pierluigid
Novice
Posts: 4
Liked: never
Joined: Jan 04, 2016 2:29 pm

VBR 9.5 and Bitlocker encryption

Post by pierluigid » Sep 07, 2017 2:53 pm

Hi
I have a Windows Server 2008 R2 (VM) where I've just created a new volume (D:) and I have encrypted this volume with BitLocker.
I've seen that a VBR backup job (active full) runs without problems, BUT if I try to do a Restore Guest Files I can't find the D: drive.
VBR 9.5 backup seems to ignore this encrypted D: drive.
I've found an article: Veeam Endpoint Backup: BitLocker support (https://www.veeam.com/blog/veeam-endpoi ... pport.html )
Perfect, this is what I was looking for ... but I need it in VBR and not Veeam Agent.
No other info found on the internet ... Can someone tell me something about this?

Many thanks in advance.
Pierluigi

foggy
Veeam Software
Posts: 17391
Liked: 1443 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: VBR 9.5 and Bitlocker encryption

Post by foggy » Sep 07, 2017 3:21 pm

Hi Pierluigi, it doesn't ignore the encrypted disk, it just cannot make sense of it due to not having the Bitlocker keys, hence, FLR is not available. However, Instant VM Recovery should work flawlessly in this case.

pierluigid
Novice
Posts: 4
Liked: never
Joined: Jan 04, 2016 2:29 pm

Re: VBR 9.5 and Bitlocker encryption

Post by pierluigid » Sep 11, 2017 8:47 am

Hi Foggy
You are right. Instant VM recovery and also restore of virtual disks work fine.
But it would be nice to have all the possibilities that Veeam Agent has, as reported in the above link.
Do you know if these possibilities will be integrated in VBR ASAP?
Many thanks.
Pierluigi

foggy
Veeam Software
Posts: 17391
Liked: 1443 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: VBR 9.5 and Bitlocker encryption

Post by foggy » Nov 17, 2017 2:42 pm

Not ASAP or in the short term. Veeam B&R is an image-based solution, while Veeam Agent runs directly on the server and thus has access to the keys.

Gostev
SVP, Product Management
Posts: 23602
Liked: 3112 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: VBR 9.5 and Bitlocker encryption

Post by Gostev » Nov 17, 2017 4:35 pm

In theory, we might be able to get the keys during application-aware guest processing... but I wonder if this is actually possible, as it would sound like a terrible security hole for the Bitlocker, no?

jrwilmoth040707
Service Provider
Posts: 56
Liked: 2 times
Joined: Apr 07, 2015 1:53 pm
Full Name: James Wilmoth

Re: VBR 9.5 and Bitlocker encryption

Post by jrwilmoth040707 » Oct 17, 2018 1:47 am

foggy wrote:
Nov 17, 2017 2:42 pm
Veeam B&R is an image-based solution
While that is true, no Veeam customer out there wants to have the mere ability to restore an image. There are an abundance of image-based solutions that offer bare metal recoveries. Veeam also offers many additional restore options, hence the ability to choose the specific type of restore for the need. If we cannot offer quick file-level restore options to clients with BitLocker encrypted disks, I would like to know what other types of restores are unavailable to us.

Gostev
SVP, Product Management
Posts: 23602
Liked: 3112 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: VBR 9.5 and Bitlocker encryption

Post by Gostev » Oct 17, 2018 11:07 am

If FLR is not possible, then no other granular restore option will be available either.

jrwilmoth040707
Service Provider
Posts: 56
Liked: 2 times
Joined: Apr 07, 2015 1:53 pm
Full Name: James Wilmoth

Re: VBR 9.5 and Bitlocker encryption

Post by jrwilmoth040707 » Oct 20, 2018 5:13 pm

While not having this ability at this time is an acceptable answer, not working towards having it is an unacceptable answer. Well, I guess all we can do is hope then. Or start looking for another solution that will provide granular backup and restore for BitLocker encrypted disks.

We only have one client who has decided (as of this past week) to go all out in meeting HIPAA requirements, and apparently it is non-negotiable according to the AM. So when the day comes that they want us to restore a single file that someone deleted off the file server, we will have to basically restore the entire disk and attach it back to the file server in order for it to be decrypted, I guess. If you are aware of easier, less painful ways, please do tell. If more clients start wanting this, we will definitely have to hunt another solution.

mamosorre84
Enthusiast
Posts: 73
Liked: 6 times
Joined: Oct 24, 2016 3:56 pm
Full Name: Marco Sorrentino
Location: Ancona - Italy

[MERGED] Veeam B&R and Windows Bitlocker

Post by mamosorre84 » Nov 08, 2018 11:44 am

Hello,

does Veeam B&R 9.5 support FLR restore from encrypted disks?

I've read the documentation and I've found only info about Veeam agent..

Thank you

Marco

DGrinev
Veeam Software
Posts: 1425
Liked: 165 times
Joined: Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev
Location: St.Petersburg

Re: Veeam B&R and Windows Bitlocker

Post by DGrinev » Nov 08, 2018 11:51 am

Hello Marco,

Nope, you cannot use FLR for encrypted disks, but you can initiate instant VM recovery or volume restore.
Please review this thread for additional information. Thanks!

Trelor
Influencer
Posts: 16
Liked: 3 times
Joined: Apr 27, 2015 6:02 pm

Re: VBR 9.5 and Bitlocker encryption

Post by Trelor » Nov 08, 2018 2:18 pm 1 person likes this post

I have no idea if this will help, but I use BitLocker for backups on rotated hard drives with a pre-job script that mounts the drive and a post-backup script that locks the drives. It is not the best solution since the keys are kept somewhere, but they are secure on our server (I will not share how :) ). The problem that I was having is that even with the auto unlock it would fail sometimes, causing a slew of issues.

Code:

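REM Veeam runs this bat file as the pre-job script: MountRotatedDrives.bat
REM It only triggers the scheduled task, which runs the PowerShell script below.
@ECHO OFF
C:\Windows\System32\schtasks.exe /Run /TN "MountRotatedDrives"

<!-- Scheduled task "MountRotatedDrives": Actions element of the task XML -->
<!-- powershell.exe switches must come before -File; anything after the script path is passed to the script -->
<Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -File C:\Scripts\MountRotatedDrives.ps1</Arguments>
    </Exec>
  </Actions>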

#MountRotatedDrives.ps1
#Create the hashtable for the drives ( Drive color: {VolumeID,Recovery Password} )
$driveList=@{}
$driveList["Black"] = @{}
$driveList["Black"]["id"] = 'hard drive id'
$driveList["Black"]["pw"] = 'bitlocker recovery password'

$driveList["WhiteGray"] = @{}
$driveList["WhiteGray"]["id"] = 'hard drive id'
$driveList["WhiteGray"]["pw"] = 'bitlocker recovery password'

$driveList["BlackGray"] = @{}
$driveList["BlackGray"]["id"] = 'hard drive id'
$driveList["BlackGray"]["pw"] = 'bitlocker recovery password'

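#Loop through the drives until one unlocks
$BackupDriveLetter = "F:"
$DriveletterExists = Test-Path -Path $BackupDriveLetter
#Only try to mount when F: is not already present
If (-not ($DriveletterExists)) {
	foreach ($drive in $($driveList.keys)) {
		$id = $($driveList.$drive.item('id'))
		#Try to mount this volume ID on F:; mountvol answers "The parameter is incorrect." when that drive is not attached
		$mountResponse = (cmd /c "mountvol F:\ \\?\Volume{$id}\") | Out-String
		if($mountResponse -notlike "The parameter is incorrect.*") {
			#Give the volume a moment to appear before unlocking it
			Start-Sleep -s 5
			$pw = $($driveList.$drive.item('pw'))
			#Unlock the mounted drive with its BitLocker recovery password
			$unlockResponse = (cmd /c "manage-bde.exe -unlock F: -RecoveryPassword $pw") | Out-String
			#Stop at the first drive that mounted
			break
		}
	}
}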

mamosorre84
Enthusiast
Posts: 73
Liked: 6 times
Joined: Oct 24, 2016 3:56 pm
Full Name: Marco Sorrentino
Location: Ancona - Italy

Re: VBR 9.5 and Bitlocker encryption

Post by mamosorre84 » Nov 09, 2018 10:38 am

Hello Dmitry,

I understand the situation about FLR for encrypted disks.

But if I have a domain controller with an unencrypted system disk (C:\) and an encrypted secondary disk (E:\), can I use Active Directory object restore from Veeam B&R?

If I try to do it I receive this error: "Error: Loaded mount is not found".

Thanks

Marco

DGrinev
Veeam Software
Posts: 1425
Liked: 165 times
Joined: Dec 01, 2016 3:49 pm
Full Name: Dmitry Grinev
Location: St.Petersburg

Re: VBR 9.5 and Bitlocker encryption

Post by DGrinev » Nov 09, 2018 11:16 am

Hello Marco,

You should be able to do this if nothing was changed during deployment, since the DB and GPO files must be located on system disk C: by default.
However, if you are facing some issues, don't hesitate to contact the support team and let them take a closer look. Thanks!

ejenner
Expert
Posts: 181
Liked: 22 times
Joined: Mar 23, 2018 4:43 pm
Full Name: EJ
Location: London

Re: VBR 9.5 and Bitlocker encryption

Post by ejenner » Nov 12, 2018 10:14 am

Gostev wrote:
Nov 17, 2017 4:35 pm
In theory, we might be able to get the keys during application-aware guest processing... but I wonder if this is actually possible, as it would sound like a terrible security hole for the Bitlocker, no?
Maybe you'd provide the key as you press the restore button? So it backs up the encrypted data... it only decrypts when you want to restore and you provide the key at that point?

nmdange
Expert
Posts: 394
Liked: 91 times
Joined: Aug 20, 2015 9:30 pm

Re: VBR 9.5 and Bitlocker encryption

Post by nmdange » Nov 12, 2018 3:13 pm

Gostev wrote:
Nov 17, 2017 4:35 pm
In theory, we might be able to get the keys during application-aware guest processing... but I wonder if this is actually possible, as it would sound like a terrible security hole for the Bitlocker, no?
If the machine has a bitlocker recovery password, a local administrator can retrieve it via PowerShell running (Get-BitlockerVolume).KeyProtector. It's not really a security hole because while the VM is running, that same local admin could turn off bitlocker, copy all the data off the unlocked drive, etc.
ejenner wrote:
Nov 12, 2018 10:14 am
Maybe you'd provide the key as you press the restore button? So it backs up the encrypted data... it only decrypts when you want to restore and you provide the key at that point?
This would be a good alternative, so the recovery key can be provided even when not doing application-aware processing.
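
Added example (not posted by anyone in this thread and not Veeam code): the single-file workaround discussed above, with the recovery password supplied only at restore time instead of being stored in a script. It assumes the BitLocker-encrypted disk has already been restored and attached to a Windows host that has the BitLocker PowerShell module (the module that provides Get-BitLockerVolume; a Server 2008 R2 guest would need manage-bde instead); the drive letter R: and both paths are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: pull one file from a restored, still-encrypted BitLocker volume.
# Assumptions: the restored disk is attached as R:, paths are placeholders.
param(
    [string]$MountPoint  = 'R:',
    [string]$SourcePath  = 'R:\Shares\Finance\report.xlsx',
    [string]$Destination = 'D:\Restored'
)
$ErrorActionPreference = 'Stop'

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Show which recovery-password protector(s) this volume expects, so the
# operator can look up the matching key by its protector ID.
$vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorType, KeyProtectorId |
    Format-Table -AutoSize | Out-Host

if ($vol.LockStatus -eq 'Locked') {
    # Prompt for the key; it is never written to disk or to the script.
    $secure = Read-Host -AsSecureString 'BitLocker recovery password'
    $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
    try {
        Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $plain | Out-Null
    }
    finally {
        Remove-Variable plain, secure
    }
}

try {
    if (-not (Test-Path -LiteralPath $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    Copy-Item -LiteralPath $SourcePath -Destination $Destination
    Write-Host "Copied $SourcePath to $Destination"
}
finally {
    # Re-lock the restored copy whether or not the copy succeeded,
    # so the plaintext view does not stay mounted on the host.
    Lock-BitLocker -MountPoint $MountPoint -ForceDismount | Out-Null
}
```

Detach and delete the restored disk afterwards; the copied file in the destination folder is no longer protected by BitLocker unless that folder sits on an encrypted volume.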
