
Disk Encryption and Image for Windows

This article provides general information on how Image for Windows and PHYLock handle disk encryption. If you are using BitLocker or VeraCrypt/TrueCrypt please refer to the appropriate article linked below. Note that it may be helpful to read through these articles even if not using VeraCrypt/TrueCrypt or BitLocker to have a better understanding of how disk encryption affects imaging.

Depending on how the encryption program is installed and how it functions, it may be possible to back up some partitions in the decrypted state using Image for Windows from within Windows. For example, you may be able to back up the Windows partition in the decrypted state but not separate data partitions, which may be seen as RAW. If the encryption program supports VSS, you may be able to use VSS instead of PHYLock to create backups in the decrypted state (BitLocker is an example of this).

In many cases, the encryption driver is installed to UpperFilters. This driver is required to provide on-the-fly encryption and decryption of the system partition or system drive. It is installed to the UpperFilters list of the DiskDrive class (GUID 4D36E967-E325-11CE-BFC1-08002BE10318). The driver is usually inserted at the beginning of the list, before any existing entries.

The list of UpperFilters drivers can be found at the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}

A standard Windows installation may only have PartMgr listed. In this case, after system encryption is enabled, UpperFilters may be (encryptiondriver is used here as an example; the actual name is the encryption product's driver service name): encryptiondriver PartMgr

The order of the UpperFilters list is especially important when PHYLock is installed because it affects whether or not PHYLock sees encrypted or decrypted data.

Image for Windows can be installed either before or after system encryption is enabled. By default, the PHYLock driver (used by Image for Windows to image live partitions) is installed to the UpperFilters of the DiskDrive class just before PartMgr. This means that the placement of PHYLock in the list of drivers does not change depending on the existence of the encryption driver. For example, on a typical VeraCrypt system, UpperFilters would be: veracrypt phylock PartMgr

With PHYLock listed before the encryption driver, Image for Windows will back up encrypted data because the data has not yet been decrypted by the encryption driver. This has a profound effect on how Image for Windows functions. This type of system will be referred to as PHYLock 1st. Note that when configured this way, Image for Windows in Windows sees the drive the same as it would outside Windows (e.g. from TBWinPE/RE) — the same as Image for Linux or Image for DOS.

With PHYLock listed after the encryption driver, Image for Windows will back up decrypted data because the encryption driver has decrypted it before PHYLock sees it. In most aspects, a backup of this type is the same as a normal backup where encryption is not involved. This type of system will be referred to as PHYLock 2nd.

Comparison of the PHYLock 1st and PHYLock 2nd Methods

File System
  PHYLock 1st: The file system cannot be seen, so all sectors must be included in the backup.
  PHYLock 2nd: Used sectors can be backed up because the file system can be seen.

File Exclusion
  PHYLock 1st: Not possible.
  PHYLock 2nd: Paging and hibernation files can be excluded.

Compression
  PHYLock 1st: None (encrypted data does not compress).
  PHYLock 2nd: Functions normally.

PHYLock
  PHYLock 1st: PHYLock may fail to cache all changes to the drive.
  PHYLock 2nd: Functions normally.

Image Size
  PHYLock 1st: The size of the partition/drive being backed up.
  PHYLock 2nd: Equivalent to an image taken if encryption was not used.

Time Required
  PHYLock 1st: Greatly increased.
  PHYLock 2nd: Normal.

Backing up from Windows — PHYLock 1st

The PHYLock 1st method of backing up from Windows allows the system-encrypted partitions to be backed up in their encrypted state (similarly to backing up outside Windows). Since this is not the default method, using it requires manually changing the order of the encryptiondriver and phylock drivers in the UpperFilters of the DiskDrive class.

Proceed as follows to modify the UpperFilters value:

  • Start the Registry Editor (regedit.exe) with administrative privileges; values under HKEY_LOCAL_MACHINE cannot be modified otherwise.
  • Browse to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}
  • Right-click on the UpperFilters value and select Modify... from the context menu.
  • The drivers will be listed one per line. Edit the list so that phylock appears before encryptiondriver. This can be done using cut & paste or by typing.
    Important: Do not change the order of any other drivers in the list. Do not remove any drivers from the list. Making any incorrect or invalid changes will very likely cause Windows to fail during boot-up with a BSOD. Exporting the key (File > Export) before editing gives you a copy of the original list to put back if that happens.
  • Click OK to save the changes. Make sure the list is shown correctly in the display.
  • Close the Registry Editor.
  • Restart Windows; the new filter order takes effect on the next boot.

A before and after example of a typical system is shown below (the UpperFilters value, one driver per line in the Registry Editor):

  UpperFilters (before): encryptiondriver phylock PartMgr
  UpperFilters (after):  phylock encryptiondriver PartMgr
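The same reordering can be scripted, which makes the two rules above (never drop a driver, never move anything but phylock and the encryption driver) mechanically checkable before the value is written. The following is an added example and is not code from Image for Windows or PHYLock; it assumes the driver service names "phylock" and "veracrypt" (the article's "encryptiondriver" is a placeholder, so set ENCRYPTION_DRIVER to whatever your system actually lists), and the registry read/write helpers only work on Windows from an elevated prompt.

```python
"""Inspect and reorder the DiskDrive-class UpperFilters list that decides
whether PHYLock sees encrypted (PHYLock 1st) or decrypted (PHYLock 2nd) data.

Added example, not TeraByte code. Assumptions: driver service names
"phylock" and "veracrypt" (the article's "encryptiondriver" placeholder);
writing the value requires an elevated prompt and a reboot to take effect.
"""
import sys

DISKDRIVE_CLASS = (r"SYSTEM\CurrentControlSet\Control\Class"
                   r"\{4D36E967-E325-11CE-BFC1-08002BE10318}")
PHYLOCK = "phylock"
ENCRYPTION_DRIVER = "veracrypt"   # assumption; see module docstring


def classify(filters, phylock=PHYLOCK, encdriver=ENCRYPTION_DRIVER):
    """Name the configuration implied by the filter order.

    'phylock-1st'    -> PHYLock precedes the encryption driver: sees ciphertext
    'phylock-2nd'    -> encryption driver precedes PHYLock: sees plaintext
    'not-applicable' -> one or both drivers are absent from the list
    """
    lower = [f.lower() for f in filters]
    if phylock.lower() not in lower or encdriver.lower() not in lower:
        return "not-applicable"
    if lower.index(phylock.lower()) < lower.index(encdriver.lower()):
        return "phylock-1st"
    return "phylock-2nd"


def others_unchanged(before, after, a, b):
    """True if 'after' keeps every entry of 'before' and leaves all entries
    other than a and b in their original relative order (the article's rule:
    never drop a driver, never reorder anything but these two)."""
    if sorted(x.lower() for x in before) != sorted(x.lower() for x in after):
        return False
    skip = {a.lower(), b.lower()}
    return ([x for x in before if x.lower() not in skip]
            == [x for x in after if x.lower() not in skip])


def reorder(filters, want, phylock=PHYLOCK, encdriver=ENCRYPTION_DRIVER):
    """Return a copy of 'filters' arranged for 'want' (a classify() result).

    Only the two named drivers trade places; every other entry keeps its slot.
    ValueError is raised rather than returning a list that could leave Windows
    unbootable.
    """
    if want not in ("phylock-1st", "phylock-2nd"):
        raise ValueError(f"unknown target configuration: {want!r}")
    current = classify(filters, phylock, encdriver)
    if current == "not-applicable":
        raise ValueError(f"both {phylock!r} and {encdriver!r} must be listed")
    new = list(filters)
    if current != want:
        lower = [f.lower() for f in new]
        i, j = lower.index(phylock.lower()), lower.index(encdriver.lower())
        new[i], new[j] = new[j], new[i]
    if not others_unchanged(filters, new, phylock, encdriver):
        raise ValueError("refusing to write: other drivers would change")
    return new


def read_upper_filters():
    """Read the REG_MULTI_SZ UpperFilters value from HKLM (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DISKDRIVE_CLASS) as key:
        value, kind = winreg.QueryValueEx(key, "UpperFilters")
    if kind != winreg.REG_MULTI_SZ:
        raise RuntimeError("UpperFilters is not REG_MULTI_SZ; not touching it")
    return value


def write_upper_filters(filters):
    """Write the list back as REG_MULTI_SZ (needs an elevated prompt)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DISKDRIVE_CLASS, 0,
                        winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "UpperFilters", 0, winreg.REG_MULTI_SZ, filters)


if __name__ == "__main__":
    # Usage: phylock_order.py [1st|2nd] [--apply]   (dry run unless --apply)
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    want = "phylock-" + (args[0] if args else "1st")
    current = read_upper_filters()
    print("current: ", current, "=>", classify(current))
    proposed = reorder(current, want)
    print("proposed:", proposed, "=>", classify(proposed))
    if "--apply" in sys.argv and proposed != current:
        write_upper_filters(proposed)
        print("written; restart Windows for the new order to take effect")
```

Run it once without --apply to see the current classification and the proposed list, and only then with --apply from an elevated prompt. Because the two drivers simply swap positions, any driver sitting between them keeps its slot, which is the minimal change that satisfies "phylock before encryptiondriver".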

The option of creating an image in the encrypted state directly from Windows can be appealing for a number of reasons, including that it is easily scheduled and that restoring does not require re-encrypting the drive. However, it is important to understand the potential problems and increased risk involved with this type of backup.

To help prevent PHYLock from failing during the backup, it is recommended to keep disk activity to a minimum. PHYLock has to buffer all changes to the underlying encrypted partition. Excess changes may cause PHYLock to fail. If this happens, the partition is not corrupted or damaged, but the backup image is and will be deleted by default.

A byte-for-byte validation (Validate Byte-for-Byte option) will almost always fail when backing up an encrypted partition from Windows. The failure has the same cause as when backing up unused sectors (Backup Unused Sectors option): the backup may include the cache of changes, and that cache may have changed by the time the backup is complete and the validation runs. If the cached changes have not changed by the time Image for Windows reaches them during validation, the byte-for-byte validation will pass.

PHYLock uses disk space or RAM for its cache (the options for this can be changed in Image for Windows settings). The disk cache does not have to be on the same partition that is being backed up, but it must be on the same physical drive. A backup of an encrypted partition will therefore not cache to the encrypted partition (because it is seen as RAW); it will cache to another location on the same drive, or to RAM if it cannot access the drive. Disk changes are written immediately to the drive and the old data is cached; the cache itself cannot be cached, or it would create a never-ending loop.

In this case, a failed byte-for-byte validation does not necessarily mean the backup image itself is corrupt (however, it will still be deleted by Image for Windows unless the option to keep failed backups is enabled). If you require absolute byte-for-byte validation, the encrypted partition must be unmounted at the time of the backup and PHYLock cannot be used (back up from Image for Linux, Image for DOS, or Image for Windows from TBWinRE/TBWinPE).

Any errors in the backup that are not caught by Image for Windows may render the entire backup corrupt. When restored, the partition may be unmountable, or it may mount but fail to decrypt the data properly. The computer system needs to be able to process the backup from start to finish with 100% accuracy to ensure the validity of this type of backup; since the image is a sector-level copy of ciphertext, a single corrupted block cannot be recognized or repaired at the file level. Marginal systems are very likely to create corrupted images.

It is recommended to create additional backups, either from outside Windows or using the PHYLock 2nd method, and not to rely solely on the PHYLock 1st backups to provide access to your data in the event of a system failure. It is also recommended to create an image of the entire drive instead of the individual partitions, if possible.

Backup images of this type cannot be accessed using TBIView or TBIMount, because the file system inside the image is still encrypted.

Backing up from Windows — PHYLock 2nd

The PHYLock 2nd method of backing up system encrypted partitions from Windows allows Image for Windows to see the partitions normally, in the decrypted state. This is the default method. As when backing up standard unencrypted partitions, Image for Windows is able to apply compression, back up only the used sectors, and exclude the paging and hibernation files. This results in image files the same size as if no encryption were used. In addition, backup images can be viewed using TBIView or mounted using TBIMount, allowing files to be extracted normally.

If encryption is required in the backup image, the Encrypt Data option can be selected to encrypt the image with 256-bit AES encryption (note that you must also specify a password). This option provides an easy way to keep the data being imaged secure while still providing easy access and smaller image sizes. Alternatively, you can save the backup to another mounted encrypted partition.

Restoring Images taken in the Encrypted State

Images created in the encrypted state (either from outside Windows or by using the PHYLock 1st method) cannot be successfully restored while in Windows. These types of restores must be done using Image for Linux, Image for DOS, or Image for Windows in TBWinRE/TBWinPE.

Some types of encrypted partitions cannot be restored to an alternate location. For example, they must be restored to the same sectors on the same drive. When the partition is moved, the encryption program will still look in the original location and decryption will fail.

It may be necessary to use certain restore options to allow the restore to be successful. Be prepared to do thorough testing to determine appropriate options needed or if this type of backup/restore is even feasible.

Restoring Images taken using PHYLock 2nd

An image created using the PHYLock 2nd method contains the decrypted data. Restoring this image will restore the decrypted data (i.e. data is no longer encrypted). Encryption would need to be activated again to encrypt the drive.

When restoring the system drive to the decrypted state, it may be necessary to select the Write Standard MBR Code option and the Update Boot Partition option and/or the Update BOOT.INI option. Some systems may require a boot repair before they will boot successfully into Windows.
