
I would like to configure whole disk encryption on all of my Domain Controllers. Is BitLocker an acceptable method to do this? What are the potential problems with whole disk encryption on a Domain Controller?

MDMarra
Fred Marr
  • Please read the [faq]. Open-ended questions asking for discussion are off-topic. If you have a technical question about it, that's fine, but just asking for people's experience and whether or not it's a "good idea" is entirely subjective. – MDMarra Feb 29 '12 at 15:47
  • Excellent edit to save the question :) – MDMarra Feb 29 '12 at 15:50

2 Answers


I am generally very against FDE on servers. Servers should have tight logical security to keep out electronic attacks, and reasonable physical security to keep people from stealing the whole thing. In the rare situation where you can't implement reasonable physical security, then FDE is appropriate.

BitLocker combined with TPM stored keys works extremely well. If the server doesn't support TPM it will not be able to boot automatically, which may be a serious problem depending on your environment.

Chris S

Yes, using BitLocker for whole disk encryption on a DC is acceptable. However, keep in mind that BitLocker encryption is for OFFLINE disk protection. Once the DC boots, it will run with the file system unencrypted. The potential problems are based on how you configure BitLocker. For example, if you don't have a physical TPM in your servers, you will need a startup key saved on a USB device that would need to be inserted for bootup. This could potentially circumvent your protection if left in the server. Say your DC is physically stolen and you left the USB startup key in. Your drive encryption is then useless, as the USB key is already inserted. Also, remember to keep your recovery key around, in case you forget a PIN (optional requirement), or need to move the disks to new hardware.

There is also a slight performance hit when encrypting the drive.

If you are worried about security on your DCs in a low security site, you may want to consider using Read-Only DCs instead.

HostBits
  • Do you know if the performance hit is negligible? – Fred Marr Feb 29 '12 at 16:29
  • @FredMarr During the initial encryption process, the CPU and disks are put under much higher load than usual. That said, a DC should be able to keep its entire AD database in RAM, making high disk I/O not a problem at all. Unless you run other services on the DC, that is. – MDMarra Feb 29 '12 at 16:38
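The second answer's points (TPM-bound protector vs. a USB startup key, and keeping a recovery key) can be audited on a server with the BitLocker PowerShell module. This is an added example, not code from either answer; it assumes the `BitLocker` and `TrustedPlatformModule` modules (Windows Server 2012 and later) and only reads configuration, it changes nothing.

```powershell
# Added audit example (not from the original answers). Reports how the OS volume
# is protected so the risks described above (USB key left in the server, no
# recovery key, no TPM) are visible before a DC is deployed to a remote site.
function Test-DcBitLockerConfig {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $findings = New-Object System.Collections.Generic.List[string]
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("Volume $MountPoint is $($vol.VolumeStatus); offline protection is incomplete.")
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("Protection is $($vol.ProtectionStatus) (suspended or off).")
    }

    # A TPM-bound protector (Tpm, TpmPin, TpmStartupKey, ...) lets the DC reboot unattended.
    $tpmBound = @($types | Where-Object { $_ -like 'Tpm*' })
    if ($tpmBound.Count -eq 0) {
        $tpm = Get-Tpm -ErrorAction SilentlyContinue
        if ($tpm -and $tpm.TpmReady) {
            $findings.Add('TPM is ready but no TPM-based protector is configured.')
        } else {
            $findings.Add('No TPM available: boot depends on a USB startup key or a password.')
        }
    }

    # ExternalKey alone means a USB startup key; it is defeated if the key stays in the server.
    if (($types -contains 'ExternalKey') -and $tpmBound.Count -eq 0) {
        $findings.Add('Only a USB startup key protects the volume; remove it after boot.')
    }

    # A recovery password is what you fall back on after a lost PIN or a hardware move.
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        $findings.Add('No RecoveryPassword protector; add one and escrow it in AD DS.')
    }
    # To escrow an existing recovery password in AD DS (needs the matching Group Policy):
    # Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery[0].KeyProtectorId

    [pscustomobject]@{
        MountPoint = $MountPoint
        Protectors = ($types -join ',')
        Findings   = $findings
    }
}

Test-DcBitLockerConfig
```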