Bitlocker on Virtual Domain Controllers

  • 193 Views
  • Last Post 13 August 2019
minwar posted this 12 August 2019

Is anybody doing this or has any guidance on its practicality?  I have a mix of Hyper-V and ESXi and looking at all options to encrypt disks that host DIT file and backups.

PhilipElder posted this 13 August 2019

vTPM Setup

# Host (run on the Hyper-V host; the VM must be Generation 2 and powered off)
$VM = "VMName"

# Check the current security settings of the VM
Get-VMSecurity -VMName $VM

# Enable vTPM
# Enable-VMTPM requires a key protector on the VM; on a host that is not part of a
# guarded fabric, create a local one first if needed:
#   Set-VMKeyProtector -VMName $VM -NewLocalKeyProtector
Enable-VMTPM -VMName $VM

# Check that TpmEnabled is now True
Get-VMSecurity -VMName $VM

# Guest (run inside the VM)

# BitLocker Install
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart


Philip Elder MCTS
Microsoft High Availability MVP
E-mail: PhilipElder@xxxxxxxxxxxxxxxx
Phone: +1 (780) 458-2028
Web: www.mpecsinc.com
Cloud: www.CanadianCloudWorx.com
Blog: blog.mpecsinc.com
Twitter: Twitter.com/MPECSInc
Skype: MPECSInc.

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.



bdesmond posted this 13 August 2019

Implementing a guarded fabric (shielded VMs) in Hyper-V would be the way to safeguard the BitLocker keys for individual guests, amongst other protections.


Thanks,
Brian



ElasticSky posted this 12 August 2019

Hi Martyn,

In addition to what DavyP has mentioned, depending on your version of vSphere/ESXi you could potentially contemplate implementing VM encryption.

Same caveats apply, that this doesn't protect you from rogue admins but does mean that disks cannot be just copied.

Make sure you protect your KMS with a vengeance, as explaining to your management that you managed to crypto-locker yourself might be a hard sell. 😊

Kind regards

ThompsG



davyp posted this 12 August 2019

Hi Martyn,
Bitlocker does volume encryption and is primarily to protect you from an offline attack (someone runs out with your DC hard disks).
In the case of a virtual DC, it does make sense to protect your vmdk/vhdx files from people making an unauthorised copy and attacking it offline.
Keep in mind though that when you do bitlocker a server, you need some sort of a mechanism to supply the decryption key to the bootloader at boot time.
In a physical server, this is usually handled by a TPM module, which stores the decryption key and releases it to the boot loader if a number of criteria are met. In the virtual world, this is not that straightforward. Some hypervisors provide a "virtual TPM", but these cannot use a hardware TPM module in the underlying server(s), so they will never really be tamper-proof.
The guy that has sufficient access to your hypervisor to steal a .vhdx could just as well have access to manage the virtual TPM layer in the hypervisor.
One thing you can do is set up the bitlocker in your VM with a boot PIN or a full numerical boot password. That way only the admin managing the VM can unlock (and boot) it. The big catch though will be that the VM can no longer boot unattended, so after a powerdown of the hypervisor, a manual intervention at the VM would be needed.
Hope this helps,
DavyP


From: martyn78@xxxxxxxxxxxxxxxx
To: activedir@xxxxxxxxxxxxxxxx
Sent: Monday 12 August 2019 12:45:11
Subject: [ActiveDir] Bitlocker on Virtual Domain Controllers




Is anybody doing this or has any guidance on its practicality?  I have a mix of Hyper-V and ESXi and looking at all options to encrypt disks that host DIT file and backups.

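Guest-side BitLocker enablement that follows on from Philip's host-side vTPM steps and DavyP's TPM-only versus TPM+PIN trade-off, as an added example that is not code from any poster in this thread. It assumes the vTPM is already enabled on the host, the BitLocker feature is installed, and it runs elevated in Windows PowerShell inside the guest; $MountPoint, $RequirePin and the other variable names are mine.

```powershell
# Added example, not from the thread. Assumes a Gen 2 Hyper-V VM with a vTPM
# already enabled on the host and the BitLocker feature installed in the guest.
$MountPoint = "C:"

# 1. Confirm the guest actually sees a ready TPM before touching the OS volume.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM visible to the guest; enable the vTPM on the host first."
}

# 2. Add a recovery password first, so a vTPM reset or a move to another host
#    cannot lock you out of the DC. Escrow it in AD (needs the BitLocker AD
#    schema extensions and the backup-to-AD policy enabled in the domain).
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId

# 3. Choose the unlock model discussed in the thread (assumed switch variable).
#    $true  -> TPM + startup PIN: only an admin at the console can boot the VM,
#              so unattended restarts after a host power-down are not possible.
#    $false -> TPM only: unattended boot works, but whoever administers the
#              vTPM layer on the hypervisor can also boot (and read) the VM.
$RequirePin = $true

if ($RequirePin) {
    # The TPM+PIN protector is only accepted when the BitLocker startup policy
    # ("Require additional authentication at startup") allows a PIN.
    $pin = Read-Host -AsSecureString -Prompt "Startup PIN"
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $pin -UsedSpaceOnly -SkipHardwareTest
} else {
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmProtector -UsedSpaceOnly -SkipHardwareTest
}

# 4. Report what was configured: status, method and which protectors exist.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

Encryption of the used space runs in the background after the cmdlet returns; ProtectionStatus only becomes On once the volume is fully protected, so re-run the final Get-BitLockerVolume to confirm before relying on it.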
