Restoring a bitlocker system volume with Acronis 2014

March 22, 2014

I had reason to restore my Windows 8 system volume, which is encrypted using Bitlocker. Getting access to my data drive back after that wasn’t quite as straightforward as I had hoped. For reference, and in case others get into this situation, here is what I encountered.

My setup

One system drive, SSD, encrypted using Bitlocker, running Windows 8.1.

One data drive, HDD, encrypted using Bitlocker, set to auto-unlock.

One backup drive, HDD, unencrypted. TrueImage 2014 is set to encrypt the backups themselves. This is crucial: Without an unencrypted backup drive, I couldn’t “get at” my backups when restoring the system drive.

I do not have a TPM module and use a USB stick instead for Bitlocker keys. I do not have Secure Boot enabled, mainly because I upgraded this system from Windows 7, don’t have a Secure Boot compatible GPU, and really don’t feel like re-installing Windows 8 to get the additional boot sector protection of Secure Boot. It’s a neat feature, but convenience wins out.

I keep a copy of my startup key and my recovery keys on a separate USB stick in the safe, and this proved to have been a necessary precaution.

Restore system drive

Restoring the system drive itself was reasonably straightforward. It cannot be done from Acronis within Windows; I had to use a Rescue CD instead. On machines without an optical disk drive, use a Rescue USB stick.

As expected, the system drive was unencrypted after the restore. This is a result of the way Acronis takes sector backups: It is “fed” the unencrypted data by Bitlocker, and so that is what gets backed up and restored.

Get access to data drive back

I encountered two errors.

First, upon attempting to unlock my data drive, I received an error “Application not found”. The context menu entry to unlock the drive read “unlock-bde”, which points to an issue. This can be resolved by editing the registry, see Microsoft’s KB entry. The automatic fixit didn’t work for me, since my temp directory is on the data drive. Rather than change the location of temp, I just made the necessary two changes in regedit. To unlock the drive, I had to get my recovery key USB stick from the safe. You do have one of those, I’d hope. If not, you might be screwed.

Secondly, upon attempting to set the data drive to auto-unlock, I received an error “data error cyclic redundancy check”. No need to panic, the data is fine: This is a problem with the stored Bitlocker keys. Mark Berry documented the fix back in 2010. I used his updated (2/17/2011) methodology, which is henceforth no longer untested. In a nutshell, enable Bitlocker on the system drive, reboot. While the system drive is encrypting, use manage-bde to get rid of old auto-unlock keys and delete external keys from data volumes, then re-enable auto-unlock. This worked like a charm. Note he uses S: as a sample drive letter of the data volume; replace with whatever drive letter your data volume has.

Lastly, do not forget to copy your startup key and backup your new recovery key for the system volume onto your “oh crap” USB stick, and put it back in the safe where it belongs.
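
The auto-unlock repair summarized above, written out as a PowerShell sequence. This is an added example, not code from the original post or from Mark Berry's write-up; the precondition checks and the S: default are assumptions, and it expects an elevated prompt on Windows 8 or later.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Assumes Windows 8 or later, where the
# BitLocker PowerShell module provides Get-BitLockerVolume alongside manage-bde.
param(
    [string]$DataDrive = 'S:'   # sample letter; replace with your data volume
)
$OsDrive = $env:SystemDrive

# Auto-unlock keys for data volumes are stored on the OS volume, so BitLocker must
# already be turned on there. Encryption may still be in progress.
$os = Get-BitLockerVolume -MountPoint $OsDrive
if ($os.VolumeStatus -eq 'FullyDecrypted') {
    throw "Turn on BitLocker for $OsDrive and reboot before repairing auto-unlock."
}

# The data volume has to be unlocked (recovery key), and it must keep a recovery
# password so that a failure in step 3 cannot leave it without a usable protector.
$data = Get-BitLockerVolume -MountPoint $DataDrive
if ($data.LockStatus -ne 'Unlocked') {
    throw "$DataDrive is locked. Unlock it with the recovery key first."
}
$recovery = @($data.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($recovery.Count -eq 0) {
    throw "$DataDrive has no recovery password protector. Add one before deleting keys."
}

# 1. Drop the stale auto-unlock keys left on the restored OS volume.
manage-bde -autounlock -ClearAllKeys $OsDrive
# 2. Delete the old external (auto-unlock) key protectors from the data volume.
#    This removes every ExternalKey protector, including any key file kept on USB.
manage-bde -protectors -delete $DataDrive -Type ExternalKey
# 3. Create a fresh auto-unlock key bound to the current OS volume.
manage-bde -autounlock -enable $DataDrive

# Confirm the result and list the protectors that now need to be backed up.
(Get-BitLockerVolume -MountPoint $DataDrive).AutoUnlockEnabled
manage-bde -protectors -get $OsDrive
manage-bde -protectors -get $DataDrive
```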


Recover Juniper SRX from failed boot

November 13, 2013

I have a Juniper SRX240H in the lab. I decided to load a beta version of JunOS, which brought the unit into a state where it did not successfully boot, and where I could not use the loader> prompt to recover from TFTP.

The symptoms were:

  • During boot, the SRX would experience a fault and enter the db> prompt. I believe this to be a debugger, possibly gdb. “c” will cause it to reboot again.
  • If I enter the loader> prompt, I cannot execute setenv – I get a “stack underflow” error. This means I cannot install JunOS from TFTP.

I may have been able to recover this system using a USB key, but I am remote to my lab: All I have is serial console.

I resolved the issue by entering u-boot instead of the loader. u-boot prompts right after boot, and the loader prompt is shown shortly thereafter. The u-boot prompt is “Press SPACE to abort autoboot in 1 seconds”, and the loader prompt is “Hit [Enter] to boot immediately, or space bar for command prompt.”

In u-boot, I issued this command:

=> getenv

This showed me that boot.current=primary

I changed this to the alternate slice, which still held a working copy of JunOS:

=> setenv boot.current alternate
=> boot

The system came up successfully and warned me that I had booted from the alternate slice, and it rebuilt the primary slice:

***********************************************************************
**                                                                   **
**  WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE      **
**                                                                   **
**  It is possible that the primary copy of JUNOS failed to boot up  **
**  properly, and so this device has booted from the backup copy.    **
**                                                                   **
**  The primary copy will be recovered by auto-snapshot feature now. **
**                                                                   **
***********************************************************************

The auto-snapshot feature that was used here needs to be configured (set system auto-snapshot) and supported by the version of JunOS you’re running.

Lastly, I confirmed that the snapshot had been repaired, then rebooted:

root@SRX-Lab-2> show system snapshot media internal
Information for snapshot on       internal (/dev/da0s1a) (primary)
Creation date: Nov 13 12:53:04 2013
JUNOS version on snapshot:
  junos  : 12.1X44-D20.3-domestic
Information for snapshot on       internal (/dev/da0s2a) (backup)
Creation date: Oct 4 17:13:17 2013
JUNOS version on snapshot:
  junos  : 12.1X44-D20.3-domestic
root@SRX-Lab-2> request system reboot

Final IPv4 allocations; IPv6 readiness test; IPv6 world day

February 3, 2011

Final IPv4 allocations have been made today. Will this galvanize businesses to start moving to IPv6? We’ll see :)

If you’ve been following my “IPv6 at home” series, here’s a neat link to test your IPv6 readiness: http://test-ipv6.com/

Finally, “World IPv6 day” will be on June 8th 2011. Google, Facebook, Yahoo, Akamai and Limelight will turn on IPv6 for 24 hours. Results should be interesting to see. If you’d like to prepare for World IPv6 day today, go on over to their official site.


Compiling 64-bit mpir using VC++ 2008 Express

December 23, 2010

MPIR is a Windows-friendly fork of GMP. It can be used as a direct replacement of GMP. I wanted to have my pycrypto build use _fastmath, and that meant having GMP support.

Building a 64-bit version of MPIR is fully supported in Visual C++ 2010 Express. Not so, alas, for Visual C++ 2008 Express. The MPIR build.vc9 readme flatly states “the Express Edition cannot build 64bit binaries”.

Game over? No Python-compatible MPIR lib?

Luckily, the MPIR devs worked hard and provided command-line tools in build.vc9. Using those, even an Express edition of VC++ 2008 can build 64-bit MPIR binaries.

Preparing to compile:

  • You now also need the Windows SDK so you have the amd64 compiler, which isn’t included in the Express version. This needs to be the Win7 + Net 3.5 SDK, not the Win7 + Net 4.0 SDK. You can find it here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c17ba869-9671-4330-a63e-1fd44e0e2505&displaylang=en, and again download the ISO (the one for amd64 support though!) if nervous it may disappear. Install and make sure you install the “Visual C++ Compilers”.
  • The vcvarsall.bat in VC++ 2008 Express looks for the amd64 vcvars64.bat in all the wrong places. The easiest way to work around that is to navigate to the VC\bin directory of your VC++ 2008 installation (in my case C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\bin). Copy vcvars64.bat, and paste into the VC\bin\amd64 subdirectory. Next, rename VC\bin\amd64\vcvars64.bat to VC\bin\amd64\vcvarsamd64.bat.
  • You need yasm.exe to compile the assembly code in MPIR. Download the 64-bit version of yasm, rename the executable to yasm.exe, and copy it to the VC\bin directory of your VC++ 2008 installation.
  • You need the yasm.rules file. Download the MPIR source tarball, and copy yasm.rules from the build.vc9 directory. It goes into your VCProjectDefaults directory (in my case C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\VCProjectDefaults).
  • If you want to be able to automate the MPIR tests (that’s a really good idea), install Python. Chances are you are doing all this to use MPIR with Python and so it’s already installed. Just saying.

Compiling:

  • From within the build.vc9 directory, run configure. You can specify --cpu-x86_64 if you’d like to build a generic 64-bit library, rather than one specific to your CPU type. You may opt to specify --enable-shared if you want to build a DLL rather than a static library.
  • Run make

Check that the compiled library works correctly:

  • Run make check

Your libraries and include files will be in build.vc9\lib or build.vc9\dll, depending. You can now copy those to your VC\lib (.lib and .pdb files) and VC\include (.h files) directories, respectively. If you are looking to use the library with pycrypto, you’ll also want to copy mpir.lib to your Python installation’s \libs directory, since that is where setup.py will look for it. Well actually setup.py looks for gmp.lib – I’ll leave that as an exercise to the reader.

Additional speed.exe and try.exe utilities:

  • Run make speed
  • Run make try

These will be in build.vc9\x64\Release and build.vc9\try\x64\Release respectively and allow you to measure the speed of the MPIR library and test MPIR functions.


Compiling pycrypto on Win7-64

December 22, 2010

Having had occasion to compile pycrypto 2.3.1 for Win7-64 and Python 2.7.1-64, I’ll share the process, and the result.

TLDR first: Here’s an archive of the compiled pycrypto library. It was built with VC++ 2008 SP1, and assumes you are using the x86-64 version of Python 2.7.x. Unpack this archive into your Python main directory. It’ll end up in Lib/site-packages/Crypto.

Compiling pycrypto on Win7-64 is very straightforward, unless you happen to use Visual Studio Express, not Visual Studio Pro. Compiling with Express takes a couple extra steps, which is what this post is about.

Preparing to compile:

  • Install VC++ 2008 SP1 Express. Needs to be 2008, not 2010 – that goes back to an old tradition that modules need to be compiled with the version that Python was compiled with, which happens to be 2008 right now. The Express version of VC++ 2008 is still available: http://www.microsoft.com/express/Downloads/#2008-Visual-CPP. If you are nervous about whether it will remain available, download the ISO.
  • Python 2.7.1 has a bug where it will get confused with the paths that MS use for Express, which happen to be different than the paths used in Pro, which breaks vcvarsall.bat when attempting to build 64-bit binaries. This is a limitation of VC++ 2008 Express. The Python distutils team offers a work-around. Check the bug at http://bugs.python.org/issue7511 to see whether the issue has been resolved already in your version of Python. If not so, grab the diff attached to that bug report and apply it to your Python main directory using “patch”. The command line for this is “patch -p0 <vcvars4.diff”.
    If you don’t have a copy of “patch” already, the Cygwin default install + patch (not patchutils) will give you patch.

Now you’re ready to compile. This is pretty simple from here on out:

  • pycrypto should be unpacked somewhere other than your Python dir, say c:\temp
  • Then, from within the pycrypto directory, run these commands:
    • python setup.py build -c msvc
    • python setup.py install
    • python setup.py test

In my case, Python 3.1 is actually my registered default version, and I have python 2.7 renamed as python27.exe and pythonw27.exe. The build and install still works fine using python27 to invoke instead of python. Both my Python dirs are in the %path% to make my life easier. No PYTHON* env variables have been set.


ipv6 at home / small office: Verizon FIOS IPv6 trials

April 9, 2010

Verizon FIOS has entered into a month-long IPv6 trial on April 6th. It is a dual-stack trial carried out with Verizon employees in Reston, Virginia. The “custom CPE” that are mentioned in the article reflect the fact that precious few home routers have full, or even partial, IPv6 support at present. With both Verizon and Comcast testing the residential IPv6 waters, I expect router support to come along with them.


Warranty agreements for PC graphics cards

March 25, 2010

This post is to serve as a place for me to keep track of how different graphics card manufacturers handle warranty – in the US, that is, I’m not tracking Europe at all. Next time a graphics card fails on me, I’d like that to be an easy process.

After compiling this, it’s a pretty dismal picture. There are a lot of “original owner only” or “registration required” clauses. Be aware of what warranty is being offered and register if that’s required.

Asus:

3-year from date of manufacture

Asus’ website states that a customer would need to go through the reseller to get any kind of warranty service.

Warranty Page

BFG:

Limited lifetime if registered within 30 days, or 1 year from date of purchase if not registered

Registration within 30 days of purchase required

Original owner only, warranty does not transfer

Warranty Page

Diamond:

3-year warranty according to NewEgg

I had a hard time finding warranty information on their site – take a look around before deciding.

Warranty Page

ECS:

3-year NVidia cards, 1-year all other chipsets

Original invoice required as per web site. My experience is that S/N can be sufficient.

Warranty processing is slow in my experience.

Warranty Page

EVGA:

1-year, 2-year, 3-year and lifetime agreements depending on model

Product needs to be registered 30 days from purchase

Warranty only extends to original purchaser

Warranty Page

Gainward:

1-year, 2-year, 3-year depending on model. Likely from date of manufacture or date of sale to distributor.

No direct warranty to end users, only to distributors, unless the card was bought directly from Gainward, say through their web shop.

Warranty will be voided if S/N sticker falls off, and for the usual technical “tampering” reasons.

Warranty Page

Gigabyte:

3-year from date of manufacture

Direct RMA available

Very speedy response from RMA dept. in my experience

Warranty Page

HIS:

2-year, presumably from date of invoice.

Original invoice required.

Direct RMA available.

Warranty Page

MSI:

2-year parts & labor, 3rd year parts only, from date of manufacture.

Direct RMA available.

Return shipping and handling paid by end user for 3rd-year warranty: US-$ 45.

Warranty Page

PNY:

3-year or lifetime, depending on model; 1-year if not registered

Registration required

Original invoice required, original owner only.

Warranty Page

PowerColor:

2-year from date of invoice

Original invoice required

Original owner only, warranty cannot be transferred.

Warranty Page

Sapphire:

2-year from date of invoice

Original invoice required

Sapphire’s website states that a customer would need to go through the reseller to get any kind of warranty service.

Warranty Page

XFX:

Limited lifetime warranty on graphics cards, or 3-year, depending on model

Warranty period starts from the date of invoice or packing slip

Direct RMA available

Original owner or one subsequent owner only. Subsequent owner needs to register product within 90 days of buying used, using the same ID that original owner used to register the product.

Warranty Page

