
How to Protect Valuable or Personal Data on PC, Hard Drive and Flash Drive


Target Markets

  • Small business (mobile employees),
  • Vertical Industries (insurance companies),
  • Original Equipment Manufacturers (OEMs such as Siemens).

The Purpose of Supporting BitLocker

About BitLocker

Approximately 60% of all computers sold worldwide today are portable. Portable computers are taken everywhere: home, vacations, or business trips. It makes them an easy target for criminals, especially for the private data they contain. Flash drives are also an easy theft target. Even a failed hard drive that you send back to your vendor for warranty is a potential threat to your private intellectual property. How can your personal data be protected? With one word - encryption!

Data encryption has gone mainstream with Windows BitLocker, an optional security feature that enables data protection on volumes with 128/256-bit AES (Advanced Encryption Standard) encryption. It first appeared in Windows Vista Enterprise and Vista Ultimate to protect the contents of hard disks from offline attacks, for example, when a hard disk is stolen and connected to another computer to retrieve the data it contains. To learn more on the subject, please visit.

Important take-away: Windows BitLocker is ideal for protecting personal data from unauthorized access.

Third-party Data Backup and Recovery Tools

If you compare third-party backup and recovery solutions with the Windows native backup/restore utilities, in most cases the third-party software provides much more efficient and flexible backup, data compression, recovery, wider customization options, multi-platform recovery environments, etc.

Important take-away: Third-party backup solutions are much more efficient than the Windows native utilities in protecting OS and personal data from multiple types of loss.

Combining BitLocker and Third-party Backup Software

Windows BitLocker can protect sensitive data from theft, but not data corruption or accidental deletion as a result of a hardware failure, virus attack or human error. However, third-party data backup and recovery solutions support those scenarios and can recover data from volumes encrypted by BitLocker, allowing backup, restore or copying of their contents as well as a number of other partitioning operations. For more information, please consult the Operations Available for BitLocker Encrypted Volumes chapter.

Important take-away: Combining Windows BitLocker and third-party backup capabilities provides exceptional protection of OS and personal data from unauthorized access and data loss.

BitLocker and Paragon’s Backup Protect Against Data Loss and Unauthorized Access

Turning on BitLocker

To encrypt volumes through BitLocker, your computer must meet certain requirements, which vary depending on the type of drive you’re encrypting (a local data volume, a system volume, a flash drive, etc.).

Encrypting system volumes

To encrypt/decrypt drives that accommodate the Windows OS, BitLocker stores its keys on a hardware device:

  • If a computer has a special microchip called a TPM (Trusted Platform Module) version 1.2, BitLocker will store its keys there (default option);
  • If a computer doesn’t have a TPM 1.2 or higher, BitLocker can store its keys on a flash drive. However, this option is not available by default and must be enabled by an administrator.

Please review the following requirements in order to encrypt the operating system drive:

  • Your hard drive should have at least two partitions: a system volume that contains the files required for the computer to start up, and a separate OS volume that contains the Windows OS itself. The system volume will remain unencrypted to allow the computer to boot, while the operating system volume will be encrypted against unauthorized access to data. BitLocker will create the second partition if only one is present in the system to begin with.
  • Both volumes should be formatted with the NTFS file system.
  • The BIOS should either be compatible with the TPM or support booting the computer from USB devices.

We won’t go into detail on how to encrypt system volumes in Windows OS, as you can find in-depth information on the subject in your Windows Help System. For additional information, please use the following resources: resource #1, resource #2.
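The requirements above can be checked before touching BitLocker. The following script is an added example (not from the article or from Paragon) that assumes Windows 8 or later, an elevated PowerShell session, and the built-in Storage module; the Win32_Tpm WMI class and the `firmware_type` environment variable are real Windows features, the function name is ours.

```powershell
# Added example, not from the article or Paragon: pre-flight check of the
# OS-drive requirements listed above (TPM 1.2+, separate system and OS
# partitions, NTFS, firmware type). Assumes Windows 8+ and an elevated session.
function Test-BitLockerOsDriveReadiness {
    $results = [ordered]@{}

    # 1. TPM 1.2 or later. Win32_Tpm.SpecVersion reads like "1.2, 2, 3" or
    #    "2.0, 0, 1.16"; the first comma-separated field is the spec version.
    $tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -and $tpm.SpecVersion) {
        $spec = [version](($tpm.SpecVersion -split ',')[0].Trim())
        $results['TPM 1.2 or later'] = ($spec -ge [version]'1.2')
    } else {
        # No usable TPM: keys can only go to a USB startup key, and only after
        # an administrator enables that policy (second bullet above).
        $results['TPM 1.2 or later'] = $false
    }

    # 2. A separate system (boot-files) partition next to the OS partition.
    #    With a single partition, IsSystem and IsBoot sit on the same object.
    $sys = @(Get-Partition | Where-Object { $_.IsSystem -and -not $_.IsBoot })
    $os  = @(Get-Partition | Where-Object { $_.IsBoot })
    $results['Separate system partition'] = ($sys.Count -gt 0)
    $results['OS partition found']        = ($os.Count -gt 0)

    # 3. NTFS on both volumes. On legacy BIOS/MBR layouts the System Reserved
    #    partition is NTFS; on UEFI the system partition is a FAT32 EFI System
    #    Partition by design, so that check only applies to legacy firmware.
    $fw = $env:firmware_type            # 'Legacy' or 'UEFI' on Windows 8+
    $results['Firmware type'] = $fw
    if ($os.Count -gt 0) {
        $osVol = $os[0] | Get-Volume
        $results['OS volume is NTFS'] = ($osVol.FileSystem -eq 'NTFS')
    }
    if ($fw -eq 'Legacy' -and $sys.Count -gt 0) {
        $sysVol = $sys[0] | Get-Volume
        $results['System volume is NTFS'] = ($sysVol.FileSystem -eq 'NTFS')
    }

    # 4. "BIOS compatible with the TPM or able to boot from USB" cannot be read
    #    from inside Windows; it remains a manual firmware-setup check.
    foreach ($entry in $results.GetEnumerator()) {
        Write-Host ('{0,-28} {1}' -f $entry.Key, $entry.Value)
    }
    $failed = @($results.GetEnumerator() |
                Where-Object { $_.Value -is [bool] -and -not $_.Value })
    return ($failed.Count -eq 0)
}

Test-BitLockerOsDriveReadiness
```

A false result on the TPM line is not fatal on its own: the USB startup key option described above still works once an administrator has enabled it.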

Encrypting data volumes or USB flash drives

Encryption of data volumes (local or external) is much easier and transparent for the user and can be accomplished by using either a password or a smart card with a PIN. For more information on this subject, please consult the Windows Help System or the aforementioned resources.

Unlocking BitLocker Encrypted Volumes

Paragon’s solutions enable users to accomplish a number of operations on volumes encrypted by Windows BitLocker, but only after the volumes are unlocked. Locked volumes will be recognized in the program’s interface as ‘Not formatted’ until they’ve been unlocked. The user can unlock these types of volumes only through Windows-native features:

  • Windows graphical user interface,
  • The manage-bde command line tool, which is available from both Windows and the WinPE recovery media.

Thus the first action required before working with a BitLocker encrypted volume will be to unlock it in either Windows or the WinPE recovery media. Let’s consider both options under Windows 8 and the WinPE 4.1 based recovery environment.

In Windows

  1. Initially we find an encrypted data volume (F:); note that the drive is displayed as a locked volume in Windows Explorer.

In Paragon Hard Disk Manager (HDM), if viewing the hard disk layout through the main launcher of the program (Open Advanced Interface), this particular volume will be detected and identified as ‘Not formatted’, thus no backup, restore, or copy operations will be available for use.

  2. To unlock the volume, right-click on the corresponding volume in Windows Explorer, then select Unlock Volume… or use the corresponding option from the HDM main launcher (Partition > Unlock Volume).

NOTE: There are other ways to unlock a volume encrypted by BitLocker. For more information, please consult documentation provided by Microsoft.

  3. Enter an unlock password.

  4. Once complete, the volume should be identified with an ‘unlocked’ icon, as shown below.

Now, when viewing the hard disk layout through the main launcher of the program (Open Advanced Interface), the volume will be detected and displayed correctly, and is available for all supported operations.

In WinPE

  1. Start up the computer from the WinPE recovery media.

To automatically boot from the recovery media please make sure the on-board BIOS is set up to boot from CD/USB first.

  2. Go to the Security and BitLocker Encryption section, and select List of Volumes.
  3. Identify the volumes encrypted by BitLocker (they will be detected as ‘Unknown’). If several BitLocker encrypted volumes are present (just as in our case below), you can pinpoint the required volume by its size.

When viewing the hard disk layout from the main launcher of the program (Open Advanced Interface), you can easily see all the unknown volumes detected as ‘Not formatted’, just like they are under Windows.

Drive letters in Windows and WinPE may differ, so please do not use them as identifiers.

  4. Close the ‘List of Volumes’ dialog, then select Unlock Encrypted Volumes.
  5. Use the provided examples and syntax to unlock the required volume(s). If you’d like to see all commands of the manage-bde tool, please run it with the ‘-help’ parameter (manage-bde -help).

As you can see in the screenshot above, we’re attempting to unlock volume E: by providing a path to the corresponding recovery key (recoverykey.bek), which is stored on a System Reserved partition (volume C:).

NOTE: the System Reserved partition has the letter C: assigned, as work is performed in the WinPE recovery environment.

The same dialog can also be called from the Hard Disk Manager 14 main launcher (right-click on the required volume, then select ‘Unlock Volume’).

  6. As a result, the volume should be unlocked.

Now, when going to the main launcher of our program (Open Advanced Interface), the volume will be correctly detected and is available for all supported operations.
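The manage-bde unlock shown in both procedures above can be scripted so that the volume is verified as unlocked before the backup job starts. This is an added example, not code from the article or from Paragon; it assumes manage-bde.exe is on the PATH (Windows, or a WinPE image that also carries the PowerShell component), an elevated session, and English manage-bde output (the "Lock Status:" line). `$Volume` and `$RecoveryKeyPath` are placeholders; remember that drive letters in WinPE differ from those in Windows.

```powershell
# Added example, not from the article or Paragon: unlock one BitLocker volume
# with a recovery key (.bek) file via manage-bde and confirm it reports
# "Unlocked" before the backup tool touches it. Placeholders: $Volume (e.g. 'E:')
# and $RecoveryKeyPath (e.g. 'C:\recoverykey.bek' in WinPE).
param(
    [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]:$')][string] $Volume,
    [Parameter(Mandatory)][string] $RecoveryKeyPath
)

function Get-BdeLockStatus {
    param([string] $Vol)
    # manage-bde -status prints a "Lock Status: Locked|Unlocked" line per volume.
    # Assumes English output; other locales translate this label.
    $out = & manage-bde.exe -status $Vol 2>&1
    foreach ($line in $out) {
        if ("$line" -match 'Lock Status:\s*(\w+)') { return $Matches[1] }
    }
    throw "Could not read the BitLocker status of $Vol`n$($out -join "`n")"
}

if (-not (Test-Path -LiteralPath $RecoveryKeyPath -PathType Leaf)) {
    throw "Recovery key file not found: $RecoveryKeyPath"
}

$status = Get-BdeLockStatus $Volume
if ($status -eq 'Unlocked') {
    Write-Host "$Volume is already unlocked."
} else {
    # -RecoveryKey takes the path of the .bek file created when BitLocker was turned on.
    & manage-bde.exe -unlock $Volume -RecoveryKey $RecoveryKeyPath | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde -unlock $Volume failed (exit code $LASTEXITCODE)"
    }
    # Do not trust the exit code alone: re-read the status that HDM will rely on.
    if ((Get-BdeLockStatus $Volume) -ne 'Unlocked') {
        throw "$Volume still reports Locked after the unlock attempt"
    }
    Write-Host "$Volume unlocked; HDM should now show it normally instead of 'Not formatted'."
}
```

When the backup job has finished, `manage-bde -lock <volume>` re-locks a data volume so it is not left open in the recovery environment.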

Protecting BitLocker Encrypted Volumes

Creating a Full Backup

Let’s consider how to create a pVHD full backup of a hard disk that contains BitLocker encrypted volumes. The process is similar to the one for separate volumes or a flash drive.

  1. Launch Paragon’s backup solution.
  2. Click the New Backup Format tab on the Ribbon Panel and select Backup to VD.
  3. On the wizard's Welcome page, click the Next button.
  4. Select the required partitions or entire hard disks you’d like to back up by using Shift or Ctrl to select several objects at once. Click Next to proceed.


You’ve got the option to modify default backup settings by marking the appropriate checkbox on this page.

By default the program will take into account any exclude filters preconfigured in the Settings dialog.

  5. Specify a location for the resulting pVHD-based backup in the ‘Backup destination’ section. If you’d like to save it locally, either enter a full path to the target folder in the corresponding field, or use the Browse button to find it.

If you’re going to save the backup image on a network share, or a physical partition (a partition that doesn’t have a drive letter in the system), click on the Browse button. In the ensuing dialog you will see several options:

  • Select Disk Drives to use a local disk as the backup destination;
  • Select Partitions to use a physical partition as the backup destination;
  • Click on the Map Network Drive icon to map a network share to use it as the backup destination (as in our case).

  6. To map a network share, please do the following:

  • Click the abbreviated browse button [...] to locate the required network share or manually enter the full path to it;
  • Define a letter for the mapped drive from the pull-down list of available drive letters;
  • Mark the checkbox to make this connection permanent. Otherwise it will only be available for the current Windows session;
  • Specify a valid user name and password to access the selected network share, if necessary;
  • Click OK when ready.

  7. Edit the default archive name and description in the ‘Archive details’ section if necessary. Click Next to proceed.
  8. Choose whether to execute the operation immediately after finishing the wizard and applying the pending changes (only if the virtual mode is enabled), or to generate a script file to be executed later.
  9. Click Finish to complete the wizard, and apply the pending changes.

This operation can also be accomplished with Paragon’s recovery media.

Creating an Increment to pVHD

Backup is not a one-shot action; it should obviously be done on a recurring basis. This is where technologies that accelerate the process and reduce backup storage requirements come into play. pVHD-based incremental imaging offers such advantages. In Paragon’s backup solutions, it’s possible to maintain several incremental backup chains based on one base pVHD archive, provided each chain contains the changed data of a particular backup object (or objects). This option allows much more flexibility in managing backup contents.

One of the crucial things about incremental imaging is the way changed data is parsed. In HDM there are three different methods which enable the user to pick the one that fits their preference (none of Paragon’s competitors currently offer this level of flexibility).

Follow these steps to update a pVHD backup image:

  1. Launch Paragon’s backup solution.
  2. Click the New Backup Format tab on the Ribbon Panel, and select Incremental Backup to VD.
  3. On the wizard's Welcome page, click the Next button.
  4. On the Browse for Archive page, specify the required full (base) archive:
  • By clicking the Switch to Archive List View link, you can see a list of images contained in the Archive Database (if any). Please note that only sector-based images in the new format type (with a .pfi index file) are available to work with.

To get a clear-cut picture of the properties of the required image, click on it and the section below (i.e. Archive File Details) will display a short description.

  • By clicking the Switch to File View link, you can find the required image in the Explorer-like window. The section below (i.e. Archive File Details) will also display a short description of the selected image. Please note that only sector-based images in the new format type (with a .pfi index file) are available to work with.

HDM enables the creation of several incremental backup chains based on one base (full) pVHD, provided each chain contains the changed data of a particular object(s). In the wizard these chains will be associated with their base image.

  5. The Archive Content page displays detailed information about the contents of the archive.

  6. Edit the default description of the created incremental image, if necessary. Specify the required method of acquiring information on the changed data:

  • Compare metadata (default). At first, file system metadata on each source and backup volume will be analyzed. As a result, pairs of directory trees will be built. If working with NTFS volumes, directory trees will be built directly on MFT, skipping the file system analysis. The next action will be a comparison of file attributes (e.g. creation/modification date) inside directory trees of the source and backup volumes, to:
    • Copy all file clusters with changed attributes;
    • Copy all file clusters with changed location of cluster chains;
    • Copy all clusters of new files;
    • Copy all sectors with metadata, for instance all copies of directories and MFT for NTFS. Depending on a file system and its location, a full metadata copy can exceed several hundreds of megabytes.

This method is the fastest of all three, but the resulting increments will also be the largest.

  • Compare all data. At first, a list will be created of all occupied cluster chains. After comparison with the backup contents, all changed clusters will be copied. This method is slower, but more space is saved in comparison to the first option above. Please note, however, that if an increment is performed after defragmentation, a great amount of redundant data may be copied, as defragmentation moves data without changing it.
  • Compare changed data. This is a combination of the two methods above. After detection of new/changed files, a list of clusters to copy will be created. During the copying, clusters on the source and backup volumes will be compared in order to copy only changed clusters and the clusters of new files, as well as clusters of changed file system metadata (not all metadata). This method is the slowest of all three, but it can guarantee increments will only contain changed/new data.
  7. Choose whether to execute the operation immediately after finishing the wizard and applying the pending changes (only if Virtual Mode is enabled) or to generate a script file to be executed later.
  8. Click Finish to complete the wizard, and apply the pending changes.

After the operation is complete you’ll have generated an incremental update to the selected pVHD backup image, stored next to the base image.

This operation can also be accomplished with Paragon’s recovery media.

Building WinPE Recovery Media

Local or external data volumes can be restored directly under Windows through the Restore from VD Wizard, while system volumes (it’s assumed that this OS is down and fails to boot) should be restored from Paragon’s recovery media, either Linux- or WinPE-based.

Paragon offers two options to create recovery media, the Recovery Media Builder (RMB) and the Boot Media Builder (BMB), to help users build customizable boot media. In short the RMB is simpler and doesn’t require the download and installation of WAIK or OPK Tools to build WinPE; however, its functionality is limited. In this document we will focus on using the RMB as it’s the easiest way to build the WinPE-based recovery media.

For more information on the subject, please consult Paragon’s BMB and RMB documentation, which you can find on the company’s website, in the My Account Section (you must be a registered user).

System Prerequisites

  • Windows XP or later;
  • Paragon’s product installed;
  • A 512MB or larger USB flash drive.

Please note that depending on the host system, product functionality can be restricted:

  • You can specify whether to create a 32-bit (BIOS mode) or 64-bit (uEFI mode) Linux environment only in the 64-bit Recovery Media Builder. The 32-bit Recovery Media Builder can only prepare 32-bit Linux-based media.
  • There’s no option to choose whether to build a 32-bit (BIOS mode) or 64-bit (uEFI mode) WinPE environment; detection is automatic. For 64-bit systems a 64-bit WinPE environment will be built, while for 32-bit systems 32-bit WinPE media is built.
  • You can only prepare the Linux-based environment (flash, ISO) on Windows XP and Vista operating systems.
  • Creation of WinPE-based ISO images is not available on Windows 8.1, or Server 2012 R1/R2.

Operation Scenario

To build the WinPE recovery media on a flash drive, please do the following:

  1. Plug in a 512MB or larger flash drive. Please note, all data on that drive will be deleted, though after the recovery media is created, you may add data to the flash drive, space permitting.
  2. Select: Start > Programs > Paragon Recovery Media Builder, or double-click on its desktop icon.
  3. The welcome page introduces the wizard’s functionality. Click Next to proceed.

  4. Select Microsoft Windows PE. As you can see on the screenshot there’s no option to choose whether to build a 32-bit (BIOS mode) or 64-bit (uEFI mode) WinPE environment. 64-bit systems build a 64-bit WinPE; 32-bit systems build a 32-bit WinPE.

  5. Click on Removable flash media, then select a flash drive from the list of flash memory devices presently connected to the system (if multiple devices are detected). If you’d like to create an ISO image of the WinPE environment, please use the corresponding option.

  6. The wizard will warn you that all data on the selected drive will be deleted. Please confirm the operation to proceed.

  7. The entire operation takes a couple of minutes. Once complete, you’ll receive the required bootable media.

Restoring BitLocker Encrypted Volumes

Let’s consider how to restore system volumes, as they’re the most complicated scenario which involves the use of the recovery media. For data volumes, the process is much easier.

  1. Start up the computer from the WinPE recovery media.

To automatically boot from the recovery media please make sure the on-board BIOS is set up to boot from CD/USB first.

  2. Select Switch to Full Scale Launcher, and then click the Restore from VD item from the Wizards dropdown menu.
  3. On the Restore Wizard's Welcome page, click the Next button.
  4. On the Browse for Archive page you need to specify the required backup image:
  • Map a network drive where your archives reside:
    • Open the Map Network Drive dialog by clicking the appropriate button;

    • Click the standard browse button [...] to browse for the required network share or manually enter a path to it;
    • Define a letter from the pull-down list of available drive letters;
    • Click the Connect as user button at the foot of the dialog page to specify a user name and password to access the selected network share if necessary.

You can also map a network drive with the Network Configurator.

  • Choose the required archive in the Explorer-like window. The Archive File Details section displays a short description of the selected image. If you need more information on the selected backup object, please click the corresponding link at the bottom of the section. Click Next to proceed.

  5. The What to Restore page displays detailed information about the contents of the archive. Select the required item to restore.

If you need to restore several backup objects from a pVHD image in one operation, please use the Linux-based recovery media.

  6. On the Where to Restore page, specify a target hard disk, and then select the desired partition (if there are several in your computer). By default, the program offers to restore the archive exactly where it belongs, which is the goal of this scenario.

All contents on the partition selected for restoring purposes will be deleted during the operation.

  7. On the Restore Results page you can see the resulting hard disk layout. There’s also the possibility to change the size of the partition and its location, if necessary, as well as an option to assign a particular drive letter. If you’re working with a 64-bit Windows OS configured in uEFI boot mode, the Switch EFI to boot from destination drive option will become available for you to define which instance of Windows OS you’d like to boot from once the operation is complete. Either way, you can specify a new bootable device at any time through Boot Corrector.

  8. Choose whether to execute the operation immediately after finishing the wizard and applying the pending changes (only if the virtual mode is enabled) or to generate a script file to be executed later.
  9. Click Finish to complete the wizard and apply the pending changes.
  10. In the Progress window you can see real-time detailed reports on all the actions carried out by the program. Mark the checkbox at the bottom of the window to automatically switch off the computer on the successful completion of the restore operation.
  11. After completing the operation, please reboot the computer.

To make Windows bootable on different hardware, please complete the P2P Adjust OS Wizard as a post-operation step.

Comparing Paragon’s Backup Tools with Windows-native Backup

Target System: Windows 7 x64 Enterprise, residing on an MBR hard disk (120 GB) that includes a System Reserved partition (100 MB, non-encrypted) and Volume C: (30 GB in size, of which 15 GB is used, encrypted by BitLocker). The recovery key is on an NTFS formatted flash drive.

Backup

  • Windows Backup (system image): 24 minutes; resulting backup size is 9.7 GB.
  • pVHD (System Reserved + Volume C:): 9 minutes, 13 seconds; resulting backup size is 5 GB.

As you can see, Paragon’s backup solution creates full system backups approximately 3x faster, while the resulting backup is 47% smaller in size.

Incremental Backup

  • Windows Backup (system image): 3 minutes, 43 seconds; resulting backup size is 500 MB.
  • pVHD (System Reserved + Volume C:): 1 minute, 09 seconds; resulting backup size is 369 MB.

Paragon’s incremental imaging to pVHD is 4x faster, while the resulting image is ¼ smaller.

Restore

  • Windows Backup (restore of the entire system from an increment): 35 minutes, 20 seconds
  • pVHD Restore (restore of the entire system from an increment): 18 minutes, 39 seconds.

Paragon’s incremental restore from pVHD is approx. 2x faster.

Appendix

Operations Available for BitLocker Encrypted Volumes

The following operations are currently supported on volumes encrypted by BitLocker:

  • Backup Partition;
  • Restore Partition;
  • Copy Partition;
  • Delete Partition;
  • Change Volume Label;
  • Add/Remove Drive Letter;
  • Hide/Unhide Partition;
  • Mark Partition as Active/Inactive;
  • Change Serial Number;
  • Change Partition ID;
  • Test Surface;
  • Check File System Integrity;
  • Properties.

About the Author

Sergey Solomatin has served as a Technical Specialist at Paragon Software Group's System Utilities department since 2005. He holds a degree in Engineering from the Moscow State Institute of Steel and Alloys.
