
I have a new health care IT customer requirement. Their file server is a virtual 2012 R2 running on a Dell PE with 2012 R2 Hyper-V. The Dell PE with 2012 R2 Hyper-V server has two partitions. The 1st partition is for the 2012 R2 OS and the 2nd partition is where Windows 2012 R2 hosts the virtual machines. Is it a good idea to enable BitLocker on the 2nd partition where the virtual machines reside? What are the pros and cons? Are there other solutions?
I need to have their data encrypted by mid-June. Thanks.

  • I can't really evaluate how 'effective' it is from a HIPAA standpoint. But I have been using BitLocker encryption of the parent partitions of Hyper-V servers we have at some of our remote sites for ~4 years. It seems stable enough. You are running Dell equipment, meaning you probably have a TPM, which really is a hard requirement for servers since you probably need it to restart without requiring a password be provided at boot up. – Zoredache May 08 '17 at 23:26
  • Your question looks too broad, you know anybody has an opinion, but nobody wants to hear the others. :-) Try to make it more specific, add details of your specific case, and so on. – peterh Aug 30 '17 at 13:26

1 Answer


Yes, you should use BitLocker from the Hyper-V parent partition to encrypt drives that store VM files/virtual hard drives.

From TechNet:

You should use BitLocker Drive Encryption on all volumes that store VM files.

The article is a little old, but it's still relevant. Both BitLocker and Hyper-V have gotten better since the time of that writing.

BitLocker encrypts the data at rest. Once the operating system is booted, the drive is "unlocked" and is still susceptible to being compromised while it's running. But when the server is powered down, the data will be locked up tight.

You need a TPM chip before BitLocker becomes really effective. It can technically be used with a USB stick, but that has serious drawbacks... you really want a TPM on your server's motherboard.

If you have really new hardware and can upgrade to Server 2016, you can have Shielded VMs, which is also dependent on modern TPM hardware and can encrypt the VMs so that they are shielded even from the host OS.

– Ryan Ries
  • The hardware isn't all that new. Does that mean I'll have to manually enter a BitLocker password into the system each time the server is rebooted? And be physically present in front of the server to enter the BitLocker password in order for the server to boot up into the OS? – Envision IT May 08 '17 at 23:40
  • If you don't have a TPM at all in your server, then you can store your key on a USB stick, but it will require the USB stick either stay inserted into the server, or for someone to be physically present to boot the machine. – Ryan Ries May 08 '17 at 23:50
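As an added example (not from the question, the answer, or any of the commenters), this is how the recommendation above is actually applied on a 2012 R2 Hyper-V host with a TPM: check the TPM, protect the OS volume with the TPM plus an escrowed recovery password, encrypt the VM volume, and tie the VM volume to the OS volume with auto-unlock so nobody has to be at the console after a reboot. It assumes C: is the host OS volume and D: is the volume holding the VM files; both drive letters are assumptions. Run it elevated on the host, not inside a VM.

```powershell
# Added example, not code from the original thread.
# Assumptions: C: = host OS volume, D: = VM file volume; run elevated on the Hyper-V host.
$OsVolume = "C:"
$VmVolume = "D:"

# 1. A present and ready TPM is what lets the host reboot unattended. Without it,
#    the OS volume needs a USB startup key or an operator at the console every boot.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM found. Enable it in firmware and run Initialize-Tpm before continuing."
}

# 2. The BitLocker feature is not installed by default on Server; installing it needs a
#    reboot before the cmdlets below exist, so rerun the script afterwards.
if ((Get-WindowsFeature BitLocker).InstallState -ne "Installed") {
    Install-WindowsFeature BitLocker -IncludeManagementTools -Restart
}

# 3. Protect the OS volume: recovery password first (so it can be escrowed), then the
#    TPM protector. -SkipHardwareTest starts encryption now instead of after a test reboot.
#    Aes256 is used because XTS modes only exist from Server 2016 onward.
if ((Get-BitLockerVolume -MountPoint $OsVolume).ProtectionStatus -ne "On") {
    Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $OsVolume -EncryptionMethod Aes256 -TpmProtector -SkipHardwareTest
}

# 4. Encrypt the VM volume with its own recovery password, then enable auto-unlock so the
#    host unlocks it from the (TPM-protected) OS volume at boot with no operator input.
if ((Get-BitLockerVolume -MountPoint $VmVolume).ProtectionStatus -ne "On") {
    Enable-BitLocker -MountPoint $VmVolume -EncryptionMethod Aes256 -RecoveryPasswordProtector
}
if (-not (Get-BitLockerVolume -MountPoint $VmVolume).AutoUnlockEnabled) {
    Enable-BitLockerAutoUnlock -MountPoint $VmVolume
}

# 5. Record the recovery passwords for both volumes. Store them OFF this server
#    (password vault or AD DS via Backup-BitLockerKeyProtector); a lost recovery
#    password plus a failed TPM means the VM files are gone.
foreach ($mp in @($OsVolume, $VmVolume)) {
    $vol = Get-BitLockerVolume -MountPoint $mp
    $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" } |
        ForEach-Object { "{0} recovery ID {1}: {2}" -f $mp, $_.KeyProtectorId, $_.RecoveryPassword }
}

# 6. Verify. Expect VolumeStatus to move to FullyEncrypted, ProtectionStatus On,
#    and AutoUnlockEnabled True on the VM volume.
Get-BitLockerVolume -MountPoint $OsVolume, $VmVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, AutoUnlockEnabled
```

Two caveats worth checking before the mid-June deadline. First, encryption runs in the background while the VMs stay up, but it is I/O heavy, so start it in a maintenance window and watch EncryptionPercentage. Second, this addresses exactly what the answer says it does: data at rest on a powered-off or stolen host. Once the host has booted, the VM volume is unlocked for any administrator on the host, which is the running-state exposure the answer describes and what Shielded VMs on 2016 are designed to close.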