
Setup & Clone a Bitlocker Encrypted Disk – Win 10

This article outlines the steps I took, and problems I encountered, enabling Bitlocker on my Windows 10 PC. I also outline how I back up the encrypted disk by cloning it.

For all businesses today, there is an ever-increasing list of reasons to consider data security, not least the new EU GDPR regulation. For private citizens, personal privacy and financial loss through someone accessing and misusing your banking or credit card data etc. are just a couple of points worth considering.

Given that a lot of data breaches/losses are caused through people losing (or leaving somewhere) laptops or drives containing sensitive company/client data, a sensible course of action (assuming you actually need the data on your device) is to protect your data with encryption.

It is important to be aware that encryption will not protect you against viruses and malware etc. Additionally, it will only stop people reading the contents of your hard drive if the machine was powered off when they obtained it. If you are logged into an encrypted machine, data can be read/copied/amended/deleted as normal.

My system is a modern Intel based Laptop with a TPM and SSD drive. I recently upgraded my Windows 7 Ultimate to Windows 10 Pro. Windows 10 Pro includes the Bitlocker feature. There are alternative methods to encrypt your hard drive, however, as Bitlocker is an integral part of my OS, I wanted to make use of it.

My first attempt to enable Bitlocker encryption was halted by the fact I upgraded from Windows 7, and the disk format utilised MBR. To use Bitlocker you require GPT. Normally this would involve a complete re-installation of the operating system, however, recent versions of Windows 10 support a feature that allows you to change the existing MBR record to GPT.

First challenge resolved. I re-set the TPM module and enabled the security options in the BIOS including disabling legacy mode. When all was ready, I enabled Bitlocker, printed the key off for future reference and let the drive encrypt itself. Very straightforward.

Because I have my drive partitioned, my data is on my D:\ partition. The second step was to encrypt this partition. I went back into the Bitlocker control panel, selected the drive, set it to auto unlock when I logged into Windows, and let it do its stuff. I also printed off the encryption keys for this volume.

After completing the encryption process I found myself considering – how safe is it to rely on the TPM module to manage my encryption keys? A little research on Google confirmed my suspicions, TPM on its own is not a good idea. There is a technique called a ‘Cold Boot Attack’ that can be used to compromise the keys and enable your data to be read. What you need is two factor (or three factor) authentication. I decided two factor authentication using a pin code was best for my situation and set about enabling this option.

Now when my machine boots, I need to enter a pin code. If entered correctly, I am taken to the normal Windows login prompt. In terms of performance there is little or no difference with encryption enabled.

My next consideration was how to back my system up. I had previously used a disk cloning software called Acronis. Very useful to back a machine up before testing new software or configuration changes. Unfortunately, Acronis does not support cloning of Bitlocker encrypted drives via their boot media. The ‘general’ advice is to decrypt, back up, then re-encrypt. This is not practical as it simply takes too long.

The solution I found was to utilise an open source software called Clonezilla. This is an incredibly powerful disk cloning software, and most importantly, it allowed me to back up – and restore my Bitlocker encrypted volumes without decrypting first.

I burnt the Clonezilla ISO to a USB stick and then set about backing up the encrypted volumes.

The user interface in Clonezilla is very retro. If you have only ever used a Windows type GUI, you may be a little shocked at its presentation. WARNING – you need to take time to read all the text and warnings displayed on the screen, especially when restoring data.

I followed the general guidance available and suspended Bitlocker encryption on the C:\ drive. I then re-booted the machine via my Clonezilla USB key. It should have worked with the BIOS set as UEFI, however, it did not so I switched the BIOS to Legacy mode and re-booted. Everything functioned correctly.

After backing up the C:\ drive and two additional volumes, I was almost ready to test restoring the encrypted data from my Clonezilla back-up.

Before I did, I wanted a complete working back-up in case things went wrong. I decrypted my hard disk and backed it up with Acronis. OK, now I was ready to test restoring the encrypted data from my Clonezilla back-up.

Initially I selected all three volumes to restore, but this did not work. I then tried restoring each volume in turn. This added a few extra minutes to the process, however, it worked without error.

I reset the BIOS to UEFI mode and re-booted my PC into Windows 10. It did not work. I needed my encryption key due to a hardware change. Possibly the BIOS reset. Anyway, I had that to hand and carefully entered the very long number. That was accepted and I was taken to the Windows login. Entered my password and everything was restored as an encrypted volume.

I then re-booted and was prompted for my PIN code. Entered that and was taken to the main login screen. Entered my password and everything was functional. Now I needed to re-encrypt my D:\ drive. I had not restored this volume and it was still decrypted from my Acronis back-up.

I went into the Bitlocker control panel, selected the D drive and selected encrypt. This started throwing errors about conditions not being met. The Group Policy for Bitlocker’s “Require additional authentication at startup” now appeared to have every option selected. If you have more than one option selected it throws errors. I corrected this (as shown in the screenshot right), saved my changes and Bitlocker encryption started to work for my D:\ drive. I do not know why all options were selected.
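A way to check for the policy conflict described above before starting encryption, as an added example that is not part of the original article. The function name `Test-FveStartupPolicy` is hypothetical, the two sample policies are constructed ("every option selected" is modelled here as every option set to Require), and the rule that a single required option should leave the others on "Do not allow" is an assumption of this example.

```powershell
# Added example. Registry values behind the policy, under
# HKLM:\SOFTWARE\Policies\Microsoft\FVE: 0 = Do not allow, 1 = Require, 2 = Allow.
$StartupOptions = 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'

function Test-FveStartupPolicy {
    param([Parameter(Mandatory)][hashtable]$Policy)

    $required = @($StartupOptions | Where-Object { $Policy[$_] -eq 1 })
    $allowed  = @($StartupOptions | Where-Object { $Policy[$_] -eq 2 })
    $problems = @()

    if ($Policy['UseAdvancedStartup'] -ne 1) {
        $problems += 'Policy is not enabled, so the startup options are not enforced.'
    }
    if ($required.Count -gt 1) {
        $problems += "More than one option set to Require: $($required -join ', ')"
    } elseif ($required.Count -eq 1 -and $allowed.Count -gt 0) {
        # Stricter check (assumption of this example): with one option required,
        # the remaining ones are expected to be "Do not allow".
        $problems += "$($required[0]) is required but these are still allowed: $($allowed -join ', ')"
    }
    [pscustomobject]@{ Required = $required; Problems = $problems; Ok = ($problems.Count -eq 0) }
}

# Constructed samples: every option on "Require", and TPM + PIN only.
$allSelected = @{ UseAdvancedStartup = 1; UseTPM = 1; UseTPMPIN = 1; UseTPMKey = 1; UseTPMKeyPIN = 1 }
$pinOnly     = @{ UseAdvancedStartup = 1; UseTPM = 0; UseTPMPIN = 1; UseTPMKey = 0; UseTPMKeyPIN = 0 }

Test-FveStartupPolicy $allSelected | Format-List   # Ok : False
Test-FveStartupPolicy $pinOnly     | Format-List   # Ok : True

# On a real machine (elevated prompt), build the hashtable from the registry:
# $live = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
# $h = @{}; ($StartupOptions + 'UseAdvancedStartup') | ForEach-Object { $h[$_] = $live.$_ }
# Test-FveStartupPolicy $h
```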

Next, I backed up the whole drive (all volumes). The only configurational change I made was to suspend Bitlocker. I made no changes to the BIOS which was set as UEFI. When the back-up was completed, I deleted a few test files from my desktop, and then restored the whole drive from this latest backup of my Bitlocker encrypted drive. The restore worked fine and the machine re-booted (without requesting a PIN), and allowed me to log in to Windows as normal. The drive was encrypted, deleted data restored, everything appeared in order. I rebooted and was asked for the PIN, then password as normal. Suspending the Bitlocker encryption before back-up allows you (by default) one re-boot without requiring the second factor authentication – in my case a PIN.

Now I had established the backup worked without changing BIOS settings, I wanted to try a backup without suspending Bitlocker (or making changes to the BIOS etc.) and ensure the back-up did not bypass the two factor authentication.

I re-booted into Clonezilla and performed a back-up. I made no changes beforehand to Windows 10 or the computer’s BIOS settings etc. When the back-up finished I restarted Windows, deleted a few files from my desktop, and re-booted into Clonezilla. Again, without making any changes to the OS or BIOS. I then restored the volumes and re-booted into Windows. Everything worked correctly. A PIN code was required to start the machine, then my password was requested. When I opened my desktop, the deleted files had been restored and encryption was enabled for all devices.
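A pre-clone check built around the points the tests above turned on: a recovery key was needed after one restore, a TPM-only setup asks for no PIN, and a suspended volume boots without the PIN. This is an added example, not part of the original article; `Test-CloneReadiness` is a hypothetical name and the sample volumes are constructed to mirror the property names that `Get-BitLockerVolume` returns.

```powershell
# Added example: review BitLocker volumes before imaging them with an offline tool.
function Test-CloneReadiness {
    param([Parameter(Mandatory, ValueFromPipeline)]$Volume)
    process {
        # Normalise protector types to strings so real and sample objects compare alike.
        $types = @(foreach ($p in $Volume.KeyProtector) { "$($p.KeyProtectorType)" })
        $notes = @()
        if ($types -notcontains 'RecoveryPassword') {
            $notes += 'No recovery password protector: nothing to type in if the restore asks for a key.'
        }
        if ("$($Volume.VolumeType)" -eq 'OperatingSystem') {
            if ($types -contains 'Tpm' -and $types -notcontains 'TpmPin') {
                $notes += 'TPM-only startup: the machine boots without asking for a PIN.'
            }
            if ("$($Volume.ProtectionStatus)" -eq 'Off') {
                $notes += 'Protection is off (suspended or not encrypted): an image taken now boots without the PIN.'
            }
        }
        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Ready      = ($notes.Count -eq 0)
            Notes      = $notes
        }
    }
}

# Constructed sample volumes (not real output).
$samples = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeType = 'OperatingSystem'; ProtectionStatus = 'On'
        KeyProtector = @(@{ KeyProtectorType = 'TpmPin' }, @{ KeyProtectorType = 'RecoveryPassword' }) }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeType = 'Data'; ProtectionStatus = 'On'
        KeyProtector = @(@{ KeyProtectorType = 'ExternalKey' }, @{ KeyProtectorType = 'RecoveryPassword' }) }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeType = 'OperatingSystem'; ProtectionStatus = 'Off'
        KeyProtector = @(@{ KeyProtectorType = 'Tpm' }) }
)
$samples | Test-CloneReadiness | Format-List   # C: and D: are Ready, E: gets three notes

# On a real machine (elevated prompt):
# Get-BitLockerVolume | Test-CloneReadiness | Format-List
# To suspend for exactly one restart before imaging:
# Suspend-BitLocker -MountPoint 'C:' -RebootCount 1
```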

So what did I achieve:


Further information on any of the specific steps should be available on Google etc., however, if you require assistance, please contact me by telephone or email to arrange a meeting or ask a question.
