With Bitlocker there's no need to decrypt the drive, but it is highly recommended you disable Bitlocker for the volume in question in its settings before making the image; otherwise you'll need to perform a recovery via the recovery key (you did print it out when enabling BitLocker encryption, right?).
Disabling Bitlocker is not the same as decrypting the drive. It instead writes the encryption key used to decrypt the Volume Master Key (the actual key responsible for your drive encryption) in the clear, so no credentials are required to decrypt the Volume Master Key, and by extension the drive. At no time does the Volume Master Key end up unencrypted on the drive; only the key to decrypt the VMK does. Encryption operations continue to take place as normal via the Volume Master Key at the block level.
Microsoft automatically disables BitLocker encryption in this way during OS upgrades so reboots can occur unattended (note: not on Windows Updates, just full OS upgrades such as Win 8 -> 8.1).
After restoring the image, you then re-enable Bitlocker encryption in the settings, which re-keys the encryption for the Volume Master Key to whatever setup is present on the current computer the image was restored to. This overwrites the unencrypted key and the old VMK-encrypted key on disk, making any software data recovery of the old keys likely impossible.
This only opens a very small window of opportunity for an attacker: the time during which the Bitlocker encryption is disabled. Once encryption is re-enabled (and the Volume Master Key written back to the drive under new encryption) there's no longer an avenue of attack. Provided you store the images made on encrypted media as well, this should keep things well locked down.
Theoretically, some type of low level data recovery might be able to restore both the old encrypted Volume Master Key and the unencrypted decryption key for it, but it's highly unlikely without physically obtaining the drive and having a deep understanding of Microsoft's obfuscation methods. Plus the probability diminishes the longer the drive is used. It's still miles safer than completely decrypting the drive.
Even if you forget to do the above, if you have printed out the BitLocker recovery key for the volume, you're still fine. The recovery key is a separate encryption key used for the VMK which is never physically stored on the machine. You're presented with it when initially enabling Bitlocker encryption (it's recommended you always print it out and keep it physically safe) and you can generate a new one later from the BitLocker settings if you happen to lose it. You can recover any BitLocker encrypted volume this way even if you physically moved the drive away from the TPM which was used to encrypt it.
You may need to repair the MBR on the boot drive via a recovery CD or flash drive if your imaging software doesn't restore the MBR as well. To my knowledge, Clonezilla does image the MBR when doing a full disk image.
7th May 2023, 14:24
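The procedure the answer describes (confirm you hold the recovery key, disable protection, image, re-enable protection) maps onto the built-in BitLocker cmdlets; what the Control Panel labels "Suspend protection" is what `Suspend-BitLocker` does. The script below is an added example and is not part of the original post; it assumes an elevated PowerShell session on the machine being imaged and that `C:` is the volume in question (adjust `$MountPoint` as needed).

```powershell
# Added example (not from the original post): suspend BitLocker key protectors
# before imaging and resume them afterwards with the built-in BitLocker cmdlets.
# Run in an elevated PowerShell session. The drive letter is an assumption.
$MountPoint = 'C:'

# 1. Make sure a numerical recovery password protector exists and record it
#    off the machine before touching protection at all.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recovery) {
    # No recovery password yet: add one (this leaves the TPM protector in place).
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}
# Show the 48-digit recovery password so it can be printed and kept somewhere safe.
$recovery | ForEach-Object { "Recovery password for $MountPoint : $($_.RecoveryPassword)" }

# 2. Suspend protection. -RebootCount 0 keeps it suspended until Resume-BitLocker
#    is run, so a reboot during the imaging job does not silently re-arm it.
Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
$status = Get-BitLockerVolume -MountPoint $MountPoint
"Protection status: $($status.ProtectionStatus)  Volume status: $($status.VolumeStatus)"
# Expect ProtectionStatus = Off while VolumeStatus stays FullyEncrypted:
# the data is still encrypted on disk, only the VMK is reachable without credentials.

# 3. Take the disk image here with your imaging tool.

# 4. Resume protection as soon as the image is done (or after restoring it on the
#    target machine). This re-seals the VMK to the protectors on the current machine.
Resume-BitLocker -MountPoint $MountPoint | Out-Null
"Protection status after resume: $((Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus)"
```

Checking `ProtectionStatus` after both steps is the useful part: `Off` together with `FullyEncrypted` is exactly the "disabled but still encrypted" state the answer describes, and seeing `On` again after `Resume-BitLocker` confirms the exposure window has been closed.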