How to encrypt backups and optionally the system disks on Windows Server 2008 and SBS 2008 and Windows Vista too

7 Nov

http://uksbsguy.com/blogs/doverton/archive/2009/04/26/how-to-encrypt-backups-and-optionally-the-system-disks-on-windows-server-2008-and-sbs-2008.aspx

 

Hi,

someone asked in the forums whether the backups on SBS 2008 and Windows Server 2008 are encrypted, and the answer is no, even if the drives being backed up are BitLocker protected (more details here): Windows Server Backup writes plain data to the target disk, so the protection has to come from the target disk itself.  However you can get encrypted backups with a bit of effort.  To do this you will need to at least BitLocker-enable your removable backup drives and optionally your system disk.  I used the information at http://blogs.msdn.com/askdavid/archive/2007/06/08/enabling-bitlocker-on-removable-drives-usb-flash-drives-usb-hard-drives.aspx as a guide to putting together what I needed to do, so many thanks to David Chandra for this.  This same process can also be used on Windows Vista.

There are a couple of snags however, and you need to work out which scenario you wish to have (if your server has a TPM chip, the startup key in options 2 and 3 can be replaced by the TPM, optionally prompting for a PIN at boot):

  1. encrypt just the backup disks: you will need to run an unlock script each time a backup volume is added back to the system
  2. encrypt the system disk and the backup disks: you will need a USB key, or key information to be typed in, every time you reboot the server
  3. encrypt the system disk and the backup disks, but store the system unlock information unencrypted on the server so you do not have to enter decryption information every time (anyone who takes the disks takes the key with them)

 

Given the choices above the steps are as follows (they build from option 1 through to option 3):

  1. Option 1
    1. Add BitLocker to the server
    2. Encrypt the Backup Hard Disks
    3. Add an unlock script
  2. Option 2
    1. Prepare the system disk for BitLocker encryption
    2. Encrypt the system
  3. Option 3
    1. Store the unlock key on the boot partition for automatic use

Option 1 (encrypting the backup disks)

You will need to repeat the steps below (excluding adding BitLocker to the system) for each disk you want to encrypt.  You can do this to an existing backup disk or a new disk.

(Screenshot: Server Manager, add the BitLocker feature)

To start this task we need to add BitLocker to SBS 2008.  While BitLocker is built into Windows Server 2008 it is not installed by default, and in Server Manager it is listed as a feature rather than a role.  To install it start Server Manager from the Start Menu and then scroll the right hand window down until you find the Features section and click Add Features.

(Screenshot: enable the feature in SBS 2008) In the list of features that can be added, select BitLocker Drive Encryption and continue through the wizard until BitLocker is available.
(Screenshot: give the backup drive a letter) To be able to easily BitLocker the drive we need to add a drive letter.  Run the command diskmgmt.msc to start the Disk Management tool.  Find the backup disk, right click on it and select Change Drive Letter and Paths.
(Screenshot: assign a drive letter, step 1) You will notice that the disk, although present and in use by the backup, does not have a drive letter, so we need to change this.  Press the Add button to add a drive letter that we can easily refer to in the command lines.
(Screenshot: assign a drive letter, step 2) Pick the next available drive letter and press OK.  In my example the drive letter is “E:“.  In all the command lines below replace E: with the right drive letter for your system.
(Screenshot: get status and then BitLocker the backup drive) Open an administrative Command Prompt from the Start Menu and check the title bar says Administrator: Command Prompt.  Check that the disk is ready for encrypting with the command cscript manage-bde.wsf -status.  Note this has to be run from \Windows\System32, or you give the full path c:\windows\system32\manage-bde.wsf as in the later commands.
(Screenshot: encrypted, note key info) Time to encrypt the disk and save the recovery keys.  I’m going to save them to C:, but they can be saved to any disk in the system except the one being encrypted.
Type cscript manage-bde.wsf -on E: -recoverykey C: -recoverypassword.
You will see several pieces of information including the disk ID, the file name of the recovery key file and the numeric recovery password for use should you not have the key file to hand.  You will need to make a note of this information, but do NOT store it with the drive.  Bear in mind what this protects: the key file on C: (and the unlock script below) will open the backup disk without any password, so the encryption defends the backup disk when it is separated from the server (in transit or offsite), not the server and disk stolen together.

To create an unlock command, enter the command below replacing <recovery key file> with the full path of the .BEK file from your output.  The filename for the command in my example is c:\unlock_backup_disk3.cmd and you should change it to be appropriate to your system.
echo cscript c:\windows\system32\manage-bde.wsf -unlock E: -recoverykey <recovery key file> > c:\unlock_backup_disk3.cmd

(Screenshot: encrypted, status at 21 and 100 percent) The disk will now begin encrypting in the background and, depending on how much data is stored on it, may take some time.  You can check the progress with the command cscript c:\windows\system32\manage-bde.wsf -status as shown in the screen shot until the disk is 100% encrypted.
(Screenshot: remove the E: drive letter) Unless you are going on to encrypt the system disk (Option 2 below uses E: as the place to save the recovery key), you can now remove the drive letter again.  The backup will still work if the drive keeps a drive letter, but it will then show up in the SBS Console and in Computer, where it should not be modified in any way.
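The Option 1 steps for one backup disk, as an added example that is not part of the original post or of Microsoft's tooling. It assumes PowerShell is installed on the server, an elevated prompt, that the backup disk already has a drive letter, and that the recovery key file is written to the root of C:. The drive letters and the unlock script name are placeholders, and the "Percentage Encrypted:" label it parses from the -status output is an assumption about the Server 2008 manage-bde.wsf text.

```powershell
# Added example, not the post's own script: wraps the Option 1 steps for one backup disk.
# Assumptions: PowerShell installed, run from an elevated prompt, the disk already has a
# letter, recovery key written to the root of C:. Letters and names are placeholders.
param(
    [string]$BackupDrive    = "E:",                          # backup disk to encrypt
    [string]$RecoveryKeyDir = "C:\",                         # where the .BEK key file is saved
    [string]$UnlockScript   = "C:\unlock_backup_disk3.cmd"   # unlock command written for re-attaching the disk
)

$manageBde = Join-Path $env:SystemRoot "System32\manage-bde.wsf"

function Invoke-ManageBde {
    # manage-bde.wsf is a script, so it has to run under cscript; returns the text output.
    param([string[]]$ArgumentList)
    $out = & cscript.exe //nologo $manageBde $ArgumentList 2>&1
    return ($out | Out-String)
}

function Get-PercentEncrypted {
    # Reads the "Percentage Encrypted: nn%" line from -status (label assumed for Server 2008).
    param([string]$Drive)
    $status = Invoke-ManageBde @("-status", $Drive)
    if ($status -match 'Percentage Encrypted:\s*([\d.]+)\s*%') {
        return [double]$Matches[1]
    }
    throw "Could not read encryption status for $Drive`n$status"
}

# 1. Turn BitLocker on with a recovery key file plus a 48-digit recovery password.
#    The .BEK files are written hidden, hence -Force when listing them.
$before = @(Get-ChildItem -Path $RecoveryKeyDir -Filter *.bek -Force | ForEach-Object { $_.FullName })
$onOutput = Invoke-ManageBde @("-on", $BackupDrive, "-recoverykey", $RecoveryKeyDir, "-recoverypassword")
Write-Host $onOutput   # key ID, .BEK file name and the numeric password: record these away from the drive

# 2. Identify the .BEK file that this run created, so the unlock script gets its full path.
$bek = Get-ChildItem -Path $RecoveryKeyDir -Filter *.bek -Force |
       Where-Object { $before -notcontains $_.FullName } |
       Select-Object -First 1
if (-not $bek) { throw "No new recovery key file found in $RecoveryKeyDir; check the manage-bde output above" }

# 3. Write the one-line unlock .cmd the post describes (run it each time the disk is re-attached).
$line = "cscript $manageBde -unlock $BackupDrive -recoverykey `"$($bek.FullName)`""
Set-Content -Path $UnlockScript -Value $line -Encoding ASCII
Write-Host "Unlock command written to $UnlockScript (it opens the disk without a password: keep it on the server only)"

# 4. Encryption continues in the background after -on returns; poll until it reaches 100%.
do {
    Start-Sleep -Seconds 60
    $pct = Get-PercentEncrypted $BackupDrive
    Write-Host ("{0} is {1}% encrypted" -f $BackupDrive, $pct)
} while ($pct -lt 100)
```

Run it once per backup disk with the right letter and a distinct unlock script name; the polling loop only reports progress, it does not change what manage-bde is doing, so it is safe to stop and re-run.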

 

Option 2 & 3 (encrypting the system disk and enabling automatic unlocking of the USB drives)

(Screenshot: download the prep tool) Download the BitLocker Drive Preparation Tool from Microsoft at http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=320b9aa9-47e8-44f9-b8d0-4d7d6a75add0 and then install the tool.
(Screenshot: encrypt main drive) Start the tool from the Start Menu. It is under Accessories, System Tools, BitLocker and is called BitLocker Drive Preparation Tool.

As is always the case when making major changes to a system, ensure you have a backup of the system before you start: the tool repartitions the system disk.

Press Continue to start the tool.

(Screenshot: prep completed) The tool will shrink your system drive and create a small S: drive which will contain the boot files.  Once it is complete, press Finish.
(Screenshot: restart) You will need to restart your computer to continue the preparation.  Press Restart Now to do so.
(Screenshot: enabled) Once you have rebooted and logged back in the tool will continue.  Once it is finished, press Close to exit the tool.
Your drives are now prepared to be encrypted.
(Screenshot: start main OS encryption) To encrypt the system disk enter the command below.  I put a recovery key on the backup disk (which is encrypted) and the startup key onto another disk to enable system start up.

For the system to start up it will need an unencrypted file system holding the startup key.  You can either put this onto the S: drive, which is less secure because anyone who removes the boot disk gets all the encryption keys with it, or, if you want your system to be more secure, put it onto a removable USB drive.
If your only desire was to encrypt the backups and have them automatically available when plugged into the server, then the S: drive is fine.  If you want greater overall security then use the removable key method.  Note that the USB key will then be required for every reboot, so automatic updates could leave the server sitting at the startup key prompt.
Leaving the removable media in the system defeats the purpose: any would-be thief who takes the server still has the means to decrypt it.

The command you need is:
cscript manage-bde.wsf -on C: -recoverykey E: -recoverypassword -startupkey S:

E: is the backup disk I’m backing the recovery key up to and S: is the boot partition the preparation tool created.  Change S: to the removable USB key you will use to reboot the system for greater security.

Once again, make a note of the key security information highlighted in the screen shot.

(Screenshot: enable auto unlock) You can once again see the progress being made by the encryption by using the cscript manage-bde.wsf -status command.
(Screenshot: disable and re-enable backup) Finally, your SBS backup will no longer function correctly, as the S: drive is not included in the backup set but is now a crucial part of the system.  You will need to Disable Backup and re-create it before the backup will work again.

When you are re-creating the backup, when selecting the target device it will claim it is going to format the backup target, but for me it did not and previous backups were still available.
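A pre-reboot check for Option 2 and Option 3, as an added example that is not part of the original post. It confirms that a startup key file exists on the drive you passed to -startupkey, tells you whether that drive is removable (Option 2) or a fixed partition such as S: (Option 3, the less secure choice described above), and lists the protectors on the system drive. It assumes PowerShell is installed, an elevated prompt, and that BitLocker writes the startup key as a hidden .BEK file in the root of the drive; the drive letters are placeholders.

```powershell
# Added example, not the post's own script: sanity checks before the first reboot after
# encrypting the system disk. Assumptions: PowerShell installed, elevated prompt, the
# startup key is a hidden .BEK in the root of the drive given to -startupkey.
param(
    [string]$StartupKeyDrive = "S:",   # the drive passed to -startupkey (S: or a USB key)
    [string]$SystemDrive     = "C:"
)

$manageBde = Join-Path $env:SystemRoot "System32\manage-bde.wsf"

function Get-StartupKeyFiles {
    # The .BEK files are hidden, so -Force is needed to see them.
    param([string]$Drive)
    Get-ChildItem -Path ($Drive + "\") -Filter *.bek -Force -ErrorAction SilentlyContinue
}

function Test-KeyDriveIsRemovable {
    # Win32_LogicalDisk.DriveType: 2 = removable disk, 3 = local fixed disk.
    param([string]$Drive)
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'"
    return ($disk -ne $null -and $disk.DriveType -eq 2)
}

# 1. Is there a startup key where the boot loader will look for it?
$keys = @(Get-StartupKeyFiles $StartupKeyDrive)
if ($keys.Count -eq 0) {
    Write-Warning "No .BEK startup key found on $StartupKeyDrive. Do not reboot until manage-bde has written one, or the server will stop at recovery."
} else {
    $keys | ForEach-Object { Write-Host "Startup key present: $($_.FullName)" }
}

# 2. Which of the post's options does this key placement actually give you?
if (Test-KeyDriveIsRemovable $StartupKeyDrive) {
    Write-Host "$StartupKeyDrive is removable (Option 2): unplug it after boot; it is needed for every restart, including update reboots."
} else {
    Write-Warning "$StartupKeyDrive is a fixed disk (Option 3): whoever takes the server's disks also takes the key that unlocks $SystemDrive."
}

# 3. Record the protectors on the system drive (recovery password, external key, etc.).
& cscript.exe //nologo $manageBde -protectors -get $SystemDrive
```

Run this after the cscript manage-bde.wsf -on C: ... -startupkey command has finished and before Restart, while the numeric recovery password is still on screen; if the key file is missing, the recovery password is the only way back in.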

This whole process took a while as I had in total about 100GB to encrypt, between the system disk and backups, but I now have secure backups.

 

Thanks
David