Using BitLocker with Hyper-V Key Storage Drive

In this step-by-step post, I will show you how to enable and configure BitLocker to provide at-rest encryption inside a Generation 1 virtual machine, using Key Storage Drive on Windows Server 2016 (WS2016) Hyper-V hosts.


Enabling Key Storage Drive

The easy part of deploying this solution for Generation 1 virtual machines is to enable Key Storage Drive in the settings of the virtual machine.

Adding a Key Storage Drive to a WS2016 Hyper-V Generation 1 virtual machine [Image Credit: Aidan Finn]
If you are curious, like I was, you’ll probably look for this new disk. You will not find a virtual floppy or hard disk file in the storage of the virtual machine. However, when you start up the virtual machine, sign in, and start Disk Management, you will find that a new 42MB disk was added.

The 42 MB disk in Disk Management [Image Credit: Aidan Finn]

Prepare the Disk

You can quickly prepare the disk using Disk Management or Diskpart. I prefer to use Disk Management:

  1. Bring the disk online.
  2. Initialize the disk with the MBR partition style.
  3. Create a new simple volume, filling the disk.
  4. Assign an available drive letter, such as K or Z.
  5. Format the volume with NTFS and give it a clear label, such as Key Storage Drive.
Formatting the key storage drive [Image Credit: Aidan Finn]
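The same five steps from inside the guest with PowerShell, as an added example that is not part of the original post. It assumes the Key Storage Drive is the only uninitialised (RAW) disk in the guest and that it is no larger than 64 MB; the drive letter Z and the volume label are this example's choices. The size bound is there so that a data disk that happens to be RAW is never formatted by mistake.

```powershell
# Added example (not from the original post): prepare the Key Storage Drive
# with PowerShell instead of Disk Management.
# Assumptions: the KSD is the only RAW (uninitialised) disk in the guest and it
# is at most 64 MB; drive letter Z and the label are this example's choices.

function Initialize-KeyStorageDrive {
    param(
        [string]$DriveLetter = 'Z',
        [string]$Label       = 'Key Storage Drive',
        [int]$MaxSizeMB      = 64   # sanity bound: never format a real data disk by mistake
    )

    # Only disks with no partition style yet (RAW) and small enough to be the KSD
    # are candidates. Refuse to guess if there is more than one.
    $candidates = @(Get-Disk | Where-Object {
        $_.PartitionStyle -eq 'RAW' -and $_.Size -le ($MaxSizeMB * 1MB)
    })
    if ($candidates.Count -eq 0) { throw 'No uninitialised disk small enough to be the Key Storage Drive was found.' }
    if ($candidates.Count -gt 1) { throw 'More than one candidate disk found; initialise the KSD manually.' }
    $disk = $candidates[0]

    # Step 1: bring the disk online (and writable) before initialising it.
    if ($disk.IsOffline)  { Set-Disk -Number $disk.Number -IsOffline $false }
    if ($disk.IsReadOnly) { Set-Disk -Number $disk.Number -IsReadOnly $false }

    # Steps 2-5: MBR, one partition filling the disk, fixed drive letter, NTFS with a label.
    Initialize-Disk -Number $disk.Number -PartitionStyle MBR
    $partition = New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter $DriveLetter
    $volume    = Format-Volume -Partition $partition -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false

    # Return what we actually ended up with so the caller can verify it.
    [pscustomobject]@{
        DiskNumber  = $disk.Number
        SizeMB      = [math]::Round($disk.Size / 1MB)
        DriveLetter = $volume.DriveLetter
        FileSystem  = $volume.FileSystem
        Label       = $volume.FileSystemLabel
    }
}

Initialize-KeyStorageDrive -DriveLetter 'Z'
```

The function returns the disk number, size, drive letter and file system it produced; check that the size is the 42 MB disk from Disk Management before going on to the policy step.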

Local or Group Policy

By default, BitLocker requires a TPM chip. Generation 2 virtual machines support a virtual TPM (vTPM) on WS2016 Hyper-V, but Generation 1 virtual machines do not. Instead, Key Storage Drive plays the role that a USB startup key plays on physical hardware: the startup key is written to the 42MB virtual volume that we just formatted in Disk Management. Note that this volume is not a VHD/X file; Hyper-V stores it, encrypted with the virtual machine's key protector, as part of the virtual machine's configuration. On a host that is not part of a guarded fabric, that key protector is a local certificate on the host, so a host administrator can still unlock the disks. What this setup protects against is the VHD/X files being copied off the host and mounted elsewhere.

We need to configure Group or Local Policy to enable BitLocker without the presence of a TPM chip in the virtual machine. My machine is not domain joined, so I will use the Local Group Policy Editor (GPEDIT.MSC). You should use Group Policy Objects (GPOs) to configure domain-joined virtual machines. The required setting can be found at Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives. The setting is Require Additional Authentication At Startup; enable it and tick Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive), as shown in the screenshot below:

Enable Hyper-V Key Storage Drive using Require Additional Authentication At Startup policy [Image Credit: Aidan Finn]
Remember to force a local/group policy update in the guest OS of the virtual machine by running GPUPDATE /FORCE.
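For a standalone guest, or to verify what the policy actually wrote, here is the registry form of the same setting as an added example that is not part of the original post. The values are the ones the Require Additional Authentication At Startup policy stores under HKLM\SOFTWARE\Policies\Microsoft\FVE: UseAdvancedStartup turns the policy on, EnableBDEWithNoTPM is the "Allow BitLocker without a compatible TPM" checkbox, and the four Use* values set to 2 mean "allow" for each TPM option (the policy's defaults). The function names are this example's own.

```powershell
# Added example (not from the original post): write and verify the registry values
# behind "Require additional authentication at startup" with the no-TPM checkbox.
# On a domain-joined guest set these through a GPO instead; a later Group Policy
# refresh will overwrite anything written here by hand.

$fvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$expected = @{
    UseAdvancedStartup = 1   # policy enabled
    EnableBDEWithNoTPM = 1   # "Allow BitLocker without a compatible TPM"
    UseTPM             = 2   # 2 = allow, 1 = require, 0 = do not allow
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}

function Set-BitLockerNoTpmPolicy {
    if (-not (Test-Path $fvePolicyKey)) { New-Item -Path $fvePolicyKey -Force | Out-Null }
    foreach ($name in $expected.Keys) {
        New-ItemProperty -Path $fvePolicyKey -Name $name -PropertyType DWord `
            -Value $expected[$name] -Force | Out-Null
    }
}

function Test-BitLockerNoTpmPolicy {
    # Returns $true only if every value is present with the expected data.
    if (-not (Test-Path $fvePolicyKey)) { return $false }
    $actual = Get-ItemProperty -Path $fvePolicyKey
    foreach ($name in $expected.Keys) {
        if ($actual.$name -ne $expected[$name]) {
            Write-Warning "$name is '$($actual.$name)', expected $($expected[$name])"
            return $false
        }
    }
    return $true
}

Set-BitLockerNoTpmPolicy
if (Test-BitLockerNoTpmPolicy) { 'BitLocker can now be enabled without a TPM.' }
```

Test-BitLockerNoTpmPolicy is also a useful pre-flight check after GPUPDATE /FORCE on a domain-joined guest: if it returns $false, Enable-BitLocker with a startup key protector will fail with a TPM error.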

Enable BitLocker

We will use PowerShell to enable the BitLocker feature in the guest OS of the virtual machine, and then run a second cmdlet to start the encryption process.

First, we will enable the BitLocker feature (and all the management pieces) and perform a reboot automatically; remove the -Restart flag if you want to delay the reboot until later, but you will need to reboot to encrypt the disks:

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart

You can then encrypt the C: drive of your virtual machine using PowerShell; note that Z: is my key storage drive:
Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath Z:

You can re-run the Enable-BitLocker cmdlet to specify other volumes to encrypt in the virtual machine. I added a data volume (E:) to the virtual machine and encrypted it as follows:
Enable-BitLocker E: -StartupKeyProtector -StartupKeyPath Z: -UsedSpaceOnly

Note that the -UsedSpaceOnly parameter should be used on thinly provisioned (dynamically expanding) virtual hard disks: full-volume encryption writes to every sector, which would inflate a dynamic VHD/X to its maximum size. It also speeds up the initial encryption, because only the space that is already in use is encrypted; new data is encrypted as it is written.

You can query the progress of the initial encryption of your virtual machine's disks by running Get-BitLockerVolume in the guest OS; the VolumeStatus and EncryptionPercentage properties show how far along each volume is, and ProtectionStatus shows whether the protectors are active.
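The enable steps above as one script, with the checks a practitioner wants before and after, as an added example that is not part of the original post. It assumes the Key Storage Drive is Z:, that C: is encrypted in full and E: (on a dynamically expanding VHDX) with used space only, and that the no-TPM policy is already applied. The recovery password protector is an addition to the post's commands, chosen because a startup key on the Key Storage Drive is otherwise the only way to unlock the volumes; the function name is this example's own.

```powershell
# Added example (not from the original post): the post's Enable-BitLocker steps as one
# script with pre-flight checks and a recovery password safety net.
# Assumptions: KSD is Z:, C: gets full encryption, E: is on a dynamic VHDX (used space
# only), and the "Require additional authentication at startup" policy is in place.

param(
    [string]$KeyStorageDrive        = 'Z:',
    [string[]]$FullVolumes          = @('C:'),
    [string[]]$UsedSpaceOnlyVolumes = @('E:')
)

# 1. The BitLocker feature must be present; install it (reboot required) if it is not.
if (-not (Get-WindowsFeature BitLocker).Installed) {
    Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
    return
}

# 2. Refuse to continue if the no-TPM policy is missing; Enable-BitLocker would fail
#    with a TPM error otherwise.
$fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($fve.EnableBDEWithNoTPM -ne 1) {
    throw 'Policy "Require additional authentication at startup" with "Allow BitLocker without a compatible TPM" is not applied.'
}

# 3. The Key Storage Drive must be a formatted volume, or the startup key cannot be written.
if (-not (Get-Volume -DriveLetter $KeyStorageDrive.TrimEnd(':') -ErrorAction SilentlyContinue)) {
    throw "Key Storage Drive $KeyStorageDrive is not a formatted volume."
}

function Protect-Volume {
    param([string]$MountPoint, [switch]$UsedSpaceOnly)
    $bv = Get-BitLockerVolume -MountPoint $MountPoint
    if ($bv.VolumeStatus -ne 'FullyDecrypted') {
        Write-Host "$MountPoint is already $($bv.VolumeStatus); skipping."
        return $bv
    }
    # Startup key on the KSD is the unlock method the post uses. For the OS volume,
    # BitLocker may schedule a hardware test, so encryption can start after the next restart.
    Enable-BitLocker -MountPoint $MountPoint -StartupKeyProtector -StartupKeyPath $KeyStorageDrive `
        -UsedSpaceOnly:$UsedSpaceOnly | Out-Null
    # Added safety net: a recovery password. Record it outside the VM; on a domain-joined
    # guest, Backup-BitLockerKeyProtector can escrow it to Active Directory.
    $bv = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp = ($bv.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
    Write-Host "Recovery password for ${MountPoint}: $rp  (store this outside the VM)"
    return Get-BitLockerVolume -MountPoint $MountPoint
}

foreach ($v in $FullVolumes)          { Protect-Volume -MountPoint $v }
foreach ($v in $UsedSpaceOnlyVolumes) { Protect-Volume -MountPoint $v -UsedSpaceOnly }

# 4. Status report; EncryptionPercentage reaches 100 when the initial pass is done.
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
    @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } }
```

Run the status line again after the reboot; every protected volume should list both ExternalKey (the startup key on the Key Storage Drive) and RecoveryPassword under Protectors. Keep the printed recovery passwords somewhere the virtual machine cannot reach, because a copy inside the guest is encrypted along with everything else.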

Testing Encryption

If you want to test how well your Key Storage Drive and BitLocker solution is working, shut down the virtual machine. Double-click one of the encrypted VHD/X files to mount it on the host and see if you can browse it. You should not be able to browse the file system as you would with a non-encrypted volume in a VHD/X file; the volume shows up as locked. Remember to dismount the VHD/X again before starting the virtual machine.
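The same test scripted on the Hyper-V host, as an added example that is not part of the original post. It mounts the VHD/X read-only, reports the BitLocker lock status and whether the host can list each lettered partition, and always dismounts the file afterwards so the virtual machine can start again. The VHDX path and the function name are this example's; it assumes the host has the BitLocker feature installed so that Get-BitLockerVolume is available there (without it the LockStatus column is reported as unknown and only the browse result is meaningful).

```powershell
# Added example (not from the original post): run on the Hyper-V host with the VM
# shut down. Confirms the VHD/X contents are not readable without the Key Storage Drive.
# Assumptions: example VHDX path; host has the BitLocker feature (Get-BitLockerVolume).

function Test-VhdxIsLocked {
    param([Parameter(Mandatory)][string]$Path)

    $disk = Mount-VHD -Path $Path -ReadOnly -PassThru | Get-Disk
    try {
        Start-Sleep -Seconds 2   # give the host a moment to assign drive letters
        foreach ($part in ($disk | Get-Partition | Where-Object DriveLetter)) {
            $mp = "$($part.DriveLetter):"
            $bv = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
            # A locked volume refuses directory listing; SilentlyContinue turns that into $null.
            $browsable = $null -ne (Get-ChildItem -Path $mp -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                Vhdx       = Split-Path $Path -Leaf
                Partition  = $part.PartitionNumber
                MountPoint = $mp
                LockStatus = if ($bv) { $bv.LockStatus } else { 'unknown (no BitLocker feature on host)' }
                Browsable  = $browsable
            }
        }
    }
    finally {
        Dismount-VHD -Path $Path   # always detach, or the VM will not start
    }
}

Test-VhdxIsLocked -Path 'D:\VMs\Gen1VM\Virtual Hard Disks\Gen1VM.vhdx'
```

For an encrypted volume the expected row is LockStatus Locked and Browsable False. The small system partition that Windows Setup creates on the OS disk is not encrypted and will show as Unlocked and browsable; that is normal, because BitLocker needs it to boot.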

Deleting the Key Storage Drive

If you have anything of value in the virtual machine, then do not delete the key storage drive. Doing so will result in a virtual machine that will not start, and because the Enable-BitLocker commands above add only a startup key protector, there is no other protector to fall back on, so you will not be able to recover the data from the disk. If you want a safety net, add a recovery password protector to each volume as well and store the 48-digit recovery password somewhere outside the virtual machine.


Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.
