Bitlocker Drive Encryption Sunday, March 15, 2015 5:11 AM
BitLocker is a drive encryption feature that was introduced in Windows Vista and Windows Server 2008, but it is only available in selected editions of Windows. Using BitLocker, a user can protect disk drives against unauthorized access. BitLocker has the following features:
• BitLocker can encrypt the entire hard disk or only the used portion of the hard disk.
• It can be combined with EFS (Encrypting File System).
• BitLocker is fully compatible with a TPM, the hardware device we can use to protect the encryption keys. Using this feature we can even encrypt the system drive.
• Using Group Policy we can configure BitLocker options.
• Recovery keys can be managed centrally.
In Windows Server 2012/2012 R2, BitLocker is an on-demand feature. Using Group Policy we can also centrally manage BitLocker encryption.
Step by step: configuring BitLocker in an enterprise environment.
Configure Group Policy for BitLocker
i. Create a Group Policy object (GPO name: Bitlockerconfig)
ii. Assign the policy to the domain
iii. Make the following changes
a. All the BitLocker-related settings are found under "Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption"
LabGuides Page 1
b. With BitLocker, Group Policy settings can be configured separately for Fixed Data Drives, Removable Data Drives, or Operating System Drives. Expanding the BitLocker Drive Encryption folder shows all the available options. In this guide we are going to manage BitLocker on a fixed drive.
c. Inside the Fixed Data Drives folder there are several Group Policy settings. We are going to enable the last one ("Choose how BitLocker-protected fixed drives can be recovered"). With this setting we can specify how the recovery passwords of BitLocker-encrypted fixed drives are stored and recovered. Here I chose to save all the BitLocker recovery information to AD DS.
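Before encrypting anything on the file server it is worth confirming that this policy actually reached the machine, because the AD DS backup only happens if the setting is in effect when the recovery protector is created. The following is an added example, not part of the original lab guide: it reads the registry values Group Policy writes for this setting under HKLM:\SOFTWARE\Policies\Microsoft\FVE. The value names used (FDVRecovery, FDVActiveDirectoryBackup, FDVRequireActiveDirectoryBackup, FDVActiveDirectoryInfoToStore) are taken from the BitLocker ADMX and should be confirmed against VolumeEncryption.admx in your central store; the function name is my own.

```powershell
# Added example: verify on the target server that the fixed-drive recovery policy applied.
# Run as Administrator after "gpupdate /force".
function Test-FdvRecoveryPolicy {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

    if (-not (Test-Path -Path $fve)) {
        # No policy key at all: the GPO is not linked/applied to this computer.
        return [pscustomobject]@{
            PolicyApplied = $false
            Reason        = "No BitLocker policy key at $fve; check GPO link and run gpupdate /force"
        }
    }

    $p = Get-ItemProperty -Path $fve

    [pscustomobject]@{
        # 1 = "Choose how BitLocker-protected fixed drives can be recovered" is Enabled
        PolicyApplied      = ($p.FDVRecovery -eq 1)
        # 1 = "Save BitLocker recovery information to AD DS for fixed data drives" is ticked
        BackupToADDS       = ($p.FDVActiveDirectoryBackup -eq 1)
        # 1 = BitLocker refuses to enable unless the AD DS backup succeeds (recommended)
        RequireADDSBackup  = ($p.FDVRequireActiveDirectoryBackup -eq 1)
        # Raw value of "Configure storage of BitLocker recovery information to AD DS"
        # (assumed mapping: 1 = passwords and key packages, 2 = recovery passwords only)
        InfoToStore        = $p.FDVActiveDirectoryInfoToStore
    }
}

Test-FdvRecoveryPolicy | Format-List
```

If PolicyApplied is $false, fix the GPO link or scope before running "Turn on BitLocker"; if BackupToADDS is $true but RequireADDSBackup is $false, a drive can still be encrypted while the domain controller is unreachable, leaving no recovery password in AD DS.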
Enable BitLocker in Server 2012 R2 (File Server)
a. Open Server Manager, go to Manage > "Add Roles and Features" and add "BitLocker Drive Encryption" from the Features list. It will automatically add the "Enhanced Storage" feature as well.
b. Once it is complete, we have to restart the server.
BitLocker encryption on a disk drive
a. Now we can enable BitLocker on our data drive (E: drive). Just right-click the drive and select "Turn on BitLocker".
b. Enter the password for BitLocker encryption of this E: drive.
c. We have three options for keeping the recovery key.
d. Now we can start the encryption.
Manage BitLocker
To manage BitLocker, the easiest way is to use the PowerShell cmdlets that come in the BitLocker module. We can view those commands using the Get-Command -Module BitLocker cmdlet.
When we log in to our server, the E: drive shows as an unlocked drive.
How to lock a BitLocker-encrypted drive
a. Open PowerShell > we can use the Lock-BitLocker -MountPoint "E:\" cmdlet to lock the drive.
b. After that it is locked and prompts for a password when we try to open it.
*If we don't have the password (forgotten password), we have to click on "More options" and fall back to the recovery key.
How to recover a BitLocker-encrypted drive when the password is forgotten or lost
a. We can use the recovery key saved on a local drive.
*But this is not good practice; the file can go missing at any time.
b. From an administrator's point of view, the easiest way is to recover the encryption key from Active Directory (we enabled this through Group Policy). To get the recovery key from Active Directory, open "Active Directory Users and Computers" > right-click the computer whose BitLocker recovery key we want > select the "BitLocker Recovery" tab and read the recovery key.
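The GUI steps above (turn on BitLocker with a password, keep a recovery key, lock the drive, recover from AD DS) can all be scripted with the BitLocker module the guide mentions, which is what you want on a file server you manage remotely. The following is an added example and not code from the original lab guide. It assumes the BitLocker feature is installed, E: is the data drive, the fixed-drive recovery policy from the first section is applied so that recovery passwords are backed up to AD DS, and the RSAT ActiveDirectory module is present for the recovery lookup; the two function names are my own.

```powershell
# Added example: enable, protect, lock and recover a BitLocker data drive with PowerShell.
Import-Module BitLocker
$Drive = 'E:'

# 1. Turn on BitLocker with a password protector (same as the "Turn on BitLocker" wizard).
#    Aes256 is chosen explicitly; the 2012 R2 default is Aes128. -UsedSpaceOnly matches
#    the "encrypt used disk space only" option for a new, mostly empty drive.
$pw = Read-Host -AsSecureString -Prompt "Password for $Drive"
Enable-BitLocker -MountPoint $Drive -PasswordProtector -Password $pw `
    -EncryptionMethod Aes256 -UsedSpaceOnly

# 2. Add a 48-digit numerical recovery password and push it to the computer object in AD DS.
#    With the GPO applied this happens automatically; Backup-BitLockerKeyProtector makes it
#    explicit and fails loudly if the domain controller cannot be reached.
Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $rp.KeyProtectorId

# 3. Report the volume state: expect ProtectionStatus On and both protector types present.
function Get-DriveProtectionSummary ($MountPoint) {
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        Drive            = $MountPoint
        ProtectionStatus = $v.ProtectionStatus
        LockStatus       = $v.LockStatus
        PercentEncrypted = $v.EncryptionPercentage
        Protectors       = ($v.KeyProtector.KeyProtectorType -join ', ')
    }
}
Get-DriveProtectionSummary -MountPoint $Drive

# 4. Lock the drive (the Lock-BitLocker step in the guide) and unlock it again with the password.
#    -ForceDismount closes open handles; only data drives can be locked, never the OS drive.
Lock-BitLocker -MountPoint $Drive -ForceDismount
Unlock-BitLocker -MountPoint $Drive -Password $pw

# 5. Recovery path: read the recovery password back from AD DS instead of the GUI tab.
#    Each backup is an msFVE-RecoveryInformation object under the computer object; its
#    msFVE-RecoveryGuid matches the protector's KeyProtectorId on the volume.
function Get-AdRecoveryPassword ($ComputerName) {
    Import-Module ActiveDirectory
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -SearchBase $dn -SearchScope OneLevel `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated' |
    Select-Object whenCreated,
        @{ n = 'KeyProtectorId';   e = { '{' + $_.'msFVE-RecoveryGuid' + '}' } },
        @{ n = 'RecoveryPassword'; e = { $_.'msFVE-RecoveryPassword' } }
}

# Usage when the password is lost (run with an account allowed to read msFVE-RecoveryPassword):
#   Get-AdRecoveryPassword -ComputerName $env:COMPUTERNAME
#   Unlock-BitLocker -MountPoint $Drive -RecoveryPassword '<48-digit password from AD DS>'
```

Reading msFVE-RecoveryPassword from AD DS is equivalent to holding the recovery key, so delegate that attribute only to the administrators who perform recovery, and treat the Backup-BitLockerKeyProtector call failing as a stop condition rather than something to retry later.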