Storing a System Image on a Bitlocker To Go Encrypted Drive
I have used and loved the System Image tool that comes with Windows 7 a few times now. However, it concerns me that the drive that I save my restore image to sits somewhere and is accessible to anyone. The risk here as I see it is that anyone could start up their computer in recovery and restore my image onto their computer, potentially gaining access to my files. So I started researching a way to encrypt the files on this drive and came across Bitlocker, which seems really neat. However, I'm concerned about the logistics of how recovery would work. If I "Bitlocker To Go" encrypt my external drive which holds my system image and my primary hard drive fails, how then do I recover using the system image on a Bitlocker encrypted drive? There seems to be a lot of conjecture as to how Bitlocker works, so what I'm really looking for is for someone to respond from experience. I guess what I'm hoping the response will be is that when I insert the recovery disk and say that I want to restore my computer using a system image found on an external hard drive and identify my Bitlocker To Go encrypted drive, the next step will prompt me to either insert a USB key with my recovery key on it, or type in my recovery key, and then proceed with the restore as usual. Can anyone confirm that this is the case?
October 5th, 2010 6:48pm

This post seems to indicate that recovering from a Bitlockered To Go drive is not possible without first unencrypting it on a different computer: http://social.technet.microsoft.com/Forums/en-US/w7itprogeneral/thread/e924d24e-abb1-49ba-957f-cee24b2af349/ Can anyone confirm this? I think that it's pretty sad if this isn't built-in functionality of the recovery process. One of the foremost reasons to have an external drive is for backup purposes, as referenced by the fact that just about every external hard drive comes with backup software on it from the manufacturer. It seems to me then that it's kind of a glaring problem that you can encrypt the data while it is on your computer; however, if you make a backup you cannot encrypt your backup data in such a way that it is easy to restore?
October 6th, 2010 3:28pm

For anyone who happens to come across this post here is another possible answer to this question as posted from SuperUser. Here the person recommends entering into the Windows PE environment and executing the manage-bde.wsf file, which should unlock the recovery drive, and then going back to the recovery process and using the now unlocked drive. I haven't given this a try yet, but it seems as good a recommendation as any. http://superuser.com/questions/130964/how-can-i-do-a-complete-pc-restore-from-a-bitlocker-encrypted-drive-windows-vist
October 6th, 2010 3:37pm

Well, you seem to have found the answer. Best practices suggest that you need to implement physical security as well. The back-up media should be stored away from the location of the computer in a secure location, i.e. against a fire or theft. This would not require the drive to be bit-lockered.

You cannot create a system image of a locked bit-lockered drive. So, the reverse is true. A system image would need to be on an unlocked drive to use the restore utility. You have found the method by using the command line tool to unlock the removable drive.

I would suggest reading these, which are available by Start > Help and Support also. Choose only the locked drive method and not EFS for the security you wish and to facilitate the ease of use on the removable drive. They are two distinct methods of security.
http://windows.microsoft.com/en-US/windows-vista/Whats-the-difference-between-BitLocker-Drive-Encryption-and-Encrypting-File-System
http://windows.microsoft.com/en-US/windows7/How-do-I-use-the-unlock-options-in-BitLocker-Drive-Encryption

Store the password in all methods in secure locations (written on paper, flash drive). Without it you have no access. This requires physical security also.

Test it first with a second drive. Bit Locker to Go the drive, create the passwords, then attempt to unlock the drive. Take it to another computer, and unlock it. Once you are confident with the process, do it on the actual drive. A flash drive will do for testing. Then explore EFS and the image and recovery process if you wish additional security. Here's a search with relevant topics on EFS: http://windows.microsoft.com/en-US/windows7/search?q=EFS+drive&prd=Windows7

In either case, if it were easy to restore it would not be effective. So, don't rely on conjecture. I am sure I have only touched the surface of these topics. You can see that this feature requires some time to understand and use. Good luck, I hope I've helped you move further along.
October 7th, 2010 8:46am

Alright, I now have a definitive answer for this question since I went ahead and tried it. The short of it is that the restore works exactly like what I was hoping: I inserted the drive and the first thing that the recovery environment prompted me to do was unlock the drive. However, I believe in being complete so here's the long answer.

The setup:
- My work laptop with a 300 GB non-bitlockered drive
- A 2 TB bitlockered external Seagate drive

The Process:
1. I "Bitlocker To Go"'d my external hard drive. It was a 2 TB drive so this process took me about 2 24 days to complete. (Also, just as a reference, I'm pretty sure that Bitlocker To Go differs from regular Bitlocker in the fact that it does not appear to use TPM, because after this process my TPM module is still not initialized, and supposedly the Bitlocker process will initialize TPM if it needs to. See: http://technet.microsoft.com/en-us/library/cc749022%28WS.10%29.aspx and http://technet.microsoft.com/en-us/library/cc766200(WS.10).aspx for more information about Bitlocker and TPM.)
2. I also chose to both print a version of the Bitlocker key as well as copy the key to my USB flash drive so that I would have two ways to unlock the drive should I need to.
3. I unlocked the Bitlocker To Go drive. Because I didn't need the utmost security I actually chose to have the drive automatically unlocked every time I connected it to this computer.
4. I created a Windows 7 system image using the "Backup and Restore" control panel (this process took about 2 hours for 177 GB).
5. Once this process was finished I then created the "System Repair Disc" through the same control panel. It will actually prompt you to create this disc at the completion of the image process.
6. Since this was a work laptop, my company has many of the same laptop with the same specs as mine. I was allowed to borrow one for an afternoon to test the recovery process.
I plugged my Bitlocker To Go drive into the USB port of the new laptop, plugged my USB flash drive into a second USB port, inserted the recovery disc and booted the computer. When the recovery disk finished booting it asked me to verify the keyboard layout, and then the very next prompt was it telling me that it detected a Bitlockered drive attached to the computer. It then asked me if I would like to unlock the drive using a USB Flash drive, or by typing in the key. For whatever reason, I was unable to get the computer to detect my USB Flash drive. I even tried several different boots, plugging it into different USB ports, etc. So, in the end, I chose to type in the pass key that I had printed out in step 2. After this was finished, the drive unlocked perfectly. The recovery disc continued on as usual, the next step was me choosing the image to restore, and where to restore it to. It detected the image on the Bitlockered drive, and began the restore process. I went ahead and restored the entire image just to be thorough (this took about an hour and 15 minutes). At the conclusion of the process I was able to boot up the new laptop and it looked identical to my old laptop. Anyway, hopefully this helps anyone looking for the same type of information. Post in this thread if you have any other questions and I'll answer them if I can.
October 11th, 2010 12:55pm
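The rehearsal the replies above recommend (encrypt a spare drive, keep both the printed recovery password and the .bek key file, lock the volume and prove that each form unlocks it) and the manage-bde unlock that the SuperUser answer points to, put together as one added example script. It is not code from this thread, from Microsoft, or from the SuperUser answer. It assumes Windows 7 or later with manage-bde.exe on the PATH, an elevated PowerShell prompt, English-language manage-bde output, and the placeholder drive letter F: and folder D:\bitlocker-keys chosen here for illustration.

```powershell
# Added example (not from the thread): rehearse BitLocker To Go on a SPARE drive
# before a real system image is trusted to an encrypted volume.
# Assumptions: Windows 7+ with manage-bde.exe, elevated PowerShell, English output,
# and placeholder drive letter / key folder supplied by the reader.
param(
    [string]$TestDrive    = 'F:',               # spare flash drive to encrypt (placeholder)
    [string]$KeyBackupDir = 'D:\bitlocker-keys' # folder OFF the encrypted drive for .bek + password (placeholder)
)

# Run manage-bde and fail loudly, with its own output, on a non-zero exit code.
function Invoke-ManageBde {
    param([string[]]$ArgList)
    $out = & manage-bde.exe @ArgList
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($ArgList -join ' ') failed:`n$($out -join "`n")"
    }
    return $out
}

# Parse "Lock Status:" and "Percentage Encrypted:" out of 'manage-bde -status'.
function Get-VolumeState {
    param([string]$Drive)
    $state = @{ LockStatus = 'Unknown'; PercentEncrypted = 0.0 }
    foreach ($line in (Invoke-ManageBde @('-status', $Drive))) {
        if ($line -match 'Lock Status:\s*(\S+)')             { $state.LockStatus = $Matches[1] }
        if ($line -match 'Percentage Encrypted:\s*([\d.]+)') { $state.PercentEncrypted = [double]$Matches[1] }
    }
    return $state
}

# The 48-digit numerical (recovery) password is listed by '-protectors -get';
# capture it so it can be printed on paper, as the thread advises.
function Get-RecoveryPassword {
    param([string]$Drive)
    foreach ($line in (Invoke-ManageBde @('-protectors', '-get', $Drive))) {
        if ($line -match '(\d{6}(?:-\d{6}){7})') { return $Matches[1] }
    }
    throw "No numerical password protector found on $Drive"
}

New-Item -ItemType Directory -Path $KeyBackupDir -Force | Out-Null

# 1. Turn on BitLocker To Go with three protectors: a password typed at the prompt,
#    a 48-digit recovery password, and an external key (.bek) written to $KeyBackupDir.
#    Windows 7 encrypts the whole volume, which is why the 2 TB drive in the thread took so long.
Invoke-ManageBde @('-on', $TestDrive, '-Password', '-RecoveryPassword', '-RecoveryKey', $KeyBackupDir) | Out-Null

$recoveryPassword = Get-RecoveryPassword $TestDrive
$passwordFile = Join-Path $KeyBackupDir "$($TestDrive.TrimEnd(':'))-recovery-password.txt"
Set-Content -Path $passwordFile -Value $recoveryPassword
Write-Host "Recovery password (print it; never store it on the encrypted drive): $recoveryPassword"

# 2. Wait for encryption to finish before relying on the volume at all.
do {
    Start-Sleep -Seconds 60
    $s = Get-VolumeState $TestDrive
    Write-Host ("Encrypting {0} {1}%" -f $TestDrive, $s.PercentEncrypted)
} while ($s.PercentEncrypted -lt 100)

# 3. Rehearse what the System Repair Disc prompt does: lock the volume, then unlock
#    it with the recovery password, and again with the .bek file, checking state each time.
Invoke-ManageBde @('-lock', $TestDrive, '-ForceDismount') | Out-Null
if ((Get-VolumeState $TestDrive).LockStatus -ne 'Locked') { throw 'Volume did not lock' }

Invoke-ManageBde @('-unlock', $TestDrive, '-RecoveryPassword', $recoveryPassword) | Out-Null
if ((Get-VolumeState $TestDrive).LockStatus -ne 'Unlocked') { throw 'Recovery password did not unlock the volume' }

Invoke-ManageBde @('-lock', $TestDrive, '-ForceDismount') | Out-Null
# The .bek is written as a hidden system file, hence -Force.
$bek = Get-ChildItem -Path $KeyBackupDir -Filter '*.BEK' -Force | Select-Object -First 1
Invoke-ManageBde @('-unlock', $TestDrive, '-RecoveryKey', $bek.FullName) | Out-Null
if ((Get-VolumeState $TestDrive).LockStatus -ne 'Unlocked') { throw '.bek file did not unlock the volume' }

Write-Host "Both recovery paths work on $TestDrive; repeat step 3 on a second computer before trusting it."

# In the repair environment the same unlock applies from its Command Prompt if the
# graphical prompt does not appear (drive letter may differ there), e.g.
#   manage-bde -unlock E: -RecoveryPassword 123456-...      (Windows 7 WinRE)
#   cscript manage-bde.wsf -unlock E: -rp 123456-...         (Vista-era WinRE, per the SuperUser answer)
# After the volume is unlocked, return to "Restore your computer using a system image".
```

The script deliberately exercises both recovery forms separately: the thread shows that the USB key path can fail for hardware reasons (the flash drive was not detected in the repair environment), so the printed 48-digit password is the path that must be proven to work. Enabling automatic unlock on the home computer, as the poster did, is a convenience only; it does not help on a replacement machine, which is exactly the case the rehearsal covers.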

Thanks for the well written post. I am sure it will help someone. As for the flash drive, some laptops will only use a USB port as a boot option; on other models, USB emulation or something similar needs to be enabled for a USB port to work from the BIOS, and on older models it won't. That's why you write down the password\key, too. Also, the TPM may need to be enabled in the BIOS. Anyway, thanks again.
October 11th, 2010 2:08pm

Thanks much. Can you tell me which type your external drive is using? A basic disk (which format? NTFS, FAT32 or ?) or a dynamic disk (simple volume?)? Rgds
November 26th, 2010 4:38am

Yeah, I was using a regular USB 2.0 External Seagate Go-Flex drive (http://www.seagate.com/www/en-us/products/external/external-hard-drive/desktop-hard-drive) using a simple volume (I've never played with Windows' dynamic disks) with NTFS.
November 29th, 2010 12:15pm
