To increase our data redundancy we are planning to extend our current backup policy with an offsite backup stored somewhere in the cloud.
Therefore we acquired an account with a certain cloud hoster that supports block-level synchronization. The goal is now to synchronize an encrypted vhdx with that hoster. By keeping the incremental backup along with the client supporting block-level synchronization, the daily upload should not be an issue.
However, we have problems encrypting the file using BitLocker:
- the vhdx file is placed on a certain VM, utilizing our local storage pool.
- this VM takes care of the synchronization between the vhdx file and the "cloud".
- this VM exposes the vhdx as an iSCSI disk to our file server.
- the file server is using Windows Backup along with a hard disk (also on the pool) that is dedicated for backups, and we want to add a second backup target: the vhdx connected through iSCSI.
If we mount the iSCSI disk on the file server and give it a drive letter, we could easily enable BitLocker. However, like that we cannot use it as a second backup target, because this only works with disks dedicated for backups.
If we add the iSCSI target as a dedicated disk for backups, Windows Backup will format the volume, thereby disabling BitLocker.
We have tried to enable BitLocker afterwards by using the volume GUID instead of the (non-existing) drive letter, but BitLocker refuses to work like that...
    manage-bde -Status \\?\Volume{9a9330de-c326-11e3-80c1-aaaaaa007409}\

yields the error message

    BitLocker Drive Encryption: Configuration Tool version 6.3.9600
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.

    ERROR: The volume \\?\Volume{9a9330de-c326-11e3-80c1-aaaaaa007409}\ could not be opened by BitLocker. This may be because the volume does not exist, or because it is not a valid BitLocker volume.
So currently, what we can (theoretically) do to achieve our goal is:
- Mount the iSCSI disk on the file server, assign it a letter, and encrypt it. (Thereby this container will be synchronized to the cloud in encrypted form.)
- Create another vhdx inside the disk located on the iSCSI target, and connect this inner disk as a disk dedicated for backups.
Windows Backup would now write unencrypted data to the inner vhdx. This data will be written encrypted to the iSCSI target (the outer vhdx), which is then synchronized with the cloud.
While this could work, isn't there a better way to perform this? Like telling Windows Backup to write encrypted data, or encrypting the *content* of the virtual disk on the iSCSI target rather than on the iSCSI initiator?
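The two-step workaround described above (BitLocker on the outer iSCSI volume, inner vhdx handed to Windows Server Backup), written out as an added PowerShell example for the file server; this is not code from the original post. The portal address, drive letter E:, inner vhdx path/size and the backed-up volume C: are placeholders, and the script assumes the iSCSI Initiator, BitLocker, Hyper-V PowerShell (for New-VHD) and Windows Server Backup features are installed. The important check is that the script refuses to create the inner vhdx until the outer volume is fully encrypted with protection on, so nothing ever reaches the cloud-synced container in clear.

```powershell
# Added example, not the original poster's code. Placeholder values below.
$Portal    = "192.0.2.10"              # placeholder: VM that exposes the outer vhdx over iSCSI
$Letter    = "E"                       # drive letter for the outer (iSCSI) volume
$InnerVhdx = "${Letter}:\backup-inner.vhdx"
$InnerSize = 500GB
$mp        = "${Letter}:"

# 1. Connect the iSCSI target persistently and prepare the outer disk once.
New-IscsiTargetPortal -TargetPortalAddress $Portal | Out-Null
Get-IscsiTarget | Where-Object { -not $_.IsConnected } |
    Connect-IscsiTarget -IsPersistent $true | Out-Null
$outer = Get-Disk | Where-Object { $_.BusType -eq "iSCSI" } | Select-Object -First 1
if ($outer.PartitionStyle -eq "RAW") {
    Initialize-Disk -Number $outer.Number -PartitionStyle GPT
    New-Partition -DiskNumber $outer.Number -UseMaximumSize -DriveLetter $Letter |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel "OffsiteBackup" -Confirm:$false | Out-Null
}

# 2. Encrypt the outer volume BEFORE any backup data is written to it.
#    The recovery password is printed once; store it offline, not on this server.
$blv = Get-BitLockerVolume -MountPoint $mp
if ($blv.VolumeStatus -eq "FullyDecrypted") {
    Enable-BitLocker -MountPoint $mp -EncryptionMethod XtsAes256 `
        -RecoveryPasswordProtector -UsedSpaceOnly | Out-Null
    Enable-BitLockerAutoUnlock -MountPoint $mp     # needs a protected OS volume on the file server
    (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
        Where-Object KeyProtectorType -eq "RecoveryPassword" | Select-Object RecoveryPassword
}
# Wait until encryption has finished; ProtectionStatus only turns On afterwards.
while ((Get-BitLockerVolume -MountPoint $mp).VolumeStatus -ne "FullyEncrypted") { Start-Sleep 10 }
if ((Get-BitLockerVolume -MountPoint $mp).ProtectionStatus -ne "On") {
    throw "Outer volume $mp is not protected; refusing to place backups on it."
}

# 3. Create the inner vhdx on the encrypted volume and attach it as a disk.
if (-not (Test-Path $InnerVhdx)) { New-VHD -Path $InnerVhdx -SizeBytes $InnerSize -Dynamic | Out-Null }
Mount-DiskImage -ImagePath $InnerVhdx | Out-Null
$inner = Get-DiskImage -ImagePath $InnerVhdx | Get-Disk
if ($inner.PartitionStyle -eq "RAW") { Initialize-Disk -Number $inner.Number -PartitionStyle GPT }

# 4. Register the inner disk as a dedicated backup target (Windows Server Backup formats it).
$policy = New-WBPolicy
Add-WBVolume -Policy $policy -Volume (Get-WBVolume -VolumePath "C:")
$wbDisk = Get-WBDisk | Where-Object { $_.DiskNumber -eq $inner.Number }
Add-WBBackupTarget -Policy $policy -Target (New-WBBackupTarget -Disk $wbDisk) -Force
Set-WBSchedule -Policy $policy -Schedule 21:00
Set-WBPolicy -Policy $policy -Force
```

Mount-DiskImage does not survive a reboot, so steps 2 (the protection check) and 3 need to be re-run from a startup scheduled task before the nightly backup, otherwise the job will simply fail for a missing target.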