Protecting data at rest is a real security concern in datacenters. The data stored there is often a company's most valuable asset; any leakage can lead to serious problems and can damage its reputation and brand.
BitLocker Drive Encryption is a Windows feature that protects data at rest with strong encryption, so that the contents of a drive remain unreadable if the hardware is stolen. It is well suited to branch offices or datacenters where physical security is weak. BitLocker protects the disk in case of lost, stolen, or inappropriately decommissioned hard drives. Access to the encrypted volume is controlled by one or more key protectors, such as a TPM, a PIN, a startup key on a USB drive, a password, or a smart card, and BitLocker also supports a recovery password or recovery key in case the primary protector is lost.
In virtual and cloud environments, a virtual hard disk is just a file. Prior to Windows Server 2012, there was no encryption for it by default: if one of your servers or its storage is stolen, anyone can open the virtual hard disk file with a double-click, mount it, and obtain all the information it contains.
When used in conjunction with a system that supports a Trusted Platform Module (TPM), BitLocker provides additional security. A TPM is a dedicated security chip on the server's motherboard (newer servers may provide it as firmware). BitLocker uses it to seal the key that unlocks the drive to measurements of the platform, which lets the system detect, for example, that the hard disk has been moved from one server to another. During the boot process, the firmware and the TPM measure the hardware configuration and the boot files; the TPM releases the key only if those measurements match the values recorded when BitLocker was enabled, so any modification, such as attaching the disk to another computer in an unauthorized manner, forces BitLocker into recovery mode instead of unlocking the drive.
This recipe demonstrates how to enable BitLocker to encrypt and protect your hard drives.
To enable the additional security features provided by a TPM, you need to make sure your server has a TPM chip (version 1.2 or later) that is enabled in the firmware, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.
It is a best practice to use a USB flash drive to store the startup key in a scenario without a TPM chip. Insert the flash drive before you start the BitLocker wizard, and keep it separate from the server afterwards; without it (or the recovery key), the operating system drive cannot be unlocked at boot.
If you don't have a TPM chip, this recipe also demonstrates how to enable BitLocker without TPM.
The following steps will show you how to enable and configure BitLocker for your disk partitions. Start by typing gpedit.msc and clicking on the gpedit icon to open Local Group Policy Editor, where the BitLocker policies (for example, the setting that allows BitLocker on a server without a TPM) are configured. Once the policy is set, run gpupdate /force to make sure the local policy or GPO has been applied before turning BitLocker on.

BitLocker has come far since its initial release in Windows Server 2008 (and Windows Vista on the client side).
It is a very common feature on servers located in branch offices, to protect the disks in case the server is stolen, and it will become more common in the future for securing virtual machines in the cloud. The good news is that you can also use it on a number of storage options to enable strong protection.
On Windows Server 2016, BitLocker is a feature that must be installed before you can enable BitLocker on a disk drive. By default, you must also have a TPM to protect the operating system drive (data volumes can be protected with a password instead). If the server doesn't have a TPM, you can disable the TPM requirement for the operating system drive using group policies, in which case a startup key on a USB drive is used in its place. With the introduction of Windows Server 2016, you can also give a Generation 2 virtual machine a virtual TPM (vTPM), so that BitLocker inside the VM works as it does on physical hardware.
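The preparation described in the steps above and in this paragraph (install the feature, check for a TPM, relax the TPM requirement when there is none, refresh policy) can be scripted. The following is an added example and not code from the original recipe; it writes the registry values behind the Group Policy setting "Require additional authentication at startup" (the setting the gpedit.msc step edits), which is an assumption about which policy the recipe configures. Run it in an elevated PowerShell session.

```powershell
# Added example: prepare a Windows Server 2016 host for BitLocker.
#Requires -RunAsAdministrator

# 1. Install the BitLocker feature (and its management tools). A reboot is
#    required before a drive can be encrypted.
$feature = Get-WindowsFeature -Name BitLocker
if (-not $feature.Installed) {
    Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools
    Write-Warning "BitLocker feature installed; reboot before enabling encryption."
}

# 2. Check whether a TPM is present and ready (TrustedPlatformModule module).
$tpm = Get-Tpm
if ($tpm.TpmPresent -and $tpm.TpmReady) {
    Write-Output "TPM present and ready: BitLocker can seal the key to the TPM."
}
else {
    Write-Output "No usable TPM: allow BitLocker on the OS drive with a startup key instead."

    # 3. Registry equivalent of the Group Policy setting (assumed to be the one
    #    the gpedit.msc step configures):
    #    Computer Configuration > Administrative Templates > Windows Components >
    #    BitLocker Drive Encryption > Operating System Drives >
    #    "Require additional authentication at startup" = Enabled, with
    #    "Allow BitLocker without a compatible TPM" checked.
    #    TPM option values: 0 = do not allow, 1 = require, 2 = allow.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord
    # Leave the TPM options at "allow" so the same policy still works on hosts
    # that do have a TPM.
    foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        Set-ItemProperty -Path $fve -Name $name -Value 2 -Type DWord
    }

    # 4. Re-apply policy so the change is in effect before running the BitLocker
    #    wizard or manage-bde. A domain GPO that sets the same values wins over
    #    the local ones written above.
    gpupdate /force | Out-Null
}

# 5. Show the effective policy values so the change can be verified.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue |
    Select-Object UseAdvancedStartup, EnableBDEWithNoTPM, UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN
```

On a domain member, prefer setting the same policy in a GPO rather than in the local registry: gpupdate /force will re-apply the domain values, and a domain policy also keeps every branch server consistent.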
After installing, it is quite easy to turn BitLocker on. There are several ways to do it: through Windows Explorer by right-clicking on the disk drive, through the Control Panel, and through the command-line interface.
During the process of turning it on, the wizard creates a recovery key that must be saved somewhere other than the encrypted drive, such as another hard drive, a USB drive, a printout, or (on a domain-joined server) Active Directory, in case you lose the password or the TPM refuses to release the key after a hardware or boot change.
With these features, you can apply and manage BitLocker in a wide range of scenarios and storage types, including Cluster Shared Volumes (CSVs), inside a VM, and on servers that boot from a SAN, which is very useful for branch offices and disaster recovery multisite clusters with lower physical security.
BitLocker can also be enabled from the command line using two commands. The first one is Manage-BDE. Using the following example, you can enable BitLocker on C: and save the recovery key on H:. After typing the command, the system prompts for any password the policy requires, displays the generated recovery password, and the encryption process begins:
manage-bde -on C: -RecoveryPassword -RecoveryKey H:
-RecoveryPassword generates a 48-digit numerical password that manage-bde prints to the console; record it, because it is the only way to unlock the drive if the TPM or startup key is unavailable. -RecoveryKey H: writes the external key file (.BEK) to H:, which must be a drive other than the one being encrypted.
If you prefer PowerShell, you can use the cmdlet Enable-BitLocker. For more information, type Help Enable-BitLocker.
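The PowerShell equivalent of the manage-bde command above, as an added example that is not part of the original recipe: it adds a recovery password and a recovery key saved to H:, then turns on BitLocker for C: with a TPM protector when a ready TPM exists, or with a startup key otherwise. It assumes the BitLocker feature is installed, that H: is a separate drive (the folder H:\BitLocker-Recovery is a hypothetical choice), and that U: is the USB flash drive for the no-TPM case; both drive letters are assumptions.

```powershell
# Added example: enable BitLocker on the OS drive with recovery material saved off-drive.
#Requires -RunAsAdministrator

$OsDrive       = 'C:'
$RecoveryDir   = 'H:\BitLocker-Recovery'   # assumed: a drive other than $OsDrive
$StartupKeyDir = 'U:'                      # assumed: USB flash drive (no-TPM case)

New-Item -ItemType Directory -Path $RecoveryDir -Force | Out-Null

$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.ProtectionStatus -eq 'On') {
    Write-Output "$OsDrive is already protected."
    return
}

# 1. Add the recovery protectors first, before encryption starts, so the drive
#    is never encrypted without a way back in:
#    - RecoveryPassword: the 48-digit numerical key (manage-bde -RecoveryPassword)
#    - RecoveryKey: the external .BEK file written to H: (manage-bde -RecoveryKey H:)
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryKeyProtector -RecoveryKeyPath $RecoveryDir | Out-Null

# 2. Save the numerical password to H: too and, on a domain member, back it up
#    to Active Directory (fails on a workgroup host, which is tolerated here).
$rp = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
"Recovery password for $env:COMPUTERNAME $OsDrive (protector $($rp.KeyProtectorId)): $($rp.RecoveryPassword)" |
    Out-File -FilePath (Join-Path $RecoveryDir "$env:COMPUTERNAME-$($rp.KeyProtectorId).txt")
try {
    Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
}
catch {
    Write-Warning "Recovery password not backed up to Active Directory: $_"
}

# 3. Turn BitLocker on with the startup protector the hardware supports.
#    BitLocker runs a hardware test on the next reboot before encrypting;
#    add -SkipHardwareTest to bypass it (not recommended on new hardware).
$tpm = Get-Tpm
if ($tpm.TpmPresent -and $tpm.TpmReady) {
    # Key is sealed to the TPM's boot measurements; a moved disk lands in recovery.
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -TpmProtector
}
else {
    # Requires the "allow BitLocker without a compatible TPM" policy; the .BEK
    # startup key is written to the USB drive, which must be present at boot.
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
        -StartupKeyProtector -StartupKeyPath $StartupKeyDir
}

# 4. Report protectors and encryption progress (re-run after the reboot).
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
                  @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```

Keep the text file and the .BEK on H: out of the server chassis (move them to a secured share or a password manager once recorded); a recovery key stored next to the encrypted disk defeats the purpose of the recipe.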