Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1632
  • Last Modified:

MS Exchange 2013 Datastore on Bitlocker Encrypted Volume

Dear EX Community,

I am currently experimenting with MS Exchange 2013 and Bitlocker Drive Encryption (Windows Server 2012 R2). My intention is to put the Exchange Database on an encrypted volume.  I am aware that this does not protect the data when the system is in a running state.  My goal is to protect the data in case one of the hard drives (RAID 1 Array) gets swaped out, since the server is located in an external Data Center.

On the server I have currently 2 partitions:
C: - System Partition (unencrypted)
D: - Data Partition (Bitlocker Encrypted, has to get manually unlocked using a key after every reboot)

Exchange itself I'd install on C: while the Exchange Database would get put on the encrypted D partition.

Now my question is how Exchange will cope at boot time when the Data Partition is not yet unlocked and Exchange can't access the Datastore.  I suppose this will lead into troubles?  How about if I set all Exchange related services to manual startup in order to start the services manually after the D: partition has been unlocked?

I am aware that there is a possibility to automatically unlock the D: partition at boot time but this would require that the System Partition is also encrypted, which is not possible in this scenario since the server doesn't have a TPM-Module and I don't want to enter the key through the KVM-Console when rebooting the server.

Any feedback is highly appreciated.  Thank you very much!
0
MrFortune100
Asked:
MrFortune100
1 Solution
 
MrFortune100Author Commented:
After multiple tests, I can confirm that my suggestion above seems to work well.

After the Exchange 2013 installation I have moved the Mailbox Database to the Bitlocker Encrypted Volume.  Then I have set the following Exchange 2013 Services from Automatic to Manual start up:

Microsoft Exchange Active Directory Topology
Microsoft Exchange Anti-spam Update
Microsoft Exchange Diagnostics
Microsoft Exchange EdgeSync
Microsoft Exchange Frontend Transport
Microsoft Exchange Health Manager
Microsoft Exchange Information Store
Microsoft Exchange Mailbox Assistants
Microsoft Exchange Mailbox Replication
Microsoft Exchange Mailbox Transport Delivery
Microsoft Exchange Mailbox Transport Submission
Microsoft Exchange Replication
Microsoft Exchange RPC Client Access
Microsoft Exchange Search
Microsoft Exchange Search Host Controller
Microsoft Exchange Service Host
Microsoft Exchange Throttling
Microsoft Exchange Transport
Microsoft Exchange Transport Log Search
Microsoft Exchange Unified Messaging
Microsoft Exchange Unified Messaging Call Router

Open in new window


Additionally, I've created a batch file which starts all of these services followed by a IIS-Restart at the end:

net start MSExchangeADTopology
net start MSExchangeAntispamUpdate
net start MSExchangeEdgeSync
net start MSExchangeIS
net start MSExchangeMailboxAssistants
net start MSExchangeMailboxReplication
net start MSExchangeRepl
net start MSExchangeRPC
net start MSExchangeServiceHost
net start MSExchangeThrottling
net start MSExchangeTransport
net start MSExchangeTransportLogSearch
net start MSExchangeFastSearch
net start MSExchangeDelivery
net start MSExchangeFrontEndTransport
net start MSExchangeDiagnostics
net start MSExchangeHM
net start MSExchangeSubmission
net start HostControllerService
net start MSExchangeUM
net start MSExchangeUMCR
IISReset

Open in new window


After a server reboot I manually unlock the Bitlocker Drive and then start Exchange using the bat file. Exchange 2013 seems to run fine, at least I couldn't find any errors in the Event Log. I suppose this scenario is not supported by Microsoft, but it seems to do the trick for my requirements.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now