Hyper-V Security Best Practice: Use Bitlocker

Small businesses, branch offices, and home offices usually have less stringent physical security than enterprise datacenters and IT facilities. If you run Hyper-V servers in these environments, you should use the BitLocker Drive Encryption feature in Windows Server 2008. Use BitLocker on all volumes that house VM files (this includes the VMs' VHDs, configuration files, snapshots, and any VM resource, such as ISOs and VFDs).

BitLocker works with features in server hardware and firmware to provide secure operating system boot and disk drive encryption, even when the server is not powered or operating. This helps protect data if a disk is stolen and mounted on another machine for data mining. BitLocker also protects data if an attacker uses a different operating system or runs a software hacking tool to access a disk.

For more information on how to configure Bitlocker to protect your Hyper-V server and the VMs on it, see Windows Server 2008 Hyper-V and BitLocker Drive Encryption.

See also “Windows BitLocker Drive Encryption Frequently Asked Questions,” “Windows BitLocker Drive Encryption Design and Deployment Guides,” and “Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information.”

NOTE: Use BitLocker on the Hyper-V host, in the parent partition. Do not run BitLocker within a virtual machine; BitLocker is NOT SUPPORTED within a virtual machine.

BitLocker supports four different authentication modes including one for servers that don’t include a Trusted Platform Module (TPM). For more information see “BitLocker Drive Encryption Technical Overview.”

NOTE: Any configurations and VHDs that are created and stored on a BitLocker-encrypted physical disk volume receive BitLocker protection, regardless of the operating systems that are running on those virtual machines. This means supported non-Windows and legacy Microsoft operating systems benefit from the same BitLocker protection when they run as guest operating systems of Windows Server 2008 Hyper-V.

Deployment is pretty straightforward:

1. Install Windows Server 2008.

2. Install the Hyper-V role and the BitLocker feature.

3. Configure the system volume for BitLocker.

4. Turn on BitLocker and encrypt the operating system and data volumes.

5. Create new virtual machines.

6. Consolidate and deploy workloads onto the Hyper-V server.
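The six steps above, carried out from the command line on the Hyper-V host, as an added example that is not part of the original article. It uses manage-bde.exe as shipped with Windows Server 2008 R2 (on Windows Server 2008 RTM the same switches are invoked through `cscript %SystemRoot%\System32\manage-bde.wsf`). It assumes C: is the operating system volume, D: is the data volume that holds the VM configuration files and VHDs, E:\BitLockerKeys is a removable drive where the external recovery key is saved, the host has an enabled TPM, and the domain has been prepared for recovery-information backup as described in the Active Directory guide referenced above; the parsing of manage-bde's English output is also an assumption. The one detail that matters specifically for Hyper-V is auto-unlock on the data volume: without it the volume stays locked after a reboot and no VM stored on it can start.

```powershell
# Added example (not from the original article). Assumptions: C: = OS volume,
# D: = volume holding VM configs and VHDs, E:\BitLockerKeys = removable key
# backup location, TPM present, domain prepared for AD DS recovery backup.
$osVolume  = "C:"
$vmVolume  = "D:"
$keyBackup = "E:\BitLockerKeys"

# Step 3/4 prerequisite: confirm an enabled TPM exists before choosing TPM-only boot.
$tpm = Get-WmiObject -Namespace "root\cimv2\Security\MicrosoftTpm" -Class Win32_Tpm
if ($null -eq $tpm -or -not $tpm.IsEnabled().IsEnabled) {
    throw "No enabled TPM found; deploy with a USB startup key instead of TPM-only mode."
}

# Polls manage-bde -status until the volume reports 100% encrypted
# (assumes the English output line "Percentage Encrypted: 100.0%").
function Wait-ForEncryption([string]$vol) {
    do {
        Start-Sleep -Seconds 30
        $line = (manage-bde -status $vol | Select-String "Percentage Encrypted").ToString()
    } until ($line -match "100(\.0)?%")
}

# Returns the ID of the numerical-password (recovery password) protector, which is
# the protector whose secret AD DS stores. Assumes the "ID:" line directly follows
# the "Numerical Password:" heading in manage-bde's output.
function Get-RecoveryProtectorId([string]$vol) {
    $lines = @(manage-bde -protectors -get $vol)
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match "Numerical Password:" -and $lines[$i + 1] -match "\{[0-9A-Fa-f-]+\}") {
            return $Matches[0]
        }
    }
    return $null
}

# Step 3: OS volume. TPM seals the boot path; a 48-digit recovery password and an
# external key file (.bek) give two independent recovery paths if the TPM fails.
New-Item -ItemType Directory -Path $keyBackup -Force | Out-Null
manage-bde -protectors -add $osVolume -tpm
manage-bde -protectors -add $osVolume -RecoveryPassword
manage-bde -protectors -add $osVolume -RecoveryKey $keyBackup

# Step 4: turn on encryption for the OS volume, then the VM data volume.
manage-bde -on $osVolume
Wait-ForEncryption $osVolume

manage-bde -protectors -add $vmVolume -RecoveryPassword
manage-bde -on $vmVolume
# Auto-unlock stores an external key for D: on the protected OS volume, so the
# Hyper-V host can open the VM files after every reboot without operator input.
manage-bde -autounlock -enable $vmVolume

# Escrow each volume's recovery password in AD DS (Recovery Password Viewer reads it back).
foreach ($vol in @($osVolume, $vmVolume)) {
    $id = Get-RecoveryProtectorId $vol
    if ($id) { manage-bde -protectors -adbackup $vol -id $id }
    else     { Write-Warning "No recovery password protector found on $vol" }
}

# Verification before steps 5 and 6 (creating VMs and moving workloads onto D:):
# both volumes should report "Protection On", and D: should list an External Key
# protector (the auto-unlock key) in addition to its Numerical Password.
manage-bde -status
manage-bde -protectors -get $vmVolume
```

Keep the saved .bek file and the printed recovery password off the host itself; if the TPM or the OS volume fails, the data volume's auto-unlock key is lost with it and the VM volume can then only be opened with its own recovery password.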

If a BitLocker-encrypted disk is damaged, you may need the BitLocker Repair Tool. This tool helps access data encrypted with BitLocker when the hard disk has been physically damaged: it attempts to reconstruct critical data from the drive and salvage any recoverable data. To decrypt the data, a recovery password or recovery key is required. In some cases, a backup of the key package is also required. Use this command-line tool if the following conditions are true:

  • A volume has been encrypted by using BitLocker Drive Encryption.
  • Windows does not start, or you cannot start the BitLocker recovery console.
  • You do not have a copy of the data that is contained on the encrypted volume.
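An invocation of the repair tool (repair-bde.exe) for the situation described above, as an added example that is not part of the original article. It assumes the damaged disk has been attached to a working Windows Server 2008 R2 machine as F:, that G: is an empty volume at least as large as F: which will receive the decrypted contents, and that either the 48-digit recovery password or the .bek key file saved at deployment time is at hand; the recovery password shown is a placeholder. The key-package variant is only needed when the volume's own BitLocker metadata is damaged, which is why the article recommends backing up the key package to AD DS.

```powershell
# Added example (not from the original article). Assumptions: F: = damaged
# BitLocker volume, G: = empty target volume of equal or larger size,
# recovery secrets saved during deployment. The password below is a placeholder.
$damaged = "F:"
$target  = "G:"
$logFile = "C:\repair-bde.log"
$recoveryPassword = "111111-222222-333333-444444-555555-666666-777777-888888"  # placeholder

# Sanity check before overwriting the target: it must hold the whole source volume.
$src = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$damaged'"
$dst = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$target'"
if ($null -eq $src -or $null -eq $dst) { throw "Source or target volume not found." }
if ([int64]$dst.Size -lt [int64]$src.Size) {
    throw "Target $target is smaller than $damaged; repair-bde needs an equal or larger volume."
}

# Option A: unlock with the 48-digit recovery password. -f dismounts the target
# even if it is in use; -lf records what was and was not recoverable.
repair-bde $damaged $target -rp $recoveryPassword -lf $logFile -f

# Option B: unlock with the external key file (.bek) written by manage-bde -RecoveryKey.
# repair-bde $damaged $target -rk "E:\BitLockerKeys\<protector-id>.bek" -lf $logFile -f

# Option C: metadata on the volume is damaged; supply the key package exported from
# AD DS together with the recovery password that protects it.
# repair-bde $damaged $target -kp "C:\KeyPackage\" -rp $recoveryPassword -lf $logFile -f

# Review the log: partially salvaged files are listed there, and a full recovery ends
# with an explicit success message.
Get-Content $logFile | Select-Object -Last 20
```

The target volume is overwritten sector by sector, so never point repair-bde at a volume that still holds data you need, and never at the damaged volume itself.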

Hopefully, you will never need the BitLocker Active Directory Recovery Password Viewer, an extension for the Active Directory Users and Computers MMC snap-in that lets you locate and view BitLocker recovery passwords stored in AD DS. You can use this tool to help recover data that is stored on a volume that has been encrypted by using BitLocker. After you install this tool, you can examine a computer object's Properties dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest.

NOTE: To view recovery passwords, you must be a domain administrator, or you must have been delegated permissions by a domain administrator.