RESET Forums (homeservershow.com)

BitLocker



Drashna Jaelre

 

A couple of thoughts:

  1. Would it be possible to make the DrivePool service dependent on the BitLocker service?

     

  2. What about setting the DrivePool service to Automatic (Delayed Start)?

     

  3. Doesn't DrivePool have some feature for delaying the service from enumerating the pools?

 

http://wiki.covecube.com/StableBit_DrivePool_Advanced_Settings

Set "BitLocker" to "true"

http://wiki.covecube.com/StableBit_DrivePool_2.x_Advanced_Settings

Set "BitLocker_PoolPartUnlockDetect" to "true"

 

Depending on the version you're using ... this should configure DrivePool to wait and detect the unlocking better. There is additional overhead for doing this, and is why it's disabled by default.

 

Also, if you're having issues with this... then please let us know.

 

 

 

I also use the "automatic unlock" option, because I encrypt the system drive as well. This also helps with systems with DrivePool (or other solutions) as it should be unlocked before most of the services are started (including DrivePool).

 

 

 

As for enabling BitLocker on the 8.1 machine, just run "gpedit.msc" to bring up Group Policy Management. There you can set all of the BitLocker policy settings for operating system/boot drives, fixed disks and removable (USB, FireWire) disks. I set options for using 256-bit with Diffuser (Windows 7 and Vista) and 256-bit (Windows 8/8.1) encryption, allow BitLocker without TPM, etc. I try to make things as secure as possible. I know there is no such thing as 100% secure, but I'd rather be 90% secure than 30% secure. :)

For desktop/server machines, a LOT of motherboards support TPM modules. These are rather cheap, also. Usually around $20. The only issue is that ASRock doesn't sell them in the US. You can buy them off ebay or other places and have them shipped to the US... but it's a bit more expensive to do it that way (or if you have a MALABs account....)

 

But it's worth getting the modules, as it makes life a bit easier.

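The three points above (auto-unlock, delayed start, service dependency) and the check that they worked, as an added example. This is not code from the thread or from StableBit, and it assumes the DrivePool service is registered as "DrivePoolService" with a display name containing "DrivePool" (confirm with `Get-Service *DrivePool*`), that the pooled volumes are D: and E:, and that C: is already BitLocker-protected, which automatic unlock requires. Run it from an elevated PowerShell on Windows 8 / Server 2012 or later, where the BitLocker module ships.

```powershell
# Added example, not from the thread or from StableBit: order the pool service
# after BitLocker's automatic unlock and verify the result.
# Assumptions (adjust to your system): service name "DrivePoolService" with a
# display name containing "DrivePool", pooled volumes D: and E:, and an already
# protected C: (automatic unlock stores the data-volume key on the OS volume).
#Requires -RunAsAdministrator

$poolService = 'DrivePoolService'   # assumed service name
$dataVolumes = 'D:', 'E:'           # assumed pooled volumes

# 1. Automatic unlock: the key for each data volume is kept, encrypted, on the OS
#    volume, so it is available as soon as C: is unlocked and before services start.
foreach ($vol in $dataVolumes) {
    $bv = Get-BitLockerVolume -MountPoint $vol
    if ($bv.ProtectionStatus -ne 'On') {
        throw "$vol is not BitLocker-protected; run Enable-BitLocker on it first"
    }
    if (-not $bv.AutoUnlockEnabled) {
        Enable-BitLockerAutoUnlock -MountPoint $vol | Out-Null
    }
}

# 2. Delayed start plus a hard dependency on the BitLocker service (BDESVC): the
#    service controller will not start the pool service until BDESVC is running.
#    Caution: "depend=" replaces the whole dependency list, so read the current
#    list with "sc.exe qc" first and include any existing entries (separated by /).
sc.exe qc $poolService
sc.exe config $poolService start= delayed-auto | Out-Null
sc.exe config $poolService depend= BDESVC       | Out-Null
sc.exe qc $poolService    # START_TYPE should now say DELAYED, DEPENDENCIES BDESVC

# 3. After the next reboot: every volume unlocked, and the pool service's
#    "entered the running state" event (System log, id 7036) later than BDESVC's.
Get-BitLockerVolume | Select-Object MountPoint, LockStatus, AutoUnlockEnabled, ProtectionStatus
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036 } -MaxEvents 300 |
    Where-Object { $_.Message -match 'BitLocker Drive Encryption Service|DrivePool' } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Message
```

The dependency is the part that actually guarantees ordering; "delayed start" only pushes the service a couple of minutes past boot and does not wait for anything in particular. If the event query shows the pool service starting before the BitLocker service, the dependency was not applied (check `sc.exe qc` output for a typo in the service name).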

Drashna Jaelre

> so if you have a tpm it lets your server unlock without some dongle etc, but do you make an unlock 'usb stick' for example to cover the case where your mobo has to be replaced?

Yes, precisely.

 

Normally, you would have to use a passcode/PIN or a USB "unlock" stick with BitLocker. However, the TPM module stores the key on the module directly, and it is locked to the hardware (if you remove it and change hardware, you have to reset/clear it before you can actually use it).

But you can always make a recovery key, in the case of hardware change. But if you're changing hardware, you should suspend the protection, move it over, and re-take ownership of the TPM module on the new system.

 

 

 

The TPM makes everything much more streamlined, and less dependent on external sources.

However, it is still secure. Even though somebody could turn the system on, they'd need to be able to log in. And since they couldn't run the offline password cracks, or change system files to load 3rd-party tools from the login screen, your system is as secure as the password you're using.

 

 

 

 

Though, if you're using UEFI and Windows 8... there are a couple of other options you may want to enable via the gpedit.msc stuff, to make sure that you don't keep getting prompted if you restore from sleep/hibernate (just discovered this, actually, as I was running into that issue).

Enable "Allow Secure Boot for integrity validation" and "Configure TPM platform validation profile for native UEFI firmware", and enable the options: 0, 2, 4, 6, 7, 11.

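The hardware-change procedure described above (make sure a recovery password exists, suspend protection, swap the board, re-take ownership of the TPM, resume), plus a read-back of the two policy settings named at the end of the post, as an added example. It is not code from the thread. It assumes the OS volume is C: and that the BitLocker and TrustedPlatformModule PowerShell modules are available (Windows 8 / Server 2012 and later). The registry path and value names in step 4 are the ones I know these two gpedit settings to write under the BitLocker policy key; treat them as an assumption and confirm by setting the policy in gpedit.msc and reading the key back.

```powershell
# Added example, not from the thread: TPM-protected OS volume across a
# motherboard/TPM replacement.  Assumes OS volume C:, Windows 8+/Server 2012+.
#Requires -RunAsAdministrator

# 1. A recovery password must exist and be stored off the box: once the new TPM
#    cannot unseal the key, the 48-digit password is the only way back in.
$os = Get-BitLockerVolume -MountPoint 'C:'
$rp = $os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
}
'Recovery password for C: (protector {0}): {1}' -f $rp.KeyProtectorId, $rp.RecoveryPassword

# 2. Suspend protection before the swap.  Data stays encrypted, but the volume
#    master key is written in the clear so the new firmware/TPM can boot without
#    a recovery prompt.  -RebootCount 0 = suspended until Resume-BitLocker is run.
Suspend-BitLocker -MountPoint 'C:' -RebootCount 0

# --- power off, replace the board/TPM, boot the same disk on the new hardware ---

# 3. On the new hardware: check the TPM, take ownership if it is not ready
#    (may require confirming physical presence at the next boot), then resume so
#    the key is resealed to the new platform measurements.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) { throw 'No TPM visible; enable it in firmware first' }
if (-not $tpm.TpmReady)   { Initialize-Tpm -AllowClear -AllowPhysicalPresence }
Resume-BitLocker -MountPoint 'C:'
Get-BitLockerVolume -MountPoint 'C:' | Select-Object ProtectionStatus, KeyProtector

# 4. Read back the two policies mentioned above (path/value names assumed; confirm
#    against gpedit.msc).  PCR 7 is the Secure Boot policy measurement, which is why
#    the Secure Boot setting and the 0,2,4,6,7,11 profile go together.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
Get-ItemProperty -Path $fve -Name OSAllowSecureBootForIntegrity -ErrorAction SilentlyContinue
Get-ItemProperty -Path "$fve\OSPlatformValidation_UEFI" -ErrorAction SilentlyContinue |
    Select-Object Enabled, PCR0, PCR2, PCR4, PCR6, PCR7, PCR11
```

Changing the validation profile does not touch a volume that is already protected; the policy takes effect when protection is suspended and resumed, so the same Suspend/Resume pair in steps 2 and 3 is what makes the new PCR selection active. Suspending a volume is a deliberate security downgrade: do it immediately before the swap and resume as soon as the machine boots.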
msawyer91

> so if you have a tpm it lets your server unlock without some dongle etc, but do you make an unlock 'usb stick' for example to cover the case where your mobo has to be replaced?

 

By default, BitLocker does require a TPM, which we discussed earlier; thankfully a simple GPO setting can resolve that. When there is no TPM on the mobo, you must have a USB stick. There's just no way around it. And BitLocker seems picky enough that it needs to be a real flash drive, not just any USB-based drive. I know, I tried. I have an HP lappy with a built-in media card reader. According to Device Manager, the media card reader is connected to the USB bus, so I found an old 32MB (yes, megabytes, not gigabytes) SD card and put the BitLocker startup key file (a BEK file) on that card, making sure the card was FAT32 formatted. The computer wouldn't boot; it kept barking at me to either insert a flash drive containing the startup key, or press enter and manually key in the 48-digit recovery key. I figured the SD card would be more convenient, rather than having a flash drive protruding from the side of the lappy.

 

OK, so on to the TPM. If your computer has one, you should definitely use it. Now Microsoft has tweaked the options since Vista/2008, but basically when you have a TPM, you can set up the system drive to be encrypted using TPM only, TPM + PIN, TPM + flash drive or TPM + PIN + flash drive.

 

On my work-issued laptop, I use TPM + PIN. Why? Well, if someone stole my laptop and it just used the TPM, the laptop could still be booted into Windows. Maybe the attacker couldn't log in, but he could try to brute force crack the password or try manipulating his way via the admin shares (\\computername\C$ for instance). Even allowing the machine to be booted into Windows removes a layer of protection. So for portable devices or desktops that are not in a secure area like a data center that has heavily armed guards, TPM-only isn't secure enough. With TPM + PIN, it's an extra password. TPM + USB key also offers additional security, and if you want the highest level of security before the machine can be booted, go the TPM + PIN + USB key route. In other words, all three items must be present or else the machine cannot be booted (the 48-digit recovery password is always an option).

 

If the computer is in a secure area, especially a server in a data center, then TPM-only is the only practical option. Otherwise a server will reboot on Patch Tuesday and never come back up, as it will be waiting for someone's input, whether it's to enter a PIN or plug in a flash drive.

 

In all cases, if someone removes the drive from the source computer and tries to use it elsewhere, whether TPM-only or TPM + something else, it will be unreadable. Either a key file (BEK) or 48-digit recovery password will be required to unlock it. So your data is (most likely) safe.

 

What about if you don't have a TPM? In that case, a USB key is your only option. It's comparable to "TPM-only" in the sense that the computer can still be booted if the computer is stolen and the flash drive is left in it. If the drive is removed and placed somewhere else, and you left the flash drive in it, then the attacker will be able to unlock the drive. My servers at home all have flash drives that live in them full time because they're encrypted but I want them to come back up on their own after a reboot, rather than waiting on me.

 

My hope is that if someone ever breaks in my house and steals my computers, they'll just pull out everything like cables and such, and take only the computers, rather than trying to round up all the cables and flash drives. After all, most burglars are usually looking to be quick, not meticulous.

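The protector combinations discussed above (TPM only, TPM + PIN, TPM + startup key, TPM + PIN + startup key, and startup key alone for a machine without a TPM), set up from PowerShell rather than the control panel, as an added example. This is not code from the thread. It assumes the OS volume is C:, that the removable startup-key drive is mounted at E:, and that the "Require additional authentication at startup" and encryption-method policies are written directly to the registry path that gpedit.msc's BitLocker settings map to; those value names are an assumption to confirm against gpedit on your build, and values written this way will not show as "Configured" in the gpedit UI.

```powershell
# Added example, not from the thread: BitLocker startup protectors from PowerShell
# (Windows 8.1 / Server 2012 R2 BitLocker module).  Assumes OS volume C: and a
# startup-key flash drive at E:.  Registry value names below are the policy
# equivalents as I know them; verify against gpedit.msc.
#Requires -RunAsAdministrator

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
# "Require additional authentication at startup": 0 = not allowed, 1 = required, 2 = allowed
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord   # allow startup-key-only
Set-ItemProperty -Path $fve -Name UseTPM             -Value 2 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 2 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMKey          -Value 2 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMKeyPIN       -Value 2 -Type DWord
# Encryption method: 3 = AES-128, 4 = AES-256 (1/2 were the Windows 7 Diffuser variants)
Set-ItemProperty -Path $fve -Name EncryptionMethod   -Value 4 -Type DWord

function Protect-OsVolume {
    param(
        [Parameter(Mandatory)] [ValidateSet('TpmOnly', 'TpmPin', 'TpmKey', 'TpmPinKey', 'KeyOnly')]
        [string] $Mode,
        [securestring] $Pin,
        [string] $StartupKeyPath = 'E:\'
    )
    $common = @{ MountPoint = 'C:'; EncryptionMethod = 'Aes256'; UsedSpaceOnly = $true }
    switch ($Mode) {
        'TpmOnly'   { Enable-BitLocker @common -TpmProtector }
        'TpmPin'    { Enable-BitLocker @common -TpmAndPinProtector -Pin $Pin }
        'TpmKey'    { Enable-BitLocker @common -TpmAndStartupKeyProtector -StartupKeyPath $StartupKeyPath }
        'TpmPinKey' { Enable-BitLocker @common -TpmAndPinAndStartupKeyProtector -Pin $Pin -StartupKeyPath $StartupKeyPath }
        'KeyOnly'   { Enable-BitLocker @common -StartupKeyProtector -StartupKeyPath $StartupKeyPath }
    }
    # The 48-digit recovery password is the fallback in every mode; keep it off the machine.
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
    (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId, RecoveryPassword, KeyFileName
}

# Laptop that leaves the building: TPM + PIN (booting it should require the user).
$pin = Read-Host -AsSecureString 'Pre-boot PIN'
Protect-OsVolume -Mode TpmPin -Pin $pin

# Server in a locked room that must survive Patch Tuesday unattended:
#   Protect-OsVolume -Mode TpmOnly
# Home server with no TPM (startup key lives on E: permanently):
#   Protect-OsVolume -Mode KeyOnly -StartupKeyPath 'E:\'
```

`Enable-BitLocker` on the OS volume schedules a hardware test: the machine reboots once, proves it can read the PIN/startup key, and only then starts encrypting. Let that test run rather than passing `-SkipHardwareTest`, because it is the one check that a mistyped PIN or an unreadable key drive will not lock you out. `KeyFileName` in the output is the `.BEK` file the startup-key modes wrote to E:; that file is what the pre-boot loader reads, and it has to stay unencrypted.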
Drashna Jaelre

Matt, well said!

 

Also, one thing that has been left out: in theory, the TPM module is a cryptoprocessor, so it should help encrypt and decrypt the drives faster than without a TPM module, on the same hardware. This would mean that any performance lost by encrypting would be minimized (or negated) by having the TPM module.

 

 

Also, I'm not sure about Win7/Server 2008R2 or earlier, but I believe you can use just a PIN without the TPM module. I'd have to double check... but I do have TPM modules, so I haven't really looked into it.

ServerRookie

> My servers at home all have flash drives that live in them because they are encrypted ...

 

How do you make the encrypted USB keys and how do you use them?

 

I made a Startup USB Key (+ backup) and a Recovery USB Key (+ backup). Either one of the USB keys has to be plugged in before booting the device, whether it is the server or the client. If I encrypt the Startup or Recovery USB key, can the pre-boot environment read/decrypt the encrypted USB key?

 

Moreover, my Startup USB Key holds at the moment 2 keys for starting the server and a client device. Same for the Recovery USB Key for recovering 2/multiple devices. Will encrypting USB multi-keys work?

-----------------------------

I tried to check whether the server backup (an external USB HDD) is encrypted or not. I plugged the USB HDD into one W7 and two W8.1 machines. The first W8.1 machine tries to load a USB driver for a long time, but eventually fails. The second W8.1 machine does not even try to load a USB driver. However, the W7 machine displays some folders (shadow volume copies) during a very long attempt to load a USB driver before failing. The fact that I saw the folders makes me think that the USB HDD is not encrypted.

 

How do I get the server backup encrypted? It would kind of defeat the purpose of encrypting the server if the (local) server backup is not encrypted.

 

I do NOT see the USB HDD in Control Panel > System and Security > BitLocker Drive Encryption but server backup does work. I manually initiated a server backup after the entire BitLocker hoopla and Administrative Tools > Windows Server Backup confirms that server backup is successful.

Drashna Jaelre

No, the startup key for bitlocker MUST NOT BE ENCRYPTED.

 

Since this is all running at a VERY early stage of the boot process, there is no way to unlock or decrypt the USB drives.

 

 

As for keys, yes, it should allow you to have multiple keys. IIRC, it asks you to hit an "F" key to specify which file, if you have more than one.

 

 

 

As for Server Backup:

No, the drive is not encrypted by default. In fact, it's distinctly not.
So for optimal security, you'd need to encrypt that as well.

And you'd need to decrypt it to do a bare metal recovery, or integrate the bitlocker drive encryption tools into the recovery environment to unlock the drive.

That's what this link was for:

https://technet.microsoft.com/en-us/library/hh824926.aspx

You'd specifically need the "WinPE-FMAPI", "WinPE-EnhancedStorage", "WinPE-WMI", and "WinPE-SecureStartup" components to be installed. And to familiarize yourself with the commands required to unlock the drives.

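Building a WinPE boot image with the four optional components named above, and the unlock commands you would run inside it before a bare-metal recovery from an encrypted backup disk, as an added example. It is not code from the thread or from Microsoft's documentation page linked above. It assumes the Windows 8.1 ADK is installed at its default path, an amd64 image, and that PowerShell was started from the ADK's "Deployment and Imaging Tools Environment" prompt so that `copype` and `MakeWinPEMedia` are on the PATH; the working directory `C:\WinPE_amd64` is also an assumption.

```powershell
# Added example, not from the thread: WinPE with BitLocker support for recovery.
# Assumes ADK 8.1 at its default path, amd64, and a shell opened from the
# "Deployment and Imaging Tools Environment" (copype / MakeWinPEMedia on PATH).
#Requires -RunAsAdministrator

$adk  = 'C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit'
$ocs  = "$adk\Windows Preinstallation Environment\amd64\WinPE_OCs"
$work = 'C:\WinPE_amd64'     # assumed working directory

copype amd64 $work
Dism /Mount-Image /ImageFile:"$work\media\sources\boot.wim" /Index:1 /MountDir:"$work\mount"

# Order matters: WinPE-SecureStartup (manage-bde and the BitLocker driver stack)
# depends on WinPE-WMI, so WMI goes in first.  Each package gets its language
# companion when one ships for it.
foreach ($pkg in 'WinPE-WMI', 'WinPE-SecureStartup', 'WinPE-EnhancedStorage', 'WinPE-FMAPI') {
    Dism /Add-Package /Image:"$work\mount" /PackagePath:"$ocs\$pkg.cab"
    $lang = "$ocs\en-us\${pkg}_en-us.cab"
    if (Test-Path $lang) { Dism /Add-Package /Image:"$work\mount" /PackagePath:$lang }
}
Dism /Unmount-Image /MountDir:"$work\mount" /Commit
MakeWinPEMedia /ISO $work "$work\WinPE_BitLocker.iso"

# --- Inside the booted WinPE, before launching the recovery (cmd prompt) ---
#   manage-bde -status                              list volumes; the backup disk shows as Locked
#   manage-bde -unlock D: -RecoveryKey E:\<id>.BEK  key file from the (unencrypted) key USB
#   manage-bde -unlock D: -RecoveryPassword <48-digit recovery password>
# Once unlocked, the backup set on D: is readable by the recovery wizard.
```

The same `Enable-BitLocker` / `Enable-BitLockerAutoUnlock` pair used for any data volume is what encrypts the backup target in the first place; the WinPE image above only matters at restore time, when there is no running Windows to auto-unlock it, and the recovery password or `.BEK` file has to come from outside the machine being restored.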
msawyer91

> My servers at home all have flash drives that live in them because they are encrypted ...

 

Sorry, the servers themselves are encrypted. The flash drives are not. The flash drives just live in the servers all the time so they can be rebooted as necessary (Patch Tuesday) and come up on their own, rather than me having to babysit them.

ServerRookie

I still can't figure out how to encrypt the automated server backups.

 

I am not an IT-guy, I configured the trial server WS2012R2E always following the recommended options. BitLocker is my first attempt at going a little beyond that, and I need a bit more advice, thanks!

GotNoTime

> Also, one thing that has been left out, in theory, the TPM module is a cryptoprocessor, so it should help encrypt and decrypt the drives faster than without a TPM module, on the same hardware. This would mean that any performance lost by encrypting would be minimized (or negated) by having the TPM module.

The TPM module is a cryptoprocessor for dealing with keys and signatures only. It isn't capable of helping with encryption/decryption of actual data on disk or network. The module is designed to be relatively resistant to attack instead of high speed and sits on a low speed bus to the rest of the system. You need crypto accelerator cards such as the nCipher range or a drive that natively supports encryption.

 

There is one thing to be wary of when using full disk encryption such as Bitlocker and that is when you're pairing it with a SSD with a controller such as the SandForce range that uses compression + deduping to achieve the high throughput. The raw data is quite likely to be easily compressed but once encrypted, the data will appear to be random with no patterns. This will incur a performance penalty when using those types of SSD controllers.

 

If you want Bitlocker on a SSD then make sure to get a SSD that supports the Microsoft eDrive standard. This allows the Bitlocker system to offload the crypto to the drive itself from the CPU. This allows faster performance since it is done in dedicated hardware inside the drive and the drive has much greater control of the flash since it knows what is real data and what is junk that can be trimmed.

