BitLocker Enhancements in Windows Server 2012 and Windows 8 (Part 3) – Cluster Shared Volume Support

If you would like to be notified of when Deb Shinder releases the next part in this article series please sign up to our WindowSecurity.com Real-Time Article Update newsletter.


Introduction

In Part 1 of this series, we discussed the new self-encrypting drive (SED) support in the Windows 8/Server 2012 version of BitLocker, along with the new Network Unlock feature. Then in Part 2, we talked about the ability to encrypt used disk space only and BitLocker preprovisioning. This time, we’ll look at yet another BitLocker enhancement that applies to Windows Server 2012 servers: Cluster Shared Volume Support.

Working with Cluster Shared Volumes

Cluster Shared Volumes (CSV) is a feature that Microsoft introduced in Windows Server 2008 R2 with Hyper-V, which makes it possible for all of the nodes in a failover cluster to access a common NTFS volume so that clustered virtual machines can share storage but can still fail over. You can move or migrate virtual machines that share the volume independently of one another. CSV works with Virtual Hard Disk (VHD) files.

Unfortunately, this feature wasn’t utilized to the fullest extent because of problems that plagued CSVs. They were limited to certain kinds of workloads such as SQL clusters, configuration was difficult and updates often created problems.

Microsoft listened to the complaints and Windows Server 2012 brings a number of improvements to CSV, including support for more cluster roles, CSVFS (Cluster Shared Volume File System) which creates a single file namespace across the shared storage, easier backup, enhanced copy performance through the removal of external dependencies for authentication, the ability to make the storage available to only some of the nodes, and the ability to scan and repair volumes without downtime. In addition, the new version of CSV integrates with Storage Spaces and with SMB Multichannel and SMB Direct. And finally, we now have CSV support for BitLocker drive encryption for physically securing CSVs that are outside of the secure data center.

If you’re interested in learning more about the general improvements to CSVs in Windows Server 2012, be sure to check out this slideshow session on the MSDN web site.

If you’re interested in learning more about using BitLocker Drive Encryption with CSVs in Server 2012, read on.

How BitLocker on CSVs works

The practical application of this is that now you can use BitLocker to encrypt the volumes on a failover cluster using CSV version 2.0. Because BitLocker provides protection even when an unauthorized person gains physical access, this creates a higher level of security for those cluster volumes that hold critical files. This can be an important part of a multi-layered security strategy for those server volumes.

BitLocker works with different types of volumes in a failover cluster, including physical disks and their LUNs (logical unit numbers) that reside on NAS (Network Attached Storage) or SANs (Storage Area Networks). A LUN is the identifier for a logical disk that is created on the physical disk. But it also now works with the shared namespace of a Cluster Shared Volume. You need to enable BitLocker on the CSV before you add it to the cluster’s storage pool.

Managing BitLocker on CSVs

You may be used to managing BitLocker volumes with the BitLocker Control Panel applet shown in Figure 1.

Figure 1: BitLocker Control Panel applet

However, the recommended way of managing BitLocker on Server 2012 CSV 2.0 volumes is by using either the manage-bde command line tool or by using Windows PowerShell. The problem with using the BitLocker Control Panel applet is that it does not display volumes that don’t have drive letters assigned to them. Because CSV 2.0 volumes are actually mount points, they don’t necessarily have assigned drive letters, so they won’t show up in the Control Panel applet.

A CSV can contain both encrypted and unencrypted volumes.

Implementing BitLocker on CSVs

You can enable BitLocker on a volume before you add it to a storage pool in a cluster, or you can do it after the volume has already been added, but it’s easier to do it beforehand if you can. If you do it afterward, you’ll need to suspend the storage pool in order to implement the BitLocker encryption.

Here’s how you enable BitLocker on a disk before you add it to the cluster:

  1. If the BitLocker Drive Encryption feature isn’t installed on the server, you’ll need to install it. You can do this either via Server Manager or PowerShell. If it’s already installed, skip to step 9. If you want to install using PowerShell, skip to step 8.
  2. To install BitLocker via Server Manager, go to the Server Manager navigation bar and select Manage, then Add Roles and Features.
  3. In the wizard, click Next and select Role-based or feature-based installation, then click Next again.
  4. Click Select a server from the server pool and confirm the identity of the server.
  5. Click Next to go to the Features selection, and check the box labeled BitLocker Drive Encryption. You can install additional management features for BitLocker here.
  6. Click Next again and select Install.
  7. You’ll need to restart the computer to finish installing BitLocker. You can select whether to restart automatically.
  8. To install BitLocker with PowerShell, use the Install-WindowsFeature or the Add-WindowsFeature cmdlet in the ServerManager module. The command to install BitLocker with all features and restart the computer is: Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
    Note that the Enhanced Storage feature must be installed separately.
  9. Format the drive in NTFS if it isn’t already.
  10. Assign a drive letter.
  11. In PowerShell, use the following command to enable BitLocker using a password protector, as in this example (where $pw holds the password as a SecureString): Enable-BitLocker E: -PasswordProtector -Password $pw
  12. In PowerShell, use the following command to identify the cluster name:
    Get-Cluster
  13. Use the following command to add the SID-based protector for the cluster name object (substituting your cluster's name for CLUSTER$) so that the volume can fail over:
    Add-BitLockerKeyProtector E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$

For every disk in the cluster, perform steps 9-13.

If the disk has already been added to the cluster before you enabled BitLocker, you can still enable BitLocker on it, but you will have to put it in maintenance mode, which means it won’t be accessible during that time. Use PowerShell to perform the following steps:

  1. Install the BitLocker feature on the server if you haven’t already (see steps 1-8 above).
  2. Use the following PowerShell command to verify the status of the cluster disk:
    Get-ClusterResource "Cluster Disk 1"
  3. Use the following command to put the disk into maintenance mode:
    Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource
  4. Now you can follow steps 11-13 above to identify the cluster name and add the SID-based protector to the volume.
  5. Add the volume or volumes to the cluster.
  6. You’ll need to resume operation of the disk (take it out of maintenance mode). You can do this with the following PowerShell command:
    Get-ClusterSharedVolume "Cluster Disk 1" | Resume-ClusterResource
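The two PowerShell procedures above (enabling BitLocker before the disk is clustered, and the maintenance-mode variant for a disk that is already a cluster resource) combined into one function, as an added example that is not part of the article. It assumes the BitLocker and FailoverClusters modules are present on the node, that the node is joined to the cluster's domain (the CNO account is built from $env:USERDOMAIN and Get-Cluster), and it uses a recovery password protector in place of the article's password protector, waiting for encryption to finish the way manage-bde -sync does, then checking that the SID-based protector is actually on the volume before the resource is resumed.

```powershell
# Added example (not from the article). Requires an elevated PowerShell on a cluster node.
Import-Module BitLocker
Import-Module FailoverClusters

function Protect-ClusterDiskWithBitLocker {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,   # e.g. 'E:' (assumed drive letter, see step 10)
        [string] $ClusterResourceName                  # e.g. 'Cluster Disk 1'; omit if not yet clustered
    )

    # Build the cluster name object account (DOMAIN\CLUSTERNAME$) instead of typing it by hand.
    # Assumes the node's domain is the cluster's domain.
    $cno = '{0}\{1}$' -f $env:USERDOMAIN, (Get-Cluster).Name

    # A disk that is already a cluster resource must be in maintenance mode while it is encrypted.
    if ($ClusterResourceName) {
        Get-ClusterResource $ClusterResourceName | Suspend-ClusterResource | Out-Null
    }
    try {
        # Recovery password first: the SID protector is what the cluster unlocks with, but the
        # recovery password is the only way back in if the disk is moved or the CNO is unavailable.
        Enable-BitLocker -MountPoint $MountPoint -RecoveryPasswordProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
        Add-BitLockerKeyProtector -MountPoint $MountPoint -AdAccountOrGroupProtector -AdAccountOrGroup $cno | Out-Null

        # Escrow the recovery password in AD DS (assumes the node is allowed to write it there).
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null

        # Equivalent of manage-bde -sync: do not hand the volume back until conversion is finished.
        while ($vol.VolumeStatus -eq 'EncryptionInProgress') {
            Start-Sleep -Seconds 10
            $vol = Get-BitLockerVolume -MountPoint $MountPoint
        }

        # Without a SID-based protector the volume will not unlock on another node after failover.
        $sid = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'AdAccountOrGroup'
        if (-not $sid) { throw "No SID-based protector found on $MountPoint; failover would leave it locked." }
        return $vol
    }
    finally {
        # Take the disk out of maintenance mode whether or not encryption succeeded.
        if ($ClusterResourceName) {
            Get-ClusterResource $ClusterResourceName | Resume-ClusterResource | Out-Null
        }
    }
}

# Usage: a disk that is already in the cluster as 'Cluster Disk 1' and mounted at E:
Protect-ClusterDiskWithBitLocker -MountPoint 'E:' -ClusterResourceName 'Cluster Disk 1'
```

For a disk that has not been added to the cluster yet, call the function without -ClusterResourceName and then add the disk to the cluster's storage as in step 5.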

As handy as it can be, some folks are not fans of “PowerHell.” If you prefer to use the manage-bde tool instead of PowerShell, here are the steps you’ll need to perform:

  1. As in the foregoing instructions, install the BitLocker feature if it’s not already installed and format the disk in NTFS.
  2. Use the following parameters in the manage-bde tool to encrypt the volume, add a recovery key and add the cluster administrator as the protector key:
    manage-bde -on -used <drive letter> -RP -sid domain\CNO$ -sync
    (Note that the -sync option is used to make sure that the volume is finished encrypting before it's released to the cluster storage pool.)
  3. Use the Failover Cluster Manager in the MMC (or you can use PowerShell) to enable the disk for clustering.
  4. When the disk is in the storage pool, click the disk resource and select Add to cluster shared volumes to add it to the CSV.

If you need to decrypt a CSV volume, you can put it into maintenance mode or you can remove the volume from the cluster (just as you have to put it in maintenance mode or remove it to start encrypting it). Generally, when a conversion is paused with encryption in progress, BitLocker will automatically resume it in any of the following states:

  • CSV volume or the physical disk resource is offline from the cluster
  • CSV or physical disk resource is in maintenance mode

Summary

In this Part 3 of our series on the enhancements Microsoft has made to BitLocker in Windows Server 2012, we took a look at how BitLocker drive encryption can now be enabled on Cluster Shared Volumes, using the graphical management interface, PowerShell and/or the manage-bde command line tool.

All of these improvements, taken together, mean that BitLocker is more useful than ever for protecting server machines and storage volumes that are shared across the nodes of a failover cluster. Once upon a time, deploying BitLocker on servers was an exercise in frustration, but new features that were added with the enterprise datacenter in mind remove a great deal of the hassle factor from the process, so that now encrypting server volumes with BitLocker is finally a viable option in that environment.
