Hey Lai, how do I secure my virtual machine? With Windows Server 2012 or 2012 R2, we can mount the virtual disk and copy the data out. Besides, with the Import fix on Windows Server 2012 R2, we can copy the virtual disk to another Hyper-V and run it without any problem. Yes, we do have Active Directory for authentication, but people can still get the content by mounting the virtual disk. My organization's data is vulnerable. Can you help me to secure my data?
Lai > Sure, no problem. For your scenario, you can implement BitLocker on a virtual machine. BitLocker encrypts the hard drives on your computer to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen, and more secure data deletion when BitLocker-protected computers are decommissioned, as it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
Here are the steps to configure BitLocker.
Installation
Install the BitLocker feature using Server Manager: select BitLocker Drive Encryption.
Configuration Local Policy
Configure the following settings in the VM's local policy. Run gpedit.msc and navigate to
Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption
Operating System Drives:-
- Choose drive encryption method and cipher strength – AES 256 bit (military grade encryption algorithm)
- Enforce drive encryption type on operating system – Enabled
- Require additional authentication at startup – Enabled. BitLocker can work with a TPM. Since our virtual machine does not have a TPM, we can use a password instead.
Fixed Data Drives (for the other data disks):-
- Enforce drive encryption type on fixed data drives – Enabled
Configuration Control Panel
Go to Control Panel | Select BitLocker Drive Encryption
Select your drive and click Turn on BitLocker.
Select how to unlock the drive at startup. Since it is a virtual machine, we select “Enter a password”.
Enter your password. This is the password that you need to key in on every VM restart.
In case you forget the password, you can unlock the drive with the recovery key. For our case, we select “Save to a file”. Keep this file in a secure location for future recovery.
Restart the VM to start encryption. On restart, the user needs to enter the password to unlock the drive and boot into the operating system. This happens every time the virtual machine restarts.
Once the VM has restarted, it will start the encryption process. Just continue to do your work while the system performs encryption in the background. The encryption process will take a while. Once it completes, your virtual machine is secure and encrypted.
Mounting the virtual disk on any Hyper-V host:-
Drive G is locked and you cannot mount the virtual disk to get the data. Even if you move the virtual disk to another Hyper-V host, you still cannot view the content.
BitLocker is available on the following server operating systems:
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
Verification
- Mount the virtual disk – SECURED
- Move the VM to another Hyper-V – SECURED
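The same result can be checked from inside the VM once encryption has finished. The PowerShell below is an added example, not part of the original post: the function name Test-VmBitLocker is hypothetical, and it assumes an elevated session and the BitLocker PowerShell module that ships with the feature on Windows Server 2012 and later.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker on every volume of the guest VM against the
# settings chosen in this walk-through. Test-VmBitLocker is a hypothetical name.
function Test-VmBitLocker {
    [CmdletBinding()]
    param(
        # Assumption: 'Aes256' matches the "AES 256 bit" policy choice above.
        [string]$ExpectedMethod = 'Aes256'
    )
    foreach ($vol in Get-BitLockerVolume) {
        # Names of the key protectors present, e.g. Password, RecoveryPassword
        $types    = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $findings = @()

        if ([string]$vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "status $($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted"
        }
        if ([string]$vol.ProtectionStatus -ne 'On') {
            $findings += 'protection is off or suspended'
        }
        if ([string]$vol.EncryptionMethod -ne $ExpectedMethod) {
            $findings += "method $($vol.EncryptionMethod), expected $ExpectedMethod"
        }
        # No TPM in the VM, so the OS volume should unlock with a password.
        if ([string]$vol.VolumeType -eq 'OperatingSystem' -and $types -notcontains 'Password') {
            $findings += 'OS volume has no password protector'
        }
        # The "Save to a file" recovery option creates a recovery password.
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'no recovery password protector'
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = [string]$vol.VolumeType
            Protectors = $types -join ', '
            Compliant  = ($findings.Count -eq 0)
            Findings   = $findings -join '; '
        }
    }
}

# Show one row per volume; any row with Compliant = False needs attention.
Test-VmBitLocker | Format-Table -AutoSize -Wrap
```

A volume that is still encrypting in the background is reported as non-compliant with its current percentage, so run the check again after encryption completes.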
For more questions about BitLocker, check out the FAQ here.
Hi, I tried this process after many unsuccessful attempts to encrypt my secondary drives on my virtual domain controllers. I was never prompted to set a password that could be used at startup. Any Ideas? Thank you for the detailed information.
Oh, thanks! Good article!!!
Great walk-through, thanks for posting it! Just a quick question, our admins can remote desktop connection into the VMs, but not the host server. Will they be able to reboot their vms, or will the IT office (only one with access to vm hosts) have to enter the bitlocker key from the host?
Thanks, again!