4

Disclaimer: I realize that I posted this question on ServerFault, but I have not received any response there. I am hoping that this forum might be a more appropriate place to post this for a response. If I am incorrect, please let me know and I'll delete this post.

We have a need to enforce resting encryption on an iSCSI LUN that is accessible from within a Hyper-V virtual machine.

We have implemented a working solution using BitLocker, using Windows Server 2012 on a Hyper-V Virtual Server which has iSCSI access to a LUN on our SAN. We were able to successfully do this by using the "floppy disk key storage" hack as defined in THIS POST. However, this method seems "hokey" to me.

In my continued research, I found out that the Amazon Corporate IT team published a WHITEPAPER that outlined exactly what I was looking for in a more elegant solution, without the "floppy disk hack". On page 7 of this white paper, they state that they implemented Windows DPAPI Encryption Key Management to securely manage their BitLocker keys. This is exactly what I am looking to do, but they stated that they had to write a script to do this, yet they don't provide the script or even any pointers on how to create one.

Does anyone have details on how to create a "script in conjunction with a service and a key-store file protected by the server’s machine account DPAPI key" (as they state in the whitepaper) to manage and auto-unlock BitLocker volumes? Any advice is appreciated.

Glorfindel
bigmac

1 Answer

3

DPAPI functions basically two ways, either the info you're protecting is encrypted at a machine level, or a user level.

If you're running as a service, you need to use machine level. If you're running under a user, you can use the user level. The difference is that for the user level, the user's password basically provides the encryption for the data you pass to the API. At the machine level it has something to do with the hardware or Windows installation (I'm not sure).

If someone had physical access to the computer, they would not be able to decrypt your BitLocker password without knowing your Windows password (or being logged in as you already). With Machine-Level encryption, it's a bit weaker. Anyone with physical access can get the key. But it does protect against scenarios where the attacker is in a remote location.

Here is your link for using DPAPI with .NET:

http://msdn.microsoft.com/en-us/library/system.security.cryptography.protecteddata.protect.aspx

And here is a link for the BitLocker Win32 API:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa376483.aspx

You'll need to do some work on how to use the BitLocker API, because you have to call unmanaged Win32 functions from the managed .NET Framework.

John
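The following PowerShell script is an added example that is not part of the question or the answer above; it shows the pattern the whitepaper describes and the answer outlines: a key-store file protected by the machine account's DPAPI key (ProtectedData with LocalMachine scope), written once at enrolment and read back at startup to unlock the iSCSI-backed volume. It uses the BitLocker cmdlets that ship with Windows Server 2012. The mount point `E:`, the key-store path under `C:\ProgramData`, and the entropy string are placeholders chosen for this example, not values from the thread.

```powershell
# Added example (not from the original post or answer): machine-scope DPAPI key store
# for auto-unlocking a BitLocker data volume. Placeholders: mount point E: and the
# key-store path below are assumptions for this example.

Add-Type -AssemblyName System.Security   # System.Security.Cryptography.ProtectedData

$MountPoint = 'E:'
$KeyStore   = 'C:\ProgramData\BitLockerKeyStore\E.dpapi'

# Optional entropy mixed into the DPAPI blob. It lives in this script, so it only
# raises the bar a little; the secret that really protects the file is the machine's
# DPAPI master key, which any local administrator on this host can use.
$Entropy = [System.Text.Encoding]::UTF8.GetBytes('iscsi-lun-keystore-v1')

function Protect-KeyStore {
    param([string]$Secret, [string]$Path)
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect(
                 $plain, $Entropy,
                 [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    [Array]::Clear($plain, 0, $plain.Length)          # scrub the plaintext copy
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    [System.IO.File]::WriteAllBytes($Path, $blob)
    # Limit the file to SYSTEM and Administrators; DPAPI alone does not stop a local admin.
    $acl = Get-Acl $Path
    $acl.SetAccessRuleProtection($true, $false)        # drop inherited ACEs
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl $Path $acl
}

function Unprotect-KeyStore {
    param([string]$Path)
    $blob  = [System.IO.File]::ReadAllBytes($Path)
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
                 $blob, $Entropy,
                 [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
    [System.Text.Encoding]::UTF8.GetString($plain)
}

# One-time enrolment, run as an administrator on the VM: add a recovery-password
# protector to the volume and store that 48-digit password in the DPAPI key store.
function Register-KeyStore {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = ($vol.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword' |
            Select-Object -Last 1).RecoveryPassword
    Protect-KeyStore -Secret $rp -Path $KeyStore
    Write-Output "Key store written to $KeyStore"
}

# Startup path, run by a scheduled task or service as SYSTEM once the iSCSI
# initiator has attached the LUN: read the key store and unlock the volume.
function Unlock-VolumeFromKeyStore {
    if (-not (Test-Path $KeyStore)) { throw "Key store $KeyStore not found" }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -eq 'Locked') {
        $rp = Unprotect-KeyStore -Path $KeyStore
        Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $rp | Out-Null
        Write-Output "Unlocked $MountPoint from DPAPI key store"
    } else {
        Write-Output "$MountPoint is already unlocked"
    }
}

# Usage: run Register-KeyStore once, then have the startup task call
# Unlock-VolumeFromKeyStore (for example: powershell.exe -File thisscript.ps1
# with the call below uncommented).
# Unlock-VolumeFromKeyStore
```

Two points to keep in mind when deploying something like this. First, the startup task must run after the Microsoft iSCSI Initiator Service (MSiSCSI) has reconnected the LUN, otherwise `Get-BitLockerVolume` will not find the mount point; triggering the task on that service's startup, or retrying for a short period, handles the race. Second, the protection this gives is exactly what the answer describes for machine-scope DPAPI: the key store is unreadable off-line and from another machine (or a copy of the LUN), but anyone who can run code as SYSTEM or an administrator on this VM can decrypt it, so the OS disk of the VM and the Hyper-V host remain in the trust boundary.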