Best practice for installing bitlocker Server 2019 Data Center with Hyper-V VM's.

Jon Mercer 971 Reputation points
2021-10-07T16:54:45.327+00:00

We have a PowerEdge R640 server that has the TPM on, that is running Server 2019 Data Center. On it are a couple VM's created with Hyper-V.

Due to HIPPA requirements, we need to protect one of the VM's from being able to be copied off the server if the whole computer or just the drive is stolen.

Would best practice be to Bitlocker the host server, which would encrypt the virtual drive files, or is it better to just encrypt the VM? I am leaning toward the first option, but wanted to see what Microsoft's thought is on this.

Outside of a bit of a performance hit, is there anything else that is of concern for doing this?

Your available tags is wanting. Could use a Bitlocker one.

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,778 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Ronald Schilf 1 Reputation point
    2021-10-08T07:01:16.73+00:00

    If your VM is a Gen2 VM, you may add a vTPM to it and enable Bitlocker inside the VM, which would, in addition to encrypting the Host, be the safest option.
    Best practice has always been "encrypt all partitions". So at least the host OS should be encrypted and also the VM storage of the host.

    Now how will you encrypt the host? Usually, you will use Bitlocker without preboot authentification, so the host may reboot hands-free after nightly automated updates or OS crashes. Imagine you had to enter a PIN each time you wanted to reboot the host - for most people, this is unthinkable.
    So without preboot authentification, you will rely on a TPM protector only and that means, the encryption key will reside inside RAM after booting and can potentially be read by technically versatile attackers that have physical access to the server ("cold-boot-attack" / "DMA-attack").
    Encrypting the VM in addition will make it very hard to get to it from an attackers perspective, even with physical access. Please see if you find any information on successful attacks on a virtual TPM / the virtual RAM of a VM - I have not yet seen any.

    Read this for a start on how to add a vTPM: https://charbelnemnom.com/how-to-enable-virtual-tpm-vtpm-in-windows-server-2016-hyper-v-vm-hyperv-ws2016/

    0 comments No comments

  2. Limitless Technology 39,501 Reputation points
    2021-10-08T09:55:53.627+00:00

    Hello JonMercer,

    There are different ways and softwares, but Bitlocker and vTPM is one way to go. You can read more about the Gen2 security capabilities here: https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/learn-more/generation-2-virtual-machine-security-settings-for-hyper-v

    From the VM's properties, in the Security option from the left, you can Enable Trusted Platform Module. The you can configure normally Bitlocker in the guest OS to encrypt the drive and be linked to the physical hardware of the server.

    ---------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments No comments

  3. Jon Mercer 971 Reputation points
    2021-10-08T15:15:34.613+00:00

    It is a Gen2 VM.

    Thanks, I was talking to someone else about this last night, and something to add, is that the VM has a SQL Database on it, and they were not sure if even just bitlockering the host could cause an issue, much less encrypting the actual VM using a vTPM.

    @Ronald Schilf I have read up on a couple ways that people can get around a TPM, from scrapping the surface off the TPM and using a signal analyzer, to linking in to the bus leading out from the chip, since that information isn't encrypted. Given where the server is located, it would have to be the preboot authentication.

    0 comments No comments