Protect Servers with 'Entire Drive Encryption' via BitLocker
Protect Servers with 'Entire Drive Encryption' Via BitLocker
Windows BitLocker Drive Encryption is a new security feature that provides better data protection for your computer, by encrypting all data stored on the Windows operating system volume. (In this version of Windows, a volume consists of one or more partitions on one or more hard disks. BitLocker works with simple volumes, where one volume is one partition. A volume usually has a drive letter assigned, such as "C.")
A Trusted Platform Module (TPM) is a microchip that's built into a computer. It's used to store cryptographic information, such as encryption keys. Information stored on the TPM can be more secure from external software attacks and physical theft.
BitLocker uses the TPM to help protect the Windows OS and user data and helps to ensure that a computer is not tampered with - even if it is left unattended, lost, or stolen.
BitLocker can also be used without a TPM. To use BitLocker on a computer without a TPM, you must change the default behavior of the BitLocker setup wizard by using Group Policy, or configure BitLocker by using a script. When BitLocker is used without a TPM, the required encryption keys are stored on a USB flash drive that must be presented to unlock the data stored on a volume.
How does BitLocker Drive Encryption Work?
Your data is protected by encrypting the entire Windows operating system volume.
If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer. Encrypting the entire volume protects all of the data, including the operating system itself, the Windows registry, temporary files, and the hibernation file. Because the keys needed to decrypt data remain locked by the TPM, an attacker cannot read the data just by removing your hard disk and installing it in another computer.
During the startup process, the TPM releases the key that unlocks the encrypted partition only after comparing a hash of important operating system configuration values with a snapshot taken earlier. This verifies the integrity of the Windows startup process. The key is not released if the TPM detects that your Windows installation has been tampered with.
By default, the BitLocker setup wizard is configured to work seamlessly with the TPM. An administrator can use Group Policy or a script to enable additional features and options.
For enhanced security, you can combine the use of a TPM with either a PIN entered by the user or a startup key stored on a USB flash drive.
On computers without a compatible TPM, BitLocker can provide encryption, but not the added security of locking keys with the TPM. In this case, the user is required to create a startup key that's stored on a USB flash drive.
BitLocker Entire Drive Encryption (Windows Server 2012 R2)Your drive letters might not correspond to those in this example. In this example, the operating system volume is labeled C, and the system volume is labeled X (for system volume). In this example, we also assume that the system has only one physical hard disk drive.Here we go !
Step 1:To partition a disk with no OS for BitLocker:
Start the computer from Windows Server 2012 .
In the next Install Windows screen, click Repair your computer, located in the lower left of the screen.
In the System Recovery Options dialog box, make sure no operating system is selected. To do this, click in the empty area of the Operating System list (below any listed entries). Then, click Next.
In the next System Recovery Options dialog box, click Command Prompt.
Use Diskpart to create the partition for the operating system volume. At the command prompt, type diskpart, and then press ENTER.
Type select disk 0.
Type Clean to erase the existing partition table.
Type Create partition primary size=1500 (Microsoft recommended) to set the partition you're creating (as a primary partition).
Type Assign letter=S to give this partition the x designator.
Type Active to set the new partition as the active partition.
Type Create partition primary to create another primary partition. You';; install Windows Server on this larger partition.
Type Assign letter=C to give this partition the C designator.
Type List volume to see a display of all the volumes on this disk. You will see a listing of each volume.
Type Exit to leave the diskpart application.
Type Format c: /y /q /fs:NTFS to properly format the C volume.
Type Format x: /y /q /fs:NTFS to properly format the x volume.
Type Exit to leave the command prompt.
In the System Recovery Options window, use the close window icon in the upper right (or press ALT+F4) to close the window to return to the main installation screen. (DO NOT click Shut Down or Restart.)
Click Install now and proceed with the Windows Server installation process. Install Server 2012 on the larger volume, C: (the operating system volume).
Consider the steps on the Figure 1!
In Windows Server 2012 R2, we need to install the BitLocker feature on our machine. We want to follow these steps.Just go ahead!
1. Go to the server manager and install the BitLocker feature on the machine, following the screenshots:
Now, we have a chance to pop-up one problem based on the TPM. Before finishing the BitLocker feature, we'll definitely get a error from here when there's no TPM chip on the Motherboard.
We want to bypass the problem.
Go ahead!Open the Local Group Policy Editor (gpedit.msc) and go to Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption/Operating System Drives.
After a restart, open the Control Panel, you’ll find the BitLocker configuration panel. Open it and click “Turn On BitLocker.”
Go ahead!Windows asks us to configure an additional authentication at startup. We chose a password to protect the data, but we suggest using a USB flash drive instead. With a flash drive, you don’t have to enter the password at every server restart, just leave the USB drive plugged and you’ll be fine.
Go through the screenshots - they will help you more than reading!
At the next boot, you’ll be “forced” to enter the password or plug the USB flash drive. After the Windows starts, BitLocker will begin the encryption process:
Windows Server 2012 R2 Drive encryption is successfully processed!!
Well, the BitLocker feature successfully installed on our Windows Server 2012 r2.
Just go ahead, take the normal steps to make (enable) and perform the BitLocker on the drive and other portable device.
Thank You Cybrary.IT!