JamesNT

Configuring Bitlocker

We have a Dell VRTX with two blade servers and shared storage.

All physical hosts and all virtual machines are Windows Server 2012 R2.

The Hyper-V guests are all in a Hyper-V cluster already.  We have the quorum and three CSVs on the VRTX shared storage.

We would like to enable BitLocker for the hosts to encrypt both their OS drives and the CSV drives.  The CSVs do NOT have drive letters assigned to them and are mounted under c:\clustersharedstorage for both hosts.

The domain controllers are also guests on the VRTX.  We do not have a separate domain controller outside the VRTX.

Can we enable BitLocker on the hosts to be TPM only and save to Active Directory?  What would be the best way?

JamesNT
Jackie Man

The simple answer is NO as there is no virtual TPM yet and the virtualization of the host and the virtual machines has no practical advantages.

Source: http://www.v-front.de/2014/08/do-you-need-disk-encryption-for-hosted.html
JamesNT (ASKER)

I'm not wanting to encrypt the guests, just the physical hosts and their physical drives.

JamesNT
You cannot use BitLocker on the hosts. It must be enabled on the CSVs directly, as that's where the data is.
Doing this on existing CSVs can take some time as the entire disk needs to be encrypted offline. Puts a fair load on the SAN so plan for a slow system during the work.

https://technet.microsoft.com/en-GB/library/dn383585.aspx
JamesNT (ASKER)

We actually got this to work by placing the domain controllers on an unencrypted CSV and then by encrypting the host volumes and the other CSVs that contain data.  The VMs in the encrypted CSVs were set with a 60 delay for boot.

Note:  When I say host volumes I mean the C:\ drives of the host, not the CSVs.  From what I see, the TPM unlocks the c: drives, then the HYPERV cluster account can unlock the CSVs once the domain controllers come up.

This survived a reboot and a mock unplanned outage (system is yet to be deployed).

One of our requirements is that the system come up safely without someone having to type in a bunch of codes or have a USB stick ready.

Am I just getting lucky or is this the way it can be done?

JamesNT
That doesn't do anything. The CSVs are mount-points on the C drives, not part of the C drive.
You may have successfully encrypted the Hyper-V hosts' local drives, but that achieves nothing as no data is on them. There is absolutely no advantage in using BitLocker on the hosts, as you are encrypting nothing more than a base Windows installation.

Concentrate on the CSVs. That's all you need to encrypt/protect.
JamesNT (ASKER)

Steve,

This is starting to make sense so bear with me a bit longer, please.

You are quite correct there is no data on the host C drives.  However, to decrypt the CSVs, doesn't the host drive have to decrypt first so the user will not be prompted for an unlock key or USB stick?  Or is that only for other fixed drives like a D drive or something?

JamesNT
Nope. The CSV encryption is at a cluster level and is controlled on an AD authentication basis. No passwords or USB keys are required, as it's all handled as part of the cluster service. You do not use BitLocker on the 'host' as such, but on the 'cluster'.

This is all managed by PowerShell on (or connected to) one of the Hyper-V nodes (cluster service).

Have a look at this for some extra info.

https://technet.microsoft.com/en-GB/library/dn383585.aspx
JamesNT (ASKER)

Gotcha.  This is where the ADAccountOrGroup setting/protector comes into play.  So, this tells me we are going to have to put the Domain Controllers on an unencrypted CSV by themselves.  Otherwise, the HYPERV account will not be able to get to them, since it has to unlock their CSV first but can't, since it won't be able to reach them.  Classic FULL STOP situation.

JamesNT
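The arrangement worked out in this thread (domain controllers on one CSV that stays unencrypted, the data CSVs unlocked by the cluster's AD computer account rather than by a TPM, recovery information backed up to AD DS) can be scripted with the BitLocker and FailoverClusters PowerShell modules. The following is an added example written for this page; it is not code from the thread or from the linked Microsoft article. The cluster account `CONTOSO\CLUSTER01$`, the `Volume1`/`Volume2`/`Volume3` paths and the choice of which volume hosts the domain controllers are placeholders, and it assumes the BitLocker feature is installed on the node it runs on and that Group Policy already allows recovery information to be stored in AD DS.

```powershell
# Added example, not from the thread or Microsoft's documentation.
# Placeholders: CONTOSO\CLUSTER01$ is the cluster name object (CNO) that the cluster
# service authenticates as; Volume1 hosts the domain controllers and is deliberately
# left unencrypted; Volume2 and Volume3 are the data CSVs to protect.
# Run in an elevated session on one of the cluster nodes.
Import-Module BitLocker
Import-Module FailoverClusters

$ClusterAccount = 'CONTOSO\CLUSTER01$'                                      # placeholder CNO
$DcVolume       = 'C:\ClusterStorage\Volume1'                                # placeholder: DC CSV, stays clear
$DataVolumes    = @('C:\ClusterStorage\Volume2', 'C:\ClusterStorage\Volume3') # placeholders: data CSVs

foreach ($vol in $DataVolumes) {
    # Guard against the "full stop" described above: the CSV the domain controllers
    # live on must never be encrypted, or nothing can authenticate to unlock it.
    if ($vol -ieq $DcVolume) {
        Write-Warning "$vol hosts the domain controllers; skipping."
        continue
    }

    $status = Get-BitLockerVolume -MountPoint $vol
    if ($status.ProtectionStatus -eq 'On') {
        Write-Host "$vol is already protected; nothing to do."
        continue
    }

    # Find the cluster resource behind this mount point and put it into maintenance
    # mode, because encrypting a CSV that is in use is not supported.
    $csv = Get-ClusterSharedVolume | Where-Object {
        $_.SharedVolumeInfo.FriendlyVolumeName -ieq $vol
    }
    if (-not $csv) { throw "No cluster shared volume found for $vol" }
    Suspend-ClusterResource -Name $csv.Name | Out-Null

    try {
        # 1. Add a recovery password and start encryption. This is the only protector
        #    a human would ever type, and it is stored in AD rather than on a USB stick.
        Enable-BitLocker -MountPoint $vol -RecoveryPasswordProtector | Out-Null

        # 2. Add the AD account/group protector for the cluster name object. -Service
        #    lets the cluster service (running as the machine account) unlock the volume
        #    without any interactive prompt once a domain controller is reachable.
        Add-BitLockerKeyProtector -MountPoint $vol `
            -AdAccountOrGroupProtector -AdAccountOrGroup $ClusterAccount -Service | Out-Null

        # 3. Escrow the recovery password in AD DS so an operator can recover the volume
        #    if the cluster account ever cannot unlock it.
        $recovery = (Get-BitLockerVolume -MountPoint $vol).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        foreach ($kp in $recovery) {
            Backup-BitLockerKeyProtector -MountPoint $vol -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
    }
    finally {
        # Bring the CSV back online whether or not the steps above succeeded.
        Resume-ClusterResource -Name $csv.Name | Out-Null
    }
}

# Final check: every CSV except the DC volume should show an AdAccountOrGroup protector.
Get-ClusterSharedVolume | ForEach-Object {
    $path = $_.SharedVolumeInfo.FriendlyVolumeName
    $bl   = Get-BitLockerVolume -MountPoint $path
    [pscustomobject]@{
        Volume     = $path
        Protection = $bl.ProtectionStatus
        Encryption = $bl.VolumeStatus
        Protectors = ($bl.KeyProtector.KeyProtectorType -join ', ')
        HostsDCs   = ($path -ieq $DcVolume)
    }
} | Format-Table -AutoSize
```

Encryption of a large, already-populated CSV continues in the background after the cmdlets return (`VolumeStatus` reports `EncryptionInProgress`), which is the SAN load the earlier reply warns about; the volume is usable once `ProtectionStatus` is `On`. The script refuses to touch the volume marked as hosting the domain controllers so that the unlock chain (cluster service authenticates to a DC, DC is on a readable volume) can never be broken by a mistyped volume list.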
JamesNT (ASKER)

Steve,

If you find my last comment acceptable and it does not require any further correction, I'll close this question.

JamesNT
ASKER CERTIFIED SOLUTION
Steve

JamesNT (ASKER)

Thank you very much for all of your time and assistance.

JamesNT