We are experimenting with BitLocker, and we are wondering how users of BitLocker with MSP360 do things. Particularly, we are wondering whether you all tend to leave the "Keep BitLocker" setting enabled or not. As I understand it, enabling the setting backs up the drive encrypted (in addition to MSP360's encryption), but limits the restore capabilities by keeping you from doing file restores.
So, who enables or disables the "Keep BitLocker" option, and why?
You should not use the Keep BitLocker option on system volumes if you're backing them up using image backup. VSS cannot be used with BitLocker and that can lead to system volume corruption.
If you back up a non-system volume using the Keep BitLocker option, then you end up backing up the entire volume - including unused space. That can greatly extend backup time and increase storage requirements (imagine a 4 TB volume with 200 GB of used space and 3.8 TB of unused space). That also means you cannot exclude folders for backup on the volume using that option as everything needs to be backed up
As you've noted, you cannot perform file-level restores from volumes using the Keep BitLocker option
You can (and should) use our AES-256 encryption during backup to protect the backups.
Unless you have a specific need to keep the BitLocker encryption, I would not keep it for backup.
Just thought I'd add to this as I have a ticket open at the moment for a related issue.
Even though there is mention above and here: https://forum.msp360.com/discussion/360/windows-image-based-backup-keep-bitlocker about not being able to do "File Restores" I have a different experience of file restores on "Keep Bitlocker" backups of Bitlocked system drives. I have tested a "file restore" from an Image Backup (block level) and successfully restored a .png file (from my c:\temp folder) from my block level image backup created of a Bitlocked Encrypted system drive (C:) using the "Keep Bitlocker" option. Also I had AES256 turned on. It seems some clarification is needed here.
Yes it will not let you exclude any files/folders if "Keep Bitlocker" is enabled so it will back up things like c:\pagefile.sys, C:\swapfile.sys & c:\hiberfile.sys which can added up to 10+GB of space required for full image backups. This also makes block level backups much bigger.
In this thread (https://forum.msp360.com/discussion/comment/5170) it mentions pagefile.sys and Recycle bin being excluded automatically from the backups but this is not the case if "Keep Bitlocker" is enabled - hence larger backup storage being required. I'm not sure if any of the above files are even excluded even if "Keep Bitlocker" is disabled - maybe someone else can let me know.
When I went to do the restore it asked for my AES256 encryption key (success) and then for my Bitlocker (BL) key for which I gave my BL recovery key (success).
I can imagine corruption (confusion) may occur if the source drive bitlocker key changes between backups. I've not had any problems with restores when using "Keep Bitlocker" as long as you have your BL recovery keys!
I agree with not having "Keep Bitlocker" enabled unless you have a specific reason - the only reason I can think of is if you have tonnes of storage/fast network/fast internet!
The best I can see at the moment is to have "Keep Bitlocker" disabled and to exclude c:\pagefile.sys, C:\swapfile.sys & c:\hiberfile.sys to keep backup storage requirements to a minimum for image backups.
Further testing reveals that if "Keep Bitlocker" is disabled for a system volume for an image based backup then the files c:\pagefile.sys, C:\swapfile.sys & c:\hiberfile.sys do indeed get excluded automatically for an image based backup which is good news for keeping your storage requirements as low as possible. It seems though that the option "Keep Bitlocker" is enabled by default so you have to remember to disable it when you create or deploy a backup job.