One of the big misconceptions that I often hear regarding Microsoft Hyper-V is that BitLocker encryption is not supported for use on Generation 1 virtual machines. While this idea may have been true at one time, Windows Server 2016 makes it relatively easy to add BitLocker encryption through the use of a key storage drive.
A key storage drive is a special type of virtual disk that is designed to store the encryption keys that BitLocker depends on. If you look at the screenshot below, you can see that I have created a Generation 1 virtual machine, which I have named Gen 1. If you look at the virtual machine’s settings, you can see that the Security container includes a Key Storage Drive option. Click the Add Key Storage Drive button to create a key storage drive.
As previously noted, a key storage drive is a virtual hard disk that is dedicated to the task of storing encryption keys. Like any other virtual hard disk, it must be attached to the VM. As such, the Hyper-V Manager will prompt you to choose an IDE controller and location with which to attach the drive.
The thing that you have to understand about this process is that setting up a key drive does not by itself enable BitLocker. There are several other steps that must be performed, starting with preparing the disk for use.
To prepare the disk, open the Disk Management Console by entering the DiskMgmt.msc command at the Windows Run prompt. As you can see in the figure below, the key storage drive exists as an unpartitioned, 42 MB space. You will need to initialize the disk using the MBR partition style.
Once the disk has been initialized, right-click on the unpartitioned space and select the New Simple Volume command from the shortcut menu. This will cause Windows to launch the New Simple Volume wizard.
Click Next to bypass the wizard’s Welcome screen and you will be taken to a screen prompting you to specify the volume size. Go with the maximum size (which should be 39 MB) and click Next.
The next screen will prompt you to specify a drive letter to assign to the key storage drive. It is really important to choose a drive letter that is not in use, either for local storage or as a mapped network drive. You should also try to choose a drive letter that you are unlikely to have to change in the future, as remapping a key storage drive is not a trivial matter.
Click Next again, and you will be prompted to choose a file system for your key storage drive. Be sure to choose NTFS, as shown in the next screenshot. Click Finish to complete the process.
Assign a drive
Now that you have prepared the drive, the next step in the process is to tell Windows to use the drive for BitLocker key storage. The exact method that you will need to use to accomplish this will vary depending on your network configuration. For the purposes of this article, I will be using the VM’s local security policy, but there will likely be situations in which you will have to use the Active Directory group policy instead.
To configure the policy settings, enter the GPEdit.msc command at the Windows Run prompt and then navigate through the console to Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives. Now, locate the setting called Require Additional Authentication at Startup. Be sure to pay close attention to the setting that you choose, because there are two very similarly named settings. One of these settings applies only to Windows Server 2008 and Vista, while the other applies to everything else. You can see the correct setting in the figure below.
You will need to enable this policy setting and select the checkbox to allow BitLocker without a compatible TPM. There are several other configuration options available within this setting, but those can be left at their default values as shown below.
Now you will need to either reboot the server, wait for the Group Policy change to take effect, or force the new policy setting to be applied by running the gpupdate /force command. Once the policy is in effect, it is time to install BitLocker.
Two ways to install
BitLocker is not installed by default on Windows Server 2016, so you will need to install it before you will be able to use it. If you don’t want to delve into PowerShell, then just open the Server Manager, and use the Add Roles and Features Wizard to install BitLocker, as shown in the next figure. If you do prefer PowerShell, then the command that you will need to use is shown below. Either method will require you to reboot the server.
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
Once BitLocker has been installed, you will have to enable it. Unfortunately, the only way to enable BitLocker so that the key storage drive will be used is to use PowerShell. If you try to enable BitLocker through the GUI, you will be prompted to use a USB flash drive instead. The command that you will want to use is:
Enable-BitLocker <Drive letter to encrypt> -StartupKeyProtector -StartupKeyPath <key storage drive letter>
In my case, for example, I wanted to encrypt my C: drive and my key storage drive was E:. Therefore, the command that I used was:
Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath E:
There are a couple of things that are worth noting about adding BitLocker protection in the manner described in this article. First, when I enabled BitLocker on my system, I received an error message in PowerShell. After rebooting my server, however, I found that BitLocker was enabled.
Another thing worth noting is that if you do attempt to use PowerShell to enable BitLocker, you will have to use an elevated session.
Finally, keep in mind that using this method to secure a virtual machine provides limited protection. Although BitLocker does indeed encrypt the C: drive, anyone who has physical access to the storage volume on which the key storage drive resides could conceivably decrypt the virtual machine’s contents.
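The disk preparation, policy, install and enable steps above, collected into one script for an elevated PowerShell session on the VM. This is an added example rather than the article's own commands; it assumes the key storage drive is the only uninitialized (RAW) disk, that E: is free, and that the registry values in step 2 are the ones the Require Additional Authentication at Startup policy writes under the FVE policy key (confirm against gpedit.msc in your environment).

```powershell
# Added example (not from the article): disk prep, policy, install and enable as
# one script run in an elevated session on the VM. Assumptions: the key storage
# drive is the only RAW disk, E: is free, and the step 2 value names are what
# "Require additional authentication at startup" writes under the FVE key.
#Requires -RunAsAdministrator

$KeyDriveLetter = 'E'
$OsDrive        = 'C:'

# 1. Prepare the key storage drive: MBR, one max-size partition, NTFS, fixed letter.
$rawDisk = @(Get-Disk | Where-Object PartitionStyle -eq 'RAW')
if ($rawDisk.Count -eq 1) {
    Initialize-Disk -Number $rawDisk[0].Number -PartitionStyle MBR
    New-Partition -DiskNumber $rawDisk[0].Number -UseMaximumSize -DriveLetter $KeyDriveLetter |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel 'BDEKeys' -Confirm:$false | Out-Null
} elseif (-not (Test-Path "${KeyDriveLetter}:\")) {
    throw "Found $($rawDisk.Count) RAW disks and no ${KeyDriveLetter}: drive; attach the key storage drive first."
}

# 2. Local-policy equivalent of "Require additional authentication at startup"
#    with "Allow BitLocker without a compatible TPM" ticked (assumed value names).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
$policy = @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 1
             UseTPM = 2; UseTPMPIN = 2; UseTPMKey = 2; UseTPMKeyPIN = 2 }   # 2 = "Allow"
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fve -Name $name -Value $policy[$name] -PropertyType DWord -Force | Out-Null
}
gpupdate /force | Out-Null

# 3. Install the BitLocker feature; a reboot is needed before the volume can be enabled.
if (-not (Get-WindowsFeature BitLocker).Installed) {
    Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools | Out-Null
    Write-Warning 'BitLocker installed. Reboot, then re-run this script to enable it.'
    return
}

# 4. Enable BitLocker with the startup key written to the key storage drive, then
#    confirm the protector type. ExternalKey means the key file on E: unlocks C:,
#    so whoever can read that VHD can decrypt the OS volume (the article's caveat).
Enable-BitLocker -MountPoint $OsDrive -StartupKeyProtector -StartupKeyPath "${KeyDriveLetter}:\" | Out-Null
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'ExternalKey' | ForEach-Object {
    "Startup key protector $($_.KeyProtectorId) stored on ${KeyDriveLetter}:"
}
"$OsDrive status: $($vol.VolumeStatus); protection: $($vol.ProtectionStatus)"
```

Run it twice: the first pass prepares the drive, sets the policy and installs the feature, and the second pass after the reboot enables BitLocker and reports the ExternalKey protector that ties the OS volume to the key storage drive.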