
Understanding Disk encryption and Macrium Reflect




Disk encryption software is provided by Microsoft under the name Bitlocker. Various third party tools, such as TrueCrypt, McAfee SafeBoot and PGP Whole Disk Encryption offer similar functionality.

You can choose to encrypt your data in the following ways:
1) System disk/partition encryption
2) Data partition/disk encryption
3) File based virtual disk

The method you choose impacts on how you can image, backup and restore your system or files.

Windows/Reflect
  System disk/data partition encryption: Encrypted partitions are decrypted on the fly, so applications, including Reflect, are presented with an unencrypted partition.
  File based virtual disk: The mounted virtual disk will not be recognised as a disk by Reflect. However, the virtual disk file will be imaged correctly when the containing partition is imaged, or when it is included in a file and folder backup.
  Note: You should unmount the virtual disk before the backup.

Image file contents
  System disk/data partition encryption: By default, unencrypted - use Reflect encryption. If this image is restored, the restored partitions will be unencrypted.
  File based virtual disk: The virtual disk file is stored in its encrypted state. There is no need to use Reflect encryption.

Rescue CD
  System disk/data partition encryption: Encrypted partitions will be displayed as unformatted. It is not possible to navigate their contents. They can be imaged only in 'exact copy' mode. The fix boot problems and redeploy functions will not work.
  File based virtual disk: It is not possible to mount virtual disk files with the rescue CD. However, they can be restored from a backup if they become corrupted.

Booting off a restored system partition
  TrueCrypt: If you restore a system partition using the rescue CD, it will be restored unencrypted; TrueCrypt data volumes will be restored encrypted. TrueCrypt volumes will boot: you can bypass the TrueCrypt bootloader authentication by pressing Esc and then selecting the boot partition by number. TrueCrypt data volumes will need to be remounted.
  Other schemes: This is likely to lead to a non-bootable system, as the bootloader is configured for an encrypted partition. You can, however, use the Macrium CD to restore the Windows bootloader, giving you a bootable unencrypted partition.

If you wish to image an encrypted partition that will be bootable on restore, you must take the image using the rescue CD. This can only be done in 'exact copy' mode, so it will be slower than a normal image and will result in a larger file.
 

Products we have tested with Reflect (Reflect V5):

  PGP Whole Disk Encryption: Compatible
  TrueCrypt system disk encryption: Compatible (see note 1)
  Windows BitLocker: Compatible


Notes:
1) VSS only works on the disk containing your system partition. Therefore, if you have multiple disks and use 'system encryption' on a disk not containing your active Windows system partition, VSS snapshotting will fail. This will stop Reflect from creating an image of such disks. File and folder backups will still work. For more details, read this.


How to add TrueCrypt features to the rescue environment

This enables you to mount TrueCrypt-encrypted disks and volumes in the Macrium Rescue Environment. It does not allow you to restore to an encrypted system disk or to encrypt a system disk after a Macrium restore.

First, you will need to download the full Windows AIK or Windows ADK. You can download the PE 3.0 AIK, or the PE 4.0 ADK or PE 5.0 ADK directly from Microsoft. These downloads are over 1GB in size.

Once you have installed the AIK or ADK, you will need to locate the base Windows PE wim.


Windows AIK (PE3.1)
  32 bit: C:\Program Files\Windows AIK\Tools\PETools\x86\winpe.wim
  64 bit: C:\Program Files\Windows AIK\Tools\PETools\amd64\winpe.wim

Windows ADK (PE4.0)
  32 bit: C:\Program Files\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\en-us\winpe.wim
  64 bit: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim

Windows ADK (PE5.0)
  32 bit: C:\Program Files\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\en-us\winpe.wim
  64 bit: C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim

1) Run the TrueCrypt installer, picking the extract option. You can choose the extract location - in the following example, the files are extracted to c:\TrueCrypt.

2) Make a copy of your base wim - this will be your custom wim. Also create the folder C:\boot\Macrium\mount.

3) Mount the rescue environment WIM. From a command window (cmd.exe), type the following, ensuring you use the path to your custom WIM.

    dism /mount-wim /wimfile:"C:\PATH\TO\custom.wim" /index:1 /MountDir:C:\boot\macrium\mount

4) Copy the extracted TrueCrypt files into the mounted image.

    xcopy /i c:\TrueCrypt "C:\boot\macrium\mount\Program Files\TrueCrypt"

5) Unmount the WIM file.

    dism /Unmount-Wim /MountDir:C:\boot\macrium\mount /Commit

6) Start up Reflect, and step through the rescue media creation wizard. When creating the PE Environment, select the "Custom Base WIM" option, and navigate to the path of the new custom wim.

If you have already created the rescue environment, you will have to click the "Rebuild" button on the final page of the wizard in order to bring up the relevant wizard page and select the custom wim.

7) Step through the wizard.

You can now boot into the rescue environment, either using the rescue media or Boot Menu option. To start TrueCrypt, from the PE command window (icon on left of Rescue toolbar), type

    "x:\program files\truecrypt\truecrypt.exe"

Select a file, or, if disk/partition encryption is used, select a device. Enter your password (you may need to select "Mount partition using system encryption without pre-boot authentication"). Click Mount. The encrypted volume will appear as a new drive letter. Use PE Explorer to browse and copy files as required.


How to add Bitlocker features to the rescue environment

This enables you to mount BitLocker-encrypted disks in the Macrium rescue environment. It does not allow you to restore to an encrypted system disk or to encrypt a system disk after a Macrium restore.

First, you will need to download the full Windows AIK or Windows ADK. You can download the PE 3.0 AIK, or the PE 4.0 ADK or PE 5.0 ADK directly from Microsoft. These downloads are over 1GB in size.

Once you have installed the AIK or ADK, you will need to locate the base Windows PE wim, and the cab file containing the WMI providers.


Windows AIK (PE3.0)
  Wim, 32 bit: C:\Program Files\Windows AIK\Tools\PETools\x86\winpe.wim
  Wim, 64 bit: C:\Program Files\Windows AIK\Tools\PETools\amd64\winpe.wim
  Cab, 32 bit: C:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs\WinPE-WMI.cab
  Cab, 64 bit: C:\Program Files\Windows AIK\Tools\PETools\amd64\WinPE_FPs\WinPE-WMI.cab

Windows ADK (PE4.0)
  Wim, 32 bit: C:\Program Files\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\en-us\winpe.wim
  Wim, 64 bit: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim
  Cab, 32 bit: C:\Program Files\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs\WinPE-WMI.cab
  Cab, 64 bit: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-WMI.cab

Windows ADK (PE5.0)
  Wim, 32 bit: C:\Program Files\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\en-us\winpe.wim
  Wim, 64 bit: C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim
  Cab, 32 bit: C:\Program Files\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs\WinPE-WMI.cab
  Cab, 64 bit: C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-WMI.cab

If you are using PE 4.0 or 5.0, you will also need the cab files containing the Enhanced Storage functionality and WMI Storage management components:

Windows ADK (PE4.0)
  EnhancedStorage, 32 bit: C:\Program Files\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs\WinPE-EnhancedStorage.cab
  EnhancedStorage, 64 bit: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-EnhancedStorage.cab
  StorageWMI, 32 bit: C:\Program Files\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs\WinPE-StorageWMI.cab
  StorageWMI, 64 bit: C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-StorageWMI.cab

Windows ADK (PE5.0)
  EnhancedStorage, 32 bit: C:\Program Files\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs\WinPE-EnhancedStorage.cab
  EnhancedStorage, 64 bit: C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-EnhancedStorage.cab
  StorageWMI, 32 bit: C:\Program Files\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs\WinPE-StorageWMI.cab
  StorageWMI, 64 bit: C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\WinPE-StorageWMI.cab

When running the following commands, you will need to insert the paths relevant for your system.


1) Make a copy of your base wim - this will be your custom wim. Also create the folder C:\boot\Macrium\mount.

2) Mount your wim - this will take a couple of minutes. From a command window (cmd.exe), type the following, ensuring you use the path to your custom WIM.

    dism /mount-wim /wimfile:"C:\PATH\TO\custom.wim" /index:1 /MountDir:C:\boot\macrium\mount

3) Add the WMI package to your wim.

    dism /image:C:\boot\macrium\mount /add-package /packagepath:"c:\PATH\TO\WinPE-WMI.cab"

4) If you are using PE 4.0 or 5.0, add the EnhancedStorage and StorageWMI packages in the same way.

5) Unmount your wim; this will take a couple of minutes.

    dism /Unmount-Wim /MountDir:C:\boot\macrium\mount /Commit
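The dism steps of both procedures on this page (TrueCrypt: copy the base WIM, mount it, copy the extracted files, unmount; BitLocker: copy, mount, add the WMI, EnhancedStorage and StorageWMI cabs, unmount) as one PowerShell script. This is an added example, not a Macrium script; the parameter names, the Invoke-Dism helper and the default paths are assumptions, and it adds one thing the manual steps lack: if any step fails, the mount is discarded rather than committed, so the custom WIM is never left half-modified.

```powershell
# Added example: automates steps 1-5 of the TrueCrypt and BitLocker procedures.
# Run from an elevated PowerShell prompt. All paths are placeholders to adjust.
param(
    [Parameter(Mandatory)] [string]   $BaseWim,      # winpe.wim from the tables above
    [Parameter(Mandatory)] [string]   $CustomWim,    # copy that becomes your custom WIM
    [string]   $MountDir     = 'C:\boot\Macrium\mount',
    [string[]] $Packages     = @(),                  # e.g. WinPE-WMI.cab, WinPE-EnhancedStorage.cab, WinPE-StorageWMI.cab
    [string]   $TrueCryptDir = ''                    # extracted TrueCrypt folder (e.g. C:\TrueCrypt); '' to skip
)
$ErrorActionPreference = 'Stop'

# Wrapper that turns a non-zero dism.exe exit code into a terminating error.
function Invoke-Dism([string[]] $Arguments) {
    & dism.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "dism.exe $($Arguments -join ' ') failed (exit code $LASTEXITCODE)" }
}

# Step 1: working copy of the base WIM plus the mount directory.
Copy-Item -LiteralPath $BaseWim -Destination $CustomWim
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

# Step 2: mount image index 1 of the custom WIM (takes a couple of minutes).
Invoke-Dism @('/Mount-Wim', "/WimFile:$CustomWim", '/Index:1', "/MountDir:$MountDir")
try {
    # Steps 3-4 (BitLocker): add each optional-component cab to the mounted image.
    foreach ($cab in $Packages) {
        if (-not (Test-Path -LiteralPath $cab)) { throw "package not found: $cab" }
        Invoke-Dism @("/Image:$MountDir", '/Add-Package', "/PackagePath:$cab")
    }
    # Step 4 (TrueCrypt): same effect as the xcopy /i command in the TrueCrypt procedure.
    if ($TrueCryptDir) {
        Copy-Item -LiteralPath $TrueCryptDir -Destination (Join-Path $MountDir 'Program Files\TrueCrypt') -Recurse
    }
    # Step 5: unmount and commit the changes into the custom WIM.
    Invoke-Dism @('/Unmount-Wim', "/MountDir:$MountDir", '/Commit')
}
catch {
    # Any failure: discard the mount so the custom WIM is left identical to the base copy.
    Write-Warning "Customisation failed, discarding the mounted image: $_"
    Invoke-Dism @('/Unmount-Wim', "/MountDir:$MountDir", '/Discard')
    throw
}
```

The resulting custom WIM is then selected in the "Custom Base WIM" step of the rescue media wizard exactly as described in step 6 below.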

6) Start up Reflect, and step through the rescue media creation wizard. When creating the PE Environment, select the "Custom Base WIM" option, and navigate to the path of the new custom wim.

If you have already created the rescue environment, you will have to click the "Rebuild" button on the final page of the wizard in order to bring up the relevant wizard page and select the custom wim.

7) Step through the wizard.

You can now boot into the rescue environment, either using the rescue media or the Boot Menu option. To unlock a BitLocker volume, type the following, where the .bek file is the external recovery key saved when BitLocker was enabled (if you only have the 48-digit recovery password, use -recoverypassword instead):

    manage-bde -unlock e: -recoverykey "C:\PATH\TO\recovery.bek"

Once unlocked, the partition appears in Reflect as a standard volume and can be imaged and browsed as such. If an image is restored, the volume becomes a standard (unencrypted) volume. It can be re-encrypted when you boot back into Windows.


Further information about the manage-bde command can be found at the following link. Be aware that not all of the options work in the PE environment.

http://technet.microsoft.com/en-us/library/ff829849%28v=ws.10%29.aspx


Bitlocker and TPM

Bitlocker uses the Trusted Platform Module to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.  On computers without a compatible TPM, BitLocker can provide encryption, but not the added security of locking keys with the TPM. In this case, the user is required to create a startup key that is stored on a USB flash drive.

If the TPM is used, then making any of the following changes to your system can prevent the protected disk or volumes from being decrypted:

  • Moving the BitLocker-protected drive into a new computer.

  • Installing a new motherboard with a new TPM.

  • Turning off, disabling, or clearing the TPM.

  • Changing any boot configuration settings.

  • Changing the BIOS, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.

Because Reflect images your disk in the clear (using Reflect's own AES encryption for the image file is advised), a Reflect image backup may be the only way of recovering your data.
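A pre-flight check a practitioner would run before making any of the changes listed above, or before restoring an image over a BitLocker volume: report, for each volume, whether it is TPM-bound (and so subject to those lockout cases) and whether a recovery protector exists that can unlock it outside the TPM. This is an added example, not part of the Macrium article; it uses the built-in BitLocker PowerShell module (Windows 8 / Server 2012 and later) from an elevated session, and the function name and report columns are assumptions.

```powershell
# Added example (not from the Macrium article): BitLocker recovery-readiness report.
function Get-BitLockerRecoveryReadiness {
    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
        # RecoveryPassword (48-digit numerical password) and ExternalKey (.bek file).
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $tpmBound    = [bool]($types | Where-Object { $_ -like 'Tpm*' })
        $hasRecovery = ($types -contains 'RecoveryPassword') -or ($types -contains 'ExternalKey')
        [pscustomobject]@{
            MountPoint   = $vol.MountPoint
            Protection   = $vol.ProtectionStatus   # On / Off (Off also covers a suspended volume)
            VolumeStatus = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, ...
            TpmBound     = $tpmBound               # subject to the TPM lockout cases listed above
            HasRecovery  = $hasRecovery            # can be unlocked with manage-bde -unlock
            # A TPM-bound volume with no recovery protector can only be recovered from a
            # Reflect image once the TPM measurements change.
            AtRisk       = ($tpmBound -and -not $hasRecovery)
        }
    }
}

$report = Get-BitLockerRecoveryReadiness
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.AtRisk }) {
    Write-Warning 'Add and escrow a recovery password (manage-bde -protectors -add <drive> -RecoveryPassword) before changing boot components.'
    exit 1
}
```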

For more details, please read BitLocker Drive Encryption: Frequently Asked Questions.

Last Modified: 27 Nov 2014

Last Modified By: Andrew
