-
- Novice
- Posts: 4
- Liked: never
- Joined: Jan 04, 2016 2:29 pm
VBR 9.5 and Bitlocker encryption
Hi
I have a Windows Server 2008 R2 (VM) where I've just created a new volume (D:) and I have encrypted this volume with Bitlocker.
I've seen that a VBR backup job (full active) runs without problem BUT if I try to do a Restore Guest files I can't find the D: drive.
VBR 9.5 backup seems to ignore this D: encrypted drive.
I've found an article: Veeam Endpoint Backup: BitLocker support (https://www.veeam.com/blog/veeam-endpoi ... pport.html)
Perfect, this is what I was looking for ... but I need it in VBR and not Veeam Agent.
No other info found on the internet ... Can someone tell me something about this?
Many thanks in advance.
Pierluigi
-
- Veeam Software
- Posts: 21138
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
Re: VBR 9.5 and Bitlocker encryption
Hi Pierluigi, it doesn't ignore the encrypted disk, it just cannot make sense of it due to not having the Bitlocker keys, hence, FLR is not available. However, Instant VM Recovery should work flawlessly in this case.
-
- Novice
- Posts: 4
- Liked: never
- Joined: Jan 04, 2016 2:29 pm
Re: VBR 9.5 and Bitlocker encryption
Hi Foggy
You are right. Instant VM recovery and also restore virtual disks works fine.
But it would be nice to have all the possibilities that Veeam Agent has, as reported in the above link.
Do you know if these possibilities will be integrated in VBR asap?
Many thanks.
Pierluigi
-
- Veeam Software
- Posts: 21138
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
Re: VBR 9.5 and Bitlocker encryption
Not ASAP or in the short term. Veeam B&R is an image-based solution, while Veeam Agent runs directly on the server and thus has access to the keys.
-
- Chief Product Officer
- Posts: 31798
- Liked: 7297 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: VBR 9.5 and Bitlocker encryption
In theory, we might be able to get the keys during application-aware guest processing... but I wonder if this is actually possible, as it would sound like a terrible security hole for the Bitlocker, no?
-
- Veteran
- Posts: 316
- Liked: 48 times
- Joined: Apr 07, 2015 1:53 pm
- Full Name: James Wilmoth
- Location: Kannapolis, North Carolina, USA
Re: VBR 9.5 and Bitlocker encryption
While that is true, no Veeam customer out there wants to have the mere ability to restore an image. There is an abundance of image-based solutions that offer bare metal recoveries. Veeam also offers many additional restore options, hence the ability to choose the specific type of restore for the need. If we cannot offer quick file-level restore options to clients with BitLocker encrypted disks, I would like to know what other types of restores are unavailable to us.
-
- Chief Product Officer
- Posts: 31798
- Liked: 7297 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
Re: VBR 9.5 and Bitlocker encryption
If FLR is not possible, then no other granular restore option will be available either.
-
- Veteran
- Posts: 316
- Liked: 48 times
- Joined: Apr 07, 2015 1:53 pm
- Full Name: James Wilmoth
- Location: Kannapolis, North Carolina, USA
Re: VBR 9.5 and Bitlocker encryption
While not having this ability at this time is an acceptable answer, not working towards having it is an unacceptable answer. Well, I guess all we can do is hope then. Or start looking for another solution that will provide granular backup and restore for BitLocker encrypted disks.
We only have one client who has decided (as of this past week) to go all out in meeting HIPAA requirements, and apparently it is non-negotiable according to the AM. So when the day comes that they want us to restore a single file that someone deleted off the file server, we will have to basically restore the entire disk and attach it back to the file server in order for it to be decrypted, I guess. If you are aware of easier, less painful ways, please do tell. If more clients start wanting this, we will definitely have to hunt another solution.
-
- Veeam Legend
- Posts: 351
- Liked: 36 times
- Joined: Oct 24, 2016 3:56 pm
- Full Name: Marco Sorrentino
- Location: Ancona - Italy
[MERGED] Veeam B&R and Windows Bitlocker
Hello,
does Veeam B&R 9.5 support FLR restore from encrypted disks?
I've read the documentation and I've found only info about Veeam agent..
Thank you
Marco
-
- Veteran
- Posts: 1943
- Liked: 247 times
- Joined: Dec 01, 2016 3:49 pm
- Full Name: Dmitry Grinev
- Location: St.Petersburg
Re: Veeam B&R and Windows Bitlocker
Hello Marco,
Nope, you cannot use FLR for encrypted disks, but you can initiate instant VM recovery or volume restore.
Please review this thread for additional information. Thanks!
-
- Enthusiast
- Posts: 48
- Liked: 16 times
- Joined: Apr 27, 2015 6:02 pm
Re: VBR 9.5 and Bitlocker encryption
I have no idea if this will help, but I use BitLocker for backups on rotated hard drives with a pre-job script that mounts the drive and a post-backup script that locks the drives. It is not the best solution since the keys are kept somewhere, but they are secure on our server; I will not share how. The problem that I was having is that even with the auto-unlock it would sometimes fail, causing a slew of issues.
Code:
# Veeam runs this bat file: MountRotatedDrives.bat
@ECHO OFF
C:\Windows\System32\schtasks.exe /Run /TN "MountRotatedDrives"

# Scheduled Task (-WindowStyle goes before -File; anything after -File is passed to the script as its arguments)
<Actions Context="Author">
  <Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-WindowStyle Hidden -File C:\Scripts\MountRotatedDrives.ps1</Arguments>
  </Exec>
</Actions>

# MountRotatedDrives.ps1
# Create the hashtable for the drives ( Drive color: {VolumeID,Recovery Password} )
$driveList = @{}
$driveList["Black"] = @{}
$driveList["Black"]["id"] = 'hard drive id'
$driveList["Black"]["pw"] = 'bitlocker recovery password'
$driveList["WhiteGray"] = @{}
$driveList["WhiteGray"]["id"] = 'hard drive id'
$driveList["WhiteGray"]["pw"] = 'bitlocker recovery password'
$driveList["BlackGray"] = @{}
$driveList["BlackGray"]["id"] = 'hard drive id'
$driveList["BlackGray"]["pw"] = 'bitlocker recovery password'

# Loop through the drives until one unlocks
$BackupDriveLetter = "F:"
$DriveletterExists = Test-Path -Path $BackupDriveLetter
# Only try to mount when nothing is available at the backup drive letter yet
If (-not ($DriveletterExists)) {
    foreach ($drive in $($driveList.keys)) {
        $isMounted = $false
        $id = $($driveList.$drive.item('id'))
        # Try to mount this volume ID at F:\; mountvol reports an error for a drive that is not attached
        $mountResponse = (cmd /c "mountvol F:\ \\?\Volume{$id}\") | Out-String
        if ($mountResponse -notlike "The parameter is incorrect.*") {
            # Give the volume a moment to appear before unlocking it
            Start-Sleep -s 5
            $pw = $($driveList.$drive.item('pw'))
            $unlockResponse = (cmd /c "manage-bde.exe -unlock F: -RecoveryPassword $pw") | Out-String
            # Stop at the first drive that mounted
            break
        }
    }
}
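The post above mentions a post-backup script that locks the drive but does not show it. The following is an added example of such a script, not the poster's own code: it locks the volume and then confirms the resulting lock state instead of assuming the command worked. It assumes the BitLocker PowerShell module (Windows Server 2012 or later), an elevated session, and the `F:` drive letter from the post; the function name `Lock-BackupDrive` is hypothetical.

```powershell
# Added example: post-job lock with verification (not the poster's script).
# Assumes the BitLocker PowerShell module and an elevated session.
param(
    [string]$MountPoint = 'F:'   # drive letter taken from the post above
)

function Lock-BackupDrive {
    param([Parameter(Mandatory)][string]$MountPoint)

    # Get-BitLockerVolume raises an error when nothing is mounted at the letter
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
    if (-not $vol) { return 'NotPresent' }

    # A decrypted volume behind the backup letter means the wrong disk is attached
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { return 'NotEncrypted' }

    if ($vol.LockStatus -eq 'Unlocked') {
        # -ForceDismount locks the volume even if a handle is still open on it
        Lock-BitLocker -MountPoint $MountPoint -ForceDismount -ErrorAction Stop | Out-Null
        # Re-read the state rather than trusting the previous call
        $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    }
    return [string]$vol.LockStatus    # 'Locked' on success
}

try {
    $state = Lock-BackupDrive -MountPoint $MountPoint
} catch {
    $state = "Error: $($_.Exception.Message)"
}

# One line per run, suitable for redirecting into a log file
Write-Output ("{0} {1} {2}" -f (Get-Date -Format o), $MountPoint, $state)

# Non-zero exit code when the drive is present but not confirmed locked
if ($state -notin 'Locked', 'NotPresent') { exit 1 }
```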
-
- Veeam Legend
- Posts: 351
- Liked: 36 times
- Joined: Oct 24, 2016 3:56 pm
- Full Name: Marco Sorrentino
- Location: Ancona - Italy
Re: VBR 9.5 and Bitlocker encryption
Hello Dmitry,
I understand the situation about FLR for encrypted disks.
But if I have a domain controller with an unencrypted system disk (C:\) and an encrypted secondary disk (E:\), can I use Active Directory object restore from Veeam B&R?
If I try to do it I receive this error: "Error: Loaded mount is not found".
Thanks
Marco
-
- Veteran
- Posts: 1943
- Liked: 247 times
- Joined: Dec 01, 2016 3:49 pm
- Full Name: Dmitry Grinev
- Location: St.Petersburg
Re: VBR 9.5 and Bitlocker encryption
Hello Marco,
You should be able to do this if nothing was changed during deployment, since the DB and GPO files must be located on system disk C: by default.
However, if you are facing some issues, don't hesitate to contact the support team and let them take a closer look. Thanks!
-
- Veteran
- Posts: 636
- Liked: 100 times
- Joined: Mar 23, 2018 4:43 pm
- Full Name: EJ
- Location: London
Re: VBR 9.5 and Bitlocker encryption
Maybe you'd provide the key as you press the restore button? So it backs up the encrypted data... it only decrypts when you want to restore and you provide the key at that point?
-
- Veteran
- Posts: 528
- Liked: 144 times
- Joined: Aug 20, 2015 9:30 pm
Re: VBR 9.5 and Bitlocker encryption
If the machine has a bitlocker recovery password, a local administrator can retrieve it via PowerShell running (Get-BitlockerVolume).KeyProtector. It's not really a security hole because while the VM is running, that same local admin could turn off bitlocker, copy all the data off the unlocked drive, etc.
This would be a good alternative, so the recovery key can be provided even when not doing application-aware processing.
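The `KeyProtector` property mentioned in the post above can also be used as an audit: the restore paths discussed in this thread hand back a volume that still has to be unlocked, so it is worth knowing in advance which protectors each volume has. The following is an added example, not code from the thread. It reports protector types and IDs per volume without ever printing a recovery password, so the IDs can be matched against wherever the keys are escrowed. It assumes the BitLocker PowerShell module and an elevated session inside the guest; the function name and the exit-code policy are hypothetical.

```powershell
# Added example: report BitLocker protectors per volume without printing secrets.
# Assumes the BitLocker PowerShell module and an elevated session inside the guest.
function Get-BitLockerRecoveryInventory {
    foreach ($vol in Get-BitLockerVolume) {
        # Only protector type and ID are read; the RecoveryPassword value is never output
        $recovery = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        [pscustomobject]@{
            ComputerName        = $env:COMPUTERNAME
            MountPoint          = $vol.MountPoint
            VolumeStatus        = [string]$vol.VolumeStatus
            ProtectionStatus    = [string]$vol.ProtectionStatus
            LockStatus          = [string]$vol.LockStatus
            ProtectorTypes      = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            HasRecoveryPassword = $recovery.Count -gt 0
            RecoveryProtectorId = @($recovery | ForEach-Object { $_.KeyProtectorId }) -join ','
        }
    }
}

$inventory = @(Get-BitLockerRecoveryInventory)
$inventory | Format-Table -AutoSize

# Encrypted volumes with no recovery password protector: a restored copy of such
# a disk could only be unlocked with one of its other protectors (assumed policy check)
$gaps = @($inventory | Where-Object {
    $_.VolumeStatus -ne 'FullyDecrypted' -and -not $_.HasRecoveryPassword
})
if ($gaps.Count -gt 0) {
    Write-Warning ("No recovery password protector on: " + ($gaps.MountPoint -join ', '))
    exit 1
}
```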
-
- Service Provider
- Posts: 176
- Liked: 53 times
- Joined: Mar 11, 2016 7:41 pm
- Full Name: Cory Wallace
Re: VBR 9.5 and Bitlocker encryption
We too had this issue, but found that using v10's Instant Disk Recovery feature to mount the disk to the original VM and unlock it to copy files out that way was a good and faster workaround than booting the whole VM from an Instant VM Recovery.
We did run into an issue - the bitlockered drive was created on 2016. We originally mounted the drive to a 2019 Utility server, and while Windows recognized the drive as a BitLocker protected drive, it did not let us unlock the drive at all. We had to mount it to the original 2016 VM to be able to unlock it. I'm not sure if that's due to a BitLocker versioning limitation between versions, but that's what happened with us.
Ideally, being able to unlock and browse within Veeam is still the best solution, but this seems to work just fine for now.
-
- Veeam Software
- Posts: 481
- Liked: 57 times
- Joined: Jun 16, 2009 1:23 pm
- Full Name: Rich Brambley
Re: VBR 9.5 and Bitlocker encryption
I know this is an old thread, but the recent reply made me realize that now the Veeam Agent for Windows is probably the best solution for Bitlocker protected volumes
https://helpcenter.veeam.com/docs/agent ... tml?ver=40