Windows Server 2016 BitLocker, caveats, downsides?

Asked by Member_2_6428635:
BitLocker with windows server 2016

1. what are the hardware/software requirements?

2. what are the caveats with BitLocker?

3. what are the downsides with BitLocker? What is the performance impact and other downsides?

4. what happens if the TPM chip and USB BitLocker startup keys are not working? Am I able to use the password method to unlock the system?

5. If the server is housed in a secured server location, is it still necessary to use BitLocker? Do I still benefit from BitLocker if the server is in a secure location?

Exec Consultant
Distinguished Expert 2018
1. The integrity check should leverage TPM 1.2 or later. In the event there is no TPM, then save a startup key on a removable device, such as a USB flash drive. The TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment. See more requirements here.

2. Caveats - Dynamic disks are not supported by BL. Two partitions are required to run BL because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. Note that you need to suspend BL for non-Microsoft software updates, such as:
-Computer manufacturer firmware updates
-TPM firmware updates
-Non-Microsoft application updates that modify boot components
But having to suspend BL also means the data remains encrypted but the BL volume master key is now encrypted by a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. Reduce this exposure and resume from suspension once the upgrade has completed. And, you cannot generate multiple PIN combinations.

A note on backup as a form of recovery - BL keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they are matched with the correct TPM.

3. From Microsoft, generally BL imposes a single-digit percentage performance overhead. Otherwise, you don't really feel the impact of slowness as it decrypts/encrypts on the fly. The performance impact is more on the IO reads/writes, which is already based on your existing hardware. Note that BL does not encrypt and decrypt the entire drive when reading and writing data, so it is not really a significant "on-the-fly" IO operation.

And, BL does not support smart cards for pre-boot authentication. It is also not supported on bootable virtual hard disks (VHDs), but it supports data volume VHDs, such as those used by clusters if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2.

4. In BL, if the TPM and USB startup key fail, the recovery will then have to decrypt a copy of the volume master key using a cryptographic key derived from a recovery password. The TPM and USB key are not involved in any recovery scenarios, so recovery is still possible. So if you lose your recovery information, the BL-protected data will not be unrecoverable.

If the drive is a data drive, you can unlock it from the BitLocker Drive Encryption Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key.

5. You still have internal threats such as 3rd parties. It is a risk-measured approach to have a layer of protection despite the physical security that you have in place. BL is to prevent unauthorised intrusion if the HDD is stolen or lost (intentionally or unintentionally, when in transit or removed for offsite storage or repair, etc.). At least, a malicious user that has physical access to the computer cannot simply start the computer.

Actually, you can find most of the above in this useful Microsoft portal on BL.
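As an added example (not part of btan's answer, and not Microsoft's own code), the PowerShell below ties items 1, 2 and 4 together on a Windows Server 2016 host: it checks the TPM prerequisite, makes sure a recovery password protector exists and is escrowed before boot components are touched, suspends BitLocker for a firmware update with a bounded reboot count so the clear-key exposure is short, and verifies protection is back on afterwards. It assumes an elevated session with the BitLocker and TrustedPlatformModule modules available; the function names, `$OsDrive` and `$RebootsForUpdate` are my own choices, not names from the page.

```powershell
#Requires -RunAsAdministrator
# Added example: BitLocker pre-flight and bounded suspension for a firmware update.
# Assumed values (not from the page): the OS drive letter and the number of reboots
# the out-of-band update needs before BitLocker should re-arm itself.
$OsDrive          = $env:SystemDrive   # usually "C:"
$RebootsForUpdate = 1

# Item 1: BitLocker integrity checks rely on TPM 1.2+; without one a USB startup key is needed.
function Test-BitLockerPrereq {
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        Write-Warning "No TPM detected: plan for a USB startup key protector instead."
        return $false
    }
    if (-not $tpm.TpmReady) {
        Write-Warning "TPM present but not ready (not initialised/owned); fix before relying on it."
        return $false
    }
    return $true
}

# Item 4: the recovery password is the fallback when the TPM or USB key fails,
# so it must exist and be escrowed *before* anything that can change boot measurements.
function Confirm-RecoveryPasswordEscrow {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $recovery) {
        Write-Host "No recovery password protector on $MountPoint; adding one."
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    foreach ($kp in $recovery) {
        try {
            # Escrow to Active Directory; needs the BitLocker recovery schema/GPO in place.
            # On a standalone host record $kp.RecoveryPassword in your offline key store instead.
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
            Write-Host "Recovery protector $($kp.KeyProtectorId) escrowed to AD."
        } catch {
            Write-Warning "AD escrow failed for $($kp.KeyProtectorId): $($_.Exception.Message)"
        }
    }
}

# Item 2: suspend for the firmware / boot-component update. While suspended the volume
# master key is wrapped by a clear key on disk, so -RebootCount bounds the exposure:
# BitLocker re-arms itself after that many restarts even if nobody runs Resume-BitLocker.
function Start-BitLockerUpdateWindow {
    param([string]$MountPoint, [int]$RebootCount)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    "{0}: {1}, protection {2}, {3}% encrypted" -f $vol.MountPoint, $vol.VolumeStatus,
        $vol.ProtectionStatus, $vol.EncryptionPercentage | Write-Host
    if ($vol.ProtectionStatus -eq 'On') {
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
        Write-Host "BitLocker suspended on $MountPoint for $RebootCount reboot(s). Apply the update now."
    } else {
        Write-Warning "Protection on $MountPoint is already $($vol.ProtectionStatus); not suspending."
    }
}

# Run after the update and reboot: confirm protection resumed, and resume explicitly if not.
function Complete-BitLockerUpdateWindow {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "Protection still off on $MountPoint after the update; resuming now."
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }
    return $vol.ProtectionStatus   # expect 'On'
}

# Before the update:
if (Test-BitLockerPrereq) {
    Confirm-RecoveryPasswordEscrow -MountPoint $OsDrive
    Start-BitLockerUpdateWindow -MountPoint $OsDrive -RebootCount $RebootsForUpdate
}
# After the update and reboot, in a fresh elevated session:
# Complete-BitLockerUpdateWindow -MountPoint $OsDrive
```

The point of splitting the script into a "before" and an "after" half is the clear-key window the answer warns about: the suspension is deliberately limited by reboot count, and the post-reboot check exists to catch the case where the firmware update needed more reboots than planned and BitLocker has not re-armed.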
btan, Exec Consultant
Distinguished Expert 2018

For consideration.
