Is anybody doing this or has any guidance on it its practicality? I have a mix of Hyper-V and ESXi and looking at all options to encrypt disks that host DIT file and backups.
Bitlocker on Virtual Domain Controllers
- 246 Views
- Last Post 13 August 2019
Bitlocker does volume encryption and is primarilly to protect you from an offline attack (someone runs out with your DC hard disks)
In the case of a virtual DC, it does make sence to protect your vmdk/vhdx files from people making an unauthorised copy and attack it offline,
Keep in mind though that when you do bitlocker a server, you need some sort of a mechanism to supply the decryption key to the bootloader at boot time.
In a physical server, this is usually handled by a TPM module, which stores the decryption key and releases it to the boot loader if a number of criteria are met.In the virtual world, this is not that straightforward. Some hypervisors provide a "virtual TPM", but these cannot use a hardware TPM module in the underlying server(s) so they will never really be temper-proof.
The guy that has sufficient access to your hypervisor to steal a .vhdx could just as well have access to manage the virtual TPM layer in the hypervisor.
One thing you can do is set up the bitlocker in your VM with a boot PIN or a full numerical boot password.That way only the admin managing the VM can unlock (and boot) it.Big catch though will be that the VM can no longer boot unattended, so after a powerdown of the hypervisor, a manual intervention at the VM would be needed.
Hope this helps,
Verzonden: Maandag 12 augustus 2019 12:45:11
Onderwerp: [ActiveDir] Bitlocker on Virtual Domain Controllers
Is anybody doing this or has any guidance on it its pracicality? I have a mix of Hyper-V and ESXi and looking at all options to encrypt disks that host DIT file and backups.
In addition to what DavyP has mentioned, depending on your version of vSphere/ESXi you could potentially contemplate implementing VM encryption.
Same caveats apply, that this doesn’t protect you from rogue admins but does mean that disks cannot be just copied.
Make sure you protect your KMS with a vengeance as explaining to your management that you managed to crypto-locker yourself might be a hard sell
Implementing a guarded fabric (shielded VMs) in Hyper-V would be the way to safeguard the BitLocker keys for individual guests, amongst other protections.