Windows 8.1 encryption and imaging

Discussion in 'backup, imaging & disk mgmt' started by HAN, Apr 18, 2014.

Thread Status:
Not open for further replies.
  1. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    Many (most?) new PCs with Windows 8.1 already installed are going to come through with full disk encryption enabled. http://www.howtogeek.com/173592/win...rives-by-default-everything-you-need-to-know/ Whether or not this is best for most of us is not what I have questions about.

    My main choices for imaging are Clonezilla and Image for Linux (cold imaging outside of Windows). But I also occasionally use Image for Windows and Reflect free, which run inside of Windows.

    My question is this: with the exception of Clonezilla, the other 3 offer a means to restore individual files from system/partition images. How will this ability be affected by 8.1's encryption? When the PC is powered down and one uses a cold imaging program, the PC will be encrypted. So I assume Image for Linux will lose the ability to restore individual files. But what of the other 2? If the 8.1 encryption is "on the fly", I am not sure how this will work.

    So, I am asking for thoughts. TIA
     
  2. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,278
    AFAIK, no major imaging program fully supports encryption yet. Possibly, some method to temporarily disable encryption will be used to back up and restore outside of Windows.

    Also, I suppose that it will be possible to disable the 8.1 default encryption. Some people won't trust MS encryption and will prefer to use TrueCrypt or to disable encryption permanently.
     
  3. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    HAN,
    No need to worry (for now). We covered this topic before: you need to have a TPM module on your computer in order for this automatic encryption to work. AFAIK, very few computers come with a TPM built-in. So there is no BitLocker encryption on most computers.
     
  4. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    @HAN
    In addition to the TPM point, you may also be interested to know you can actually work with a TrueCrypt-encrypted volume using a bootable version of Image for Linux.

    That was actually part of what led to my question in this thread:

    TrueCrypt: encrypting a Windows partition?

    Check out the link to the Terabyte Unlimited article there.
     
  5. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,278
    One method to back up an encrypted partition is to unlock it from a boot medium. IFL includes TrueCrypt, so it's possible to unlock from it a partition encrypted with TC. Some Paragon programs can unlock a BitLocker-encrypted partition using some line commands from a WinPE boot medium. I haven't looked at this in detail, don't know if it can be done using other programs or if it's a Paragon "feature".
     
  6. crawfish

    crawfish Registered Member

    Joined:
    Jul 2, 2014
    Posts:
    24
    As a former TrueCrypt user, here's what I've found over the last few weeks concerning BitLocker and Image for Windows for a Windows 8.1 x64 system without a TPM, using a UEFI BIOS configured for the legacy mode.

    1. System images made while Windows is running are saved unencrypted. There is no way to encrypt on the fly while restoring, so the image is restored unencrypted. The restored system boots and re-encrypts fine, but auto-unlock is turned off for internal data drives previously configured for that. While they unlock just fine, attempting to turn auto-unlock back on returns an error. Do not despair, because nothing is wrong with the data drives, and the problem can easily be fixed, and auto-unlock restored, by following the simple procedure presented here:

    http://www.mcbsys.com/techblog/2010/08/re-enable-bitlocker-auto-unlock-after-system-volume-restore/

    If rebooting doesn't work, power down the machine. I've verified this works with several image and restore operations on a couple of machines, all non-UEFI and lacking a TPM.

    2. Non-system volumes can be imaged unencrypted and encrypted on the fly when restored, so you won't need to re-encrypt after the restore as you do with system images. So far, this is much like TrueCrypt, except for the stupid auto-unlock issue.

    3. The manage-bde program is available in the tbwinre environment and can be used to unlock encrypted volumes. However, I was unable to use manage-bde in tbwinre to unlock the system drive and image it unencrypted, the idea being to image it unencrypted outside a live Windows system like I had been doing with Image for Linux and TrueCrypt. IFW in WinRE apparently does not see the system partition as unencrypted, even though I can list its files from the command line. This means doing system images inside a running Windows system to take advantage of compression and pagefile/hibernation file omission, but VSS has been working all right for me, and I'm mostly over my fear of it.

    4. The drive letters are kind of wacky in WinRE. For example, the "System Reserved" is C:, and my real system partition is H:, while in the booted system, "System Reserved" has no drive letter, and the system partition is C:. This has no effect on restoring system images, and it's got nothing to do with BitLocker, but I found it notable.

    So, imaging is still very much viable when using BitLocker, though I have no idea if UEFI and a TPM have any effect on what I've described. BitLocker has a number of advantages over TrueCrypt, including (1) VSS and TRIM working on all volumes, not just those in the scope of system encryption, i.e. those that are on the same drive as the system partition, (2) not having to hide drive letters for RAW volumes to avoid "Do you want to format" and thus losing drive letters and labels in the "Safely Remove" menu, which is nice when you have a dual dock with independent power buttons, and (3) being able to encrypt just the used area of a system drive and not having to create a Recovery CD.
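
Added example, not part of the post above or of the linked article: a PowerShell check to run elevated in the restored Windows 8.1 system, reporting each volume's BitLocker state after an unencrypted system image has been restored and retrying auto-unlock on data volumes. The function names are hypothetical and the cmdlets come from the built-in BitLocker module. It assumes the system volume must be protected again before auto-unlock can be enabled, and it does not reproduce the linked fix: if enabling still fails, it only reports the error.

```powershell
#Requires -RunAsAdministrator

# Hypothetical helper: one row per volume, showing what the restore left behind.
function Get-PostRestoreBitLockerReport {
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint   = $_.MountPoint
            VolumeType   = $_.VolumeType         # OperatingSystem or Data
            VolumeStatus = $_.VolumeStatus       # FullyDecrypted right after restoring an unencrypted image
            Protection   = $_.ProtectionStatus   # On / Off
            LockStatus   = $_.LockStatus         # Locked / Unlocked
            AutoUnlock   = $_.AutoUnlockEnabled  # only meaningful for data volumes
        }
    }
}

# Hypothetical helper: retry auto-unlock on unlocked, protected data volumes.
function Restore-DataVolumeAutoUnlock {
    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    if ($os.ProtectionStatus -ne 'On') {
        # Assumption: auto-unlock keys are tied to a protected system volume,
        # so wait until re-encryption of the restored system has finished.
        Write-Warning "$($os.MountPoint) is $($os.VolumeStatus); re-encrypt it before enabling auto-unlock."
        return
    }

    Get-BitLockerVolume |
        Where-Object {
            $_.VolumeType -eq 'Data' -and
            $_.ProtectionStatus -eq 'On' -and
            $_.LockStatus -eq 'Unlocked' -and
            -not $_.AutoUnlockEnabled
        } |
        ForEach-Object {
            try {
                Enable-BitLockerAutoUnlock -MountPoint $_.MountPoint -ErrorAction Stop | Out-Null
                Write-Output "Auto-unlock enabled on $($_.MountPoint)"
            } catch {
                # The error described in the post surfaces here; nothing is changed on the data volume.
                Write-Warning "Auto-unlock failed on $($_.MountPoint): $($_.Exception.Message)"
            }
        }
}

Get-PostRestoreBitLockerReport | Format-Table -AutoSize
Restore-DataVolumeAutoUnlock
```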
     
  7. blainefry

    blainefry Registered Member

    Joined:
    Jan 25, 2014
    Posts:
    165
    ?
    Isn't that kind of exactly what I said? And as I said before I even linked directly to the Terabyte Unlimited Knowledge Base that goes into detail on their imaging programs and TC.
     