my personal blog about systemcenter


Protecting Virtual PKI Offline Root CA with Bitlocker

Categories: Bitlocker, Hyper-V, PKI, TPM

One of the steps in building a secure PKI infrastructure is protecting the Root CA from attacks while it is not in use. Normally we see people exporting the VMs holding the Offline Root CA to multiple external drives, storing them in a secure location, and taking them out of the safe once a year to refresh the CRL, or whenever an Issuing CA needs to be "killed" or renewed.

But in midsize installations the Offline Root CA often stays in the environment, leaving it exposed to offline attacks and to loss of control over the PKI environment.

In a perfect world the Root CA would be secured properly, or might even sit behind a physical HSM, but sometimes ease of access and reduced complexity/cost win.

This is an attempt to meet in the middle: a higher security level than just leaving the VM around, and easier to manage than a VM exported to removable media.

There have been multiple articles on how to use BitLocker in a hypervisor guest, where we don't have access to the TPM chip that might reside in the server.

This example uses a 2012/2012 R2 VM created as a Generation 1 VM. Gen 1 was chosen so that potential Secure Boot problems, when the VM is moved through the hypervisor lifecycle, cannot prevent it from booting.

The above article is an example of how to enable BitLocker on a Windows 7 guest, and we follow the same procedure.

Through gpedit.msc, enable "Allow BitLocker without a compatible TPM" (a checkbox in the "Require additional authentication at startup" policy under BitLocker Drive Encryption > Operating System Drives).

Create a new virtual floppy

And attach it to the VM. This floppy file needs to be kept in a safe, as it will hold the BitLocker key that unlocks the VM at boot.

Enable the BitLocker role on the VM.

Run manage-bde -on C: -rp -sk A: (a recovery password protector plus a startup key written to the floppy). This will enable the encryption after the next reboot.

The recovery password needs to be printed and secured together with the virtual floppy.

As this is a test environment created for this blog, the password/key isn't pixelated.

After the reboot we can see that BitLocker is enabled.

And verified from the GUI.

If we remove the virtual floppy,

the VM won't boot, so we need the virtual floppy to continue.

It's an improvement over having a VM lying around locally that can simply be copied or started up.

Scrubbing the area on the host where the virtual floppy was created will improve things further, as will raising the encryption level on the BitLocker drive.

This is not a perfect implementation, but compared to a VM just sitting there offline, this wins every time.
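The whole procedure above, plus the host-side scrubbing mentioned in the closing remarks, as one added PowerShell example. This is not the blog's own script and not a vendor sample; it only uses the Hyper-V, BitLocker and ServerManager cmdlets that the post's steps correspond to. Everything named is a placeholder assumption: the VM is a Generation 1 VM called OfflineRootCA, the .vfd is created under C:\VFD on the host, E:\safe stands for the removable media that goes into the safe, C: is the guest system drive and the floppy shows up as A: inside the guest. Part 1 and Part 3 run on the Hyper-V host, Part 2 inside the guest.

```powershell
# Added example, not the blog's own script. Placeholder assumptions:
#   VM name 'OfflineRootCA', host folder C:\VFD, removable media E:\safe,
#   guest system drive C:, floppy visible as A: inside the guest.
# Part 1 and Part 3 run on the Hyper-V host, Part 2 inside the guest.

### Part 1 (host): create the virtual floppy and attach it to the VM
$VMName  = 'OfflineRootCA'                      # placeholder VM name
$VfdPath = 'C:\VFD\OfflineRootCA-startup.vfd'   # placeholder host path

# Only Generation 1 VMs have a floppy controller, which is also why the post uses Gen 1.
$vm = Get-VM -Name $VMName
if ($vm.Generation -ne 1) { throw "$VMName must be a Generation 1 VM to attach a virtual floppy." }

New-Item -ItemType Directory -Path (Split-Path $VfdPath) -Force | Out-Null
New-VFD -Path $VfdPath | Out-Null                # empty .vfd image
Set-VMFloppyDiskDrive -VMName $VMName -Path $VfdPath

### Part 2 (guest, elevated): policy, feature, protectors
# Same effect as ticking "Allow BitLocker without a compatible TPM" in gpedit.msc;
# these are the registry values the local policy editor writes for that setting.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord

# The post's "enable the BitLocker role" (Server 2012 / 2012 R2).
Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools | Out-Null

# Cmdlet equivalent of: manage-bde -on C: -rp -sk A:
# The startup key (.BEK) lands on the floppy; a recovery password is added as the
# second protector. Without -SkipHardwareTest BitLocker runs its hardware test at the
# next reboot and only then starts encrypting, which is the behaviour the post describes.
Enable-BitLocker -MountPoint 'C:' -StartupKeyProtector -StartupKeyPath 'A:\' | Out-Null
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null

# Show the 48-digit recovery password once so it can be printed and stored with the
# floppy. It is deliberately not written to the floppy: losing one must not lose both.
$rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Write-Output "Recovery password (print and store with the floppy): $($rp.RecoveryPassword)"
Restart-Computer -Confirm

### Part 2b (guest, after the reboot): verify, like the status check in the post
$vol = Get-BitLockerVolume -MountPoint 'C:'
if ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted') {
    Write-Output "C: fully encrypted, protection on, method $($vol.EncryptionMethod)"
} else {
    Write-Warning "C: is $($vol.VolumeStatus) with protection $($vol.ProtectionStatus); wait or investigate"
}

### Part 3 (host): detach the floppy, move it to the safe, scrub the host copy
Set-VMFloppyDiskDrive -VMName $VMName -Path $null     # the VM no longer boots without it
Copy-Item -Path $VfdPath -Destination 'E:\safe\'      # placeholder removable media
Remove-Item -Path $VfdPath
# Overwrite deallocated space on the volume that held the .vfd so the deleted key
# material cannot be carved out of free space (the "scrubbing" from the closing remarks).
$scrubDir = Split-Path $VfdPath
cipher.exe "/w:$scrubDir"
```

Part 2b is the check worth automating: ProtectionStatus only flips to On after the hardware test reboot, so a VM that shows Off there is still readable in the clear even though Enable-BitLocker returned without error. Part 3 is what actually delivers the post's point: while the .vfd sits on the same host storage as the VHDX, anyone who can read the host's disks has both halves, so the floppy is detached and removed before the VM goes back to being "offline".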