Does that mean I could steal a drive put it in my pc, run a backup and the encryption will be removed from the backup ?
It's kinda hard to understand, but the encryption doesn't really exist for you.
One way to understand this is to consider BitLocker to work like an incredibly durable safe, and inside that safe you have your very important documents. When the safe is locked, the documents can be considered secure from pilfering by anyone but the most determined US government agency (I'm presuming somehow the CIA or DHS or whoever has convinced MS to give them some sort of uber-key, but who really knows?)
You can't make copies of those documents until you unlock and open the safe. In BitLocker terms, you need the keys which are stored in the cryptographic key store embedded physically within the TPM chip on your system board to unlock the disk. However, once the safe is opened / the disk is unlocked, you now have free reign to do what you want with the contents. If your house is on fire, and you've left the safe open, the safe cannot protect your documents from being burnt up. If you've powered your machine and Bitlocker has successfully unlocked the disk with the TPM keys, the data is now available to be accessed by anything. That could be backups, it could be file copies, it could be malware or ransomware, it could be spies from another country. Bitlocker only protects the contents of the drive from attacks which depend on attacking the drive itself from another OS (sideloading the disk onto another PC, or booting your PC with external media.
There are other encryption mechanisms built into Windows, the next layer of which is Encrypting File System (EFS, a feature of modern NTFS which came along in Windows 2000.) In this scenario, the files themselves are encrypted with a user's private certificate, so even if the OS is booted and Bitlocker is now unlocked, the individual user-specific files themselves cannot be read unless the specific user is actively logged in. EFS doesn't encrypt the ENTIRE file system, it only encrypts specific areas such as C:\Users\<username> and similar user-specific sections. This is because encrypting common binaries with a user-specific cert may cause the machine to be unusable, as even the OS itself does not have access to the user's personal keystore (at least, not until the user logs in.)
But yet again, if the OS is booted then Bitlocker is no longer a blocker, and if the specific user is logged in then EFS is no longer a blocker. Again, malware (running in the user's context) could attack literally every piece of data in the user's profile, even those with EFS enabled, because it's acting with that user's encryption certificate. Also, EFS is not available / applicable for network shared storage; it's only local. If you copy an EFS-encrypted file to a network share, the OS will warn you that the file will become decrypted at the other end.
Now, a Windows OS backup solution running in the OS / kernel context can still back up EFS files, they'll just be useless unless you have the user's encryption cert. And along those lines, if you're backing up the ENTIRE PC and all the contents therein, you're getting the user's certificate store as part of the backup. As such, the backups will still contain all the EFS-encrypted files, and would restore them back from whence they came, but still wouldn't necessarily be able to make any sense of the data it had stored.
So, if you're REALLY paranoid about your files, then don't stop at BitLocker. Make sure to use a strong authentication mechanism, use the Encrypted File System for your local files, and perhaps think twice about putting anything you're worried about on a network share (eg NAS.)
www.msdigest.net
