If you have ever built an application with sensitive data hosted in your DMZ, you might have considered encrypting the data drive. Chances are you are also using a virtual machine to host your application.
While the preferred option would be to use the encryption capabilities built into the latest version of Hyper-V together with a virtual TPM, you might not want the extra hassle. Especially when you are using the Hyper-V replication capabilities to build a DR farm, getting the vTPM working across servers can be a major headache.
So here are some simple lines of PowerShell goodness you can use to enable BitLocker on a guest without needing a TPM (using a password instead). The only catch: when you reboot the VM, you need to manually enter the password to unlock the drive. Why PowerShell? Well, since there is no GUI on Windows Server 2016 Core, and Core is by now the default install for Windows Server, need I say more?
First, add the BitLocker feature to the VM, then reboot the VM.
Next, enable the use of BitLocker without a TPM by making some registry changes:
New-Item HKLM:\SOFTWARE\Policies\Microsoft\FVE
Set-Location HKLM:\SOFTWARE\Policies\Microsoft
Set-ItemProperty FVE -Name UseAdvancedStartup -Value 1
Set-ItemProperty FVE -Name EnableBDEWithNoTPM -Value 1
Finally, enable and activate the encryption. In the example below I tell the command to encrypt the D: drive with a simple password and to generate the recovery password for me. Make sure you keep that recovery password in a safe place!
The last line turns encryption on, but only for the existing data rather than the whole volume, which is important when using dynamically expanding VHDX disks.
manage-bde -protectors -add d: -password -recoverypassword
manage-bde -on d: -usedspaceonly
If you need more advanced options or want to store the recovery key in AD, I recommend using Enable-BitLocker to configure the drive.
Oh, and before I forget, the command to unlock the drive after a reboot is
manage-bde -unlock d: -password
followed by that top secret password of yours.
The scripts can also be downloaded from: https://github.com/alxdean/powerblogger/tree/master/bitlocker
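Putting the steps above together: the script below is an added example, not the author's script from the linked repository. It follows the same procedure (install the feature, set the FVE policy values, add a password and a recovery password protector, encrypt used space only, unlock after reboot) but uses the BitLocker PowerShell module cmdlets, the Enable-BitLocker route the post mentions, instead of manage-bde. The data volume letter D:, running elevated, and the verification checks at the end are my assumptions, not something the post states.

```powershell
# Added example (not from the original post): end-to-end BitLocker setup for a
# data drive on a Hyper-V guest without a vTPM, using a password protector plus
# a recovery password. Assumes the data volume is D: and the shell is elevated.
$MountPoint = 'D:'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Step 1: install the BitLocker feature; a reboot is required before the
# BitLocker cmdlets work, so stop here and re-run the script afterwards.
if ((Get-WindowsFeature -Name BitLocker).InstallState -ne 'Installed') {
    Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools
    Write-Warning 'BitLocker feature installed; reboot the VM and run this script again.'
    return
}

# Step 2: allow BitLocker without a TPM (the same two policy values the post sets).
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name UseAdvancedStartup  -Value 1 -Type DWord
Set-ItemProperty -Path $PolicyKey -Name EnableBDEWithNoTPM -Value 1 -Type DWord

# Step 3: prompt for the unlock password as a SecureString; never hard-code it.
$Password = Read-Host -Prompt "Unlock password for $MountPoint" -AsSecureString

# Step 4: enable encryption with a password protector, used space only (matters
# for dynamically expanding VHDX), then add a recovery password protector.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password `
        -EncryptionMethod XtsAes256 -UsedSpaceOnly | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
}

# Step 5: show the 48-digit recovery password once so it can be stored off the VM.
$vol      = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
Write-Host "Recovery password for $MountPoint (store it outside the VM):"
Write-Host $recovery.RecoveryPassword

# Optional: escrow the recovery password to AD DS when the guest is domain-joined.
# Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId

# Step 6: sanity checks: both protectors present and the current encryption state.
$types = $vol.KeyProtector.KeyProtectorType
if ($types -notcontains 'Password')         { Write-Warning 'No password protector found.' }
if ($types -notcontains 'RecoveryPassword') { Write-Warning 'No recovery password protector found.' }
"{0}: {1}, {2}% encrypted, protection {3}" -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage, $vol.ProtectionStatus

# After a reboot: unlock the data drive (the cmdlet equivalent of
# "manage-bde -unlock d: -password"), prompting for the password again.
function Unlock-DataDrive {
    param([string]$MountPoint = 'D:')
    $pw = Read-Host -Prompt "Unlock password for $MountPoint" -AsSecureString
    Unlock-BitLocker -MountPoint $MountPoint -Password $pw
}
```

The script deliberately stops after installing the feature rather than chaining a reboot, because the BitLocker module is only usable after that restart. Run the whole file once, reboot when told to, run it again, and after every later reboot call Unlock-DataDrive (or the manage-bde line above) before any service that depends on D: is started.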