
Protecting Virtual PKI Offline Root CA with Bitlocker

Categories: Bitlocker, Hyper-V, PKI, TPM

One of the steps in creating a secure PKI infrastructure is protecting the Root CA from attacks when it's not in use. Normally we see people exporting the VM with the Offline Root CA to multiple external drives, storing them in a secure location, and taking them out of the safe once a year to refresh the CRL or whenever an Issuing CA needs to be "killed" or renewed.

But often, in midsize installations, the Offline Root CA stays in the environment, making it subject to offline attacks and loss of control of the PKI environment.

In a perfect world the Root CA would be secured properly, or might even be a physical HSM, but sometimes ease of access and reduced complexity/cost wins.

This is an attempt to meet in the middle: a higher security level than just leaving the VM around, and easier to manage than a VM exported to removable media.

There have been multiple articles on how to use BitLocker in a hypervisor where we don't have access to the TPM chip that might reside in the server.

This example uses a 2012/2012 R2 VM created as generation 1; the VM was created as gen 1 so that potential Secure Boot problems when moving the VM through the hypervisor lifecycle would not prevent it from booting.

http://blogs.msdn.com/b/mszcool/archive/2010/02/03/bitlocker-in-a-windows-7-guest-running-on-a-hyper-v-r2-environment-or-any-environment-without-a-tpm.aspx

The above article is an example of how to enable BitLocker on a Windows 7 guest, and we follow the same procedure.


Through gpedit.msc, enable "Allow BitLocker without a compatible TPM"


Create a new virtual floppy


And attach it to the VM. This floppy file needs to be preserved in a safe, as it will hold the BitLocker recovery keys.


Enable the BitLocker role on the VM


Run manage-bde -on C: -rp -sk A: ; this will enable the encryption after the next reboot.

The recovery password needs to be printed and secured together with the virtual floppy.

As this is a test environment created for this blog, the password/key isn't pixelated.


After the reboot we can see that BitLocker is enabled


And verified from the GUI


If we remove the virtual floppy


the VM won't boot, so we need the virtual floppy to continue.
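The enable and verification steps above, scripted as an added example (this is not the post's own commands): it assumes the BitLocker feature is installed in the guest, the "Allow BitLocker without a compatible TPM" policy is set, the virtual floppy is attached as A:, and the session is elevated.

```powershell
# Added example: enable BitLocker on the offline root CA VM's OS volume with a
# startup key on the virtual floppy (A:) plus a recovery password, then check
# that the protectors are what we expect before relying on them.
$OsDrive     = 'C:'   # assumed OS volume
$FloppyDrive = 'A:'   # assumed virtual floppy

# Step 1: enable encryption. -rp creates a numerical recovery password, -sk writes
# the startup key (.BEK) to the floppy. Encryption itself begins after the
# hardware test on the next reboot.
manage-bde -on $OsDrive -rp -sk "$FloppyDrive\"

# Step 2: inspect the protectors the volume actually received.
$vol   = Get-BitLockerVolume -MountPoint $OsDrive
$types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

if ('Tpm' -in $types) {
    Write-Warning "A TPM protector is present; a gen 1 VM is expected to have none."
}
if ('ExternalKey' -notin $types) {
    throw "No startup-key (ExternalKey) protector found; the floppy will not unlock $OsDrive."
}
if ('RecoveryPassword' -notin $types) {
    throw "No recovery password protector; there is no fallback if the floppy is lost."
}

# Step 3: confirm the startup key file really landed on the floppy (.BEK files are
# hidden + system, hence -Force). Without it the VM will not boot once the floppy
# is removed, which is exactly the behaviour we want.
$bek = Get-ChildItem -Path "$FloppyDrive\" -Filter '*.BEK' -Force -ErrorAction SilentlyContinue
if (-not $bek) {
    throw "No .BEK file on $FloppyDrive; keep the floppy attached and re-run manage-bde."
}

# Step 4: show the recovery password so it can be printed and stored with the floppy.
$vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object { "Recovery password (store on paper with the floppy): $($_.RecoveryPassword)" }

# Step 5: report status; 100% encrypted is expected only after the post-reboot pass.
"Volume $OsDrive status: $($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted"
```

Re-running only steps 2 to 5 after the reboot gives a quick check that the volume finished encrypting and still has no TPM protector.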


It's an improvement over having a VM lying around locally that can just be copied or started up.

Scrubbing the disk area where the virtual floppy was created will improve this further, as will changing the encryption level on the BitLocker drive.

This is not a perfect implementation, but compared with a VM just sitting there offline, this wins every time.