
Saturday, March 29, 2014

Secure Your Virtual Machine Using BitLocker


Hey Lai, how do I secure my virtual machine? With Windows Server 2012 or 2012 R2, we can mount the virtual disk and copy the data out. Besides, with the Import fix on Windows Server 2012 R2, we can copy the virtual disk to another Hyper-V and run it without any problem. Yes, we do have Active Directory for authentication, but people can still get the content by mounting the virtual disk. My organization's data is vulnerable. Can you help me secure my data?

Lai > Sure, no problem. For your scenario, you can implement BitLocker inside the virtual machine. BitLocker encrypts the drives on the computer, which protects against data theft or exposure when computers or removable drives are lost or stolen, and it makes data deletion more secure when BitLocker-protected computers are decommissioned, since recovering deleted data from an encrypted drive is much harder than from an unencrypted one.

Here are the steps to configure BitLocker.

Installation

Install the BitLocker feature using Server Manager and select BitLocker Drive Encryption.

Configuring Local Policy

Configure a few settings in the VM's local policy. Run gpedit.msc and navigate to

Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption

Operating System Drives:

  • Choose drive encryption method and cipher strength – AES 256-bit (military-grade encryption algorithm)

  • Enforce drive encryption type on operating system drives – Enabled

  • Require additional authentication at startup – Enabled. BitLocker normally works with a TPM; since our virtual machine has no TPM, we use a password instead.

Fixed Data Drives (for the other, data disks):

  • Enforce drive encryption type on fixed data drives – Enabled

Configuring from Control Panel

Go to Control Panel and select BitLocker Drive Encryption.

Select your drive and click Turn on BitLocker.

Choose how to unlock the drive at startup. Since this is a virtual machine, we select “Enter a password”.

Enter your password. This is the password you will need to type in on every VM restart.

In case you forget the password, you can unlock the drive with the recovery key, so back it up now. For our case, we select “Save to a file”. Keep this file in a secure location for future recovery.

Restart the VM to start encryption. Below is what the screen looks like on restart: the user has to enter the password to unlock the drive and boot into the operating system. This happens every time the virtual machine restarts.

Once the VM has restarted, the encryption process begins. Just continue your work while the system encrypts in the background; it will take a while. Once complete, your virtual machine is encrypted and secure.
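The same procedure driven from an elevated PowerShell prompt inside the VM, as an added example that is not part of the original post. The `Install-WindowsFeature` and BitLocker cmdlets are built into Windows Server 2012 / 2012 R2; the drive letters C: and G:, the output path for the recovery password on E:, and the `Assert-NoTpmPolicy` helper are this example's own assumptions. It also adds the check a practitioner wants before enabling a password protector on the OS drive: the policy "Require additional authentication at startup" must have "Allow BitLocker without a compatible TPM" ticked, otherwise BitLocker refuses a password-only OS drive and the wizard never offers the "Enter a password" option.

```powershell
# Added example (not from the original post): enable BitLocker on a Hyper-V VM
# that has no TPM, using a startup password plus a recovery password.
# Phase 1 needs a restart before the BitLocker cmdlets are available.

# Phase 1: install the feature, then restart the VM and continue with phase 2.
Install-WindowsFeature -Name BitLocker -IncludeManagementTools

# Phase 2: run after the restart and after the gpedit.msc settings above.

# Confirm the local policy allows BitLocker without a compatible TPM. This is
# the value written when "Allow BitLocker without a compatible TPM" is ticked
# under "Require additional authentication at startup".
function Assert-NoTpmPolicy {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $value = (Get-ItemProperty -Path $fve -Name EnableBDEWithNoTPM `
                  -ErrorAction SilentlyContinue).EnableBDEWithNoTPM
    if ($value -ne 1) {
        throw 'Policy does not allow BitLocker without a TPM; fix it in gpedit.msc first.'
    }
}
Assert-NoTpmPolicy

# Prompt for the startup password; never hard-code it in a script.
$startupPassword = Read-Host -AsSecureString -Prompt 'BitLocker startup password'

# Protect the OS drive with AES-256 and a password protector. Without
# -SkipHardwareTest, encryption starts after the next restart, matching the
# Control Panel flow described above.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 `
    -PasswordProtector -Password $startupPassword

# Add a recovery password and store it OUTSIDE the VM. E: is an assumed
# removable drive or a share that only the recovery team can read.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword |
    Out-File -FilePath 'E:\bitlocker-recovery-C.txt'

# Protect the data drive the same way; it stays locked when its VHD is mounted
# elsewhere. Once the OS drive reports ProtectionStatus 'On' after the restart,
# Enable-BitLockerAutoUnlock -MountPoint 'G:' lets the OS drive unlock it so the
# console only ever asks for the one startup password.
Enable-BitLocker -MountPoint 'G:' -EncryptionMethod Aes256 `
    -PasswordProtector -Password $startupPassword
Add-BitLockerKeyProtector -MountPoint 'G:' -RecoveryPasswordProtector | Out-Null

# The hardware test and then encryption start on restart; the startup password
# prompt appears at boot from now on.
Restart-Computer
```

The recovery file deserves the same care as the password: if it is saved on the VHD itself, or on the Hyper-V host next to the VHD, anyone who can copy the disk can also unlock it, which is exactly the scenario the question describes.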

Mounting the virtual disk on any Hyper-V host:

Drive G is locked, so you cannot mount the virtual disk to get at the data. Even if you move the virtual disk to another Hyper-V host, you still cannot view the content.

BitLocker is available on the following server operating systems:

  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2

Verification

  • Mount the virtual disk – SECURED
  • Move the VM to another Hyper-V – SECURED
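The two verification steps above, and the mount test from the previous section, as an added example that is not part of the original post. Part A runs inside the VM and uses only the built-in BitLocker cmdlets; Part B runs on a Hyper-V host and needs the Hyper-V PowerShell module plus the BitLocker cmdlets on the host. The drive letters, the VHDX path, and the function names `Test-VmBitLocker` and `Test-VhdLocked` are this example's assumptions.

```powershell
# Added example (not from the original post): verify the BitLocker result.

# Part A (inside the VM): each volume must be fully encrypted with AES-256,
# have protection on, and carry a recovery password protector.
function Test-VmBitLocker {
    param([string[]]$MountPoint = @('C:', 'G:'))   # assumed drive letters
    foreach ($mp in $MountPoint) {
        $v = Get-BitLockerVolume -MountPoint $mp
        $hasRecovery = [bool]($v.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword')
        [pscustomobject]@{
            MountPoint      = $mp
            Method          = $v.EncryptionMethod
            Percent         = $v.EncryptionPercentage
            Protection      = $v.ProtectionStatus
            HasRecoveryPass = $hasRecovery
            Secured         = ($v.ProtectionStatus -eq 'On' -and
                               $v.EncryptionPercentage -eq 100 -and
                               $v.EncryptionMethod -eq 'Aes256' -and
                               $hasRecovery)
        }
    }
}
Test-VmBitLocker | Format-Table -AutoSize

# Part B (on a Hyper-V host): attach the VHDX read-only, as someone with host
# access would, and confirm every volume on it stays locked. The path is an
# assumed example; the disk is always dismounted afterwards.
function Test-VhdLocked {
    param([string]$Path = 'D:\VMs\data.vhdx')
    $disk = Mount-VHD -Path $Path -ReadOnly -Passthru | Get-Disk
    try {
        $letters = ($disk | Get-Partition | Where-Object DriveLetter).DriveLetter
        foreach ($l in $letters) {
            $bl = Get-BitLockerVolume -MountPoint "${l}:"
            [pscustomobject]@{
                Drive      = $l
                LockStatus = $bl.LockStatus
                Locked     = ($bl.LockStatus -eq 'Locked')
            }
        }
    } finally {
        Dismount-VHD -Path $Path
    }
}
Test-VhdLocked | Format-Table -AutoSize
```

A result of `Locked` in Part B is what "SECURED" means here: the VHD is protected at rest. What BitLocker does not cover is the running VM, so anyone who can open the VM's console at boot, or snapshot its memory from the host, is outside this protection, and the startup password and recovery file must not be stored on the host beside the disk.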

For more questions about BitLocker, check out the FAQ here.

3 comments:

  1. Hi, I tried this process after many unsuccessful attempts to encrypt my secondary drives on my virtual domain controllers. I was never prompted to set a password that could be used at startup. Any ideas? Thank you for the detailed information.
  2. Great walk-through, thanks for posting it! Just a quick question: our admins can use a Remote Desktop connection into the VMs, but not the host server. Will they be able to reboot their VMs, or will the IT office (the only one with access to the VM hosts) have to enter the BitLocker key from the host?

    Thanks again!