Free VMware Encryption – BitLocker

You have a requirement for full disk encryption but no budget (as with every other IT-related item).
It's free and easy.
This assumes your system is standalone and you have full control of the vCenter Server, cluster, and storage. It also assumes you know what you're doing and take responsibility for your own actions.
Some changes would be needed if integrating with AD.

  1. Set Encryption settings and policies
      • Run gpedit.msc
      • Click on Computer Configuration –> click Administrative Templates –> click Windows Components –> click on BitLocker Drive Encryption.
      • Modify “Choose drive encryption method and cipher strength” and set it to Enabled, AES 256-bit (do the same for the Vista, 2008, 7 & 2008R2 entry if using an older version)
      • Click OK to save
      • Click on Operating System Drives
      • Modify “Require Additional Authentication at Startup”
        • Set to Enable:
        • Allow BitLocker without compatible TPM (requires…….)
        • Leave the rest at defaults
        • Click OK
      • Modify “Choose How BitLocker-protected operating system drives can be recovered”
        • Allow data recovery agent
        • Omit recovery options from BitLocker setup wizard (everything should be done command line anyway)
        • Save BitLocker recovery information to AD DS for Operating system drives
        • Do not enable BitLocker until recovery information is stored in AD DS for Operating system drives
      • Navigate Back to BitLocker Drive Encryption –> Fixed Data Drives
      • Modify “Allow access to BitLocker-protected fixed data drives from earlier versions of Windows”
        • Enable
        • Leave checkbox unchecked for “Do not install BitLocker…”
        • Click OK
      • Modify “Configure use of passwords for fixed data drives”
        • Enable
        • Click OK
      • Modify “Choose how BitLocker-protected fixed drives can be recovered”
        • Enable
        • Check “Allow data recovery agent”
        • Check “Omit recovery options from the BitLocker setup wizard”
        • Check “Do not install BitLocker…”
        • Click OK
      • Close gpedit.msc
  2. Create Virtual Floppy drive in VMware
    • Connect to vSphere web server (using the old Flash one as of 6.5 works, the HTML5 doesn’t have the floppy options)
    • Shutdown the VM
    • Add a Floppy drive to the VM, Creating a New Image and saving it on your data-store (somewhere you feel safe storing the keys) MAKE SURE YOU HAVE IT SET TO CONNECT AT POWER ON.
    • Set the VM to go into the BIOS at next power on
    • Power on the VM, it should go into the BIOS config automatically
    • Change the Boot Order to Hard Disk First (move the Removable media below the hard drive)
    • Save and exit the BIOS and let windows boot normally.
    • Once in Windows you will need to “Format” the A: Drive, you can just right click on it, select Format, and accept the default values.
  3. Enable the Encryption
    • Login to Windows with admin account
    • Open Command prompt with Elevated Administrative rights
    • The following command will create the keys, instruct Windows to save the key to the A: drive, and display the recovery password to you.
      • manage-bde.exe -on C: -rp -sk A:
    • If your hard disk is Thin Provisioned and not Thick Provisioned, you will need to use this command instead:
      • manage-bde.exe -on C: -used -rp -sk A:
    • TAKE NOTE OF THE RECOVERY PASSWORD YOU RECEIVE ON SCREEN AFTER RUNNING THE ABOVE COMMAND. You will need this if your Floppy image ever gets lost/corrupted/etc.
    • You will need to reboot Windows so the initial test can complete and it can start encrypting your disks.
    • Windows should boot up normally. Log into Windows.
    • Windows will automatically start the encryption process after a minute or so. Run this command to monitor its progress.
      • manage-bde -status
    • You should see the Percentage increase as it goes.  Also Verify you see External Key & Numerical Password under the “Key Protectors”
    • That’s it. Just keep that recovery key handy, you will need it one day. Two different locked drawers at two different buildings is best.
  4. Enable Encryption for Secondary hard drives.
    • If your C drive is already encrypted, this process is fairly smooth. In this example the second drive is letter “E”.
    • Login to Windows, Verify the C drive is 100% encrypted
      • manage-bde -status
    • The following command will create the keys, instruct Windows to save the key, display the recovery password to you, and start the encryption process.
      • manage-bde.exe -on E: -rp
      • If you have a thin provisioned hard drive:
      • manage-bde.exe -on E: -used -rp
    • TAKE NOTE OF THE RECOVERY PASSWORD YOU RECEIVE ON SCREEN AFTER RUNNING THE ABOVE COMMAND. You will need this if your key ever gets lost/corrupted/etc.
    • Then you need to set it to Auto unlock so you don’t have to manually enter that password
      • manage-bde.exe -autounlock E: -enable
    • This will create an ‘External Key’ that is stored on your C drive (which is encrypted) that is used to decrypt the drive when the server boots.
    • Monitor the progress
      • manage-bde -status
    • It should go to 100% Encrypted.
    • Verify you see External Key & Numerical Password under the “Key Protectors”
    • Also Verify Automatic Unlock shows Enabled.
  5. Keep those floppy images safe. One way would be to put them on a NAS that has an NFS share only accessible from the IP(s) of the ESXi servers. The NAS is located in a different area of your building, and is then backed up/snapshotted and replicated to another building.
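
The status checks in steps 3 and 4 (100% encrypted, External Key and Numerical Password protectors present, Automatic Unlock enabled on data drives) can be scripted. The following is an added example, not part of the original post; it assumes Windows 8 / Server 2012 or later with the BitLocker PowerShell module, the function name Test-BitLockerVolume is hypothetical, and the sample objects are constructed.

```powershell
# Added example: audits volumes against the checks listed in steps 3 and 4.
function Test-BitLockerVolume {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Volume   # object shaped like Get-BitLockerVolume output
    )
    process {
        # Collect protector types as strings (works for enums and sample data).
        $types    = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $problems = @()
        if ($Volume.EncryptionPercentage -lt 100)   { $problems += "only $($Volume.EncryptionPercentage)% encrypted" }
        if ("$($Volume.ProtectionStatus)" -ne 'On') { $problems += 'protection is not On' }
        # Accepts Aes256 and XtsAes256; the policy in step 1 asks for AES 256-bit.
        if ("$($Volume.EncryptionMethod)" -notmatch 'Aes256') { $problems += "method is $($Volume.EncryptionMethod)" }
        if ($types -notcontains 'RecoveryPassword') { $problems += 'no Numerical Password protector' }
        if ($types -notcontains 'ExternalKey')      { $problems += 'no External Key protector' }
        # Auto-unlock only applies to data drives such as E: in step 4.
        if ("$($Volume.VolumeType)" -eq 'Data' -and -not $Volume.AutoUnlockEnabled) {
            $problems += 'Automatic Unlock is not enabled'
        }
        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Compliant  = ($problems.Count -eq 0)
            Problems   = $problems -join '; '
        }
    }
}

# Constructed sample objects (not real output) so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeType = 'OperatingSystem'; EncryptionMethod = 'Aes256'
        EncryptionPercentage = 100; ProtectionStatus = 'On'; AutoUnlockEnabled = $null
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'ExternalKey' },
                         [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeType = 'Data'; EncryptionMethod = 'Aes256'
        EncryptionPercentage = 62; ProtectionStatus = 'Off'; AutoUnlockEnabled = $false
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
)
$sample | Test-BitLockerVolume | Format-Table -AutoSize

# On a real host, from an elevated prompt:
# Get-BitLockerVolume | Test-BitLockerVolume
```

With the sample data, C: is reported compliant and E: is flagged for incomplete encryption, a missing External Key protector, and disabled Automatic Unlock.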

ESXi 5.1 u1 LSI 3ware SAS 9750 Driver custom ISO build

Requirements:

PowerCLI 5.0.1
http://communities.vmware.com/community/vmtn/server/vsphere/automationtools/powercli

3ware 9750 SAS driver for ESXi5.0
http://downloads.vmware.com/d/details/dt_esx50_lsi_3w_sas_32600003vm50/dHRAYndkKmRiZHAlZA==

Extract the offline bundle from the driver zip file, then run the following in PowerCLI:

Add-EsxSoftwareDepot -DepotUrl https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

Get-EsxImageProfile

New-EsxImageProfile -CloneProfile ESXi-5.1.0-20130504001-standard -Name ESXi-5.1u1-3ware-9750

Add-EsxSoftwareDepot .\LSI_3.26.00.003vm50-offline_bundle-646893.zip

Get-EsxSoftwarePackage -Vendor LSI

Add-EsxSoftwarePackage -ImageProfile ESXi-5.1u1-3ware-9750 -SoftwarePackage scsi-3w-sas

Export-EsxImageProfile -ImageProfile ESXi-5.1u1-3ware-9750 -ExportToIso .\ESXi-5.1.0-20121204001-3w-sas.iso

Burn the ISO and you're set.

Install Dell Server Admin on ESXi5

http://www.journeyofthegeek.com/?p=204

All right folks, I’ve decided to save you hours of time once again and provide a comprehensive guide to installing the Dell OpenManage Server Administrator (OMSA) client on ESXi 5. I pieced this together from a variety of user guides and forum posts and have tested it on an ESXi 5 box I use for labs. Instructions are as follows:

  1. Download the latest version of “Dell OpenManage Offline Bundle and VIB for ESXi”. The easiest way to find it is to go to the Dell Support homepage. Select the model of the Dell server you are working with, filter the operating system to your version of ESXi, expand the System Management section, and do a search for “offline bundle”. Once you download the file, rename it to something simple like omsa.zip. This will make your life easier during the later steps where you will be typing out the file path and filename.