This article explains BitLocker Drive Encryption and its interaction with the Datto solution.
- BitLocker Drive Encryption
- Datto SIRIS
- Datto ALTO
- Datto NAS
- Direct to Cloud (DTC)
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately-decommissioned computers by encrypting the storage disks of the host.
It uses a special chip on the motherboard called a Trusted Platform Module (TPM). It is designed to unlock your encryption key only after confirming that your bootloader program hasn’t been modified. When inside of a local virtualization, the TPM will no longer be accessible, so re-locking drives require you to adjust the group policy settings.
Interactions with the Datto Solution
- Partners who run local virtualizations with BitLocker should know that Microsoft does not officially support BitLocker on the bootable partition of virtual disks. Non-bootable virtual partitions can be supported; see VMware's reference article (external link) for additional information.
- The Datto solution backs up data in its encryption state at the time of the backup. If the data is backed up decrypted, then it will be restored decrypted. Machines protected by BitLocker are decrypted when they are in a booted state; because of this, full-system restores (such as USB Bare Metal Restore) of systems protected by BitLocker will result in the system being restored to an unencrypted state. To protect backups which require encryption, Datto recommends using encrypted agents,
- Datto's Rapid Rollback restore feature is unable to work with drives encrypted by BitLocker. This is because drives which use this type of protection are in an encrypted state when the protected machine is booted into the Datto Utilities environment, preventing the Rapid Rollback environment from reading the disk and matching the data to the unencrypted backup.
- Since BitLocker functions below the operating system layer, it is important to note that Datto cannot access or manipulate it. Datto cannot recover lost BitLocker keys or passphrases.