Restoring a bitlocker system volume with Acronis 2014

I had reason to restore my Windows 8 system volume, which is encrypted using Bitlocker. Getting access to my data drive back after that wasn’t quite as straightforward as I had hoped. For reference, and in case others get into this situation, here is what I encountered.

My setup

One system drive, SSD, encrypted using Bitlocker, running Windows 8.1.

One data drive, HDD, encrypted using Bitlocker, set to auto-unlock.

One backup drive, HDD, unencrypted. TrueImage 2014 is set to encrypt the backups themselves. This is crucial: Without an unencrypted backup drive, I couldn’t “get at” my backups when restoring the system drive.

I do not have a TPM module and use a USB stick instead for Bitlocker keys. I do not have Secure Boot enabled, mainly because I upgraded this system from Windows 7, don’t have a Secure Boot compatible GPU, and really don’t feel like re-installing Windows 8 to get the additional boot sector protection of Secure Boot. It’s a neat feature, but convenience wins out.

I keep a copy of my startup key and my recovery keys on a separate USB stick in the safe, and this proved to have been a necessary precaution.

Restore system drive

Restoring the system drive itself was reasonably straightforward. It cannot be done from Acronis within Windows, I had to use a Rescue CD instead. On machines without an optical disk drive, use a Rescue USB stick.

As expected, the system drive was unencrypted after the restore. This is a result of the way Acronis takes sector backups: It is “fed” the unencrypted data by Bitlocker, and so that is what get’s backed up and restored.

Get access to data drive back

I encountered two errors.

First, upon attempting to unlock my data drive, I received an error “Application not found”. The context menu entry to unlock the drive read “unlock-bde”, which points to an issue. This can be resolved by editing the registry, see Microsoft’s KB entry. The automatic fixit didn’t work for me, since my temp directory is on the data drive. Rather than change the location of temp, I just made the necessary two changes in regedit. To unlock the drive, I had to get my recovery key USB stick from the safe. You do have one of those, I’d hope. If not, you might be screwed.

Secondly, upon attempting to set the data drive to auto-unlock, I received an error “data error cyclic redundancy check”. No need to panic, the data is fine: This is a problem with the stored Bitlocker keys. Mark Berry documented the fix back in 2010. I used his updated (2/17/2011) methodology, which is henceforth no longer untested. In a nutshell, enable Bitlocker on the system drive, reboot. While the system drive is encrypting, use manage-bde to get rid of old auto-unlock keys and delete external keys from data volumes, then re-enable auto-unlock. This worked like a charm. Note he uses S: as a sample drive letter of the data volume; replace with whatever drive letter your data volume has.

Lastly, do not forget to copy your startup key and backup your new recovery key for the system volume onto your “oh crap” USB stick, and put it back in the safe where it belongs.

Leave a comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: