We are studying the possibility of using BitLocker inside the guest OS of a VM (i.e. not the parent OS on the VM host). We have both a Win2008R2 VM and a Win2012 (not R2) VM.

And we found this link: https://books.google.com.hk/books?id=Y0TfBgAAQBAJ&pg=PA112&lpg=PA112&dq=Using+Microsoft+BitLocker+In+a+hyper+v+guest&source=bl&ots=gxPNsAlgQn&sig=yvQGkqNkK1q2aOCVnlDZr7ltmTg&hl=zh-TW&sa=X&ved=0ahUKEwjZvL_N8ZzPAhWFl5QKHfJPCyc4FBDoAQhFMAU#v=onepage&q=guest&f=false "BitLocker encryption can be applied to Hyper-V hosts to ensure data protection. The Hyper-V guest encryption is not supported." (the book says in its first few pages that it is based on Win2012R2)

Does that mean BitLocker should not be used inside a Hyper-V guest OS?

But we also found the BitLocker FAQ: https://technet.microsoft.com/en-us/library/hh831507.aspx "Does BitLocker support virtual hard disks (VHDs)? BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 8, Windows 8.1, Windows Server 2012 or Windows Server 2012 R2."

It's talking about VHD, which we guess means using BitLocker inside the guest OS?

Any advice?

Lapson

2 Answers

3

Does that mean BitLocker should not be used inside a Hyper-V guest OS?

Yes, that is what it means.

It should not be used because it isn't supported in Windows versions prior to Windows Server 2016. It isn't supported because Microsoft doesn't want customers to do something that would not provide any actual protection. A guest cannot be configured to start up unattended unless the Startup key is stored on the recovery partition or on removable media. A more accurate name for the Startup key is "Startup and Recovery key", because, if the keys are stored there, it enables anyone with access to the recovery partition to decrypt the drive. And you probably don't want to enter a recovery key every time your guest starts.

Also, "attaching a virtual floppy disk" accomplishes the same amount of nothing. If the keys are stored on a device on an unencrypted partition attached to the host, the data is not protected.

Windows Server 2016 introduces Virtual TPM, which enables secure encryption of guest partitions with unattended startup. You can read more about it here:

https://blogs.technet.microsoft.com/hybridcloudbp/2016/11/07/shielded-vms-in-windows-server-2016/

"BitLocker Virtual Disk encryption using vTPM. No need to provide an unlock code after reboot – use guest disk encryption everywhere without any administration overhead. Encryption keys are securely sealed inside virtual TPM device, that moves when the VM moves to another host."

Greg Askew
  • Does that mean, if we accept entering a recovery key every time a VM starts up, it's OK to use BitLocker inside a guest OS, even for a Win2012 host? i.e. the contents are really encrypted, it's just inconvenient for us server operators/admins, right? – Lapson Nov 15 '17 at 04:37
  • @Lapson No it does not. An attacker with physical access can hibernate the host. Detach the host OS hard drive and attach it to another computer. Modify the Windows SAM file to reset the host OS administrator password. Reboot the host and log in to gain control of the VM. Save the VM state for a memory dump. Extract the BitLocker key from the memory dump. – fjch1997 Jul 03 '19 at 02:14
1

When I've dealt with encrypting VMs in the past I've generally found it easy to use the built-in BitLocker feature provided by Windows. I never ran into any issues doing this, and it is even possible to avoid having to enter the encryption key on boot if you configure a virtual floppy and save the key to that. To copy the key, run the following (assuming A: is the floppy drive):

manage-bde.wsf -on C: -rp -sk A:

Once that is done you can just leave the floppy attached to the VM. Note that you'll want to ensure you have a backup of the key in case anything happens to the virtual floppy.

Jenos
  • Thanks Jenos. Another link about Win2008 we found (https://technet.microsoft.com/en-us/library/cc974516.aspx?f=255&MSPPError=-2147217396) also said that BitLocker should not be used inside a VM. It told you not to do it instead of saying there would be an error. That's why we are not sure if it is safe to do so, even if no error shows up after enabling BitLocker. – Lapson Sep 21 '16 at 05:16
  • As for the virtual floppy solution, if the VM was stolen, wouldn't it be very probable that the virtual floppy was stolen along with it, which defeats the purpose of encryption with a key? – Lapson Sep 21 '16 at 05:19
  • The post you are referencing looks to be for running Hyper-V on 2008. A lot changed between 2008 and 2012, and I've never had issues with it on a 2012 host. As for the floppy, it depends on how concerned you are about the VM being stolen and how you're storing the VMs themselves compared to the Hyper-V host. – Jenos Sep 21 '16 at 05:45
  • The encryption key has to exist somewhere in memory. If the unencrypted host is compromised (stolen or hacked), the encryption key can be easily extracted by dumping the VM's memory. That's no encryption. – fjch1997 Jul 03 '19 at 02:17
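The two answers disagree about what the virtual-floppy startup key actually buys you. The following is an added example (not code from either answer or from Microsoft) that audits a guest's BitLocker protectors from inside the VM and classifies each volume by the reasoning above: a startup key ("ExternalKey") on a virtual floppy or VHD is a file on the host, so anyone who controls the host holds the key; only a TPM-type protector (the Server 2016 vTPM) keeps the unlock secret off host-readable storage. It assumes an elevated PowerShell session in the guest on Windows Server 2012 or later with the BitLocker module available; the function name and verdict strings are my own.

```powershell
# Added example: classify each BitLocker volume in a Hyper-V guest by how its
# unlock key is stored. Run inside the guest as administrator (Server 2012+).
# Assumption: recovery-type protectors need a human at every boot; everything
# else can unlock unattended and is therefore what the host can reach.
function Get-GuestBitLockerPosture {
    $tpmTypes = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        # Protectors able to unlock the volume without an operator present
        $auto  = @($types | Where-Object { $_ -notin 'RecoveryPassword', 'RecoveryKey' })

        $verdict =
            if ($vol.ProtectionStatus -ne 'On') {
                'Not protected'
            } elseif ($auto.Count -eq 0) {
                'Recovery password/key needed at every start: data at rest encrypted, operator must unlock'
            } elseif ($auto | Where-Object { $_ -in $tpmTypes }) {
                'Unlock key sealed by (virtual) TPM; strength depends on the host vTPM/shielded-VM setup'
            } elseif ($auto -contains 'ExternalKey') {
                'Startup key on host-accessible media (virtual floppy/VHD): no protection from host compromise'
            } else {
                "Other unattended protector(s): $($auto -join ', ')"
            }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Protection = "$($vol.ProtectionStatus)"
            Protectors = ($types -join ', ')
            Verdict    = $verdict
        }
    }
}

Get-GuestBitLockerPosture | Format-Table -AutoSize -Wrap
```

A volume whose only unattended protector is `ExternalKey` is the configuration the accepted answer warns about; the memory-dump point in the last comment applies to every row, since a running guest's key is in host-managed RAM regardless of protector type.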