Difference between revisions of "Configuring BitLocker Drive Encryption on Windows Server 2008"


Revision as of 18:48, 10 July 2008

BitLocker Drive Encryption is a security feature first introduced in the Ultimate and Enterprise editions of Windows Vista and subsequently incorporated into all editions of Windows Server 2008.

BitLocker performs a number of functions depending on the hardware support of the system on which Windows Server 2008 is running. At the most basic level, BitLocker encrypts entire disk volumes so that the operating system files and user data contained on a disk drive cannot be accessed if the computer and/or drive is lost or stolen. In addition, a key is written to a USB flash drive during the BitLocker configuration process. This flash drive must be inserted into a USB port on the computer at system startup in order to gain access to the system.

When used on a computer system which has a Trusted Platform Module (TPM) together with a Trusted Computing Group (TCG) compatible BIOS, BitLocker also provides additional features, including verifying the integrity of the boot files prior to system startup. TPM support also provides the option to specify a PIN that must be entered at system startup in addition to inserting the flash drive containing the key.

This chapter of Windows Server 2008 Essentials provides a detailed overview of the steps necessary to configure BitLocker Drive Encryption.



BitLocker Prerequisites

Unfortunately, BitLocker Drive Encryption is not supported on all systems. The following are mandatory prerequisites for using BitLocker:

  • A minimum of 1.5Gb of available disk space (either unallocated or available for reallocation from an existing partition).
  • A BIOS which supports clearing of system RAM on reboot.

While not required in order to use BitLocker, the following optional components are needed to take advantage of the full range of BitLocker protection features:

  • Trusted Platform Module (TPM) Chip
  • Trusted Computing Group BIOS

Enabling the BitLocker Drive Encryption Feature

The first step in configuring BitLocker Drive Encryption involves enabling this feature within Windows Server 2008. This is achieved using the Server Manager. To access the Server Manager, either open the Start menu and select Server Manager or click on the Server Manager icon in the task bar. In the tree hierarchy located in the left-hand panel of the Server Manager, select the Features option. Once selected, the Server Manager will display the status of current feature configurations and provide options to add and remove features. The following figure illustrates the Server Manager in Features mode with no features currently installed:


The Windows Server 2008 Server Manager Features Screen


To add the BitLocker feature, begin by clicking on the Add New Features option to invoke the Add New Features Wizard as shown below.


The Windows Server 2008 Add New Features Wizard


Select the BitLocker Drive Encryption option and click on the Next button. On the resulting Confirmation screen, verify that you wish to enable BitLocker support by clicking on the Install button. The wizard will then work through the installation process. The amount of time required to complete this task will vary depending on system speed. Overall progress can be tracked via the progress bar displayed on the Progress screen.

Upon completion of the installation process it will be necessary to reboot the system to implement the change. The restart can be triggered by clicking the You must restart this server to finish the installation link shown on the wizard's Results page. Alternatively, close the wizard and select Restart from the Start menu when it is convenient to do so.

After the restart has completed the Add Features Wizard will restart and complete the final phases of the feature installation process. Once completed click on the Close button to exit from the wizard.
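The prerequisites listed earlier and the feature installation described in this section can both be checked from a script before any partition is touched. The following PowerShell script is an added example written for this page; it is not code from the Techotopia article or from Microsoft. It assumes an elevated prompt on Windows Server 2008 and uses Microsoft's WMI classes (Win32_Tpm, Win32_LogicalDisk, Win32_ServerFeature); the 1.5 GB figure is the article's. The BIOS requirement (clearing system RAM on reboot) has no WMI counterpart and still has to be confirmed from the firmware documentation.

```powershell
# Added example (not from the Techotopia article): report whether this
# Windows Server 2008 host meets the BitLocker prerequisites and whether the
# BitLocker feature has been enabled in Server Manager.
# Run from an elevated PowerShell prompt.

$RequiredMB = 1500   # minimum system volume size given in the article

# 1. TPM (optional): needed for boot-file integrity checks and the PIN option.
#    Vista / Server 2008 expose the TPM through the Win32_Tpm WMI class.
$tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' `
                     -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm -eq $null) {
    Write-Host 'TPM: not detected; BitLocker will depend on the USB startup key alone'
} else {
    $vals = @($tpm.IsEnabled_InitialValue, $tpm.IsActivated_InitialValue,
              $tpm.IsOwned_InitialValue, $tpm.SpecVersion)
    Write-Host ('TPM: present, enabled={0} activated={1} owned={2} spec={3}' -f $vals)
}

# 2. Disk space: 1.5 GB must be unallocated or reclaimable from a volume.
#    Free space inside each fixed volume (DriveType 3) is the upper bound on
#    what a shrink could release; the 10% rule for splits still applies later.
foreach ($d in (Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3')) {
    $freeMB = [math]::Floor($d.FreeSpace / 1MB)
    if ($freeMB -ge $RequiredMB) { $verdict = 'enough for a split' }
    else                         { $verdict = 'too little for a split' }
    Write-Host ('Volume {0}: {1} MB free ({2})' -f $d.DeviceID, $freeMB, $verdict)
}

# 3. Feature state: Win32_ServerFeature enumerates roles and features that
#    Server Manager has installed on Windows Server 2008.
$features = @(Get-WmiObject Win32_ServerFeature -ErrorAction SilentlyContinue |
              Where-Object { $_.Name -like '*BitLocker*' })
if ($features.Count -gt 0) {
    foreach ($f in $features) { Write-Host ('Feature installed: {0}' -f $f.Name) }
} else {
    Write-Host 'BitLocker feature not installed: add it via Server Manager > Features and reboot'
}
```

If the TPM reports enabled but not activated or not owned, BitLocker's TPM-based protectors and the PIN option will not be available until the TPM is initialised; a host with no TPM at all can still use BitLocker, but only with the USB startup key described above.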


Creating Partitions for BitLocker Drive Encryption

BitLocker Drive Encryption requires that there be two partitions on the hard disk drive. The first partition is referred to as the system volume and contains the unencrypted boot information. The second partition is referred to as the operating system volume. This is the volume which will be encrypted and contains the operating system and user data.

The system volume must be at least 1.5Gb in size and must be created before proceeding with the BitLocker Drive Encryption process. This volume can be created either by using unallocated space on a drive, by taking space from an existing volume, or by merging the boot files into another existing volume (other than the operating system volume). To ease the process of creating the system volume, Microsoft provides a tool called the BitLocker Drive Preparation Tool. This tool may be downloaded from the Microsoft website (http://www.microsoft.com/downloads/details.aspx?FamilyID=320b9aa9-47e8-44f9-b8d0-4d7d6a75add0&displaylang=en).

Once the tool has been downloaded and installed it should appear in Start->Accessories->System Tools->BitLocker->BitLocker Drive Preparation Tool. The tool itself is installed as the executable %ProgramFiles%\BitLocker\BdeHdCfg.exe. The tool may either be run as a graphical tool or run from a command prompt with a variety of command-line options to perform the required task.

To obtain a list of the available command-line options, run the tool with the -? command-line option:

bdehdcfg -?

To obtain information about the existing disk drive configuration, run the BdeHdCfg.exe command with the -driveinfo command-line option:

bdehdcfg -driveinfo

This output tells us that the only option for this disk drive is to shrink the C: volume and the maximum amount by which it may be shrunk.

1.5Gb of any unallocated space on the disk drive can be assigned to the system volume with a drive letter 'S:' using the following command:

bdehdcfg -target unallocated -newdriveletter s: -size 1500

Alternatively, free space from an existing volume can be assigned to the system volume. This is referred to as performing a split: in practice the volume is shrunk and a new volume is created from the freed space. For a split to succeed, the volume from which the space is removed must still have 10% free space available after the 1.5Gb split has been performed. The following command splits 1.5Gb from the C: volume and assigns it to a new system volume with drive letter 'S:':

bdehdcfg -target c: shrink -newdriveletter s: -size 1500

Finally, if a partition other than the operating system volume exists, the boot files can be merged onto this partition. Once the merge is complete the partition must be set as the active partition. This is achieved using the -merge option. For example, the following command merges the boot files onto the D: volume:
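The three ways of obtaining the system volume described above (unallocated space, a split, or a merge) can be chosen between automatically once the article's 10% free-space rule has been checked. The following PowerShell script is an added example written for this page, not code from the article or from Microsoft. It assumes BdeHdCfg.exe is installed at the path the article gives (%ProgramFiles%\BitLocker\BdeHdCfg.exe); C:, S: and D: are placeholder drive letters. The `-target <letter> merge` form is taken from Microsoft's BdeHdCfg reference rather than from the article, so confirm it against `bdehdcfg -?` on your own system. Nothing is changed unless -Execute is passed; otherwise the script only prints the command it would run.

```powershell
# Added example (not from the Techotopia article): pick the BdeHdCfg.exe
# invocation that fits this disk, applying the article's constraints first.
param(
    [string]$OsVolume    = 'C:',    # operating system volume (encrypted later)
    [string]$NewLetter   = 'S:',    # drive letter for the new system volume
    [string]$MergeVolume = '',      # existing non-OS volume to receive the boot files
    [int]   $SizeMB      = 1500,    # article's minimum system volume size
    [switch]$Execute                # without this, only print the planned command
)

$bde = Join-Path $env:ProgramFiles 'BitLocker\BdeHdCfg.exe'
if (-not (Test-Path $bde)) { throw "BitLocker Drive Preparation Tool not found at $bde" }

# Let the tool report what it considers possible (same as 'bdehdcfg -driveinfo').
& $bde -driveinfo

# Can the OS volume give up $SizeMB and still keep 10% free? That is the
# condition the article gives for a successful split.
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$OsVolume'"
if ($disk -eq $null) { throw "Volume $OsVolume not found" }
$sizeMB         = [math]::Floor($disk.Size / 1MB)
$freeMB         = [math]::Floor($disk.FreeSpace / 1MB)
$freeAfterMB    = $freeMB - $SizeMB
$requiredFreeMB = [math]::Ceiling(($sizeMB - $SizeMB) * 0.10)
$canShrink      = $freeAfterMB -ge $requiredFreeMB

if ($MergeVolume -ne '') {
    # Merge form per Microsoft's BdeHdCfg reference (assumption: not shown in
    # the article). The article notes the target must then be the active
    # partition; check that with diskpart before rebooting.
    $bdeArgs = @('-target', $MergeVolume, 'merge')
} elseif ($canShrink) {
    # Split: same command as the article's shrink example.
    $bdeArgs = @('-target', $OsVolume, 'shrink', '-newdriveletter', $NewLetter, '-size', $SizeMB)
} else {
    # Shrinking would violate the 10% rule, so fall back to unallocated space
    # (the tool itself will fail if none exists).
    Write-Host ('{0} would keep only {1} MB free after the split; {2} MB needed.' -f `
                $OsVolume, $freeAfterMB, $requiredFreeMB)
    $bdeArgs = @('-target', 'unallocated', '-newdriveletter', $NewLetter, '-size', $SizeMB)
}

Write-Host ('Planned command: bdehdcfg {0}' -f ($bdeArgs -join ' '))
if ($Execute) { & $bde $bdeArgs }
```

Run it once without -Execute to see the `-driveinfo` report and the planned command, then again with -Execute after confirming that the chosen target is the one you intend to repartition; a mistaken target letter here changes the disk layout, which is why the script defaults to printing rather than acting.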


Enabling BitLocker Drive Encryption