Protect Servers with ‘Entire Drive Encryption’ via BitLocker

April 6, 2016


Windows BitLocker Drive Encryption is a new security feature that provides better data protection for your computer, by encrypting all data stored on the Windows operating system volume. (In this version of Windows, a volume consists of one or more partitions on one or more hard disks. BitLocker works with simple volumes, where one volume is one partition. A volume usually has a drive letter assigned, such as “C.”)

A Trusted Platform Module (TPM) is a microchip that’s built into a computer. It’s used to store cryptographic information, such as encryption keys. Information stored on the TPM can be more secure from external software attacks and physical theft.

BitLocker uses the TPM to help protect the Windows OS and user data and helps to ensure that a computer is not tampered with – even if it is left unattended, lost, or stolen.

BitLocker can also be used without a TPM. To use BitLocker on a computer without a TPM, you must change the default behavior of the BitLocker setup wizard by using Group Policy, or configure BitLocker by using a script. When BitLocker is used without a TPM, the required encryption keys are stored on a USB flash drive that must be presented to unlock the data stored on a volume.


How does BitLocker Drive Encryption Work?

Your data is protected by encrypting the entire Windows operating system volume.

If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer. Encrypting the entire volume protects all of the data, including the operating system itself, the Windows registry, temporary files, and the hibernation file. Because the keys needed to decrypt data remain locked by the TPM, an attacker cannot read the data just by removing your hard disk and installing it in another computer.

During the startup process, the TPM releases the key that unlocks the encrypted partition only after comparing a hash of important operating system configuration values with a snapshot taken earlier. This verifies the integrity of the Windows startup process. The key is not released if the TPM detects that your Windows installation has been tampered with.

By default, the BitLocker setup wizard is configured to work seamlessly with the TPM. An administrator can use Group Policy or a script to enable additional features and options.

For enhanced security, you can combine the use of a TPM with either a PIN entered by the user or a startup key stored on a USB flash drive.

On computers without a compatible TPM, BitLocker can provide encryption, but not the added security of locking keys with the TPM. In this case, the user is required to create a startup key that’s stored on a USB flash drive.


BitLocker Entire Drive Encryption (Windows Server 2012 R2)

Your drive letters might not correspond to those in this example. In this example, the operating system volume is labeled C, and the system volume is labeled X (for system volume). In this example, we also assume that the system has only one physical hard disk drive.

Here we go!

Step 1:

To partition a disk with no OS for BitLocker:

  1. Start the computer from the Windows Server 2012 installation media.

  2. In the next Install Windows screen, click Repair your computer, located in the lower left of the screen.

  3. In the System Recovery Options dialog box, make sure no operating system is selected. To do this, click in the empty area of the Operating System list (below any listed entries). Then, click Next.

  4. In the next System Recovery Options dialog box, click Command Prompt.

  5. Use Diskpart to create the partition for the operating system volume. At the command prompt, type diskpart, and then press ENTER.

  6. Type select disk 0.

  7. Type Clean to erase the existing partition table.

  8. Type Create partition primary size=1500 (Microsoft recommended) to set the partition you’re creating (as a primary partition).

  9. Type Assign letter=X to give this partition the X designator (the system volume in this example).

  10. Type Active to set the new partition as the active partition.

  11. Type Create partition primary to create another primary partition. You’ll install Windows Server on this larger partition.

  12. Type Assign letter=C to give this partition the C designator.

  13. Type List volume to see a display of all the volumes on this disk. You will see a listing of each volume.

  14. Type Exit to leave the diskpart application.

  15. Type Format c: /y /q /fs:NTFS to properly format the C volume.

  16. Type Format x: /y /q /fs:NTFS to properly format the x volume.

  17. Type Exit to leave the command prompt.

  18. In the System Recovery Options window, use the close window icon in the upper right (or press ALT+F4) to close the window to return to the main installation screen. (DO NOT click Shut Down or Restart.)

  19. Click Install now and proceed with the Windows Server installation process. Install Server 2012 on the larger volume, C: (the operating system volume).

Figure 1 shows these steps.

[Figure 1: 20151202_102249.jpg]
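As an added check that is not part of the original article, the following PowerShell (run from the installed server, not from the recovery console) verifies that Step 1 produced the layout BitLocker depends on: a separate active system partition that stays unencrypted and carries the boot files, plus the larger operating system volume on C:. Disk number 0 and the C: drive letter are assumptions taken from this example.

```powershell
# Added example, not from the original article: confirm the Step 1 partition
# layout from the installed OS before turning BitLocker on.
# Assumptions: disk 0 is the only disk (as in the article), C: is the OS volume,
# and the small active partition is the system volume (letter X in the article).

$disk = Get-Disk -Number 0
if ($disk.PartitionStyle -ne 'MBR') {
    Write-Warning "Expected an MBR (BIOS boot) layout; found $($disk.PartitionStyle)"
}

# Show every partition with its size, active flag and file system.
$parts = Get-Partition -DiskNumber 0 | Sort-Object PartitionNumber
foreach ($p in $parts) {
    $vol = $p | Get-Volume -ErrorAction SilentlyContinue
    '{0,-3} {1,-3} {2,8:N0} MB  Active={3,-5} FS={4}' -f `
        $p.PartitionNumber, $p.DriveLetter, ($p.Size / 1MB), $p.IsActive, $vol.FileSystem
}

# BitLocker needs the boot files on a partition other than the one it encrypts.
# Fail fast if the active (system) partition is the same one that holds C:.
$sys = $parts | Where-Object { $_.IsActive }
$os  = $parts | Where-Object { $_.DriveLetter -eq 'C' }
if (-not $sys) { throw 'No active system partition found on disk 0' }
if (-not $os)  { throw 'No partition with drive letter C: found on disk 0' }
if ($sys.PartitionNumber -eq $os.PartitionNumber) {
    throw 'System and OS volume share one partition; BitLocker cannot protect C:'
}
if ($sys.Size -ge $os.Size) {
    Write-Warning 'System partition is not smaller than the OS volume; check the diskpart steps'
}

# Both volumes should be NTFS, as formatted in steps 15 and 16.
foreach ($p in @($sys, $os)) {
    $fs = ($p | Get-Volume).FileSystem
    if ($fs -ne 'NTFS') { Write-Warning "Partition $($p.PartitionNumber) is $fs, expected NTFS" }
}
'Layout check passed: system partition {0}, OS volume on partition {1}' -f $sys.PartitionNumber, $os.PartitionNumber
```

The script only reads the disk; it throws on the two conditions that would make the later BitLocker steps fail and warns on the ones that merely look unusual.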


Step 2:

In Windows Server 2012 R2, we need to install the BitLocker feature on our machine. Follow these steps.

Just go ahead!

1. Go to the server manager and install the BitLocker feature on the machine, following the screenshots:

[Screenshot: How-to-enable-BitLocker-on-Windows-Server-2012-R2-01.png]

[Screenshot: How-to-enable-BitLocker-on-Windows-Server-2012-R2-02.png]

At this point a TPM-related problem can appear. If the motherboard has no TPM chip, turning on BitLocker after the feature is installed will definitely fail with an error.

We need to work around this problem.


Go ahead!

Open the Local Group Policy Editor (gpedit.msc) and go to Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives.

[Screenshot: without TPM 1.png]

[Screenshot: without TPM 2.png]

[Screenshot: without TPM 3.png]

After a restart, open the Control Panel; you’ll find the BitLocker configuration panel there. Open it and click “Turn On BitLocker.”

[Screenshot: final before.png]

Almost Finished!


Step 3:

Go ahead!

Windows asks us to configure an additional authentication method at startup. We chose a password to protect the data, but we suggest using a USB flash drive instead. With a flash drive, you don’t have to enter the password at every server restart; just leave the USB drive plugged in and you’ll be fine.


Go through the screenshots – they will help you more than reading!

[Screenshot: 1.png]

[Screenshot: 2.png]

[Screenshot: 3.png]

[Screenshot: 4.png]

[Screenshot: 5.png]

At the next boot, you’ll be “forced” to enter the password or plug in the USB flash drive. After Windows starts, BitLocker will begin the encryption process:

[Photo: 20151202_115916.jpg]

Windows Server 2012 R2 Drive encryption is successfully processed!!
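The Step 2 and Step 3 workflow can also be scripted from an elevated PowerShell session instead of Server Manager, gpedit and the Control Panel wizard. This is an added example, not the article’s own procedure. It assumes the OS volume is C:, that the server has no TPM, that a USB flash drive for the startup key is mounted as E:, and that the registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE are the ones written by the “Require additional authentication at startup” Group Policy setting shown in the screenshots.

```powershell
# Added example, not from the original article. Run part 1 and part 2, restart,
# then run parts 3 to 5. Assumptions: no TPM, OS volume C:, USB stick on E:.

# --- Part 1: install the BitLocker feature (equivalent of the Server Manager steps).
Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools

# --- Part 2: allow BitLocker without a compatible TPM. These are the registry
# values behind the Group Policy setting under
# Computer Configuration\Administrative Templates\Windows Components\
# BitLocker Drive Encryption\Operating System Drives. Value 2 means "allow".
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
    Set-ItemProperty -Path $fve -Name $name -Value 2 -Type DWord
}
# Restart-Computer   # required after the feature install; continue below afterwards

# --- Part 3: choose the startup protector (the choice the wizard offers in Step 3).
$useUsbKey = $true   # $false selects the password the article used instead
if ($useUsbKey) {
    # Startup key written to the USB drive; the drive must be present at every boot.
    Enable-BitLocker -MountPoint 'C:' -StartupKeyProtector -StartupKeyPath 'E:\'
} else {
    $pw = Read-Host -AsSecureString -Prompt 'BitLocker startup password (8+ characters)'
    Enable-BitLocker -MountPoint 'C:' -PasswordProtector -Password $pw
}

# --- Part 4: always add a recovery password and keep it off the server.
# Without it, a lost USB key or forgotten password means the volume is gone.
$vol = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -ExpandProperty RecoveryPassword |
    Out-File -FilePath 'E:\C-recovery-password.txt'   # move this file to a safe place

# --- Part 5: after the next reboot (the forced password/USB prompt in Step 3),
# check that encryption is running and which protectors are in place.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ', ' } }
```

Enable-BitLocker on the operating system volume schedules the same hardware test the wizard runs, so encryption starts only after the restart, exactly as the article describes. One caveat on the USB recommendation: a startup key that is left plugged in permanently only defends against the disk being removed and read elsewhere; it does not help if the whole server, key included, is taken, which is the case the TPM-bound configuration covers.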

Thank You!


Well, the BitLocker feature is now successfully installed on our Windows Server 2012 R2.

From here, follow the normal steps to enable BitLocker on other drives and portable devices.

Thank You Cybrary.IT!

Comments
  1. Can anyone suggest how to use BitLocker encryption on the Windows 7 Professional OS?

  2. Hi Yaser, it is informative; no offense, but I guess the best practice in server deployment is RAID, regardless of 1/5/6 or 10, but most important, data must be separate from the operating system drive, and encryption such as BitLocker on Windows must be implemented for security purposes.

    That way data is protected in any event, either hardware failure (as long as it is not on the data drive) or software corruption.

  3. Kewl, but who will try to steal a whole server?
    Hackers borrow just data from a live working server 😀

    • Just imagine you are disposing of faulty hard disks, and one went to the hands of a hacker who can recover the data from the media. It is possible to copy data even from dead HDDs.

      • Our policy is that we destroy the hard drives before disposing of them. What was on them determines how they are destroyed as well.
