Using BitLocker with server backup

BitLocker Drive Encryption (BitLocker) is a data protection feature in Windows Storage Server 2008 R2 Essentials that protects data stored on fixed and removable data drives and on the operating system drive against theft or exposure. BitLocker helps protect against “offline attacks,” which are attacks made by disabling or circumventing the installed operating system or by physically removing the hard drive to access the data separately. BitLocker helps ensure that users can read the data on the drive and write data to the drive only when they have the required password or smart card credentials, or are using the data drive on a BitLocker-protected computer that has the proper keys. BitLocker also offers more secure data deletion when computers are decommissioned.

Important

When drives, folders, and files are backed up by the server, an unencrypted version is saved to the server. During full system restore, this unencrypted version is copied to the computer. After a successful full system restore, you have to reactivate BitLocker on the server.

For more information about BitLocker Drive Encryption basics, see “BitLocker Drive Encryption in Windows 7: Frequently Asked Questions” (https://go.microsoft.com/fwlink/?LinkId=190324).

Setting up BitLocker on your server

To use the BitLocker data protection feature with Windows Storage Server 2008 R2 Essentials server backup:

  1. Enable the BitLocker feature in the Server Manager.

  2. Assign a drive letter to the backup hard disk drive.

  3. Turn on BitLocker in the Control Panel.

To enable the BitLocker feature

  1. On the server, click Start, click Administrative Tools, and then click Server Manager.

Note

If you manage Windows Storage Server 2008 R2 Essentials remotely, you must access the server using Remote Desktop Connection.

  2. In the Server Manager navigation pane, click Features.

  3. In the Features Summary, click Add Features.

  4. In the Add Features Wizard, click to select BitLocker Drive Encryption, and then click Next.

  5. Click Install.

  6. When the wizard finishes, click Close, and then click Yes to restart the server if required.

  7. After the server restarts, click Close.

To assign a drive letter to the backup hard disk drive

  1. In the Server Manager navigation pane, click Storage, and then click Disk Management.

  2. Right-click the backup drive, and then click Change Drive Letter and Path.

  3. Click Add, choose a drive letter from the drop-down menu, and then click OK.

  4. Click Yes, and then close Server Manager.

To turn on BitLocker

  1. Click Start, and then click Control Panel.

  2. Click System and Security, and then click BitLocker Drive Encryption.

  3. Click Turn on BitLocker for each of the drives that you want to protect, and then click Yes.

  4. Choose the method that you want to use to unlock the drive after it is encrypted. If you choose to use a password, you can print it or save it in a file.

Important

If you choose to save a password in a file, you should not keep the file on the server. The password key that is saved in the file is in clear text.

  5. Click Start Encrypting. Depending on the size of the drive and the amount of data, it might take several hours to encrypt the drive.

  6. When encryption is finished, unlock the backup drive using the BitLocker password that you created. Server backup and file and folder restore should then work as expected.
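
The warning above about saving the password in a file can be checked once setup is complete. The following PowerShell script is an added example, not part of the original procedure; it assumes the saved file is a .txt file that contains a standard 48-digit BitLocker recovery password, and the function names are hypothetical.

```powershell
# Added example (not from the original page). Written for PowerShell 2.0,
# the version shipped with Windows Server 2008 R2.
# Assumption: the saved file is a .txt file holding a 48-digit recovery
# password: eight groups of six digits separated by hyphens.
$pattern = [regex]'\b\d{6}(-\d{6}){7}\b'

function Test-RecoveryPassword {
    param([string]$Candidate)
    # Each group is a 16-bit value multiplied by 11, so every group must be
    # divisible by 11 and below 720896. This filters out look-alike numbers.
    foreach ($group in $Candidate.Split('-')) {
        $n = [int]$group
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Find-RecoveryPasswordFile {
    param([string[]]$Root)
    foreach ($r in $Root) {
        Get-ChildItem -Path $r -Recurse -Filter '*.txt' -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Length -lt 1MB } |
            ForEach-Object {
                $file = $_
                # Unreadable file: skip it and move on to the next one.
                try { $text = [System.IO.File]::ReadAllText($file.FullName) } catch { return }
                foreach ($m in $pattern.Matches($text)) {
                    if (Test-RecoveryPassword $m.Value) {
                        $file.FullName   # report the path only, never the password
                        break
                    }
                }
            }
    }
}

# Fixed local disks (DriveType 3) on the server.
$roots = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
    ForEach-Object { $_.DeviceID + '\' }

$hits = @(Find-RecoveryPasswordFile -Root $roots)
if ($hits.Count -gt 0) {
    Write-Warning 'Clear-text BitLocker recovery passwords found. Move these files off the server:'
    $hits
} else {
    'No clear-text BitLocker recovery password files found on fixed drives.'
}
```

Run the script from an elevated PowerShell prompt so that protected folders can be read; a full scan of large drives can take some time.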

Restoring files and folders to a different server

If you want to restore files and folders to a different server, you should install BitLocker on the server following the instructions in the Setting up BitLocker on your server section. After setting up BitLocker, unlock the drive before you start the Restore Files and Folders wizard.

Performing server restore

If the server that you need to restore was encrypted using BitLocker, you can still use the full system restore media provided with your server and the Full System Restore wizard to recover the hard disk drive image, including the operating system, from a backup, and then restore the data to the new or repaired computer.

Before you begin the server restore process, do the following:

  1. On a client computer that supports BitLocker, enable BitLocker if it is not already enabled. For instructions, see BitLocker Drive Encryption Step-by-Step Guide for Windows 7 (https://go.microsoft.com/fwlink/?LinkId=140225).

  2. Attach the backup hard drive to the client computer.

  3. Decrypt the hard drive. For information about decrypting the hard drive, see What is the difference between disabling BitLocker Drive Encryption and decrypting the volume (https://go.microsoft.com/fwlink/?LinkId=219824).

Note

Decrypting the hard drive might take several hours.

See also

BitLocker and BitLocker to Go

BitLocker Drive Encryption Operations Guide: Recovering Encrypted Volumes with AD DS