Solved BitLocker question


Can I ask, when you do a restore of your system drive, is it still encrypted? I use Easeus Todobackup and enabling Bitlocker resulted in transparent use of my computer and the use of Todobackup, but when I do a restore and reboot, the drive is no longer encrypted. Does Macrium Reflect restore the system drive to the Bitlocker state it was when backed up, or do you need to reapply Bitlocker after a restore? This was touched on in post #6.

I suspect all imaging programs work in the same way WRT Bitlocker. I use Image for Windows, and I use it to back up my live system drive to another encrypted drive. This backup is unencrypted, but it's possible to have Windows encrypt it on the fly during the restore of the system partition, so that I'm not restoring it unencrypted, only to have to re-encrypt and invalidate the previously saved rescue keys and auto-unlock keys. I do this by booting from rescue media into Terabyte's WinRE environment, using manage-bde to unlock the system drive, and then I have Image for Windows restore just the system partition. There's a detailed paper discussing this, which they call a "Type A" backup, and other scenarios here:


I just skimmed it again and ran across this, "You can suspend BitLocker on the Windows partition before booting to the TBWinRE boot media to avoid having to unlock it manually." That's nice to know, because I have multiple Bitlockered drives, and it's always been trial and error to unlock the right one. That is, I don't know which is the system drive until I unlock it. So suspending Bitlocker will save me some time and aggravation.

BTW, if you ever forget and restore in the unencrypted state, you'll find your auto-unlock drives no longer auto-unlock, and there's a procedure to get them back to normal:


After you've done this a time or two, you'll remember. lol

The reason I am even exploring encryption is I was looking into USB boot ISOs and saw these Windows password reset programs. I tried one and, WOW!, it removed the need for my password in less than 30 seconds after it booted. I think the password reset program will not work on an encrypted system, and I will test soon, but meanwhile am seeing if Bitlocker will be easy to live with, provide security but make sure I can do a restore if necessary.

Bitlocker is very easy to live with and will definitely prevent those password reset programs from working. Unlike with TrueCrypt, everything just works, including things like drive names in "Safely eject", which I noticed when I moved to Bitlocker after the TrueCrypt people said it was no longer secure in May 2014. The only consideration besides restoring images I've encountered is the necessity to suspend protection before updating the computer's BIOS. Everything else is seamless, as if I'm not using encryption.
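
The checks around an image restore that the post above describes (identify the system drive, suspend protection before booting rescue media, confirm the drive is still encrypted afterwards), as an added example that is not part of the original thread. It assumes an elevated PowerShell session in the installed Windows with the BitLocker module available; the three function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Function names are hypothetical.

function Get-BitLockerSummary {
    # One row per volume, so the OS volume is known before booting rescue media
    # instead of unlocking drives by trial and error.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint = $_.MountPoint
            VolumeType = $_.VolumeType        # OperatingSystem or Data
            Status     = $_.VolumeStatus      # FullyEncrypted, FullyDecrypted, ...
            Protection = $_.ProtectionStatus  # On, or Off (suspended or unencrypted)
            AutoUnlock = $_.AutoUnlockEnabled
            Protectors = ($_.KeyProtector.KeyProtectorType -join ', ')
        }
    }
}

function Suspend-OsVolumeForRescueBoot {
    # Suspends protection on the OS volume for a limited number of restarts,
    # so the rescue environment can read it without a manual unlock.
    param([ValidateRange(1, 15)][int]$RebootCount = 1)

    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    if ($os.ProtectionStatus -ne 'On') {
        Write-Warning "Protection is already off on $($os.MountPoint); nothing to suspend."
        return
    }
    # Refuse to continue without a recovery password protector: it is the
    # fallback if the restore goes wrong and the volume has to be unlocked by hand.
    if (-not ($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        throw "No recovery password protector on $($os.MountPoint); add and save one first."
    }
    Suspend-BitLocker -MountPoint $os.MountPoint -RebootCount $RebootCount
}

function Test-RestoredVolumeEncrypted {
    # Run after the restore and first boot: lists every volume that came back
    # decrypted, partly encrypted, or with protection switched off.
    Get-BitLockerVolume | Where-Object {
        $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On'
    } | Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus
}

Get-BitLockerSummary | Format-Table -AutoSize
```

An empty result from `Test-RestoredVolumeEncrypted` means every volume is fully encrypted with protection on; any row it returns is a drive that needs attention after the restore.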
 

A lot of what you wrote is helpful, but some is more than I understand. Good advice about not changing the BIOS unless you have access to your files/drive. I remember when TrueCrypt was halted. It was about the time Snowden stories were out and NSA stories about the government requiring a backdoor to most data channels. At the time TrueCrypt was 7.1a, but its website had an announcement it was Not Secure Anymore, a hint using the first letters of that phrase. It was then they posted a final version 7.1b, with little if any further discussion. You could only come to your own conclusion, but mine was that I would not trust the "b" version with the text in that post.

Who knows what backdoors are in any software. We have to do what we think is best. So far I have not heard of mass fraud from info stolen from computers, but we still have to be careful and informed.

Thanks for your reply!
 

Rufus now adds BitLocker disable option
Rufus 3.22 final version

 

I'll let y'all argue this out, but I've been reading all damned day on this and I'm convinced MS has snuck this in on us with one of the recent ISOs. It may affect only OEM machines as threads over on Dell and Lenovo indicate it is being seen on some new PCs as well as modern standby laptops. If we believe the OP of this thread it's not just Bitlocker Device Encryption on Home but Bitlocker on Pro too which could be a fluke...but it might not be.... Or maybe it's a Dell thing....but then Dell is always the first to do what MS wants and the others always follow suit



So....we can take what we will from this and the so-far random reports, but you'll never convince me that something ain't a'comin' or may already be here. It all revolves around that damned MS account.
07/28/2024 I'm setting up a new HP laptop with Windows 11 Home v23H2. (Retired applications programmer, I'm reasonably proficient, but my first Win 11 PC.) When doing my first clone with Clonezilla after the OOBE, Clonezilla showed the main partition on the 1TB SSD as 952.9G_BitLocker... and showed it 100% full, although C: Windows has only 60.1GB used of 952GB. I'm thinking the encryption is making Clonezilla think unused blocks are used. I'm here doing research, but wanted to chime in that it appears Bitlocker/Device Encryption may be turned on by default for OEM Windows 11 Home, also. (New PC, so yes on TPM and I did use my MS Account.)

Although I've always felt I should have some encryption on, I admit I'm scared of Bitlocker. As I age, I'm feeling there is a much higher risk of a) losing my Bitlocker key or b) passing and wife/executor needing access to it, but not finding/understanding it. It seems to me, the risk of accidental catastrophic data loss is higher than a thief getting access to my SSD.

My backup strategy is Backblaze for current data, periodic clones with Clonezilla (for Windows/Disk restore and also data partitions), and periodic copies to local external drives stored off-site.
I assume Backblaze backups would not be affected by on-device encryption.
I wonder if Clonezilla backups will require the Bitlocker key for restoration.
I saw something that sounded like every USB drive I plug in might have all / new files encrypted.


After I finish my research, I expect I will try to turn off Device Encryption/Bitlocker, before continuing setting up this new PC. (At this point, it only has Windows OOBE on it.)
 
