BitLocker Drive Encryption

Article ID: 610
Last updated: 16 Jul, 2018

Introduction

A secure computing environment would not be complete without consideration of encryption technology. This article describes how to encrypt Imagicle Application Suite server storage using the Microsoft BitLocker feature.

BitLocker is Microsoft's encryption program that provides full-disk encryption of hard drives. By using the latest encryption algorithms and leveraging the power and efficiency of modern CPUs, it encrypts the entire contents of the startup disk, preventing unauthorized access to the data stored on the disk, except by those who have either the login account to decrypt the disk or the recovery key.

With BitLocker's whole-disk encryption enabled, data is secured from prying eyes. All attempts to access this data physically or over the network will be met with either prompts to authenticate or error messages stating that the data cannot be accessed, even when attempting to access data backups, as BitLocker encrypts those too.

Configuration

Adding (virtual) floppy drive

For the sake of simplicity, in this article the encryption key is stored on the floppy drive. Make sure a floppy resource is configured in your environment and, if not, follow the steps below to make it available in a vSphere environment.

Open VM properties and click on Add

Select floppy drive and click on next

In the next screens, first select "Create a blank floppy image", click on Next, and select the datastore location where the floppy image will be saved. Make sure the flag "Connect at power on" is selected.

Enabling BitLocker

Start the VM and enable the BitLocker feature with the Local Group Policy Editor (gpedit.msc): navigate to "Require additional authentication at startup", as described in the picture below. Select "Enable". Make sure the other options are set as in the picture below. Click on "Apply" and "OK". Close the Local Group Policy Editor.

In the VM, select the newly created floppy drive and format it with the default settings.

Generating and saving the Encryption key

From the VM that needs to be encrypted, open a CMD prompt window as admin and navigate to C:\windows\system32\

Run the command manage-bde.exe -on C: -rp -sk A:

This command generates a key (e.g. 068552-159588-193347-063712-370997-614405-340516-XXXXXX) and saves it on the floppy drive. The floppy drive will provide the key at each boot, enabling the VM to boot properly.

It is very important to save the generated key in case the floppy becomes unavailable (e.g. damaged, unreadable, ...). Please copy it from the prompt window to a text file and store it securely, as it contains the key that enables boot.

Check that the hard drive is set to be first in the boot order, reboot the VM and wait a short time until the encryption process starts, as shown in the picture below.
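
One way to confirm the result of the steps above, as an added PowerShell example that is not part of the original article: it checks that C: carries both the startup key protector written to A: by -sk and the recovery password protector created by -rp, and reports encryption progress. It assumes the BitLocker PowerShell module (Windows Server 2012 or later) and an elevated session; Test-BitLockerSetup is a name chosen for this example.

```powershell
# Added example, not Imagicle's code. Run from an elevated PowerShell prompt.
# Assumptions: OS volume is C:, the startup key was saved to A:\ as in this article.
function Test-BitLockerSetup {
    param(
        [string]$MountPoint = 'C:',
        [string]$KeyDrive   = 'A:\'
    )

    $vol      = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $findings = New-Object System.Collections.Generic.List[string]

    # -sk creates an ExternalKey protector, -rp a RecoveryPassword protector.
    $startup  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'ExternalKey' })
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    if ($startup.Count -eq 0)  { $findings.Add('No startup key protector on the volume.') }
    if ($recovery.Count -eq 0) { $findings.Add('No recovery password protector: nothing to fall back on if the floppy is lost.') }

    # The startup key is a hidden .BEK file; [IO.File]::Exists also sees hidden files.
    foreach ($p in $startup) {
        if (-not $p.KeyFileName) { continue }
        $bek = Join-Path $KeyDrive $p.KeyFileName
        if (-not [System.IO.File]::Exists($bek)) {
            $findings.Add("Startup key file $bek not found; the VM cannot unlock at boot without it.")
        }
    }

    # Per the article, encryption begins only after the reboot.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        $findings.Add('Volume is still fully decrypted; reboot so that encryption can start.')
    }

    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        VolumeStatus         = $vol.VolumeStatus
        EncryptionPercentage = $vol.EncryptionPercentage
        ProtectionStatus     = $vol.ProtectionStatus
        StartupKeyProtectors = $startup.Count
        RecoveryProtectors   = $recovery.Count   # count only; the password is never printed
        Findings             = $findings
    }
}

Test-BitLockerSetup | Format-List
```

An empty Findings list together with a VolumeStatus of EncryptionInProgress or FullyEncrypted means both protectors are in place and the key file is readable from the floppy.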

Final recommendations

Make sure the VM properties are configured as reported in the following picture; enabling the flag "Connect at power on" makes the floppy (with the key that will be installed into it in the next steps) available for booting.

Also make sure the VM boot order in the BIOS has the hard drive in first place (prior to any other I/O devices).

Revision: 1