my personal blog about systemcenter

Enabling BitLocker on a Hyper-V 2012 R2 Cluster

 

One of the features in Windows Server 2012 / 2012 R2 is the ability to use BitLocker on Cluster Shared Volumes (CSVs). This encrypts the whole volume, so the data stays unreadable if the storage is "lost" or cloned, adding another layer to the security model.

The requirements for this walkthrough are a Windows Server 2012 domain controller and a Trusted Platform Module in the Hyper-V host. Note that this does not enable BitLocker inside the guest VMs; it encrypts the volume the guest VMs are stored on.

If applications don't support encrypting their own data and an audit imposes a hard requirement that everything stored must be encrypted, BitLocker on the CSV will help pass the audit.

This example uses a static password as the BitLocker protector; other options (a recovery password, an AD account or group) are available.

 

To enable BitLocker on the Hyper-V hosts we need a TPM. After adding the module to the blade servers it shows up in Device Manager on both nodes.

 

There are two ways of adding the BitLocker feature on each cluster node: either through Server Manager (Add Roles and Features, then the BitLocker Drive Encryption feature)

or through PowerShell: Add-WindowsFeature BitLocker

Both will require a reboot after completion. Install the feature on every node in the cluster, not just the one you run the encryption from, otherwise the other nodes cannot unlock the volume.

 

To enable encryption the CSV has to be put into maintenance mode. This can either be done from the GUI (Failover Cluster Manager, right-click the disk under Storage, More Actions, Turn On Maintenance Mode)

or from PowerShell: Get-ClusterSharedVolume | Suspend-ClusterResource

In this test cluster we only have that one volume, so no filtering is needed.

 

Both methods put the resource into maintenance mode.

 

This example uses a static password as the protector.

To enable BitLocker, run the following on the node that currently owns the CSV:

$SecureString = ConvertTo-SecureString "thispasswordshouldbebetter" -AsPlainText -Force

Enable-BitLocker -MountPoint "C:\ClusterStorage\CSV001" -PasswordProtector -Password $SecureString

 

Then we add the cluster's computer account, the Cluster Name Object (CNO), as an additional protector so that any node in the cluster can unlock the volume automatically.

 

And we can see the volume being encrypted,

and through PowerShell with Get-BitLockerVolume, which reports the VolumeStatus and EncryptionPercentage.

 

After encryption has completed, turn off maintenance mode (Resume-ClusterResource, or the GUI equivalent),

and the volume is back in action.
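The whole procedure above as one script is an added example and not the post's own code. It assumes a CSV resource named "Cluster Disk 1" mounted at C:\ClusterStorage\CSV001 and a cluster computer account CONTOSO\HVCLUSTER$; change those to match your cluster. Beyond what the post shows, it checks that it is running on the owner node, adds a recovery password protector next to the password protector, and restores the CSV from maintenance mode even if a step fails.

```powershell
# Added example (not from the original post). Run on the node that currently
# owns the CSV. Assumed names: CSV resource "Cluster Disk 1", mount point
# C:\ClusterStorage\CSV001, Cluster Name Object CONTOSO\HVCLUSTER$.
$CsvName    = "Cluster Disk 1"
$MountPoint = "C:\ClusterStorage\CSV001"
$Cno        = "CONTOSO\HVCLUSTER$"   # computer account of the cluster, note the trailing $

# Read the password interactively instead of hard-coding it in the script.
$Password = Read-Host -AsSecureString -Prompt "BitLocker password for $CsvName"

# 1. Refuse to run anywhere but the owner node: only the owner has the volume
#    mounted for direct I/O, so Enable-BitLocker fails elsewhere.
$csv = Get-ClusterSharedVolume -Name $CsvName
if ($csv.OwnerNode.Name -ne $env:COMPUTERNAME) {
    throw "Run this on the CSV owner node ($($csv.OwnerNode.Name)), not on $env:COMPUTERNAME"
}

# 2. Maintenance mode turns the CSV into a plain NTFS volume on the owner so
#    BitLocker can write its metadata.
$csv | Suspend-ClusterResource

try {
    # 3. The password protector the post uses, plus a recovery password so the
    #    volume can still be opened if the password is lost or rotated.
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector

    # 4. CNO protector: every node in the cluster can unlock the CSV when it
    #    comes online without anybody typing the password.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -AdAccountOrGroupProtector -AdAccountOrGroup $Cno

    # 5. Poll until the conversion finishes before handing the volume back.
    do {
        Start-Sleep -Seconds 30
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ("{0}: {1}% encrypted" -f $MountPoint, $vol.EncryptionPercentage)
    } while ($vol.VolumeStatus -eq "EncryptionInProgress")

    # List the protectors; the RecoveryPassword value must be stored somewhere
    # safe (and off this volume) before the script output is discarded.
    $vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId, RecoveryPassword -AutoSize
}
finally {
    # 6. Leave maintenance mode even if a step above threw, so the cluster
    #    does not stay without its storage.
    $csv | Resume-ClusterResource
}
```

The CNO protector is what makes the volume usable after a failover: a node that takes ownership of the CSV unlocks it with the cluster's AD identity, so the static password is only ever needed by a human, for example on a host that is not a member of the cluster.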

To test, the disk is removed from the cluster and unpresented from the hosts.

 

Adding the drive to a host outside the cluster,

we can see it is a BitLocker volume when we try to browse it.

Because this host is not a cluster member, the CNO protector cannot unlock the volume. Windows prompts us for the password set earlier (this example uses a password protector rather than a 48-digit recovery password),

and grants us access to the data.
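The same check from PowerShell, as an added example that is not part of the original post. It assumes the disk came up as drive E: on the test host. It shows that the protector list is readable while the volume is still locked, that the CNO protector does nothing outside the cluster, and that the password is what unlocks it.

```powershell
# Added example (not from the original post). Run on a host that is NOT a
# member of the cluster. Assumption: the CSV disk appeared as drive E: here.
$MountPoint = "E:"

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Protector metadata is readable even while the volume is locked, so the
# Password and ADAccountOrGroup (CNO) protectors added on the cluster are listed.
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

# The CNO protector is useless on this host: it is not the cluster, so the
# volume stays locked until someone supplies the password.
if ($vol.LockStatus -eq "Locked") {
    Write-Host "$MountPoint is locked; CNO auto-unlock does not apply outside the cluster."
    $pw = Read-Host -AsSecureString -Prompt "BitLocker password for $MountPoint"
    Unlock-BitLocker -MountPoint $MountPoint -Password $pw | Out-Null
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host ("{0}: LockStatus={1}, VolumeStatus={2}" -f $MountPoint, $vol.LockStatus, $vol.VolumeStatus)

# Re-lock when the test is done so the test host does not keep the volume open.
Lock-BitLocker -MountPoint $MountPoint -ForceDismount
```

If Unlock-BitLocker succeeds here with nothing but the password, then anyone who obtains the password and a copy of the LUN has the data; that is the reason to treat the static password as a recovery credential and keep the day-to-day unlock on the CNO.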

 

 

 

 

 

References:

http://blogs.msdn.com/b/clustering/archive/2012/07/20/10332169.aspx

http://technet.microsoft.com/en-us/library/dn383585.aspx

 