Free VMware Encryption – Bitlocker

You have a requirement for Full Disk Encryption, but have no Budget (like with all other IT related items)
Its free and Easy.
This is assuming your system is standalone and you have full control of the vCenter Server, cluster, and storage. Also assumes you know what your doing and take responsibilities for your own actions.
Some changes would need to be made if integration of AD.

  1. Set Encryption settings and policies
      • Run gpedit.msc
      • Click on Computer Configuration –> click Administrative Templates –> click Windows Components –> click on Bitlocker Drive Encryption.
      • Modify “Choose drive encryption method and cipher strength” and set it to Enabled, AEC 256-bit (Do the same for the Vista, 2008, 7 & 2008R2 entry if using older version)
      • Click OK to save
      • Click on Operating System Drives
      • Modify “Require Additional Authentication at Startup”
        • Set to Enable:
        • Allow BitLocker without compatible TPM (requires…….)
        • Leave the rest at defaults
        • Click OK
      • Modify “Choose How BitLocker-protected operating system drives can be recovered
        • Allow data recovery agent
        • Omit recovery options from BitLocker setup wizard (everything should be done command line anyway)
        • Save BitLocker recovery information to AD DS for Operating system drives
        • Do not enable BitLocker until recovery information is stored in AD DS for Operating system drives
      • Navigate Back to BitLocker Drive Encryption –> Fixed Data Drives
      • Modify “Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
        • Enable
        • Leave checkbox unchecked for “Do not install BitLocker…”
        • Click OK
      • Modify “Configure use of passwords for fixed data drives”
        • Enable
        • Click OK
      • Modify “Choose how BitLocker-protected fixed drives can be recovered
        • Enable
        • Check “Allow data recovery agent”
        • Check “Omit recovery options from the BitLocker setup wizard”
        • Check “Do not install BitLocker…”
        • Click OK
      • Close gpedit.msc
  2. Create Virtual Floppy drive in Vmware
    • Connect to vSphere web server (using the old Flash one as of 6.5 works, the HTML5 doesn’t have the floppy options)
    • Shutdown the VM
    • Add a Floppy drive to the VM, Creating a New Image and saving it on your data-store (somewhere you feel safe storing the keys) MAKE SURE YOU HAVE IT SET TO CONNECT AT POWER ON.
    • Set the VM to go into the BIOS at next power on
    • Power on the VM, it should go into the BIOS config automatically
    • Change the Boot Order to Hard Disk First (move the Removable media below the hard drive)
    • Save and exit the BIOS and let windows boot normally.
    • Once in Windows you will need to “Format” the A: Drive, you can just right click on it, select Format, and accept the default values.
  3. Enable the Encryption
    • Login to Windows with admin account
    • Open Command prompt with Elevated Administrative rights
    • The Following command will Create the keys and instruct Windows to save the Key to the A: drive, and Display the Recovery password to you.
      • manage-bde.exe –on C: -rp –sk A:
    • If your hard disk is Thin Provisioned and not Think Provisioned, you will need to use this command
      • Option:manage-bde.exe –on C: -used -rp –sk A:
    • TAKE NOTE OF THE RECOVERY PASSWORD YOU RECEIVE ON SCREEN AFTER RUNNING THE ABOVE COMMAND. You will need this if your Floppy image ever gets lost/corrupted/etc.
    • You will need to reboot windows to get the initial Test completed so it can start encrypting your Disks.
    • Windows should boot up normally.  Log into windows
    • Windows will automatically start the encryption process after a minuet or so. Run this command to Monitor its progress.
      • manage-bde -status
    • You should see the Percentage increase as it goes.  Also Verify you see External Key & Numerical Password under the “Key Protectors”
    • That’s it. Just keep that Recovery key handy, you will need it one day.  Two Different Locked Draws at Two different buildings is best.
  4. Enable Encryption for Secondary hard drives.
    • If your C drive is already encrypted, this process is fairly smooth. This Example the Second drive is letter “E”
    • Login to Windows, Verify the C drive is 100% encrypted
      • manage-bde -status
    • The Following command will Create the keys and instruct Windows to save the Key, and Display the Recovery password to you, as well as start the Encryption Process.
      • manage-bde.exe –on E: -rp
      • If you have Thin provisioned hard drive
      • manage-bde.exe –on E: -used -rp
    • TAKE NOTE OF THE RECOVERY PASSWORD YOU RECEIVE ON SCREEN AFTER RUNNING THE ABOVE COMMAND. You will need this if your key ever gets lost/corrupted/etc.
    • Then you need to set it to Auto unlock so you don’t have to manually enter that password
      • manage-bde.exe -autounlock E: -enable
    • This will create an ‘External Key’ that is stored on your C drive (which is encrypted) that is used to decrypt the drive when the server boots.
    • Monitor the progress
      • manage-bde -status
    • It should go to 100% Encrypted.
    • Verify you see External Key & Numerical Password under the “Key Protectors”
    • Also Verify Automatic Unlock shows Enabled.
  5. Keep Those Floppy Images safe.  One way would be to put them on a ‘nas’ that has a NFS share, only accessible from the IP(s) of the ESXi servers.  The NAS is located in a different area of your building, and then is backed up/snapshots & replicated to another Building