One day I received an email from our CSO asking to explore how to deploy BitLocker on our DCs and RODCs.
First I started asking myself some questions:
What is BitLocker, and why do I need it:
BitLocker is Microsoft's technology for encrypting disks and volumes; it has been available since Windows Server 2008. BitLocker protects your hard drive from offline attacks, where a malicious user takes the hard drive out of your machine and connects it to another machine in order to harvest your data.
What I need to enable BitLocker:
Hardware requirements for BitLocker Drive Encryption:
Because BitLocker stores its own encryption and decryption key in a hardware device that is separate from your hard disk, you must have one of the following:
- A computer with Trusted Platform Module (TPM), which is a special microchip in some newer computers that supports advanced security features. If your computer was manufactured with TPM version 1.2 or higher, BitLocker will store its key in the TPM.
- A removable USB memory device, such as a USB flash drive. If your computer doesn’t have TPM version 1.2 or higher, BitLocker will store its key on the flash drive.
To turn on BitLocker Drive Encryption, your computer’s hard disk must:
- Have at least two partitions. One partition must include the drive Windows is installed on. This is the drive that BitLocker will encrypt. The other partition is the active partition, which must remain unencrypted so that the computer can be started. Once you’ve encrypted the drive Windows is installed on, you can also encrypt additional data drives on the same computer.
- Be formatted with the NTFS file system.
- Have a BIOS that is compatible with TPM and supports USB devices during computer startup.
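As an added example (not part of the original post), a PowerShell pre-flight check that turns the requirements above into a report for one server; it assumes Windows Server 2012 or later (Storage and ServerManager modules present) and an elevated prompt. The Test-BitLockerPrereq function name is my own, not a built-in cmdlet.

```powershell
# Added example: pre-flight check for the BitLocker requirements listed above.
# Assumes Windows Server 2012+ (Storage and ServerManager modules) and an
# elevated prompt. Test-BitLockerPrereq is a hypothetical name, not a built-in.
function Test-BitLockerPrereq {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # Hypervisor guests identify themselves in the model/manufacturer strings.
    $isVm = ($cs.Model -match 'Virtual') -or ($cs.Manufacturer -match 'VMware|Xen|QEMU|innotek')
    # DomainRole 4 = backup domain controller, 5 = primary domain controller.
    $isDc = $cs.DomainRole -in 4, 5

    # TPM details come from the Win32_Tpm WMI class; the query returns nothing without a TPM.
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # SpecVersion looks like "1.2, 2, 3" or "2.0, 0, 1.16"; the first field is the spec level.
    $tpmVersion = if ($tpm) { [version](($tpm.SpecVersion -split ',')[0].Trim()) } else { $null }
    $tpmOk = [bool]$tpm -and ($tpmVersion -ge [version]'1.2')

    # The Windows (boot) volume must be NTFS.
    $sysDisk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $ntfsOk = $sysDisk.FileSystem -eq 'NTFS'

    # A separate active/system partition must exist next to the Windows partition,
    # because it stays unencrypted so the machine can start.
    $separateSystemPart = [bool](Get-Partition | Where-Object { $_.IsSystem -and -not $_.IsBoot })

    # Map the findings onto the unlock methods the post discusses.
    $modes = @()
    if ($tpmOk) { $modes += 'TPM only', 'TPM + PIN', 'TPM + USB key' }
    else        { $modes += 'USB startup key (no usable TPM)' }
    if ($isVm)  { $modes = @('Data volumes only (VM boot disk is unsupported)') }

    [pscustomobject]@{
        ComputerName         = $cs.Name
        IsDomainController   = $isDc
        IsVirtualMachine     = $isVm
        TpmPresent           = [bool]$tpm
        TpmSpecVersion       = $tpmVersion
        TpmMeets12OrHigher   = $tpmOk
        SystemDriveNtfs      = $ntfsOk
        SeparateSystemPart   = $separateSystemPart
        BitLockerFeature     = (Get-WindowsFeature -Name BitLocker).Installed
        AvailableUnlockModes = $modes -join '; '
    }
}

Test-BitLockerPrereq | Format-List
```

Run it on each DC before planning the rollout; a VM or a missing TPM shows up immediately in the last field.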
Where it is supported (almost all our DCs are virtualized):
BitLocker on virtual machines is not supported (https://technet.microsoft.com/en-us/library/hh831507.aspx#BKMK_VHD), except for data volumes (not the boot disk), and only on Windows Server 2012.
What I can use to unlock the encrypted disk:
- TPM Only
- TPM + USB Key
- TPM + PIN
Windows Server 2012 also has a new option to unlock the encrypted volume, called “Network Unlock”: the encrypted boot disk is unlocked automatically (no PIN needed) if the server boots on a predefined network. This option has some hardware and software requirements (UEFI DHCP driver, Windows Deployment Services, a DHCP server, and an AD domain functional level of Windows Server 2012).
Then I raised some concerns:
Using BitLocker on DC volumes is not officially supported by Microsoft; we should consider the impact of this in case we have an issue with AD and Microsoft support is required.
On virtual machines (we are using ESXi) there is no way to expose a TPM, and probably no USB key either. The only option is to enter the unlock password at every DC reboot, which makes automated updates impossible.
There is no big security advantage in encrypting DC volumes in insecure server rooms, where someone can physically steal the server and/or the USB key holding the encryption unlock key.
With the “TPM Only” option, if you steal the physical server it just boots up as usual. “TPM + PIN” requires entering the unlock PIN at every DC reboot, which again hinders automated unattended update installation.
Then I explored some “alternatives”. Here is my summary of which threats each one protects against (x = protects, – = does not):
| Alternative | Loss or theft of physical disks | Host OS compromise | Guest OS compromise |
|---|---|---|---|
| Host OS (transparent for Guest) | x | – | – |
| Storage Array/Controller (transparent for Host and Guest) | x | – | – |
Encryption makes sense on your laptop; in a server environment there is no technology or architecture at the moment (maybe Windows Server 2016 will change something) that is able to protect guest machines from host administrators… Only the opposite is true :-)