeam.com/docs/backu ... ml?ver=100
yes, the request for alternative BitLocker FLR is valid.
As part of Veeam product management, I can just say: currently there are no plans for a feature like that for the reasons mentioned above. But yes, take your request as noted.
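The unlock-and-copy step discussed in this thread, for a disk from the backup that is already attached to a Windows helper machine (for example through instant disk recovery), as an added example that is not part of any post and is not Veeam's code. It uses the built-in BitLocker cmdlets and robocopy; the drive letter and both paths are assumed values, and it assumes the operator holds the volume's recovery password.

```powershell
#Requires -RunAsAdministrator
# Added example: unlock a BitLocker volume attached from a backup, copy out
# the requested files, then lock the volume again.
# Assumed values (not from the thread): R: and the two paths below.
param(
    [string]$MountPoint  = 'R:',                  # letter Windows assigned to the attached volume
    [string]$SourcePath  = 'R:\Shares\Finance',   # folder the user asked to have restored
    [string]$Destination = 'D:\Restore\Finance'   # staging folder on the helper machine
)
$ErrorActionPreference = 'Stop'

$vol = Get-BitLockerVolume -MountPoint $MountPoint
$unlockedHere = $false

if ($vol.LockStatus -eq 'Locked') {
    # Prompt for the secret instead of taking it as an argument, so it does
    # not end up in command history or in a scheduled-task definition.
    $secure = Read-Host -AsSecureString 'Recovery password (48 digits, with dashes)'
    $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $plain | Out-Null
    $plain = $null
    $unlockedHere = $true
}

try {
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    # /B reads with backup privilege, so files can be copied without taking
    # ownership or changing ACLs on the restored volume. /E includes subfolders.
    robocopy $SourcePath $Destination /E /B /R:1 /W:1 "/LOG:$env:TEMP\bitlocker-restore.log"

    # robocopy exit codes of 8 and above mean at least one copy failure.
    if ($LASTEXITCODE -ge 8) {
        throw "robocopy reported failures (exit code $LASTEXITCODE); see the log in $env:TEMP"
    }
}
finally {
    # Lock again even if the copy failed, so the volume does not stay
    # readable on the helper machine after the restore session.
    if ($unlockedHere) {
        Lock-BitLocker -MountPoint $MountPoint -ForceDismount | Out-Null
    }
}
```

A volume taken from another machine's backup shows as Locked on the helper because the source VM's TPM protector is not available there, which is why the script asks for the recovery password.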