I need to encrypt my servers. Bitlocker being the main option. While I know I can store Bitlocker keys in AD to automatically unlock domain computers, how does this work with the domain servers? My fear is one day, I’ll end up restarting both of my domain servers in the middle of the night and they will prompt for the unlock key before fully loading. This would mean a very unpleasant 3am trip to the store to enter a code, or 6am phone calls for users saying everything is down. How do you set this up to avoid these two issues?

34 Spice ups

https://old.reddit.com/r/sysadmin/comments/7dw23y/do_any_of_you_bitlocker_your_servers/

1 Spice up

Use the TPM or a dedicated USB key to unlock the machine on login.

Bitlocker basically prevents someone removing the drive and plugging it into another machine and getting the data. That and not being able to access the machine without logging in. … The drive is unlocked on system boot.

Keeping a copy of the recovery key in a secure location i.e. not taped to the device is your last resort option.

2 Spice ups

Microsoft do not recommend you bitlocker your C drive on servers. Only the data partitions.

You never said, though: are these physical or virtual, and if the latter, virtual how: Hyper-V, VMware or something else?

May I ask what the specific requirement is - it may help.

1 Spice up

If Bitlocker enters Recovery Mode, you don’t.

Entering the 48 bit recovery key is always a manual process. AD can automatically store the recovery keys with the right GPO but even that has limitations. I’ve seen the GPO fail to trigger and leave me with no recorded recovery keys for encrypted WFH machines.

Bitlocker does have an automatic unlock so users don’t need to do anything during boot to unlock the drive but this only protects you if someone removed the hard drive from the machine.

2 Spice ups
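The post above warns that the GPO-driven AD escrow can silently fail and leave a machine with no recorded recovery key. The following is an added example, not code from the thread, that forces the escrow from the server side and then reads the computer object back to prove the key is really there. It assumes a domain-joined server, the RSAT ActiveDirectory module, an elevated session, and that the "Store BitLocker recovery information in Active Directory Domain Services" policy allows the backup (Backup-BitLockerKeyProtector errors otherwise); the function name is mine.

```powershell
# Added example (not from the thread): escrow every BitLocker recovery password on
# this host to its AD computer object, then verify AD actually holds each one.
# Assumes: domain-joined host, RSAT ActiveDirectory module, elevated session, and a
# policy that permits AD DS backup of recovery information.

Import-Module BitLocker
Import-Module ActiveDirectory

function Backup-AllRecoveryPasswordsToAD {
    # msFVE-RecoveryInformation objects live as children of the computer object.
    $computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName

    foreach ($vol in Get-BitLockerVolume) {
        # Only RecoveryPassword protectors can be escrowed; TPM/ExternalKey cannot.
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -eq 0) {
            Write-Warning "$($vol.MountPoint): no recovery password protector; nothing to escrow"
            continue
        }
        foreach ($p in $rp) {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
    }

    # Read back what the domain stores and match it against the local protectors.
    $stored = @(Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -SearchBase $computerDn -Properties msFVE-RecoveryPassword, whenCreated)

    foreach ($vol in Get-BitLockerVolume) {
        foreach ($p in @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            $match = @($stored | Where-Object { $_.'msFVE-RecoveryPassword' -eq $p.RecoveryPassword })
            $when  = $null
            if ($match.Count -gt 0) { $when = $match[0].whenCreated }
            [pscustomobject]@{
                MountPoint     = $vol.MountPoint
                KeyProtectorId = $p.KeyProtectorId
                EscrowedInAD   = ($match.Count -gt 0)
                WhenCreated    = $when
            }
        }
    }
}

Backup-AllRecoveryPasswordsToAD | Format-Table -AutoSize
```

Any row showing EscrowedInAD = False after this runs means the host could not write to a domain controller or policy blocked the backup, which is exactly the gap the poster describes. Running the check before a planned reboot is cheaper than discovering it at the recovery prompt.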

Do you? What kind of threat are you trying to protect from, or what kind of problem are you trying to solve? Encrypting servers is not an extremely popular approach, to be honest, foremost due to the significant performance impact and considerable resource waste required to process encryption/decryption algorithms, hence my question. If you need to protect the data from being stolen at rest with disks, self-encrypting drives may be a better option.

Also, if you are confident you need to use Bitlocker on your servers, make sure they are virtualized, and all the other essential security aspects are observed: https://www.hyper-v.io/hyper-v-security-mistakes-dont-want-make/

3 Spice ups

We use BitLocker on several servers and have for years. Yes, the keys are listed in AD for those who have access to read them; we also maintain a separate vault where the keys are stored, so if AD is gone but the Veeam restore is to an encrypted state we can pull the key or password with ease.

The servers will reboot normally without issue, but as someone mentioned before, the data drives will lock. Our 2016 or newer servers do not have that traditional blue login screen as long as the server has not moved to another network segment; if it is moved to another vCenter or network you will get the traditional blue screen, and yes, you need to physically enter the password to complete boot unless it is a VM.

Best practice, before you patch or reboot the server, is to suspend BitLocker on all drives; it will re-enable after it reboots.

2 Spice ups
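The suspend-before-patching habit above is easy to get wrong in one direction (forgetting to resume) and the other (suspending indefinitely). This added example, which is not from the thread, wraps the two cmdlets so protection is lifted for exactly one reboot and a post-reboot check catches anything that stayed suspended. It assumes an elevated session on the server being patched; the function names are mine.

```powershell
# Added example (not from the thread): suspend BitLocker on every protected volume
# for exactly one reboot before patching, then confirm it re-armed afterwards.
# Assumes an elevated PowerShell session on the server being patched.

Import-Module BitLocker

function Suspend-BitLockerForPatching {
    param([int]$RebootCount = 1)   # 0 means "until resumed manually"; avoid that
    foreach ($vol in (Get-BitLockerVolume | Where-Object ProtectionStatus -eq 'On')) {
        # Protection stays off until $RebootCount restarts complete, then Windows
        # resumes it on its own; no recovery prompt even if the TPM measurements change.
        Suspend-BitLocker -MountPoint $vol.MountPoint -RebootCount $RebootCount | Out-Null
    }
    Get-BitLockerVolume | Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus
}

function Assert-BitLockerResumed {
    # Run after the post-patch reboot. Resumes anything still suspended and returns
    # $false so a patching pipeline can flag the host instead of leaving it clear-key.
    $ok = $true
    $stillOff = Get-BitLockerVolume |
        Where-Object { $_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'Off' }
    foreach ($vol in @($stillOff)) {
        Write-Warning "$($vol.MountPoint) is still suspended; resuming protection"
        Resume-BitLocker -MountPoint $vol.MountPoint | Out-Null
        $ok = $false
    }
    return $ok
}

# Usage in a patch window:
#   Suspend-BitLockerForPatching -RebootCount 1
#   ... install updates and reboot ...
#   if (-not (Assert-BitLockerResumed)) { Write-Warning "$env:COMPUTERNAME needed a manual resume" }
```

While suspended, the volume master key is stored in the clear on the volume, so the window should be as short as the reboot itself; that is why the default here is a reboot count of 1 rather than an open-ended suspend.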

As Supaplex said, do you really need it?

Last year our cybersecurity insurance underwriter tried to push server encryption on us. I pushed back and after explaining why it doesn’t help in most cases (and can actually make recovery more difficult) they agreed with my logic and gave us a pass.

4 Spice ups

Can I please ask where you saw the recommendation from Microsoft re: "Microsoft do not recommend you bitlocker your C drive on servers. Only the data partitions."

I’m trying to do exactly that with command

Enable-BitLocker D: -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector

but get error

BitLocker cannot use the Trusted Platform Module (TPM) to protect a data drive. TPM
protection can only be used with the operating system drive. (Exception from HRESULT: 0x80310023)
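The error above is expected: HRESULT 0x80310023 is BitLocker refusing a TPM protector on anything but the operating system volume. The way a data volume boots unattended is a recovery password protector plus Auto-Unlock, which stores the data volume's key on the already-protected OS volume. The following is an added example, not code from the thread, showing that provisioning with the preconditions checked first. It assumes an elevated session, that the OS volume is already BitLocker-protected, and that D: is the data volume; the function name is mine.

```powershell
# Added example (not from the thread): encrypt a data volume the way the error
# message requires. TPM protectors are only valid on the OS volume, so the data
# volume gets a recovery password protector and Auto-Unlock handles unattended boots.
# Assumes: elevated session, OS volume already protected, D: is the data volume.

Import-Module BitLocker

function Enable-DataVolumeBitLocker {
    param(
        [Parameter(Mandatory)][string]$MountPoint,   # e.g. 'D:'
        [string]$OsMountPoint = $env:SystemDrive     # usually 'C:'
    )

    # Auto-Unlock keeps the data volume key on the OS volume, so the OS volume
    # must already be protected or Enable-BitLockerAutoUnlock fails.
    $os = Get-BitLockerVolume -MountPoint $OsMountPoint
    if ($os.ProtectionStatus -ne 'On') {
        throw "$OsMountPoint is not protected (ProtectionStatus=$($os.ProtectionStatus)); encrypt the OS volume first"
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeType -ne 'Data') {
        throw "$MountPoint is a $($vol.VolumeType) volume, not a data volume"
    }

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # -RecoveryPasswordProtector where the failing command used -TpmProtector
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
            -RecoveryPasswordProtector | Out-Null
    }
    elseif (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        # Already encrypted but with no recovery password: add one so there is
        # something to escrow and something to type if Auto-Unlock is ever lost.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }

    # Unlock D: at boot with a key stored on the protected OS volume; no prompt.
    if (-not (Get-BitLockerVolume -MountPoint $MountPoint).AutoUnlockEnabled) {
        Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
    }

    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeType, EncryptionMethod, VolumeStatus, ProtectionStatus,
                      AutoUnlockEnabled, @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } }
}

Enable-DataVolumeBitLocker -MountPoint 'D:'
```

Two caveats follow from the design: the Auto-Unlock key is only as available as the OS volume, so if the OS volume is reinstalled or the disk is moved, D: falls back to the 48-digit recovery password, which is why that protector should be escrowed (to AD or a vault) before the first production reboot; and because the recovery password is the data volume's only independent protector, anyone who can read it from AD can read the drive.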