Configuring Bitlocker with the graphical interface (GUI) available in Windows Server 2008(R2), Server 2012 as well as Windows Vista, 7 and 8 is quite an easy affair. You just follow the prompts and your drive will be encrypted without too much hassle.
Configuring Bitlocker in a Server Core environment is slightly different. The GUI isn’t available in a Core install of Windows and Hyper-V Server, so administrators are forces to utilize Bitlocker via the command line.
The following is a small summary of information I have compiled for my own use, however this may be of use to someone else, so here it is.
I will also mention that the method described here will work perfectly fine on virtual guests running on either Hyper-V or VMWare/ESXi.
Installing Bitlocker on Server Core 2012
Seeing as Bitlocker isn’t installed by default on Server Core you will have to add the feature through Powershell.
Start a Powershell session in the command line windows by typing “powershell”.
Your promt will now change to a “PS”
From the Powershell console type the following command to install Bitlocker on the server.
If you would like to add the management tools as well you can add the “-IncludeAllManagementTools” option at the back of the above command. Restart the server if told to do so. You can also add the “-Restart” option at the end of the command to restart automatically.
Getting ready to encrypt a drive with Bitlocker
To utilize Bitlocker encryption through Powershell or the command line you will need to use the command line script “manage-bde”. That is available directly from the command line and powershell and for those interested, it’s stored here:
Script location: Ccscript WindowsSystem32manage-bde.wsf
My home server doesn’t have a Trusted Platform Module (TPM), so i have enabled Bitlocker with the use of a password which i define myself. However to be allowed to use Bitlocker without a TPM we have to jump through a little hoop!
If you don’t have a TPM you will need to allow the use of Bitlocker without a TPM via group policy. Either in your domain or via the local group policy snapin on the machine in question. To do that edit the following group policy key to “Enabled”.
Computer Configuration > Administrative Templates > Windows Components > Bitlocker Drive Encryption > Operating System Drives > Require additional authentication at startup
Enable the policy and be sure that “Allow Bitlocker without a compatible TPM” is checked.
Once that is completed it will now be possible to enable and use Bitlocker to protect system volumes running Windows without a TPM.
NOTE: Set policy via PowerShell (Thanks to GrangerG for the comment)
#If you want Bitlocker without TPM and you want to do this all from the command-line (because it’s Hyper-V Server and gpedit.msc doesn’t exist), you just need to set two registry values at “HKLM:\SOFTWARE\Policies\Microsoft\FVE”. On Hyper-V Server 2012 r2, the key/folder won’t exist, so that explains the first line.
# Using PowerShell:
Set-ItemProperty FVE -Name UseAdvancedStartup -Value 1
Set-ItemProperty FVE -Name EnableBDEWithNoTPM -Value 1
#Immediately after setting those 2 values, you’ll be able to run “manage-bde” to protect the drive you want and use the startupkey and recoverykey options to save the keys to your USB drive.
Encrypting a drive with Bitlocker
Encrypting a drive with Bitlocker requires that a system administrator provides Bitlocker with one or more security protectors to protect the drive. I will be using a password, however one can also use a USB key and other methods to lock and unlock the Bitlocker volume.
What do i mean by password protection?
By password protection i mean that an administrator will be forced to type in a password to unlock the volume at boot time. This password can also be used to unlock the volume on another machine if need be.
In addition to adding my own personal password i will also add a Bitlocker recovery password which can be used to recover the volume in case the self defined password is forgotten.
To add security protectors to the hard drive we will be using the following command.
manage-bde -protectors -add C: -password -recoverypassword
- manage-bde: invokes the script
- -protectors: defines what we are going to do (add protectors to the drive)
- -add: lets manage-bde know we are going to add a protectors to the drive
- C: defines which drive should receive the new protector
- -password: will allow us to set a self defined password to unlock the drive
- -recoverypassword: will tell manage-bde to generate a random recovery key for the volume
You should be prompted to enter you self defined password twice and you should receive a randomly generated recovery key printed on the screen. You should copy this down immediately so it’s not lost as it will be the only way to recover the volume if the user password is forgotten.
TIP: To have the recovery key automatically saved to a USB thumb drive add the following to the end of the command: -RecoveryKeyPath X:
Where X: should be the drive letter of the USB thumb drive.
Once the protectors have been put in place we can start the encryption of the volume with the following command:
manage-bde -on C:
- -on: Lets manage-bde know we want to enable Bitlocker on the drive
- C: defines the drive which will be encrypted using Bitlocker
In case you are encrypting a thin-provisioned virtual machine you will have to add the -usedspaceonly trigger at the end of the command to encrypt the volume.
After the command is executed you will be prompted to restart your computer to complete the Bitlocker drive test. The test checks that you are able to log in to your system with Bitlocker enabled. Once the computer has restarted and you have made it back into Windows Bitlocker should start encrypting the drive.
You can keep an eye on the status of the encryption process with the following command: