Impact of BitLocker deployment on logical disk and OS (root)

-1

Good Day!

We have a project to encrypt only the logical disk, and we are also planning to encrypt the OS (C:) (for PCs, servers and laptops).

  1. If we fully encrypt the logical disk (D:) first, what is the impact when we next encrypt the system drive (C:)?

  2. What will be the impact when we encrypt both the logical disk (D:) and the system drive (C:) together?

Has anyone tried the above process of BitLocker deployment? What are your observations or recommendations?

Thank you so much!

mayiask

Posted 2017-11-28T08:46:08.147

Reputation: 3

Answers

-1

BitLocker generally won't permit encrypting a built-in drive unless the system drive is also encrypted. If you manage to encrypt the D: drive without the C: drive anyhow, D: will be unavailable after reboot until somebody enters the passcode to unlock it. With C: also encrypted, the OS can store the unlock code for D: in the (encrypted) C: drive, then use one of BitLocker's standard unlock methods (such as TPM, hardware key, etc.) to unlock the C: drive (and from there the D: drive).

Encrypting any drive takes time, and attempting to encrypt two different partitions on the same physical drive will take longer than if the partitions are on separate drives. SSDs will also be much faster than HDDs. However, the impact of the encryption process is fairly light unless you continuously have high disk I/O. Disk seek times for HDDs will be worse than usual while encryption is in process, though.

CBHacking

Posted 2017-11-28T08:46:08.147

Reputation: 5 045

Thank you for your response. We are actually planning to encrypt D: first and then the system drive C:, using HDDs. Is that OK? – mayiask – 2017-11-28T14:50:32.780

@mayiask As I said, odds are you won't be able to encrypt an internal drive (D:) without first encrypting the system drive, because the OS would have nowhere safe to store the key. Is there some reason you want to do it in that order? – CBHacking – 2017-11-28T22:57:38.917

Upon our testing, I encrypted the D: first and the key was on another server. We also used AD GP for BDE. The system drive C: was not encrypted yet. Are these steps OK? If the C: is recommended to encrypt first, we'll do it. Thanks – mayiask – 2017-11-28T23:26:53.910

Hi CBH, above concern was clear already from us thank you. If you have time to visit: https://superuser.com/questions/1272734/impact-and-observations-of-encrypted-disks-bitlocker-on-wansync-servers

Thank you so much!

– mayiask – 2017-11-29T10:07:01.580
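The ordering discussed in the answer and comments (system drive first, then the data drive with automatic unlock) can be scripted with the BitLocker PowerShell module. This is an added example, not code from the thread; the drive letters, the TPM-only protector on C:, recovery-password escrow to AD DS on a domain-joined machine, and the helper `Backup-RecoveryPassword` are assumptions for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Drive letters are assumptions.
param([string]$OsDrive = 'C:', [string]$DataDrive = 'D:')

# Hypothetical helper: escrow every recovery password on a volume to AD DS.
function Backup-RecoveryPassword([string]$MountPoint) {
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
}

$os = Get-BitLockerVolume -MountPoint $OsDrive

# Step 1: start the OS volume if nothing has been done on it yet.
if ($os.VolumeStatus -eq 'FullyDecrypted') {
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
    Backup-RecoveryPassword $OsDrive          # escrow before encryption starts
    Enable-BitLocker -MountPoint $OsDrive -TpmProtector | Out-Null
    Write-Output "$OsDrive enabled; restart to pass the hardware test, then re-run."
    return
}

# Step 2: leave the data volume alone until the OS volume is fully protected.
if ($os.VolumeStatus -ne 'FullyEncrypted' -or $os.ProtectionStatus -ne 'On') {
    Write-Output "$OsDrive is $($os.VolumeStatus) at $($os.EncryptionPercentage)%; re-run later."
    return
}

$data = Get-BitLockerVolume -MountPoint $DataDrive
# A data volume encrypted earlier (as in the asker's test) is locked after a reboot.
if ($data.LockStatus -eq 'Locked') {
    Write-Warning "$DataDrive is locked; unlock it with its recovery password, then re-run."
    return
}

# Step 3: encrypt the data volume if that has not been done, and escrow its key.
if ($data.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $DataDrive -RecoveryPasswordProtector | Out-Null
    Backup-RecoveryPassword $DataDrive
}

# Step 4: keep the data volume's unlock key on the protected OS volume.
if (-not (Get-BitLockerVolume -MountPoint $DataDrive).AutoUnlockEnabled) {
    Enable-BitLockerAutoUnlock -MountPoint $DataDrive | Out-Null
}
Get-BitLockerVolume -MountPoint $OsDrive, $DataDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, AutoUnlockEnabled
```

The script is meant to be re-run until the final status table shows both volumes as `FullyEncrypted` with protection `On`; each run only performs the next step that is safe to take.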