
How-to encrypt backups using Windows 10’s built-in tools

Windows Backup can automatically store your files on a secondary hard drive or, more conveniently for laptop users, on a network attached storage device or server (“NAS”). Whether you’re storing your backups and file revisions on an external or a network drive, you may want to enable encryption. However, there isn’t a simple “Enable encryption” option in Windows Backup like the one found in competing backup systems on other operating systems. Here is how you can achieve fully encrypted backups with Windows Backup.

Windows Backup, or “File History”, is the built-in backup system in Windows 10 that you really should be using. It not only stores the most recent copies of your personal files, but also lets you restore previous versions of them should you need an earlier copy or have accidentally deleted a file.

Setting up Windows Backup can take anywhere from a few minutes to over one hour.

Before proceeding, make sure you meet the following requirements:


  • Either an iSCSI storage drive (preferred), a regular SMB network drive (you probably have this), or an external hard drive.
  • Windows 10 Pro or Enterprise. You can upgrade your Home license to Pro by purchasing a digital upgrade code from Amazon or the Windows Store.
  • Either BitLocker enabled on your system drive, or a willingness to enter your backup drive’s password every time you start your computer.

There are two sets of instructions depending on where you want to store your backup data. If you want to store your backup data on an iSCSI drive or an external hard drive, setting them up with encryption is relatively simple and you should skip straight to step 18. If you’re setting it up on a network attached storage location such as an SMB volume, then continue reading.

Turning a network location into a network drive

The encryption system available in Windows only operates on what is known as the block level of storage. It doesn’t encrypt individual files per se, but rather encrypts the entire storage volume they’re stored on. You don’t need to understand that, but it marks an essential difference between a network location (like SMB or DAV) and a network drive (like iSCSI). Without a disk to work on, you can’t enable encryption on a location in Windows.

To work around this limitation, we’ll set up what is called a virtual hard drive (VHD). In simpler terms, we’ll make a fake hard disk and store that hard disk on the network location. Windows will look at this one big file as a hard drive, and you’ll be able to turn on encryption.

To create such a virtual hard drive, follow these instructions to the letter:

  1. Start Disk Management by searching for “create and format disk partitions” in the Start menu.
  2. Select the C: drive in the volume list. This is inconsequential for anything except activating the menu item we’ll be using next.
  3. Create a virtual hard disk from the Action menu: Create VHD.

If the menu item isn’t available, you don’t have an appropriate edition of Windows; Pro or Enterprise is required. If the option is disabled/greyed out even after selecting an active volume in the volume list, then the processor in your PC is too old for this feature.

  4. In the location field, type in the network path you want to store your backups on. I’ll use the example \\\backups\windows-pc.vhdx in this article.
  5. Set your VHD size to at least a few hundred gigabytes. This should be set no larger than 90% of your available remote storage space, and no smaller than twice the size of the contents of your user’s Home folder in Windows.
  6. Select the VHDX disk format and the Fixed size disk type.
  7. Click OK in the dialog.

In the main window of Disk Management, a new disk will appear at the bottom of the disk list, indicated as a virtual drive by a light blue drive icon. Please note that it will not appear in the volume list, only in the disk list.

  8. Right-click on the new virtual disk (right side narrow panel) and choose Initialize Disk.
  9. Select the GPT partition table, and click OK.
  10. Right-click on the new volume (long panel to the left) and select New Simple Volume.
  11. Accept the defaults in the Simple Volume wizard and choose a drive letter. I’ll use the example H: in this article.
  12. Click Finish.
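The same procedure (steps 4 through 12) can be scripted rather than clicked through. The following is an added example written for this page, not code from the original article; it uses diskpart, which ships with every Windows 10 edition, instead of the Hyper-V module’s New-VHD cmdlet. The share path, image size and drive letter are assumptions; substitute your own, and run it from an elevated PowerShell window.

```powershell
# Added example (not from the original article): create, attach and prepare a
# fixed-size VHDX stored on a network share, mirroring steps 4-12.
# Run from an elevated PowerShell prompt.
$VhdPath     = '\\nas\backups\windows-pc.vhdx'   # assumed UNC path on the NAS
$SizeMB      = 500 * 1024                         # 500 GB fixed-size image (assumed)
$DriveLetter = 'H'                                # same letter as the article's example

# The share must be reachable before diskpart tries to create the file there.
$share = Split-Path -Path $VhdPath -Parent
if (-not (Test-Path -LiteralPath $share)) {
    throw "Network location not reachable: $share"
}

# Step 4-7: a fixed-size VHDX created through diskpart (size is given in MB).
$scriptFile = Join-Path -Path $env:TEMP -ChildPath 'create-vhd.txt'
"create vdisk file=`"$VhdPath`" maximum=$SizeMB type=fixed" |
    Set-Content -Path $scriptFile -Encoding ASCII
diskpart /s $scriptFile | Out-Null
Remove-Item -Path $scriptFile

# Attach the image (what Disk Management does behind the scenes) and find the
# disk object Windows now exposes for it.
Mount-DiskImage -ImagePath $VhdPath | Out-Null
$disk = Get-DiskImage -ImagePath $VhdPath | Get-Disk

# Steps 8-12: GPT partition table, one NTFS volume filling the disk, fixed letter.
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter $DriveLetter | Out-Null
Format-Volume -DriveLetter $DriveLetter -FileSystem NTFS -NewFileSystemLabel 'Backup' -Confirm:$false | Out-Null

# Show the result; the volume should now be listed with the chosen letter.
Get-Volume -DriveLetter $DriveLetter
```

Creating a fixed-size image writes the whole file up front, so the diskpart step takes as long as copying that many gigabytes to the NAS would; the size check against free space on the share (the article’s 90% rule) is left to you.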

The last few steps required to set up the virtual drive are to have the volume automatically mount when you log in to Windows. There are a handful of third-party tools available for automatically mounting virtual drives. Unfortunately, none of them actually support mounting drives stored at network locations. It has something to do with how Windows service workers can’t access the credentials stored in your user account that are required to log in to the network storage location. Instead of relying on these tools, we’ll simply create a shortcut to the volume file and open that every time you log in to Windows.

  13. Open File Explorer and navigate to the network location where you saved your virtual drive. It will appear as a file with the name you gave it.
  14. Right-click on the drive file and choose Create shortcut.
  15. Right-click on the shortcut and choose Cut.
  16. Click to focus the location bar at the top of File Explorer, type in “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup”, and then press Enter.
  17. Right-click anywhere in the folder and choose Paste to move the shortcut to this location.

If you log in to Windows without network access to your network storage disk, you’ll see an error message about a broken shortcut. You can ignore this. If it appears when you are on the same network as your network attached storage disk, repeat steps 13–17. You can deploy Virtual Private Network (VPN) technology to connect into that same network and have access to your backup drive from anywhere in the world.

You now have a virtual hard disk and can proceed with setting up encryption and then turn on Windows Backup.

Encrypting your backup drive with BitLocker

Now that you’ve either created a virtual hard drive or have another equivalent storage type, it’s time to turn on encryption. We’ll use Windows’ built-in encryption tool, BitLocker, to encrypt your backup hard drive. You can use another disk-level encryption tool if you prefer, but it might create issues when used with Windows Backup.

To enable BitLocker on your hard drive, follow these instructions:

  18. Start BitLocker Manager by searching for it in the Start menu.
  19. Click Turn on BitLocker next to the volume you want to store your backup data on.
  20. Enter a unique password and click Next.
  21. Save or, preferably, print your recovery key. You’ll need this if you ever lose the password to your encrypted partition.
  22. Select New encryption mode for the best performance, click Next, and finally click Start encrypting.

This process can take some time: up to several hours if you’re encrypting a large volume over Wi-Fi or legacy USB.

If your system drive is also encrypted with BitLocker, you can choose to unlock the backup volume automatically when you log in to Windows. If your main system drive isn’t BitLocker enabled, you won’t be able to have the drive decrypt automatically when you use your computer.

  23. Click Turn on auto-unlock to automatically unlock the volume once it has been mounted.
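Steps 18 through 23 map directly onto the BitLocker PowerShell cmdlets. The script below is an added example written for this page, not code from the original article. It assumes H: is the backup volume prepared earlier, reads the password from the console rather than storing it in the script, and only attempts auto-unlock when the system drive is itself protected, which is the condition the text describes. Run it from an elevated PowerShell window.

```powershell
# Added example (not from the original article): BitLocker on the backup volume,
# steps 18-23. Run elevated. H: is an assumption; use your own drive letter.
$MountPoint = 'H:'
$Password   = Read-Host -Prompt 'New password for the backup volume' -AsSecureString

# Steps 19, 20 and 22: password protector and XTS-AES 256, the wizard's "new
# encryption mode". Nothing is written to the volume until this completes.
Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password `
                 -EncryptionMethod XtsAes256 | Out-Null

# Step 21: add a recovery password protector and display the 48-digit key so it
# can be printed or stored offline. Without it, a forgotten password means the
# backups are unrecoverable.
$vol      = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$recovery = ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).RecoveryPassword
Write-Host "Recovery key for $MountPoint (record it somewhere safe, not on this machine): $recovery"

# Encrypting a large volume over the network takes a while; poll until it is done.
do {
    Start-Sleep -Seconds 30
    $status = (Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus
    Write-Host "Volume status: $status"
} while ($status -eq 'EncryptionInProgress')

# Step 23: auto-unlock stores the volume key under the OS drive's protection, so
# it is only offered when the system drive is BitLocker-protected.
$osDrive = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($osDrive.ProtectionStatus -eq 'On') {
    Enable-BitLockerAutoUnlock -MountPoint $MountPoint
} else {
    Write-Warning 'System drive is not BitLocker-protected; the backup volume password will be requested at each login.'
}

# Final state: ProtectionStatus should read On and LockStatus Unlocked.
Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, VolumeStatus, ProtectionStatus, LockStatus
```

Keep the recovery key output of this script out of the backup volume itself and off the machine being backed up; a key stored next to the data it protects defeats the purpose of the exercise.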

If you’re unable to enable automatic unlocking of the BitLocker volume, you’ll be asked to provide your backup volume’s password when you log in to Windows if you followed steps 13–17. If you skipped that part because you’re backing up to an iSCSI or external drive, you can go back and follow those steps but perform them with your volume as the source file.
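The Startup-folder shortcut from steps 13–17 and the password prompt described just above can be replaced by one logon script. The following is an added example written for this page, not code from the original article. It assumes the same VHDX path and drive letter as the earlier examples, and that it runs as the logged-in user (so the network credentials stored in that account are available, which is the limitation the article notes for service-based tools). Save it as mount-backup.ps1 and point a Startup-folder shortcut at `powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\path\to\mount-backup.ps1"`, where that path is a placeholder.

```powershell
# Added example (not from the original article): mount the backup VHDX at logon and
# unlock it when BitLocker auto-unlock is unavailable. Path and letter are assumptions.
$VhdPath    = '\\nas\backups\windows-pc.vhdx'
$MountPoint = 'H:'

# Away from the home network the share is unreachable; exit quietly instead of
# surfacing the broken-shortcut error described in the article.
if (-not (Test-Path -LiteralPath $VhdPath)) {
    Write-Host "Backup location $VhdPath not reachable; skipping mount."
    exit 0
}

# Attach the image only if it is not attached already (a second logon of the day).
$image = Get-DiskImage -ImagePath $VhdPath
if (-not $image.Attached) {
    Mount-DiskImage -ImagePath $VhdPath | Out-Null
}

# Give the volume a moment to appear, then unlock it if BitLocker left it locked,
# i.e. no auto-unlock or the system drive is not encrypted.
Start-Sleep -Seconds 5
$bl = Get-BitLockerVolume -MountPoint $MountPoint
if ($bl.LockStatus -eq 'Locked') {
    $pw = Read-Host -Prompt "BitLocker password for $MountPoint" -AsSecureString
    Unlock-BitLocker -MountPoint $MountPoint -Password $pw | Out-Null
}

# Report the outcome: LockStatus should now read Unlocked.
Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, LockStatus, ProtectionStatus
```

If auto-unlock was enabled in step 23, the `Unlock-BitLocker` branch never runs and the script is silent; otherwise the one prompt it shows is the same password request the article says to expect at login.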

You’ve now got an encrypted volume and are ready to turn on Windows Backup!

Enabling Windows Backup and File History

The last step is to configure Windows to use your encrypted hard disk as the destination where Windows Backup and File History store their data.

  24. Open the Settings app: Update and security: Backup.
  25. Click Add a drive and select your backup destination volume.

The initial backup can take anywhere from minutes to hours depending on how much data you’re backing up. You can review which folders are backed up from the Backup page in the Settings app, or find some additional advanced settings in Control Panel: Updates and Security: File History.

So this is not a perfect method for backing up your valuable user data. The setup is cumbersome and time consuming, and it might not even be fully automatic, which is crucial to ensure frequent and good backup habits. However, it does demonstrate that Windows has all the bits and pieces built in that are required to create a good encrypted backup experience on remote network machines.

The question then becomes: why hasn’t Microsoft made this a nice little three-step process, as with macOS’ Time Machine backup system or GNOME Backup (also known as Déjà Dup)? Not a whole lot would be required to make this setup much more seamless and reliable. It should have been a simple “Enable encryption” option when you enable Windows Backup.

I suspect that the answer to this lies somewhere between these two points:

  • Encryption hasn’t been a priority at Microsoft as they’ve limited the functionality to their Windows Professional customers up until now.
  • Enterprise doesn’t need encrypted backups of their employees’ computers.

Enterprise users really don’t need encrypted backups, as employees would back their data up over a Virtual Private Network (VPN) to a server within their network. It would be undesirable if employees could limit access to their backed up data using readily available encryption.

I believe there is a conflict of interest between Microsoft’s enterprise and home/professional consumer bases. Unfortunately for Windows enthusiasts and end-users, it would seem that the needs of the enterprise consumers — once again — have been placed before the needs of all the other users.
