neilp
Novice
Posts: 9
Liked: 1 time
Joined: Jan 11, 2019 7:00 pm
Full Name: neil pedrosa

[FEATURE REQUEST] File level restore for BitLocker Encrypted Volumes

Post by neilp »

Hi All,
I would like to request a feature request for File Level Restores for BitLocker Encrypted Volumes. Can this be a priority? We are encrypting our VMs with BitLocker and need a way to do file level restores (non-agent) for our encrypted VMs.
Thanks in advance.
-N
HannesK
Product Manager
Posts: 14287
Liked: 2877 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria

Re: [FEATURE REQUEST] File level restore for BitLocker Encrypted Volumes

Post by HannesK »

Hello,
> Can this be a priority?
not really... because that would break security / encryption. I mean, one of the use cases of in-guest encryption is protection against malicious backup admins...
> and need a way to do file level restores (non-agent) for our encrypted VMs.
that's possible since the invention of instant VM recovery about 10 years ago ;-) We call it "universal restore".

Best regards,
Hannes
Egor Yakovlev
Veeam Software
Posts: 2536
Liked: 680 times
Joined: Jun 14, 2013 9:30 am
Full Name: Egor Yakovlev
Location: Prague, Czech Republic

Re: [FEATURE REQUEST] File level restore for BitLocker Encrypted Volumes

Post by Egor Yakovlev »

Hi Neil.
Main idea of BitLocker is to encrypt data in case someone (backup admin or a hacker) moves/copies machine disks. So it is a tradeoff: higher security vs granular restore options.
Technically, as a workaround, you can add guest processing scripts in Veeam job (Guest Processing page - Advanced) that will unlock BitLocker volumes while we trigger VM snapshot, and lock them after. Not very gentle and might be quite time consuming depending on VM size, however you will get both of two worlds: BitLocker enabled VMs in production and BitLocker disabled VMs in backup.
/Cheers!
rschols
Novice
Posts: 8
Liked: 4 times
Joined: Sep 09, 2016 1:12 pm

Re: [FEATURE REQUEST] File level restore for BitLocker Encrypted Volumes

Post by rschols »

Dear HannesK,
HannesK wrote: Feb 18, 2020 6:43 am
> not really... because that would break security / encryption. I mean, one of the use cases of in-guest encryption is protection against malicious backup admins...
The person that is assigned the task of file recovery, must by definition have the authority to access that file. So we must assume they have the password or some other way to unlock Bitlocker.

Of course the filesystem must be in the backup file in encrypted condition. But when the recovery procedure is started, the bitlocker password can be typed in or key file provided.
HannesK wrote: Feb 18, 2020 6:43 am
> that's possible since the invention of instant VM recovery about 10 years ago ;-) We call it "universal restore".
Currently it takes us 45 - 60 mins to restore a single file from a bitlockered VM.
We need to do:
- Instant vm recovery with network disconnected
- log on with local admin account and take ownership of needed files in guest filesystem
- add a small virtual disk to the system, initialise it in the guest os, format
- copy files we need to temp vdisk
- shut down vm and copy vdisk over to another vm (prone to human error)
- mount temp vdisk within the guest OS and copy files over
- unmount temporary disk and delete (prone to human error)
- stop the instant recovery

This requires quite a lot of skill and permissions, and can only be assigned to a senior engineer.

What is needed, is an easier way to recover files. It doesn't have to be a File Level Restore, if that is too difficult to build. (I don't know if Microsoft publishes/documents the correct way to un-bitlocker a disk)

But anything to make the above insane list of steps shorter and somehow manageable would be a real help.

Data-at-rest encryption is the norm rather than exception these days. The above list of steps (which I have found on this forum some time ago) could at best be called a workaround, not a normal method of operation.

Best regards,
Robert Schols

Re: [FEATURE REQUEST] File level restore for BitLocker Encrypted Volumes

Post by HannesK »

Hello,
it's okay that we disagree about security and encryption strategies - I will not go into that further.

But for the restore process... if you need to do that regularly, then I would automate and / or simplify. One option would be using virtual lab. With that, you can log in to the machine with RDP and even copy small amount of files directly (RDP is not really fast, I know).

with classic IVMR I would do the following:
1) PowerShell script doing the IVMR and add a disk to the VM (maybe even a pre-formatted disk to avoid that manual step)
2) do the manual copy of the files
3) PowerShell script that does the disk connect / disconnect / shutdown stuff

What I did not try, but also might work: mount the encrypted backup directly to the server with instant VM disk recovery. Then mount the encrypted volume and copy the files. Not sure whether this maybe works even without entering the bitlocker recovery key as it is the original machine...

Best regards,
Hannes

Re: [FEATURE REQUEST] File level restore for BitLocker Encrypted Volumes

Post by rschols »

Hi HannesK,

I appreciate the very quick reply.

I think your virtual lab suggestion will reduce the number of steps and can work in some cases. I will try.

The scripting seems relatively complex. It needs to talk to VMware, Veeam and Microsoft guest OS, so that's 3 different APIs. Maintaining this is more trouble than it solves.

I did actually try mounting the encrypted disk directly to another machine. It doesn't work -- VMware throws an error. It will not allow me to add a disk on the Veeam NFS datastore to any other server. (Yes, I had the instant VM shut down at that moment so the .vmdk wasn't locked. :wink: )
If this could be made to work somehow, that would certainly be good enough to solve the whole issue.

A better way would be if the FLR utility could present the raw disk to the windows OS running the FLR utility (which it partially already does) and then we can unlock the bitlockered drive there.

neilp's request remains valid in my opinion. FLR was developed for a reason: Veeam product management must at some point have decided that an easy way to restore files is valuable to users.

Best,
Robert

Re: [FEATURE REQUEST] File level restore for BitLocker Encrypted Volumes

Post by HannesK »

> It doesn't work -- VMware throws an error.
hmm, it sounds like a misunderstanding. did you do "instant disk recovery"? https://helpcenter.veeam.com/docs/backu ... ml?ver=100

yes, the request for alternative bitlocker FLR is valid.

As part of Veeam product management, I can just say: currently there are no plans for a feature like that for the reasons mentioned above. But yes, take your request as noted 👍
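
The "mount the encrypted volume and copy the files" step that HannesK and rschols discuss above, as an added PowerShell example that is not part of any post and is not Veeam's own tooling. It assumes the restored disk is already attached to a helper Windows machine that has the BitLocker module (for instance through instant disk recovery); the parameter names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: copy files from a locked BitLocker volume on an attached, restored disk.
param(
    [Parameter(Mandatory)] [int]    $DiskNumber,    # assumed: number of the attached disk, from Get-Disk
    [Parameter(Mandatory)] [string] $RelativePath,  # assumed: path on the volume, e.g. 'Data\report.xlsx'
    [Parameter(Mandatory)] [string] $Destination    # assumed: existing local folder for the restored files
)
$ErrorActionPreference = 'Stop'

# Bring the disk online read-only so the helper OS does not modify the restored data.
if ((Get-Disk -Number $DiskNumber).IsOffline) {
    Set-Disk -Number $DiskNumber -IsReadOnly $true
    Set-Disk -Number $DiskNumber -IsOffline $false
}

# Collect the volumes on that disk that have a drive letter and are still locked.
$locked = Get-Partition -DiskNumber $DiskNumber |
    Where-Object { $_.DriveLetter -match '[A-Z]' } |
    ForEach-Object { Get-BitLockerVolume -MountPoint "$($_.DriveLetter):" } |
    Where-Object { $_.LockStatus -eq 'Locked' }
if (-not $locked) { throw "No locked BitLocker volume with a drive letter on disk $DiskNumber." }

# Prompt for the 48-digit recovery password so it never sits in the script or its arguments.
$secure = Read-Host 'BitLocker recovery password' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

try {
    foreach ($vol in $locked) {
        Unlock-BitLocker -MountPoint $vol.MountPoint -RecoveryPassword $plain | Out-Null
        $source = Join-Path $vol.MountPoint $RelativePath
        if (Test-Path -LiteralPath $source) {
            # NTFS permissions from the source machine still apply to this copy.
            Copy-Item -LiteralPath $source -Destination $Destination -Recurse
            Write-Output "Copied $source to $Destination"
        }
    }
}
finally {
    # Always relock and detach, even when the unlock or the copy failed.
    foreach ($vol in $locked) {
        Lock-BitLocker -MountPoint $vol.MountPoint -ForceDismount -ErrorAction SilentlyContinue | Out-Null
    }
    Set-Disk -Number $DiskNumber -IsOffline $true
    Remove-Variable plain
}
```

The recovery password only exists for the person running the restore, so the backup itself stays encrypted, which is the property both sides of the thread want to keep.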