How To Create Encrypted Disk Images on Windows 8 Pro

I regularly perform a backup of my data at home. I bring the backup to work on an external USB hard disk and copy it to a larger disk there, so I have at least two generations offsite. The backup on either disk must be encrypted in a way that ensures that a thief cannot get access to my data. I have tried various backup tools, but I keep returning to a routine that combines a mounted encrypted disk image with a utility that synchronizes select directories. It makes the process of copying the backup time-consuming but very easy.

I have previously used a combination of TrueCrypt and SyncToy. I was made aware that TrueCrypt did not fully support Windows 8 (and it reached end-of-life a year later), so I started looking for alternatives.

I have used the VHD format with Virtual PC in the past. Microsoft improved the technology and renamed the format VHDX. What especially got my attention was native support in Windows 8 and protection against data corruption during power failures. The format does not provide encryption by itself, but encryption can be layered on top with BitLocker, because a mounted VHDX file behaves like a normal disk volume.

This article describes how to set up encrypted disk images using the built-in tools of Windows 8. It does not go into the details of using such an image as a backup destination.

I have attempted to the best of my ability to document exactly what is needed. I cannot make any guarantee as to whether it is correct or works for you.

Overview

A number of preparations need to be done for the first encrypted disk image. First a disk image is created, then BitLocker is configured to use strong encryption, and finally BitLocker encryption is applied. BitLocker encryption can be applied to subsequent disk images without configuring encryption again.

Creating A Disk Image

The "Disk Management" MMC snap-in can be used to create a VHDX file, initialize it, and create a partition.

Use Disk Management to create the disk image:

  1. Run "diskmgmt.msc"
  2. Click the "Action > Create VHD" menu item
    [Screenshot: Create and Attach Virtual Hard Disk]
  3. Select the "VHDX" option as "Virtual hard disk format"
  4. Click the "Browse" button and navigate to where the disk image is to be stored, preferably on a large external hard disk. Enter a filename (such as "backup.vhdx")
  5. Select a unit in the drop-down next to the "Virtual hard disk size" field, and specify the number of MB/GB/TB that the disk image will be able to store
  6. Select a "Virtual hard disk type". Use "Fixed size" for maximum I/O performance when files are backed up, at the cost of allocating the full disk image size from the outset. Use "Dynamically expanding" only if it can be guaranteed that the specified virtual hard disk size can be allocated at all times (such as when the location is used solely for the disk image file)
  7. Click the "OK" button. The disk image will now be created and mounted

Initialize the mounted disk:

  1. Re-run "diskmgmt.msc" if it is not running
  2. Right click the mounted disk image on the left-hand side of the list (it is flagged as "Not initialised"). Select the "Initialise Disk" menu item of the pop-up menu
    [Screenshot: Initialise Disk]
  3. Select "GPT" in the partition style radio group. It is more resilient to corruption than MBR
  4. Click the "OK" button

Create a partition on the disk:

  1. Re-run "diskmgmt.msc" if it is not running
  2. Right click the "Unallocated" area of the mounted disk image on the right-hand side of the list. Select the "New Simple Volume..." menu item of the pop-up menu
  3. Click the "Next" button in the "New Simple Volume Wizard" dialog to start creating a partition
  4. Leave the suggested volume size as-is, so all space is allocated. Click the "Next" button
  5. Leave the suggested drive letter as-is. Click the "Next" button
  6. Leave the "File system" and "Allocation unit size" drop-downs as-is, so NTFS is used with the default allocation unit size
  7. Specify "<filename of disk image (excluding VHDX extension)>-mounted" as "Volume label" (such as "backup-mounted")
  8. Leave the "Perform a quick format" checkbox checked. This ensures that the disk image does not grow to its full size if it was created as "Dynamically expanding" earlier
  9. Optionally check "Enable file and folder compression" if the virtual disk is to store small text documents or similar compressible files, which increases write speeds. It will actually slow down write speeds if only large files, or files that cannot be compressed further, are written
  10. Click the "Next" button
  11. Click the "Finish" button to start formatting
  12. A file explorer window will pop up, showing the empty newly formatted drive. Close the window
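The same create, initialise and format steps can be scripted instead of clicked through. The following PowerShell script is an added example and is not from the original article; it drives the built-in diskpart tool, which is available on Windows 8 Pro without the Hyper-V feature that the New-VHD cmdlet would require. The image path, size, type and volume label are placeholders to be edited, and the script must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the article): create, attach, initialise (GPT)
# and format a VHDX with diskpart, mirroring the Disk Management steps.
# Placeholders (assumptions, not values from the article): path, size, type, label.
param(
    [string]$ImagePath = 'E:\backup.vhdx',           # diskpart picks VHDX from the .vhdx extension
    [int]$SizeMB       = 10240,                      # virtual hard disk size in MB
    [ValidateSet('fixed', 'expandable')]
    [string]$Type      = 'fixed',                    # 'fixed' = Fixed size, 'expandable' = Dynamically expanding
    [string]$Label     = 'backup-mounted'            # "<image name>-mounted" convention from the article
)

# diskpart script: one command per line, same order as the GUI walkthrough.
$diskpartScript = @"
create vdisk file="$ImagePath" maximum=$SizeMB type=$Type
select vdisk file="$ImagePath"
attach vdisk
convert gpt
create partition primary
format fs=ntfs label="$Label" quick
assign
exit
"@

# diskpart reads scripts from a file; it expects a plain ASCII/ANSI file.
$scriptFile = Join-Path $env:TEMP 'create-vhdx.diskpart.txt'
Set-Content -Path $scriptFile -Value $diskpartScript -Encoding ASCII
try {
    diskpart /s $scriptFile
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }
} finally {
    Remove-Item $scriptFile -ErrorAction SilentlyContinue
}
```

"type=fixed" zero-fills the whole file at creation time, so expect the script to take a while for large images; "quick" in the format line corresponds to the "Perform a quick format" checkbox. The ASCII encoding means a non-ASCII image path must be handled separately.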

Configuring BitLocker to use 256-bit AES

BitLocker uses 128-bit AES by default, but the maximum AES key length of 256 bits is also supported. The encryption method must be configured before BitLocker is applied to a disk, because changing the configuration does not affect disks that are already encrypted.

Configure BitLocker encryption:

  1. Run "gpedit.msc"
  2. Navigate to "Computer configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption" using the tree view
  3. Double click "Choose drive encryption method and cipher strength" in the settings list to the right of the tree view
  4. Change the "Select the encryption method" drop down to "AES 256-bit"
  5. Click the OK button
    [Screenshot: Group policy editor with "Choose encryption method and cipher strength"]

Source: How to change the default BitLocker encryption method and cipher strength when using the Enable BitLocker task in ConfigMgr 2007

Applying BitLocker

BitLocker is now configured to use the maximum encryption strength, so applying it is straightforward. It is a good idea to verify the encryption strength after BitLocker has been applied to the first disk.

Apply BitLocker encryption:

  1. Press Windows key + E to run "File Explorer"
  2. Click "Computer" in the left pane
  3. Right click the "Hard Disk Drive" labeled "<filename of disk image (excluding VHDX extension)>-mounted" (such as "backup-mounted"). Select the "Turn BitLocker on" menu item of the pop-up menu
  4. Select a way to unlock the drive. Microsoft recommends a 12-character minimum password length if a password is to be used to unlock the drive
    [Screenshot: Apply BitLocker]
  5. Use at least one of the ways to back up the recovery key. Without it, or the unlocking method (password or smart card, depending on what was selected), there is no practical way to decrypt the data
  6. Click "Start encrypting" when the wizard gets to the end
  7. BitLocker will now encrypt the drive. This should not take long as the drive is empty. Click "Close" in the "BitLocker Drive Encryption" dialog box that pops up when the encryption process is done
    [Screenshot: Encryption of drive is complete]

Source: How Strong Do You Want the BitLocker Protection?

Verify BitLocker encryption:

  1. Press Windows key and enter "cmd"
  2. Right click "Command Prompt" and click "Run as administrator" at the bottom
  3. Enter "manage-bde -status"
    [Screenshot: "manage-bde -status" sample output]
  4. Look for a volume labelled "<filename of disk image (excluding VHDX extension)>-mounted" (such as "backup-mounted"). The "Encryption Method" should be "AES 256"
  5. Close the window

Source: Manage-bde Command-Line Reference
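The "Apply BitLocker encryption" and "Verify BitLocker encryption" steps above have a counterpart in the BitLocker PowerShell module that ships with Windows 8. The following script is an added example and is not part of the original article. It passes the encryption method explicitly, so the volume ends up with AES 256 even on a machine where the group policy from the previous section has not been set, adds a numerical recovery password as a second protector, and then reads back the encryption method, which is the check the "manage-bde -status" step performs by hand. The drive letter is an assumption; run it from an elevated PowerShell prompt after the volume has been formatted.

```powershell
# Added example (not from the article): turn on BitLocker for the mounted VHDX
# volume with AES-256 and verify the result from PowerShell.
# Assumption: the volume created from the disk image was assigned drive letter E:.
$mountPoint = 'E:'

# Prompt for the unlock password instead of hard-coding it in the script.
$password = Read-Host -AsSecureString -Prompt 'BitLocker password (12+ characters recommended)'

# -EncryptionMethod overrides the 128-bit default for this volume regardless of policy.
# -UsedSpaceOnly is fine here because the volume is freshly formatted and empty.
Enable-BitLocker -MountPoint $mountPoint -EncryptionMethod Aes256 `
    -PasswordProtector -Password $password -UsedSpaceOnly

# Add a 48-digit recovery password as a second protector and display it so it can be
# stored somewhere other than the backup disk itself (printed, or saved to a separate file).
$withRecovery = Add-BitLockerKeyProtector -MountPoint $mountPoint -RecoveryPasswordProtector
$withRecovery.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword

# Verify: the same information as the "Encryption Method" line of "manage-bde -status".
$volume = Get-BitLockerVolume -MountPoint $mountPoint
if ($volume.EncryptionMethod -ne 'Aes256') {
    throw "Unexpected encryption method on ${mountPoint}: $($volume.EncryptionMethod)"
}
$volume | Select-Object MountPoint, VolumeStatus, EncryptionMethod, EncryptionPercentage
```

Because the method is given on the command line, this variant does not depend on the gpedit.msc setting; the group policy remains the right tool if the goal is to make AES 256 the default for every volume encrypted through the File Explorer wizard.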

Outro

A VHDX disk image with 256-bit AES encryption is now ready for use. The first disk image required a bit of work, but additional disk images can be created with less hassle, as BitLocker is already configured and there is no need to verify the applied encryption again.