SBS 2011 Encrypted Backups to USB
Backups need to be stored offsite, and a disk that leaves the building can be lost or stolen, so it’s important that they are encrypted. We used an article (How to encrypt backups and optionally the system disks on Windows Server 2008 and SBS 2008 and Windows Vista too) to create a procedure we apply at all of the sites where we manage the backups. The following is a rough guide which we’ll flesh out in time.
- Configure your backup as normal, adding the disks before encrypting them. It’s important to add each disk to the backup before encrypting it, because adding a disk as a backup target wipes the device.
- Add the BitLocker feature
- Use Disk Management to give the external USB drive a letter and note that letter; we’ve used F: in our example.
- Run the following command to encrypt the drive, saving the recovery key (a .BEK file) and the recovery password to a subfolder on your C: drive. We’ve used FIT as an abbreviation of the client’s name (Focused IT) and created a subfolder for each disk, so disk 001’s key material goes in C:\FITBM\FITBM001. The -RecoveryPassword option prints the 48-digit password to the screen, so the redirection captures it into Password.txt.
manage-bde -on F: -RecoveryKey C:\FITBM\FITBM001 -RecoveryPassword > C:\FITBM\FITBM001\Password.txt
- Create an unlock batch file containing the following command for each drive. We’ve used 12345678-1234-1234-1234-123456789012.BEK as an example key file name; use whatever manage-bde saved earlier (the file is named after the GUID of the recovery key protector). If you’ve got 10 disks this batch file will contain a line for each disk; only the line whose key belongs to the attached disk will succeed, the others will simply report an error and move on.
manage-bde -unlock F: -RecoveryKey C:\FITBM\FITBM001\12345678-1234-1234-1234-123456789012.BEK
- Create a scheduled task that runs the unlock batch file with the following triggers:
- Daily – at 22:55 every day (5 minutes before the backup)
- At startup – At system startup
- On an event – Log: System, Source: Server Agents, Event ID: 1182 (This is a HP Server Agent event to indicate when a drive is plugged in)
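Here is the encrypt and unlock procedure above collected into one script. This is an added example, not the batch file from the original post. It assumes the folder layout C:\FITBM\<DiskName>\ used in the paths above and that the USB backup disk always mounts as the same drive letter (F: in the post); both are assumptions of the example. It adds two things the ten-line batch file lacks: it does nothing when the disk is already unlocked, and it tries every stored .BEK until one works, so a single script serves every disk.

```batch
@echo off
rem bitlocker-backup.cmd -- added example, not the batch file from the original post.
rem Wraps the encrypt and unlock steps so that one script serves every backup disk.
rem Assumptions (not stated in the post): keys live under C:\FITBM\<DiskName>\ and the
rem USB backup disk always receives the same drive letter (F: in the post).
rem   bitlocker-backup.cmd encrypt F: FITBM001   (once per new disk, after adding it to the backup)
rem   bitlocker-backup.cmd unlock  F:            (from the scheduled task)
setlocal EnableDelayedExpansion
set "KEYROOT=C:\FITBM"

if /i "%~1"=="encrypt" goto :encrypt
if /i "%~1"=="unlock"  goto :unlock
goto :usage

:encrypt
set "DRIVE=%~2"
set "DISK=%~3"
if "%DRIVE%"=="" goto :usage
if "%DISK%"=="" goto :usage
if not exist "%KEYROOT%\%DISK%" mkdir "%KEYROOT%\%DISK%"
rem -RecoveryKey drops a <GUID>.BEK file into the folder; -RecoveryPassword prints the
rem 48-digit password to stdout, which the redirection captures into Password.txt.
manage-bde -on %DRIVE% -RecoveryKey "%KEYROOT%\%DISK%" -RecoveryPassword > "%KEYROOT%\%DISK%\Password.txt"
if !errorlevel! neq 0 (
    echo ERROR: encryption of %DRIVE% failed, see "%KEYROOT%\%DISK%\Password.txt" for the manage-bde output >&2
    exit /b 1
)
echo Key material for %DISK% saved in "%KEYROOT%\%DISK%" - copy this folder offsite:
dir /b "%KEYROOT%\%DISK%"
exit /b 0

:unlock
set "DRIVE=%~2"
if "%DRIVE%"=="" goto :usage
rem Nothing to do if the disk is already unlocked. The findstr chain also fails when no
rem disk is attached, in which case the loop below reports that no key worked.
manage-bde -status %DRIVE% 2>nul | findstr /C:"Lock Status:" | findstr /C:"Unlocked" >nul
if !errorlevel! equ 0 (
    echo %DRIVE% is already unlocked
    exit /b 0
)
rem Try every stored .BEK in turn; only the key for the attached disk will succeed, so
rem this replaces the one-line-per-disk batch file and stops at the first success.
for /r "%KEYROOT%" %%K in (*.BEK) do (
    manage-bde -unlock %DRIVE% -RecoveryKey "%%K" >nul 2>&1
    if !errorlevel! equ 0 (
        echo Unlocked %DRIVE% with %%K
        exit /b 0
    )
)
echo ERROR: no stored key unlocked %DRIVE% - is the backup disk attached? >&2
exit /b 1

:usage
echo Usage: %~nx0 encrypt ^<drive:^> ^<diskname^>
echo        %~nx0 unlock  ^<drive:^>
exit /b 2
```

The daily and startup triggers from the list above can be created from the command line, for example `schtasks /Create /TN "Unlock backup disk" /TR "C:\FITBM\bitlocker-backup.cmd unlock F:" /SC DAILY /ST 22:55 /RU SYSTEM` and a second task with `/SC ONSTART`; the HP Server Agents event trigger is added in the Task Scheduler UI exactly as the list describes. Because the script exits 0 when the disk is already unlocked, it is safe to run from all three triggers.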
It’s important to take a copy of the keys and passwords offsite so that you can do a full system restore if needed. Be clear about what this setup protects against: the .BEK files and passwords sit unencrypted on C:, so the encryption guards the backup disk while it is offsite or in transit, not against someone who already has access to the server. Treat the offsite copy of the keys with the same care as the backups themselves and keep it separate from the disks.
During the restore, if you’re not prompted for the password to unlock the drive, you’ll need to open a command prompt and unlock it manually. First work out which drive letter the disk has been given: run DISKPART, then LIST VOL to list the volumes. Then unlock the drive with the following line, substituting the letter you found for F:.
manage-bde -unlock F: -RecoveryPassword 123456-789012-345678-901234-567890-123456
The password is the 48-digit recovery password in the text file you saved earlier, i.e. C:\FITBM\FITBM001\Password.txt, so make sure your offsite copy of the key folder is to hand before starting the restore.