Tuesday, October 12, 2010

How to Encrypt a VMware VM Running Windows 2008 R2 with Microsoft BitLocker

A piece of software at work has a HIPAA requirement that the drive be encrypted. No problem, right? We use Microsoft BitLocker on our Windows servers and PCs. In keeping with that, I worked out a way to do so with our VMware virtual machines, but it should work with any type of virtual machine as well.

The Goal: To encrypt Windows 2008 using the built-in Microsoft BitLocker.

The Problem: Since we are working with a virtual machine, there isn't a TPM (Trusted Platform Module) chip. This is normally where BitLocker would store the encryption key.

The Solution: BitLocker can use a USB or floppy drive to store the key when the hardware doesn't have a TPM chip on board. That fact alone doesn't do a lot of good with a VM, because the USB drive would always have to be mounted to the VM. However, we can use that feature to point it instead to a disk volume we create to store the encryption key.

A few details about my environment:
  • VMware ESX 4.1 Hosts
  • VM with Windows 2008 R2 already running and ready to encrypt.
  • Our domain has already been extended to store BitLocker keys (see here for more.)
  • Our GPO policy is that BitLocker requires TPM to back up to AD DS.

First, enable BitLocker on Windows 2008 and 2008 R2 Server. It's a server feature you can enable called “BitLocker Drive Encryption”.

Next we will need a volume to store the encryption key, since our VM doesn't have a TPM chip. Add an additional hard drive to the VM, format it NTFS and mount it. I made mine 100 MB and labeled it “EncryptionKey”. Another method would be to shrink the OS volume by 100 MB and create the volume from the freed-up space; however, this shouldn't be done, as resizing the drive and extending the volume is then prevented. It's better to just create the new virtual hard drive.

After the drive is added, formatted and labeled, open the Run prompt and launch "gpedit.msc". We need to set the Group Policy Object (GPO) settings to enable BitLocker to store the key on a drive instead of the TPM, and to make sure it takes a backup of the key and stores it in AD.


[Screenshot: Local Group Policy being used to edit BitLocker settings]

  1. Click Start, type gpedit.msc in the Start Search box, and then press ENTER.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. In the Local Group Policy Editor console tree, click Local Computer Policy, click Administrative Templates, click Windows Components, and then click BitLocker Drive Encryption.
  4. Double-click the setting Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista).
  5. Click to enable it and check the option to store the BitLocker backup in AD DS.
  6. Next, open the Operating System Drives folder and double-click the setting Require additional authentication at startup.
  7. Check Allow BitLocker without a compatible TPM.

[Screenshot: Store BitLocker recovery information in Active Directory Domain Services]
[Screenshot: BitLocker settings - Require additional authentication at startup]
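
A quick way to confirm the policy from steps 4-7 actually landed before starting the encryption. This is an added example, not part of the original post; it assumes the settings are stored as the ActiveDirectoryBackup, UseAdvancedStartup and EnableBDEWithNoTPM values under HKLM\SOFTWARE\Policies\Microsoft\FVE, and the function name Test-BitLockerPolicy is made up for illustration.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell prompt.
# Assumption: the policy settings from steps 4-7 are stored as these registry
# values under the BitLocker (FVE) policy key.
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

$expected = @{
    'ActiveDirectoryBackup' = 1   # steps 4-5: store recovery information in AD DS
    'UseAdvancedStartup'    = 1   # step 6: require additional authentication at startup
    'EnableBDEWithNoTPM'    = 1   # step 7: allow BitLocker without a compatible TPM
}

function Test-BitLockerPolicy {
    param([string]$Path, [hashtable]$Expected)

    # A missing key means no BitLocker policy has been configured at all.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $actual = if ($props) { $props.$name } else { $null }
        New-Object PSObject -Property @{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Ok       = ($actual -eq $Expected[$name])
        }
    }
}

$results = @(Test-BitLockerPolicy -Path $fveKey -Expected $expected)
$results | Format-Table Setting, Expected, Actual, Ok -AutoSize

$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} policy value(s) not set as expected; manage-bde -on with -sk may be refused." -f $failed.Count)
}
```
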
Now to encrypt a drive, but first a warning on disk space when it comes to thin-provisioned disks. I learned from John Savill that:
“It's not efficient for BitLocker to encrypt free space on a drive, so BitLocker protects this empty space by creating a large placeholder file on the drive that uses up all space except for 6GB, to keep the system running during the encryption.”
In other words, BitLocker will write a file that fills the encrypted drive to all but 6 GB. After we finish the encryption, we will need to get that then-unused space back from the VM if it's a thin-provisioned disk.

Since we want to tell BitLocker to use a disk, we cannot use the normal BitLocker GUI to start it. Instead, open an elevated administrative command line and run the following to tell BitLocker to encrypt the drive.


manage-bde.exe -on <Drive Letter to Encrypt>: -RecoveryPassword -StartupKey <Drive Letter of Encryption Key Volume>:
Example:
manage-bde.exe -on C: -rp -sk F:

Be sure that the encryption key volume letter is correct and will always be there when the machine is mounted. I didn't really use the recovery password, but generated it and saved it just in case the key didn't work.

[Screenshot: output of the manage-bde.exe command line]

Now reboot the VM and it should pass all the hardware tests. Log back in and, working from the “C:\Windows\System32” directory in an elevated administrative command line, run:

manage-bde.exe -status

It should show the Percent Encrypted for the drive growing. The drive's icon will also now have an open padlock on it. If it's still running, you will notice that there's only 6 GB of free space. This will continue until the encryption finishes. Wait until it finishes (rerun status to see) and reboot afterwards.

[Screenshot: result of "manage-bde.exe -status"]
Note: the picture says the version is Windows 7, but I assure you it is Windows 2008 R2.
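
To check more than the percentage, the script below confirms that both protectors created by -rp and -sk exist and that the startup key file really is on the key volume. It is an added example, not part of the original post; it uses the Win32_EncryptableVolume WMI class, and the drive letters C: and F: are the example values from the command above.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell prompt.
# Assumption: C: is the encrypted OS drive and F: the key volume, as in the post.
$osDrive  = 'C:'
$keyDrive = 'F:'

$vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                     -Class Win32_EncryptableVolume -Filter "DriveLetter='$osDrive'"
if (-not $vol) { throw "No encryptable volume found for $osDrive" }

# Conversion progress: the same information "manage-bde.exe -status" reports.
$statusNames = 'FullyDecrypted', 'FullyEncrypted', 'EncryptionInProgress',
               'DecryptionInProgress', 'EncryptionPaused', 'DecryptionPaused'
$conv = $vol.GetConversionStatus()
"{0} {1} ({2}% encrypted)" -f $osDrive, $statusNames[$conv.ConversionStatus], $conv.EncryptionPercentage

# Key protector types: 2 = external key (-sk), 3 = numerical password (-rp).
$externalIds = @($vol.GetKeyProtectors(2).VolumeKeyProtectorID | Where-Object { $_ })
$recoveryIds = @($vol.GetKeyProtectors(3).VolumeKeyProtectorID | Where-Object { $_ })

if ($externalIds.Count -eq 0) { Write-Warning "No startup key protector on $osDrive" }
if ($recoveryIds.Count -eq 0) { Write-Warning "No recovery password protector on $osDrive" }

# The startup key is saved as a hidden system .BEK file, so the key volume looks
# empty in Explorer and in a plain "dir". Ask BitLocker for the file name instead.
foreach ($id in $externalIds) {
    $fileName = $vol.GetExternalKeyFileName($id).FileName
    $path     = "$keyDrive\$fileName"
    if ([System.IO.File]::Exists($path)) {
        "Startup key for protector $id present: $path"
    } else {
        Write-Warning "Startup key $fileName not found on $keyDrive; the next boot will need the recovery password."
    }
}
```
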

Congratulations. Your VM's drive is now encrypted with BitLocker; however, we are storing the key on the same storage. If someone has a better option, I'm all ears as to how.

Follow up: If our storage or disk drive was thin provisioned, we need to reclaim from the VM all the space that BitLocker wrote to and then deleted while it encrypted the volume. I'll try to write another post to address reclaiming free space from the thin VM.

Warning – I take no responsibility for any harm that comes to you or your VMs. Test for yourself what works for you in a safe environment and make sure you have backups.

12 comments:

  1. Thanks, even if it's not a production way to configure it, it's a good way to try and "crashtest" the product

    Regards,

  2. Dear Chris,

    Great read and article. Some years ago I wrote something about BitLocker myself, on how to run it with the TPM chip. Last year you referenced this article. I made some updates and updated the content on mine ;-).

    Last week I published another post talking about Windows 7: best practices for enterprise deployment of Bitlocker (http://www.networknet.nl/apps/wp/archives/1851).

    Please have a look if you want.

    With kind regards,

    Ivan

  3. "I’ll Try to write another post to address reclaiming free space from the Thin VM..."

    Hey Chris, did you ever get around to this write up? I'm testing the above scenario in a large enterprise environment. All hosts ESX 4.1.

  4. I have another question or two.

    "...we are storing the Key on the same storage."
    By "same storage" you're talking about the same SAN LUN or the E: drive here, right? The complaint is that the VMDK files (one for the OS drive and one for the encryption key drive) are likely resident on the same VMware storage, assuming each VMDK is stored with the VM's config files, right?

    Next, I don't see anything on the encryption key volume I created. How do I confirm that a key exists? (note: it hasn't finished encrypting as I write this)

    Do you know how to confirm that the bitlocker keys are, in fact, stored in the active directory?

    It seems like this would be possible, but I thought I'd ask this too... we could theoretically alter the manage-bde command to encrypt a different drive as opposed to encrypting the OS volume, right? Having the OS volume encrypted, while secure, isn't necessarily what we're after. The data volumes hold critical data that need to be encrypted.

    Thanks much for entertaining my questions.

  5. If I had a laptop without a TPM chip could I set this up in the same way but target the letter of a USB drive and this still work the same as long as I use that USB drive when starting up my laptop?

    Thanks
    Mark

  6. First of all, great article!
    I wanted to know the kind of encryption BitLocker provides here.
    Is it 128-bit or 256-bit encryption?

  7. For the problem of being on the same storage:

    Create a virtual floppy (store on a admin machine or somewhere appropriate), format, encrypt, and mount as needed.

    manage-bde -on C: -rp -sk a:

    Make sure your BIOS in the VM is configured to have the floppy out of the picture. (My order: CD-ROM, HDD, FDD, etc.)

  8. Great article, thank you!

    A quick note for anyone wishing to use bitlocker on any additional (non OS) drives in their VM. Bitlocker will by default view any additional scsi drives as removable devices and as such will only enable bitlocker to go. To resolve this and allow bitlocker to view the additional disks as fixed disks you must disable HotPlug capability within the VM. Here's the how to:

    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012225

    cheers!

    Replies
    1. Thanks for the tip JT, worked like a treat

  9. Just wondering...if you are storing the key unencrypted on the drive, what's the point in encrypting the data? Isn't that like fitting a lock to a door but always leaving it unlocked?

    Replies
    1. The point is, you don't leave the USB key in the computer just as you wouldn't leave the key to lock your house in the lock itself when you are away. If the PC is stolen, the idea is to have the key offsite or locked in a separate secured area so that none of the computer will boot and the encryption would also protect if the drives were removed and attempted to be copied.

  10. Although this works perfectly, just remember that it's not supported by either vendor;
    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2036142

