Encrypted backup of bitlocker protected virtual machines?

  • Question

  • I have a Windows Server 2016 Hyper-V host on which I have a Windows 10 virtual machine.

    I have activated "enable trusted platform module" (vTPM) for the vm and following that I have activated Bitlocker inside the vm. As described here. The virtual machine is now encrypted.

    I want to back up content in the virtual machine with DPM without compromising the encryption.

    I found this article. In the section "Seamless protection and recovery of Shielded VMs (vTPM-enabled VMs)" it says:

    "DPM 2016 supports backup and recovery of Shielded VMs that have their VHDs/VHDXs protected with vTPM. Note that Item Level Recovery (ILR) and Alternate Location Recovery (ALR) to a location outside the guarded fabric is not available for this scenario."

    I have not deployed Guarded Fabric and the vm is not Shielded. In principle, I could do that, but it seems like A LOT of work. It is only the one VM that I need to encrypt.

    Will DPM retain the encryption in either of these two cases?

    1. I protect the complete VM through a DPM agent installed on the HyperV host
    2. I protect some folders and SQL Server databases inside the VM by installing the DPM agent in the VM.

    It is imperative that backup admins cannot circumvent the bitlocker encryption simply by browsing folders on the storage pool on the DPM Server.

    I am using Modern Backup Storage.

    DPM is 5.0.342.0: UR4

    Wednesday, January 24, 2018 3:30 PM

Answers

  • If backups are done inside the VM (guest-based), they are always in unencrypted form. If they are done host-based (backups of the virtual drive files), the backups will be encrypted. I don't know how DPM does it, but you will be able to find that out, if you don't know already.
    • Marked as answer by ThomasIsr Friday, February 2, 2018 5:12 PM
    Wednesday, January 24, 2018 6:37 PM

All replies

  • Thank you. That makes sense.

    I have been doing just that, but today I actually needed to restore a previous version of this virtual machine.

    DPM restored the VHDX file to an alternate location for me, but when I try to switch it out, the VM will not start. It was a permissions issue.

    I can see on the original vhdx-file (which I have preserved), that a special account has read/write access. It is named NT VIRTUAL MACHINE\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX.

    Any thoughts on what I might have to do to get Hyper-V to start the virtual machine?

    Thursday, February 1, 2018 5:32 PM
  • So what are we talking about, a restored vhdx file that was produced by the host-based backup component, right?

    What is the error message that you get? 

    Are you able to mount the vhdx file? (Simply double click it; it should mount in Explorer as a drive (x:, for example). After that test, you have to detach it again by right-clicking that mounted drive x:.)

    If it is mountable, please quote the permissions by quoting the output of

    icacls c:\vmfolder\your.vhdx

    Friday, February 2, 2018 7:58 AM
  • Yes. Exactly: The VM was backed up by DPM through the agent installed on the host.

    Here are 3 events from the Windows Event log at the time I tried to start the vm after having attached the restored VHDX:

    event 12030: 'MyVM' failed to start. (Virtual machine ID E36696C9-4832-45AD-8CC2-496DB575ACA7)

    event 12010: 'MyVM' Synthetic SCSI Controller (Instance ID 60FC5DCB-8C7E-47B8-ADB9-9235C4936873): Failed to Power on with Error 'General access denied error' (0x80070005). (Virtual machine ID E36696C9-4832-45AD-8CC2-496DB575ACA7)

    event 12290: 'MyVM': 80070005 Account does not have permission to open attachment 'C:\ClusterStorage\Volume4\MyVM\disk.vhdx'. Error: 'General access denied error' (7864368). (Virtual machine ID E36696C9-4832-45AD-8CC2-496DB575ACA7)

    I cannot mount the restored vhdx in Windows File Explorer. The error message varies.

    Icacls for the restored vhdx:

    C:\ClusterStorage\Volume4\MyVM\From-backup>icacls Disk.vhdx
    Disk.vhdx NT AUTHORITY\SYSTEM:(F)
               BUILTIN\Administrators:(I)(F)
               NT AUTHORITY\SYSTEM:(I)(F)
               BUILTIN\Users:(I)(RX)
               BUILTIN\Users:(I)(WD)
               Everyone:(I)(RX)

    Icacls for the original (working) vhdx:

    C:\ClusterStorage\Volume4\MyVM>icacls Disk.vhdx
    Disk.vhdx NT VIRTUAL MACHINE\E36696C9-4832-45AD-8CC2-496DB575ACA7:(R,W)
               NT AUTHORITY\SYSTEM:(F)
               BUILTIN\Administrators:(I)(F)
               NT AUTHORITY\SYSTEM:(I)(F)
               BUILTIN\Users:(I)(RX)
               BUILTIN\Users:(I)(WD)
               Everyone:(I)(RX)


    • Edited by ThomasIsr Friday, February 2, 2018 10:23 AM
    Friday, February 2, 2018 10:22 AM
  • "I cannot mount the restored vhdx in Windows File Explorer. The error message varies." - quote your messages.

    Friday, February 2, 2018 12:31 PM
  • Ok, open diskmgmt.msc and try to attach the VHDX there via the "action" menu. Does it mount?
    Friday, February 2, 2018 4:28 PM

    • Edited by ThomasIsr Friday, February 2, 2018 4:34 PM
    Friday, February 2, 2018 4:29 PM
  • Apologies for the weird micro-picture in my first post. I deleted the first post and posted it again.

    Attach VHD is disabled in Disk Management. Weird.


    • Edited by ThomasIsr Friday, February 2, 2018 4:35 PM
    Friday, February 2, 2018 4:34 PM
  • Turns out it was already attached:

    Friday, February 2, 2018 4:38 PM
  • After first detaching it in Disk Management and then remounting it in File Explorer, I see this:

    But I see it in Disk Management. And actually also in File Explorer:

    But I cannot see inside it in any way.

    Friday, February 2, 2018 4:47 PM
  • You cannot see inside, because you need to provide the bitlocker key.

    manage-bde -unlock d: -rp 111111-222222-...yourrecoverykeyhere-...-666666

    Friday, February 2, 2018 5:03 PM
  • But what I really want to do is to attach it to the virtual machine, where it belongs. Can I do that using the bitlocker key (which I have)?
    Friday, February 2, 2018 5:05 PM
  • Yes, you can. Unlock it here while being mounted, suspend bitlocker like that:

    manage-bde -protectors -disable d:

    then detach it in disk management and start the virtual machine. When started, you can setup a new vTPM protector for it.

    Friday, February 2, 2018 5:07 PM
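    The restore flow from this reply, together with the missing per-VM ACE shown in the two icacls listings above, as an added PowerShell example run on the Hyper-V host; it is not code from the thread or from DPM. The VM name and VHDX path are the ones used in the thread, the recovery password is prompted for so it never lands in a script or the PowerShell history, and the Hyper-V PowerShell module and manage-bde are assumed to be available on the host.

```powershell
# Added example (not from the thread): bring a DPM-restored, BitLocker/vTPM protected VHDX
# back into its VM. Names below are taken from the thread; adjust for your environment.
$VmName       = 'MyVM'
$RestoredVhdx = 'C:\ClusterStorage\Volume4\MyVM\disk.vhdx'

# 1. Recreate the ACE the original file had and the restored copy lacks. Hyper-V opens the
#    attachment as NT VIRTUAL MACHINE\<VM id>; without this entry you get event 12290 /
#    0x80070005 "Account does not have permission to open attachment".
$vmId = (Get-VM -Name $VmName).Id.ToString().ToUpper()
icacls $RestoredVhdx /grant "NT VIRTUAL MACHINE\${vmId}:(R,W)"

# 2. Attach the VHDX on the host, find the (locked) OS volume, unlock it with the recovery
#    password and suspend protectors so the guest can boot without the vTPM protector.
$disk   = Mount-VHD -Path $RestoredVhdx -PassThru | Get-Disk
$letter = (Get-Partition -DiskNumber $disk.Number |
           Where-Object { $_.DriveLetter -and $_.Type -eq 'Basic' } |
           Select-Object -First 1).DriveLetter
if (-not $letter) { throw "No lettered basic partition found on $RestoredVhdx" }

$secure = Read-Host -Prompt 'BitLocker recovery password (48 digits, with dashes)' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$rp     = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

manage-bde -unlock "${letter}:" -RecoveryPassword $rp
$rp = $null
# Suspending (not removing) protectors stores a clear key on the volume: the guest boots, the
# data on disk stays BitLocker-encrypted, and protection is re-armed from inside the guest.
manage-bde -protectors -disable "${letter}:"

# 3. Detach from the host (the drive letter must be released before Hyper-V can open the file)
#    and start the VM.
Dismount-VHD -Path $RestoredVhdx
Start-VM -Name $VmName

# 4. Inside the guest, once it is up (not on the host): re-arm protection as the reply says,
#    either by re-enabling the existing protectors or by setting up a new vTPM protector:
#      manage-bde -protectors -enable C:
#      manage-bde -protectors -add C: -tpm
```

    Step 1 is what the event-log entries point at: the rest of the ACL on the restored file matches the original, only the NT VIRTUAL MACHINE\<id> entry is missing, so checking `icacls` output before and after is the quickest way to confirm the fix.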
  • OK. Thank you so much. I will try that.

    I cannot do it now: I solved the problem that I wanted to fix by restoring the vm from DPM in another way, and now it is back doing important work.

    But I will find time to do a new test.

    Thank you for your help.

    DPM-folks: Please consider adding a section to the DPM 2016 docs, where you describe how to restore bitlocker protected virtual machines.

    Friday, February 2, 2018 5:12 PM