Hyper-V Security How to: Use BitLocker to Protect Your VMs

The document "Windows Server 2008 Hyper-V and BitLocker Drive Encryption" was recently published to the Download Center, but some folks are having trouble accessing it (there seems to be a lot of interest in all things Hyper-V). Here are the procedures from the doc to tide you over until your download comes through:

Deployment Overview

  1. Install Windows Server 2008.
  2. Install the Hyper-V role and the BitLocker feature.
  3. Configure the system volume for BitLocker.
  4. Turn on BitLocker and encrypt the operating system and data volumes.
  5. Create new virtual machines.

Deployment Steps

For more information on how to partition a hard disk drive for BitLocker Drive Encryption, see https://technet2.microsoft.com/WindowsServer2008/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx#BKMK_S1. NOTE: The procedure below uses a TPM protector, so it requires that your Trusted Platform Module (TPM) is enabled and working; see the Windows Trusted Platform Module Management Step-by-Step Guide. (A host without a TPM can still use BitLocker with a USB startup key if the Group Policy setting that allows BitLocker without a compatible TPM is enabled, but that is not covered here.) Keep in mind what this protects: BitLocker on the host encrypts the VHD and VM configuration files at rest, so a stolen, lost or repurposed disk does not expose the virtual machines. It does not protect a running host from its own administrators, and it does not isolate one VM from another.

Step 1

Install Windows Server 2008.

Step 2

Install the Hyper-V role and the BitLocker feature.

  • Start Server Manager, expand Diagnostics, click Device Manager, and verify that the prerequisite Trusted Platform Module (TPM) is listed under Security Devices. If it is not, enable the TPM in the system firmware before continuing.
  • In Server Manager, click Add Roles.
  • Read the directions, and then click Next to continue.
  • Select the Hyper-V role check box, and then click Next to continue.
  • Read the directions, and then click Next to continue.
  • Select the appropriate networking interface check boxes to create virtual networks, and then click Next to continue.
  • To begin installation of the Hyper-V role, click Install.
  • After installation of the Hyper-V role is complete, click Yes to restart your server.
  • After reboot, start Server Manager and verify that the Hyper-V role has been installed successfully.
  • In Server Manager, click Add Features.
  • Select the BitLocker Drive Encryption check box, and then click Next to continue.
  • To begin installation of the BitLocker Drive Encryption feature, click Install.
  • After the BitLocker Drive Encryption initial installation phase is complete, click Yes to restart your server.

NOTE: After reboot, log on and Server Manager will be automatically started to complete the BitLocker Drive Encryption installation.

NOTE: Verify that the installation has been successful.

Now you must configure the system volume for BitLocker (Step 3) before turning on the installed BitLocker Drive Encryption from Control Panel (Step 4).

Step 3

Download and read detailed information and instructions for the BitLocker Drive Preparation Tool at:
https://support.microsoft.com/default.aspx/kb/930063.

Download and install the installation kit from the Microsoft download center at:
https://www.microsoft.com/downloads/details.aspx?FamilyID=320b9aa9-47e8-44f9-b8d0-4d7d6a75add0&DisplayLang=en

  • Click BitLocker Drive Preparation Tool.
  • Click I Accept to accept the software license terms.
  • Read the warnings below Caution, follow them as appropriate, and then click Continue.
  • After completion, the BitLocker Drive Preparation Tool requires you to restart the system. To reboot, click Finish.

NOTE: After reboot, the system volume (drive S:) and the operating system volume (drive C:) are separate, as shown in the following screenshot. The system volume holds the boot manager and stays unencrypted; everything else (the operating system volume and the data volumes holding your VHDs) is what BitLocker will encrypt.

[Screenshot: Disk Management showing the system volume (S:) and the operating system volume (C:) as separate volumes]

Step 4

Turn on BitLocker and encrypt the operating system and data volumes.

  • Start Control Panel for BitLocker Drive Encryption.
  • Click Turn On BitLocker.
  • Click Continue with BitLocker Drive Encryption.
  • Follow the steps to turn on the Trusted Platform Module (TPM) security hardware. The system firmware performs a Physical Presence Interface check: a person at the console must confirm the change during the reboot before TPM ownership is taken on this system. This confirmation cannot be given over Remote Desktop, so plan for console (or out-of-band management) access.
  • After the TPM is initialized successfully, you must save the recovery password before you encrypt the operating system volume and any optional data volumes. Store it off the host (in Active Directory Domain Services, on removable media, or printed and filed); a copy kept only on the host's own encrypted volume is useless when you need it.
  • To start encrypting the operating system volume, click Encrypt.
  • Wait for the encryption of the operating system volume to complete, then repeat this task for the data volumes.

NOTE: If you have many data volumes to encrypt, consider using the manage-bde.wsf script (run it with cscript.exe so that output goes to the console). The manage-bde.wsf syntax is included in the "Windows BitLocker Drive Encryption Design Guide" and the "Windows BitLocker Deployment Guide," which are available from the Microsoft Download Center at go.microsoft.com/fwlink/?LinkId=115215.

For example, to mark data volume P: so that it must be manually unlocked (no auto-unlock key stored on the operating system volume), use the following command:

cscript.exe %windir%\system32\manage-bde.wsf -autounlock -disable P:

To turn auto-unlock back on for P:, so that it unlocks without a prompt once the TPM-protected operating system volume has booted, use:

cscript.exe %windir%\system32\manage-bde.wsf -autounlock -enable P:

To view more detailed Help for this script, type the following command:

cscript.exe %windir%\system32\manage-bde.wsf -h
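The following PowerShell script is an added example, not part of the original document, of the bulk case the NOTE above describes: it enumerates every fixed data volume on the host, turns on BitLocker with a recovery-password protector via manage-bde.wsf, captures the printed recovery password for escrow, and enables auto-unlock. It assumes the operating system volume is already protected (auto-unlock depends on it), that manage-bde.wsf returns a non-zero exit code on failure, and uses a recovery directory path chosen purely for illustration.

```powershell
# Added example (not from the original post): bulk-protect every fixed data
# volume on the Hyper-V host with manage-bde.wsf, then enable auto-unlock so
# the VHD volumes unlock at boot once the TPM-protected OS volume is up.
# Assumptions: the OS volume is already BitLocker-protected (auto-unlock
# requires it); manage-bde.wsf exits non-zero on failure; $RecoveryDir is a
# hypothetical path. Run from an elevated PowerShell prompt on Server 2008.

$RecoveryDir = 'C:\BitLockerRecovery'   # hypothetical; move these files off the host (e.g. AD DS) afterwards
$ManageBde   = Join-Path $env:windir 'System32\manage-bde.wsf'

function Get-DataVolumes {
    # Fixed (DriveType 3) NTFS volumes with a drive letter, excluding the OS
    # volume (BootVolume) and the unencrypted system volume (S:) that the
    # BitLocker Drive Preparation Tool created (SystemVolume).
    Get-WmiObject Win32_Volume |
        Where-Object {
            $_.DriveType -eq 3 -and $_.FileSystem -eq 'NTFS' -and $_.DriveLetter -and
            -not $_.BootVolume -and -not $_.SystemVolume
        }
}

if (-not (Test-Path $RecoveryDir)) { New-Item -ItemType Directory -Path $RecoveryDir | Out-Null }

foreach ($vol in Get-DataVolumes) {
    $drive = $vol.DriveLetter          # e.g. 'P:'
    Write-Host "Enabling BitLocker on $drive ($($vol.Label))"

    # -on starts encryption; -rp adds a 48-digit recovery password protector.
    # manage-bde prints that password, so the output is kept for escrow.
    # //nologo suppresses the cscript banner.
    $out = & cscript.exe //nologo $ManageBde -on $drive -rp
    if ($LASTEXITCODE -ne 0) { Write-Warning "manage-bde -on failed for ${drive}: $out"; continue }
    $out | Out-File (Join-Path $RecoveryDir ("recovery-" + $drive.TrimEnd(':') + ".txt"))

    # Auto-unlock stores the data volume's external key on the OS volume, so
    # the VHD volume needs no prompt after the TPM has released the OS key.
    $out = & cscript.exe //nologo $ManageBde -autounlock -enable $drive
    if ($LASTEXITCODE -ne 0) { Write-Warning "autounlock enable failed for ${drive}: $out" }
}

# Conversion runs in the background; a volume is only protected once it
# reports fully encrypted. Review the state of every volume:
& cscript.exe //nologo $ManageBde -status
```

The recovery files end up on the encrypted C: volume of the same host, which is fine while the host boots normally and worthless when it does not; copy them to AD DS or another escrow location and delete the local copies once that is done.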

Step 5

Create new virtual machines. Only VMs whose VHD and configuration files live on a BitLocker-protected volume get any benefit, so create them on (or move them to) volumes that have finished encrypting. By default Hyper-V stores VHDs under C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks and VM configuration under C:\ProgramData\Microsoft\Windows\Hyper-V, both on the operating system volume encrypted in Step 4; if you point Hyper-V at a data volume instead, that volume must be protected too.
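As an added check, not part of the original document, the PowerShell script below reads the default VHD and configuration paths from the Hyper-V WMI provider (root\virtualization, the Windows Server 2008 namespace) and confirms through the BitLocker WMI provider (Win32_EncryptableVolume) that each of those volumes is both fully encrypted and has protection on before you create VMs there. It assumes both WMI providers are present on the host; the function names are this example's own.

```powershell
# Added example (not from the original post): before creating VMs, confirm
# that the volumes Hyper-V will write VHDs and VM configuration to are fully
# BitLocker-protected. A VM on an unencrypted data volume gets no benefit
# from the encrypted OS volume. Assumes the Server 2008 Hyper-V WMI namespace
# (root\virtualization) and the BitLocker WMI provider are available.

$BdeNamespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

function Get-HyperVDefaultPaths {
    # Hyper-V's configured default locations for new VHDs and VM configuration
    $s = Get-WmiObject -Namespace 'root\virtualization' -Class Msvm_VirtualSystemManagementServiceSettingData
    return @($s.DefaultVirtualHardDiskPath, $s.DefaultExternalDataRoot)
}

function Get-VolumeProtection {
    param([string]$DriveLetter)   # e.g. 'E:'
    $ev = Get-WmiObject -Namespace $BdeNamespace -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if ($ev -eq $null) { return $null }   # not a local BitLocker-capable volume
    $p = $ev.GetProtectionStatus()        # ProtectionStatus: 0 = off, 1 = on, 2 = unknown
    $c = $ev.GetConversionStatus()        # ConversionStatus: 1 = fully encrypted
    return @{
        Drive     = $DriveLetter
        Protected = ($p.ProtectionStatus -eq 1)
        Converted = ($c.ConversionStatus -eq 1)
        Percent   = $c.EncryptionPercentage
    }
}

$problems = 0
foreach ($path in Get-HyperVDefaultPaths) {
    $drive = Split-Path -Path $path -Qualifier   # 'E:' from 'E:\Hyper-V\...'
    $st = Get-VolumeProtection $drive
    if ($st -eq $null) {
        Write-Warning "$path is not on a local BitLocker-capable volume"
        $problems++
        continue
    }
    if ($st.Protected -and $st.Converted) {
        Write-Host "$path : OK ($drive fully encrypted, protection on)"
    } else {
        # Protection can report 'on' while conversion is still running, or a
        # volume can be fully encrypted with protection suspended; both are unsafe.
        Write-Warning ("$path : $drive NOT safe (protection on={0}, encrypted {1}%)" -f $st.Protected, $st.Percent)
        $problems++
    }
}
if ($problems -gt 0) { Write-Warning "Fix the volumes above before creating VMs" }
```

Both conditions matter: a volume that is still converting exposes the unencrypted part of the disk, and a fully encrypted volume whose protection has been suspended (for example for a firmware update) stores its key in the clear until protection is resumed.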