Can BitLocker be used in the guest OS of a Hyper-V Windows VM?


Solution 1

Does that mean BitLocker should not be used inside a Hyper-V guest OS?

Yes, that is what it means.

It should not be used because it isn't supported in Windows versions prior to Windows Server 2016. It isn't supported because Microsoft doesn't want customers to do something that would not provide any actual protection. A guest cannot be configured to start up unattended unless the Startup key is stored on the recovery partition or removable media. A more accurate name for the Startup key is "Startup and Recovery key", because it enables anyone with access to the recovery partition, if the keys are stored there, to decrypt the drive. And you probably don't want to enter a recovery key every time your guest starts.

Also, "attaching a virtual floppy disk" accomplishes the same amount of nothing. If the keys are stored on a device on an unencrypted partition attached to the host, the data is not protected.

Windows Server 2016 introduces Virtual TPM, which enables secure encryption of guest partitions with unattended startup. You can read more about it here:

https://blogs.technet.microsoft.com/hybridcloudbp/2016/11/07/shielded-vms-in-windows-server-2016/

"BitLocker Virtual Disk encryption using vTPM. No need to provide an unlock code after reboot – use guest disk encryption everywhere without any administration overhead. Encryption keys are securely sealed inside virtual TPM device, that moves when the VM moves to another host."

Solution 2

When I've dealt with encrypting VMs in the past I've generally found it easy to use the built-in BitLocker feature provided by Windows. I never ran into any issues doing this, and it is even possible to avoid having to enter the encryption key on boot if you configure a virtual floppy and save the key to that. To copy the key run the following (assuming A: is the floppy drive):

manage-bde.wsf -on C: -rp -sk A:

Once that is done you can just leave the floppy attached to the VM. Note that you'll want to ensure you have a backup of the key in case anything happens to the virtual floppy.
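As an added example that is not part of either answer, the host-side PowerShell check below inventories which guests have a vTPM (the Server 2016 option from Solution 1) and which have a virtual floppy attached (the startup-key workaround from Solution 2), so an admin can see at a glance which guests' BitLocker keys are sealed to the VM and which are just a file on host storage. It assumes the Hyper-V PowerShell module on a Windows Server 2016 or later host; the function name Get-GuestBitLockerPosture and the verdict strings are my own.

```powershell
# Added example: host-side inventory of which guests can hold BitLocker keys
# safely. Assumes the Hyper-V PowerShell module on a Windows Server 2016+
# host; Get-VMSecurity does not exist on 2012/2012 R2 hosts, so every guest
# there is reported as having no vTPM.
Import-Module Hyper-V

function Get-GuestBitLockerPosture {
    foreach ($vm in Get-VM) {
        $hasVtpm = $false
        if (Get-Command Get-VMSecurity -ErrorAction SilentlyContinue) {
            $sec = Get-VMSecurity -VM $vm
            $hasVtpm = [bool]$sec.TpmEnabled
        }

        # A startup key kept on a virtual floppy is just a .vfd file on host
        # storage; anyone who can read the host's disk can read the key.
        # Generation 2 VMs have no floppy controller, hence the error suppression.
        $floppy = Get-VMFloppyDiskDrive -VM $vm -ErrorAction SilentlyContinue
        $floppyPath = if ($floppy -and $floppy.Path) { $floppy.Path } else { $null }

        $verdict = if ($hasVtpm) {
            'OK: vTPM present; guest BitLocker keys can be sealed to the VM'
        } elseif ($floppyPath) {
            "WEAK: no vTPM and a floppy is attached; any startup key on it is readable from $floppyPath"
        } else {
            'MANUAL: no vTPM; guest BitLocker would need a key typed at every boot'
        }

        [pscustomobject]@{
            VM         = $vm.Name
            Generation = $vm.Generation
            vTPM       = $hasVtpm
            FloppyPath = $floppyPath
            Verdict    = $verdict
        }
    }
}

Get-GuestBitLockerPosture | Sort-Object Verdict | Format-Table -AutoSize
```

Run it on the host, not inside a guest; a guest marked WEAK is exactly the case the comments describe, where whoever holds the host also holds the key.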

Author: Lapson

Updated on September 18, 2022

Comments

  • Lapson
    Lapson over 1 year

    We are studying the possibility of using BitLocker inside the guest OS of a VM (i.e. not the parent OS on the VM host). We have both a Win2008R2 VM and a Win2012 (not R2) VM.

    And we found this link: https://books.google.com.hk/books?id=Y0TfBgAAQBAJ&pg=PA112&lpg=PA112&dq=Using+Microsoft+BitLocker+In+a+hyper+v+guest&source=bl&ots=gxPNsAlgQn&sig=yvQGkqNkK1q2aOCVnlDZr7ltmTg&hl=zh-TW&sa=X&ved=0ahUKEwjZvL_N8ZzPAhWFl5QKHfJPCyc4FBDoAQhFMAU#v=onepage&q=guest&f=false "BitLocker encryption can be applied to Hyper-V hosts to ensure data protection. The Hyper-V guest encryption is not supported." (the book said in its first few pages that it's based on Win2012R2)

    Does that mean BitLocker should not be used inside a Hyper-V guest OS?

    But we also found the BitLocker FAQ: https://technet.microsoft.com/en-us/library/hh831507.aspx "Does BitLocker support virtual hard disks (VHDs)? BitLocker is not supported on bootable VHDs, but BitLocker is supported on data volume VHDs, such as those used by clusters, if you are running Windows 8, Windows 8.1, Windows Server 2012 or Windows Server 2012 R2."

    It's talking about VHD, which we guess means using BitLocker inside the guest OS?

    Any advice?

  • Lapson
    Lapson over 7 years
    Thanks Jenos. Another link about Win2008 we found (technet.microsoft.com/en-us/library/…) also said that BitLocker should not be used inside a VM. It told you not to do it instead of saying there would be an error. That's why we are not sure if it is safe to do so, even if no error shows up after enabling BitLocker.
  • Lapson
    Lapson over 7 years
    As for the virtual floppy solution, if the VM was stolen, wouldn't it be very probable that the virtual floppy was stolen altogether, which defeats the purpose of encryption with a key?
  • Jenos
    Jenos over 7 years
    The post you are referencing looks to be for running Hyper-V on 2008. A lot changed between 2008 and 2012, and I've never had issues with it on a 2012 host. As for the floppy, it depends on how concerned you are about the VM being stolen and how you're storing the VMs themselves compared to the Hyper-V host.
  • Lapson
    Lapson over 6 years
    Does that mean, if we accept entering a recovery key every time a VM starts up, it's OK to use BitLocker inside a guest OS, even on a Win2012 host? i.e. the content is really encrypted, it's just inconvenient for us server operators/admins, right?
  • fjch1997
    fjch1997 almost 5 years
    @Lapson No it does not. An attacker with physical access can hibernate the host. Detach the host OS hard drive onto another computer. Modify the Windows SAM file to reset the host OS administrator password. Reboot the host and log in to gain control of the VM. Save the VM state for a memory dump. Extract the BitLocker key from the memory dump.
  • fjch1997
    fjch1997 almost 5 years
    The encryption key has to exist somewhere in memory. If the unencrypted host is compromised (stolen or hacked), the encryption key can be easily extracted by dumping the VM's memory. That's no encryption.