BitLocker Best Practice Question
We are experimenting with BitLocker, and we are wondering how users of BitLocker with MSP360 do things. Particularly, we are wondering whether you all tend to leave the "Keep BitLocker" setting enabled or not. As I understand it, enabling the setting backs up the drive encrypted (in addition to MSP360's encryption), but limits the restore capabilities by keeping you from doing file restores.
So, who enables or disables the "Keep BitLocker" option, and why?
Thank you in advance for your input!
A few points.
use the Keep BitLocker option on system volumes if you're backing them up using image backup. VSS cannot be used with BitLocker and that can lead to system volume corruption.
If you back up a non-system volume using the Keep BitLocker option, then you end up backing up the entire volume - including unused space. That can greatly extend backup time and increase storage requirements (imagine a 4 TB volume with 200 GB of used space and 3.8 TB of unused space). That also means you cannot exclude folders for backup on the volume using that option as everything needs to be backed up.
As you've noted, you cannot perform file-level restores from volumes using the Keep BitLocker option
You can (and should) use our AES-256 encryption during backup to protect the backups.
Unless you have a specific need to keep the BitLocker encryption, I would not keep it for backup.
Thank you David, this is very helpful.
Just thought I'd add to this as I have a ticket open at the moment for a related issue.
Even though there is mention above and here:
about not being able to do "File Restores" I have a different experience of file restores on "Keep Bitlocker" backups of Bitlocked system drives. I have tested a "file restore" from an Image Backup (block level) and successfully restored a .png file (from my c:\temp folder) from my block level image backup created of a Bitlocked Encrypted system drive (C:) using the "Keep Bitlocker" option. Also I had AES256 turned on. It seems some clarification is needed here.
Yes, it will not let you exclude any files/folders if "Keep Bitlocker" is enabled, so it will back up things like c:\pagefile.sys, C:\swapfile.sys & c:\hiberfile.sys, which can add up to 10+GB of space required for full image backups. This also makes block level backups much bigger.
In this thread (
) it mentions pagefile.sys and Recycle bin being excluded automatically from the backups but this is not the case if "Keep Bitlocker" is enabled - hence larger backup storage being required. I'm not sure if any of the above files are even excluded even if "Keep Bitlocker" is disabled - maybe someone else can let me know.
When I went to do the restore it asked for my AES256 encryption key (success) and then for my Bitlocker (BL) key for which I gave my BL recovery key (success).
I can imagine corruption (confusion) may occur if the source drive bitlocker key changes between backups. I've not had any problems with restores when using "Keep Bitlocker" as long as you have your BL recovery keys!
I agree with not having "Keep Bitlocker" enabled unless you have a specific reason - the only reason I can think of is if you have tonnes of storage/fast network/fast internet!
The best I can see at the moment is to have "Keep Bitlocker" disabled and to exclude c:\pagefile.sys, C:\swapfile.sys & c:\hiberfile.sys to keep backup storage requirements to a minimum for image backups.
I'm currently using version
Further testing reveals that if "Keep Bitlocker" is disabled for a system volume for an image based backup then the files c:\pagefile.sys, C:\swapfile.sys & c:\hiberfile.sys do indeed get excluded automatically for an image based backup which is good news for keeping your storage requirements as low as possible. It seems though that the option "Keep Bitlocker" is enabled by default so you have to remember to disable it when you create or deploy a backup job.
I'm still using version