JamesNT
asked on
Configuring Bitlocker
We have a Dell VRTX with two blade servers and shared storage.
All physical hosts and all virtual machines are Windows Server 2012 R2.
The Hyper-V guests are all in a Hyper-V cluster already. We have the quorum, and three CSV's on the VRTX shared storage.
We would like to enable bitlocker for the hosts to encrypt both their OS drives and the CSV drives. The CSV's do NOT have drive letters assigned to them and are mounted under c:\clustersharedstorage for both hosts.
The domain controllers are also guests on the VRTX. We do not have a separate domain controller outside the VRTX.
Can we enable bitlocker on the hosts to be TPM only and save to Active Directory? What would be the best way?
JamesNT
ASKER
I'm not wanting to encrypt the guests, just the physical hosts and their physical drives.
JamesNT
You cannot use bitlocker on the hosts. It must be enabled on the CSVs directly as that's where the data is.
Doing this on existing CSVs can take some time as the entire disk needs to be encrypted offline. It puts a fair load on the SAN, so plan for a slow system during the work.
https://technet.microsoft.com/en-GB/library/dn383585.aspx
ASKER
We actually got this to work by placing the domain controllers on an unencrypted CSV and then by encrypting the host volumes and the other CSVs that contain data. The VM's in the encrypted CSVs were set with a 60 delay for boot.
Note: When I say host volumes I mean the C:\ drives of the host, not the CSVs. From what I see, the TPM unlocks the C: drives, then the HYPERV cluster account can unlock the CSVs once the domain controllers come up.
This survived a reboot and a mock unplanned outage (system is yet to be deployed).
One of our requirements is that the system come up safely without someone having to type in a bunch of codes or have a USB stick ready.
Am I just getting lucky or is this the way it can be done?
JamesNT
That doesn't do anything. The CSVs are mount-points on the C drives, not part of the C drive.
You may have successfully encrypted the Hyper-V hosts' local drives, but that achieves nothing as no data is on them. There is absolutely no advantage in using bitlocker on the hosts as you are encrypting nothing more than a base Windows installation.
Concentrate on the CSVs. That's all you need to encrypt/protect.
ASKER
Steve,
This is starting to make sense so bear with me a bit longer, please.
You are quite correct there is no data on the host C drives. However, to decrypt the CSV's, doesn't the host drive have to decrypt first so the user will not be prompted for an unlock key or USB stick? Or is that only for other fixed drives like a D drive or something?
JamesNT
Nope. The CSV encryption is at a cluster level and is controlled on an AD authentication basis. No passwords or USB keys are required as it's all handled as part of the cluster service. You do not use bitlocker on the 'host' as such, but on the 'cluster'.
This is all managed by PowerShell on (or connected to) one of the Hyper-V nodes (cluster service).
Have a look at this for some extra info.
https://technet.microsoft.com/en-GB/library/dn383585.aspx
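The PowerShell procedure the answer above refers to, as an added example that is not part of this thread or of Microsoft's documentation: it puts an existing CSV into maintenance mode, enables BitLocker on it with a recovery password, adds the cluster's AD computer account (the cluster name object) as the protector the cluster service unlocks with, escrows the recovery password in AD DS, and brings the volume back online. The domain (CONTOSO), cluster name (HVCLUSTER), cluster disk resource name ("Cluster Disk 2") and mount path (C:\ClusterStorage\Volume1) are assumed placeholder values.

```powershell
# Added example, not the thread's or Microsoft's own code.
# Assumed values: domain CONTOSO, cluster name object HVCLUSTER,
# cluster disk resource "Cluster Disk 2", CSV mounted at C:\ClusterStorage\Volume1.
# Run from an elevated PowerShell session on one cluster node with the
# BitLocker and FailoverClusters modules installed.
Import-Module BitLocker
Import-Module FailoverClusters

$DiskResource = 'Cluster Disk 2'               # assumed cluster disk resource name
$MountPoint   = 'C:\ClusterStorage\Volume1'    # assumed CSV mount path (no drive letter needed)
$ClusterCNO   = 'CONTOSO\HVCLUSTER$'           # assumed cluster name object; note the trailing $

# Sanity check: the domain controllers' VMs must live on a CSV that is NOT
# encrypted with this protector, because unlocking needs a reachable DC.
$Resource = Get-ClusterResource -Name $DiskResource -ErrorAction Stop

# 1. Put the CSV into volume maintenance mode. BitLocker cannot encrypt a CSV
#    while it is online in the cluster; move or stop the VMs on it first.
Suspend-ClusterResource -Name $DiskResource -VolumeMaintenanceMode

# 2. Enable BitLocker with a recovery password so the volume can still be
#    recovered if the cluster/AD unlock path is ever unavailable.
Enable-BitLocker -MountPoint $MountPoint -RecoveryPasswordProtector

# 3. Add the cluster name object as an ADAccountOrGroup protector. The cluster
#    service authenticates as this account and unlocks the CSV automatically
#    once a domain controller is reachable, so no PIN or USB key is needed.
Add-BitLockerKeyProtector -MountPoint $MountPoint `
    -ADAccountOrGroupProtector -ADAccountOrGroup $ClusterCNO

# 4. Escrow the recovery password in AD DS (the BitLocker AD backup policy and
#    schema extensions must already be in place in the domain).
$RecoveryProtector = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Backup-BitLockerKeyProtector -MountPoint $MountPoint `
    -KeyProtectorId $RecoveryProtector.KeyProtectorId

# 5. Bring the CSV back online; encryption continues in the background.
Resume-ClusterResource -Name $DiskResource

# Verify: expect both protector types and a VolumeStatus of EncryptionInProgress
# (FullyEncrypted once the pass completes).
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

Repeat steps 1 to 5 for each data CSV. Keep the CSV that hosts the domain controller VMs unencrypted (or protected some other way), since the ADAccountOrGroup protector can only be satisfied after a DC is up; the recovery password escrowed in step 4 is the fallback for unlocking a volume manually from a node that cannot reach the domain.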
ASKER
Gotcha. This is where the ADAccountOrGroup setting/protector comes into play. So, this tells me we are going to have to put the Domain Controllers on an un-encrypted CSV by themselves. Otherwise, the HYPERV account will not be able to get to them since it has to unlock their CSV first but can't since it won't be able to reach them. Classic FULL STOP situation.
JamesNT
ASKER
Steve,
If you find my last comment acceptable and it does not require any further correction, I'll close this question.
JamesNT
ASKER CERTIFIED SOLUTION
ASKER
Thank you very much for all of your time and assistance.
JamesNT
Source: http://www.v-front.de/2014/08/do-you-need-disk-encryption-for-hosted.html