Jarrod Adams asked:

Bitlocker on multiple partitions server 2008

I am trying to use Bitlocker to encrypt my server 2008. I have successfully unlocked the TPM chip on the motherboard, and enabled the Bitlocker feature. I have only encrypted single partitions with Bitlocker before. This is the first time I'm attempting to encrypt multiple partitions (2) with Bitlocker. I assume the C:\ partition will be easy, like it has been before...print or save the key information and then work much like normal. I'm just not sure what to do about the D:\ partition. Microsoft has a "step-by-step" guide but it's mostly command prompt entries and using EFS...seems more complicated than it needs to be, but I'm game if that's the protocol.
Thanks
ASKER CERTIFIED SOLUTION
David Johnson, CD
This solution is only available to members.
Jarrod Adams

ASKER

I love to read "simply"...
So do I encrypt the C:\ partition first and then when it's done, go ahead and encrypt the D:\ partition? Will the TPM chip hold both encryption keys so that it unlocks automatically when rebooted or starts after a power down or restarts after a semi-forced Windows update?
I'm happy if the C: is encrypted and the key for the D: is held by and read from the C:...just not sure if BitLocker will or is intended to handle this seamlessly?
btan

You need to encrypt the system drive first; then the other data volume can kick in. Specifically, you need two NTFS disk partitions, one for the system volume and one for the operating system volume. The system volume partition must be at least 1.5 gigabytes (GB) and set as the active partition. Note also that the key for each separate data volume is stored in each volume.

Go for the system. EFS is for file encryption while BitLocker is disk/volume encryption. For your case of encrypting another volume besides the default system drive you have done, you should be able to use the GUI to encrypt data volumes. Please see:
Can I use EFS with BitLocker?

Yes, you can use Encrypting File System (EFS) to encrypt files on a BitLocker-protected drive. BitLocker helps protect the entire operating system drive against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. You can also use EFS to encrypt files on other drives that are not encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system drive; therefore, if BitLocker is enabled for the operating system drive, data that is encrypted by EFS on other drives is also indirectly protected by BitLocker.

Will BitLocker encrypt more than just the operating system volume?

BitLocker provides a user interface for the encryption of the entire operating system volume, including Windows system files and the hibernation file. You can optionally use Encrypting File System (EFS) in Windows Vista to protect other volumes. The EFS keys are stored by default in the operating system volume. Therefore, if BitLocker is enabled for the operating system volume, all data that is protected by EFS is also indirectly protected by BitLocker. Additionally, advanced users can encrypt local data volumes using a command-line interface (manage-bde.wsf). In Windows Vista with SP1, after you have encrypted your operating system volume, you can then choose to encrypt additional data volumes through the user interface as an alternative to using the command-line interface.
https://technet.microsoft.com/en-us/library/cc766200(v=ws.10).aspx#BKMK_OS

Using manage-bde for server data volumes
@ https://technet.microsoft.com/en-us/library/cc732725(v=ws.10).aspx#BKMK_S4

Using (only in Windows Vista SP1 and Windows Server 2008 above), encrypt and unlock these data volumes from the BitLocker Control Panel applet @ https://technet.microsoft.com/en-us/magazine/2008.06.bitlocker.aspx
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
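
Added example, not part of the thread or of Microsoft's guide: the command-line route discussed above (manage-bde.wsf on Windows Server 2008), run from an elevated command prompt after C: has finished encrypting. It encrypts D: and turns on automatic unlock so the data volume comes up without a prompt after a reboot. The drive letters, the removable drive `E:\` used for the recovery key file, and the English status text matched by `findstr` are assumptions.

```batch
@echo off
rem Added example: BitLocker on a second (data) volume, Windows Server 2008.
rem Assumptions: D: is the data volume, E:\ is a removable drive that will
rem hold the recovery key file, and manage-bde.wsf prints English output.
setlocal
set BDE=cscript //nologo %SystemRoot%\System32\manage-bde.wsf
set DATAVOL=D:
set KEYDIR=E:\

rem 1. The operating system volume has to be protected first. Stop if its
rem    status does not yet report a completed conversion.
%BDE% -status %SystemDrive% | findstr /C:"Fully Encrypted" >nul
if errorlevel 1 (
    echo %SystemDrive% is not fully encrypted yet. Finish that volume first.
    exit /b 1
)

rem 2. Turn BitLocker on for the data volume with two recovery protectors:
rem    a numerical recovery password, which is printed once and should be
rem    recorded offline, and a recovery key file written to KEYDIR.
%BDE% -on %DATAVOL% -RecoveryPassword -RecoveryKey %KEYDIR%
rem    Assumed: the script returns a nonzero exit code when it fails.
if errorlevel 1 (
    echo Enabling BitLocker on %DATAVOL% failed. See the message above.
    exit /b 1
)

rem 3. Enable automatic unlock, so the data volume is unlocked at boot once
rem    the TPM has released the key for the operating system volume.
%BDE% -autounlock -enable %DATAVOL%

rem 4. List the protectors now on the data volume and show conversion
rem    progress. Encryption continues in the background.
%BDE% -protectors -get %DATAVOL%
%BDE% -status %DATAVOL%
endlocal
```

Keep the recovery password and the recovery key file off the server itself; they are the only way into D: if automatic unlock stops working, for example after the operating system volume is rebuilt.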