Axcient Knowledge

●  Status of Axcient Services
Submit a Ticket View My Cases

    Axcient Knowledgebase  /  Axcient x360Recover  /  Essential User Guide - x360Recover  /  2. Configure x360Recover  /  Protecting systems with encryption - x360Recover

    Protecting systems with encryption - x360Recover

    Super Administrator

    Written By Tami Sutcliffe (Super Administrator)

    Updated at July 22nd, 2024

    Overview

    Many protected systems have some type of encryption enabled to enhance the security of their data. This article will discuss how x360Recover interacts with various encryption cases.

    Windows Bitlocker and other full disk encryption services

    NOTE: x360Recover fully supports backup and recovery of Windows systems using Bitlocker and other full disk encryption services so long as the volumes are unlocked during the backup process. We recommend that you enable automatic unlocking of Bitlocker encrypted volumes to ensure they are available for backup.

    Bitlocker (and other full disk type encryption platforms) perform encryption at a very low level, (beneath the operating system disk storage layer.) Such disks appear to be unformatted drives with random data - until they are ‘unlocked’ by the encryption service. 

    Microsoft Windows volumes are first unlocked (decrypted) by Bitlocker before being presented to the operating system and mounted by the filesystem drivers (like NTFS.) Microsoft’s backup infrastructure and Volume Shadowcopy Services (VSS) interact with the volume above the encryption layer.

    What this means for the backup agent is that Bitlocker-encrypted volumes are only mountable and accessible for backup in an unlocked, (decrypted) state. Volumes protected by Bitlocker must be unlocked for backups to be performed. Otherwise, the volume will be inaccessible and skipped for backup, triggering either a backup failure or a missing volume alert.

    Bitlocker key points to consider

    • Bitlocker-protected volumes are always protected in an unencrypted state on the backup server
    • Bitlocker protected volumes must be unlocked to be available for backup

    Recommended: Enable Auto Unlock for all Bitlocker protected volumes

    • When recovering a protected system, disks will be restored without encryption enabled

    Recommended: Re-enable Bitlocker for volumes after completing a restore

    • x360Recover cannot recover lost Bitlocker keys or passphrases
    • File and Folder recovery of Bitlocker encrypted volumes will return unencrypted files and folders


    Linux full disk encryption

    Similar to Windows Bitlocker, Linux LUKS disk encryption is applied underneath the block storage device layer. Encrypted disks are ‘unlocked’ and mounted as unencrypted volumes during runtime. The x360Recover Agent for Linux can read and backup only the unlocked virtual block devices. Unlike Windows, there is no easy or convenient way to re-encrypt a Linux system after it has been recovered from backup.

    Linux key points to consider

        Linux LUKS protected volumes are always protected in an unencrypted state on the backup server

        When recovering a protected system, disks will be restored without encryption enabled

        x360Recover cannot recover disk encryption settings on Linux systems

        File and Folder recovery of Linux LUKS encrypted volumes will return unencrypted files and folders



    Microsoft Encrypted Filesystem (EFS)

    Unlike disk-level encryption mechanism, the Microsoft Encrypting Filesystem feature provides encryption at the file level within the mounted volume. File data is stored on disk in an encrypted format inside the underlying block device. In this case the agent does backup each encrypted file in an encrypted state, and such files will be unreadable outside of the protected system they belong to.

    Microsoft Encrypted Filesystem (EFS) key points to consider

        Each individual file is encrypted separately and stored as normal block data within the filesystem

        The agent will backup the underlying filesystem blocks, including each encrypted file in its encrypted state

        Encryption and decryption are handled by the Application API layer within Windows, which sits above the underlying block management and Volume Shadowcopy Services layers

        If the EFS encryption is configured locally on the protected system (and not as part of an Active Directory domain with central encryption key management enabled) then ONLY the original protected system will be able to read and decrypt the files

        If the EFS encryption is configured as part of an Active Directory domain with central encryption key management enabled, then EITHER the original protected system OR another protected system within the Active Directory domain with Administrator user permissions will be able to read and decrypt the files

        Encrypted files will be downloaded in encrypted form when recovering from backup and must be saved and opened on a machine with the correct EFS keys and permissions to decrypt the files

        x360Recover backs up EFS keys and permissions only in the form of a full system backup (i.e. you must fully restore an entire system or virtually restore the protected system to have access to files and folders encrypted by Microsoft EFS.




    SUPPORT | 720-204-4500 | 800-352-0248


    1813

    Related Articles

    Best practices for removing a Windows profile with a Desktop Client installed - x360Sync

    Best Practices We recommend first unregistering and then uninstalling the desktop...

    How to audit license use

    Overview [A detailed overview of x360Recover's billing models is available at  x3...