RESET Forums (homeservershow.com)

BitLocker

ServerRookie

I am evaluating the free trial of WS2012R2E in a very small network configuration with 1 administrator, 1 standard user, and 2 client devices, 1 running W7 (without BitLocker) and 1 running W8.1 that I have just upgraded to W8.1 Pro. When I tried to turn on BitLocker on the W8.1 Pro client device, I got the following error message:

-------------

This device can't use a Trusted Platform Module. Your administrator must set the "Allow BitLocker without a compatible TPM" option in the "Require additional authentication at startup" policy for OS volumes.

-------------

I am a true ServerRookie as my handle says, and I am completely lost as to what to do. Anyone care to provide step-by-step instructions? Thanks!

 

(FWIW, I have physical access to the server and can RDC from either client device as well. I have done the initial setup, backups and health monitoring are running fine, etc.)

Drashna Jaelre

http://www.howtogeek.com/192894/how-to-set-up-bitlocker-encryption-on-windows/

 

 

By default, it does require the TPM module. These are relatively cheap, depending on the board you're using. 

They have different brands, but they're basically interchangeable.

 

ASUS: http://www.amazon.com/Asus-Accessory-TPM-FW3-19-BitLocker/dp/B0085E4WQQ/ref=sr_1_1?ie=UTF8&qid=1428736829&sr=8-1&keywords=tpm+module

Gigabyte: http://www.amazon.com/Gigabyte-GC-TPM-Trusted-Platform-Module/dp/B00U07T0UE/ref=sr_1_3?ie=UTF8&qid=1428736829&sr=8-3&keywords=tpm+module

 

And there are plenty of other ones to buy from.

 

However, if you don't want to get a TPM module, or your motherboard doesn't support it, the first link should walk you through how to enable that on the server. The guide is for Windows 8, but applies to Windows Server 2012R2 Essentials as well.

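For anyone who would rather check the situation and set the policy from a PowerShell prompt instead of clicking through gpedit.msc, here is an added example (mine, not from the thread or from the HowToGeek guide). It assumes an elevated PowerShell on the Windows 8.1 Pro client, and that the "Require additional authentication at startup" policy is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE (that is where the Group Policy editor writes it; on a domain-joined machine a domain GPO would overwrite these values at the next refresh, so set it in the GPO instead). The USB drive letter E: is a made-up example.

```powershell
# Added example: inspect TPM and BitLocker state, then apply the
# "Allow BitLocker without a compatible TPM" policy on a standalone machine.
# Run elevated. Pass -Apply to write the policy, -Encrypt to start encrypting.
param(
    [switch]$Apply,
    [switch]$Encrypt,
    [string]$StartupKeyPath = 'E:\'   # constructed example: USB stick for the startup key
)

# 1. Is there a usable TPM? On some builds Get-Tpm throws when no TPM exists,
#    on others it returns an object with TpmPresent = $false; handle both.
$tpm = $null
try { $tpm = Get-Tpm } catch { Write-Host "No TPM device: $($_.Exception.Message)" }
$hasTpm = ($tpm -ne $null) -and $tpm.TpmPresent
Write-Host ("TPM present: {0}" -f $hasTpm)

# 2. Current protection state of the OS volume (same data as 'manage-bde -status').
Get-BitLockerVolume -MountPoint $env:SystemDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod |
    Format-List

# 3. The policy "Require additional authentication at startup" with the
#    "Allow BitLocker without a compatible TPM" box ticked. In gpedit.msc it lives under
#    Computer Configuration > Administrative Templates > Windows Components >
#    BitLocker Drive Encryption > Operating System Drives.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = [ordered]@{
    UseAdvancedStartup = 1   # the policy itself is Enabled
    EnableBDEWithNoTPM = 1   # "Allow BitLocker without a compatible TPM"
    UseTPM             = 2   # 2 = "Allow" for each TPM-based option (the defaults)
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}

if ($Apply -and -not $hasTpm) {
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    foreach ($name in $policy.Keys) {
        Set-ItemProperty -Path $fve -Name $name -Value $policy[$name] -Type DWord
    }
    Write-Host "Policy written to $fve"
} else {
    # Show what is currently set so the reader can compare against the table above.
    if (Test-Path $fve) { Get-ItemProperty -Path $fve | Format-List * } else { Write-Host "No FVE policy set" }
}

# 4. Without a TPM the OS volume needs a startup key on a USB stick, so the machine will
#    not boot without it. Add a recovery password too and store it off the machine
#    before encryption starts, otherwise a lost stick means lost data.
if ($Encrypt) {
    if (-not (Test-Path $StartupKeyPath)) { throw "Startup key drive $StartupKeyPath not found" }
    Enable-BitLocker -MountPoint $env:SystemDrive -StartupKeyProtector -StartupKeyPath $StartupKeyPath
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Write-Host "Recovery password (save this off the machine): $($recovery.RecoveryPassword)"
}
```

Running it with no switches only reports; `-Apply` writes the policy only when no TPM is present (with a TPM you do not need the exception), and `-Encrypt` is kept separate so the recovery password step cannot be skipped by accident.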
ServerRookie

Thanks for the links, especially for the HTG link! Very useful for client devices that do not support TPM.

 

As to the server, if the server is in a physically safe place, what is the added value of turning BitLocker on on the server?

 

(Apart from end-of-life disposal issues)

Drashna Jaelre

Welcome!

 

 

As for bitlocker, the main use for it is theft protection. If they're able to get access to the hardware, encrypting the system disk means that they can't reset your passwords or access account settings (or stuff like Chrome's settings store). Encrypting the data disks protects those as well.

 

It also prevents law enforcement from accessing your data without your permission (there is some debate if Microsoft has back doors in bitlocker for law enforcement, which has never been officially confirmed from what I've seen).

 

Both of these boil down into the same stuff: Privacy.

 

 

Also, if you're encrypting a desktop or laptop, and you're backing them up .... the backups are NOT encrypted. So, you'd want to encrypt the server as well, otherwise .... 

ServerRookie

> backups are NOT encrypted

 

Ouch, does that mean that a hacker gaining remote access, copying data from your BitLocker encrypted drive, gets your data in unencrypted form? Note that a server is always on 24/7/365 and turning BitLocker on on the server does not help at all in this regard, is that correct?

Drashna Jaelre

Yes and no. 

 

To clarify, the client backup database sits on the server, and that data is NOT encrypted, unless you encrypt the server and its drives as well. If they could get access to the database, or to the restore feature from a client, then they can access the files.

However, the database is 4GB chunks of data. So it's a lot of data to upload for a potentially small return, as these files are in a proprietary format, and generally require ALL files from the database to be present.

 

So, while it is possible, it's not as likely. The bigger issue being if somebody physically gained access to your server. 

 

However, to gain access to the database from another computer ... requires the administrative credentials. Both via the restore app, and via the hidden network share. If they don't have the credentials, then they're locked out.

 

 

Specifically, BitLocker's biggest protection is against password resetting. There are a bunch of utilities out there to reset the Windows password on accounts. This is done via "offline" access of the system files. Enabling BitLocker means that they cannot gain access to these files. So it means that they must have the valid credentials for a user account, and don't have a good way to brute force the password.


so I can't put bitlocker on my server backup target?

You can certainly enable bitlocker separately on the server volume but I'm not at all sure as to what would happen if and when you need to do a restore.

 

The logic behind it works like this.

 

Imagine I have a PC with bitlocker enabled and I were to back it up onto a volume (be that a local disk or a server share) on which bitlocker was also used. The backup would then be encrypted, but what happens when I need to do a restore to new hardware or fix a completely trashed Windows installation? I'd boot from the DVD or do a PXE boot, point the restore to the image, and find that it couldn't read it, as the image was encrypted with a key which is tied to the old Windows installation and/or the original user account. The decryption key would be part of the restore image, which unfortunately I can't get to until I do the restore. It's a horrible chicken and egg situation.

 

So what actually happens is that if I try to backup a bitlocker encrypted PC onto a server share, the backup is automatically decrypted as it is written. So I can do a restore and then re-encrypt the new PC.

 

Now what we could do is to also enable bitlocker on the server so the unencrypted backups get separately encrypted. But in the event of needing to do a restore, I suspect (and I admit I've never actually tried this) that you would need to decrypt the volume first (which might take some time) and then restore the PC and then re-enable bitlocker on both it and the server volume.

 

All in all, as Drashna says, it's probably not worth the effort. The chances of anyone hacking into your server remotely and then spending the time to download the bits of the backup images and then reassemble and restore a PC is very small.


Bitlocker protects against offline access to data - either by booting to a different device (USB or CD) or by pulling the hard drive and accessing it from another computer. It does not protect against remote access to a computer: when the computer is on, the bitlocker-encrypted drive is accessible, so if someone is able to remotely access the computer they would also be able to read the data regardless of whether or not the drive is encrypted with bitlocker.

ServerRookie

Sounds like BitLocker makes good sense for theft-prone portable client devices to protect the data, but it makes little sense for the server.

----------------------

Another feature of W8.1 Pro is said to be Domain-Joining. How does that differ from Launchpad?

 

If this question can be answered quickly, I may be allowed to piggy-back it here, otherwise I'll start a new thread.
