Imaging encrypted drives

occsean

I have a client who uses DiskCryptor for full disk encryption who also wants to do full image backups of their workstations to enable a full system recovery in case of disaster like failing hard drive, theft, etc. and not have to spend hours reinstalling all of their business software.

What I am running into is not being able to find a product that will do the full image backup. Before disk encryption we were using Macrium Reflect with great success. Even did a dissimilar hardware recovery after one of their systems failed.

From the research I have done, as well as speaking with reps from both Macrium and Acronis, disk imaging software does not play nicely with full disk encryption, with the lone exception of BitLocker, which both Macrium and Acronis do support.

The client is running Windows 7 Pro (therefore no BitLocker) and is very hesitant to move to Win 10 Pro due to some older software that is likely not compatible with it. I tried the anytime upgrade just for the hell of it and of course there are no upgrades available to Windows 7.

My best case scenario would be to find a legit license for Windows 7 Ultimate and just do an upgrade, but after searching I am convinced that there are no legit COAs to be had. Everything I found is really sketchy.

I know that I could probably do a sector by sector image backup but I am not sure if that would restore correctly in the event disaster recovery is needed.

Anyone have any ideas or ever run into a situation like this?
 
Software that does backups "from within" Windows, such as StorageCraft, normally can do this on pre-boot full disk encryption, as the OS does not know it's an encrypted drive, since the encryption is FDE (full disk encryption, pre-boot).

I have not worked with DiskCryptor...so I don't know for sure with that software. Performance would suffer with 3rd party software disk encryption...the only one I've not seen hit performance much is BitLocker. I stopped using all other 3rd party software disk encryption packages due to the high failure rates they caused on hard drives (from the severe extra wear and tear).

With hardware disk encryption it's no problem, as the encryption is done on a coprocessor daughter card on the hard drive, underneath the OS, so the OS isn't aware of it.
 
I don't understand your logic on why a sector-by-sector copy would not restore well. If anything, it has the best chance of restoring perfectly, as it is the only truly perfect copy of the drive.
 
If you need to verify the integrity/ability to restore - grab another drive and try a restore and see if it does. Big corps and businesses fall prey to this problem all the time... they do the backups but never test a restore... when that fateful day comes they find out that the restore fails.

I know it's not as relevant in your situation but an offline copy of the drive with ddrescue or dd will work just fine for copying encrypted drives.
 
Most backup programs running from WITHIN the Windows environment should run just fine and make an unencrypted backup of the system. It's no different than copying a file to a flash drive. It will not be encrypted either. A copy program outside of the Windows environment will only see a RAW partition and you'll need to perform a sector by sector copy to properly image the drive. That result will be as encrypted as the source is.
 
Great question! I'm in the same boat with a client. Her drive is encrypted using Norton PGP. Tried Veeam Endpoint Free and it didn't work. I then installed the new Veeam Agent for Windows. Haven't had a chance to follow up yet to see how it's working.
 
DiskCryptor? https://diskcryptor.net/wiki/Main_Page I used this on my daily driver Windows box as a TrueCrypt alternative. I was using ToDo to make images from inside Windows, and as others have said, the online imaging works just fine.

What I suspect you're running into is that some disk utilities squawk about the file system being corrupt when using full disk encryption. I don't have a low level technical explanation of why, but we can chalk it up to the fact that encryption software inserts a driver to communicate with the encrypted physical layer, and drive imagers don't know how to talk with the driver.

One "solution" could be ODIN: http://odin-win.sourceforge.net/ The software never seemed really stable to me, but I was using it on older hardware at the time. This is the closest thing to DD as you're going to get in Windows.

Otherwise, is this a domain network? An alternate fix is to architect a new network structure and implement roaming profiles, redirected folders, or a terminal server. Laptops would still pose an issue (and I suspect they represent a bulk of the systems?), but if the data can be centralized, the task becomes a bit more manageable.
 
What I suspect you're running into is that some disk utilities squawk about the file system being corrupt when using full disk encryption. I don't have a low level technical explanation of why, but we can chalk it up to the fact that encryption software inserts a driver to communicate with the encrypted physical layer, and drive imagers don't know how to talk with the driver.

Exactly this...Error I get with Macrium is corruption and to perform a chkdsk /f. Obviously, that does not fix the issue.

I was fortunate enough to have a member here PM me and offer a Win 7 Ultimate OEM COA that was valid in exchange for a donation to Technibble (which I thought was a fabulous idea). I used the Windows Anytime Upgrade to install the COA and will be upgrading the machine tomorrow, decrypting with DiskCryptor and re-encrypting with BitLocker probably tomorrow or whenever the customer will let me. Once that is done I'll test Macrium and see what's what.

Not a domain network. 4 person network, all desktops, and no server, just a 12TB RAID 5 NAS used for file sharing and image backups. We are only backing up 2 of the desktops as the other two would be no issue to rebuild and don't have any unique user data saved to them.

I'll go check out Odin and read up on it as an alternative...Thanks for the feedback
 
I don't understand your logic on why a sector-by-sector copy would not restore well. If anything, it has the best chance of restoring perfectly, as it is the only truly perfect copy of the drive.

I've just never restored from a sector by sector backup in a production environment. Therein lies my hesitation. Thanks for the clarification. Think I was confused by the concept of the "empty" disk space and what becomes of it, but it makes sense now.
 
I've just never restored from a sector by sector backup in a production environment. Therein lies my hesitation. Thanks for the clarification. Think I was confused by the concept of the "empty" disk space and what becomes of it, but it makes sense now.
It is pretty simple...do another sector-by-sector copy from the backup to the new replacement drive.
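
The image-then-test-restore routine discussed in this thread, as an added example that is not part of any poster's message: a raw copy is taken, written back to a larger "replacement", and both steps are checked by SHA-256. The function names and file names are hypothetical, and constructed files stand in for the encrypted disk and the replacement drive.

```shell
#!/bin/sh
# Added example: constructed files stand in for real block devices.
set -eu

digest() { sha256sum | cut -d' ' -f1; }

# Raw-copy SRC ($1) to IMG ($2) and confirm both hash the same.
image_and_verify() {
    dd if="$1" of="$2" bs=1M status=none
    [ "$(digest < "$1")" = "$(digest < "$2")" ]
}

# Write IMG ($1) onto DST ($2), which may be larger than the image, then
# compare only the first size-of-IMG bytes of DST against the image.
restore_and_verify() {
    img_size=$(($(wc -c < "$1")))
    dst_size=$(($(wc -c < "$2")))   # real block device: blockdev --getsize64
    if [ "$dst_size" -lt "$img_size" ]; then
        echo "target smaller than image, refusing to restore" >&2
        return 2
    fi
    # notrunc keeps a file-backed target at its full size; fsync flushes
    # the data before the readback check.
    dd if="$1" of="$2" bs=1M conv=notrunc,fsync status=none
    [ "$(digest < "$1")" = "$(head -c "$img_size" "$2" | digest)" ]
}

run_demo() {
    work=$(mktemp -d)
    # Constructed sample: random bytes, which is how an encrypted volume
    # (free space included) looks to an imager running outside Windows.
    head -c 3145728 /dev/urandom > "$work/source.bin"
    dd if=/dev/zero of="$work/replacement.bin" bs=1M count=4 status=none
    rc=0
    image_and_verify "$work/source.bin" "$work/backup.img" &&
        restore_and_verify "$work/backup.img" "$work/replacement.bin" || rc=$?
    rm -rf "$work"
    return "$rc"
}

run_demo && echo "image and test restore verified"
```

On real hardware the paths would be device nodes, with the copy taken offline from a boot environment so the source is not changing underneath the imager.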
 