Skip to main content
Version: Archive

Using BitLocker Volumes with DxEnterprise

Summary

BitLocker is a Microsoft technology that integrates with the operating system to protect your data-at-rest. In general, deployment and management of BitLocker is completely external to DxEnterprise, and has no dependency requirement with DxEnterprise. This article is an example of how to setup BitLocker volumes with DxEnterprise, using a password and bypassing the use of a Trusted Platform Module (TPM). You may deploy any other type of key protector for BitLocker, as applicable to your environment.

Information

To setup BitLocker on a shared DxEnterprise volume follow the below steps.

  1. On each node, run gpedit.msc and browse to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives and enable the option named Configure use of passwords for fixed data drives. This setting allows the use of passwords without using TPM.

  2. On each node, open Server Manager and select Add roles and features. Using the installation wizard, when you get to the Select features page, check the BitLocker Drive Encryption feature and install it. Once complete the BitLocker Drive Encryption option will be available in Control Panel.

  3. On the primary node for the Vhost, where the volume you would like to encrypt is mounted and active, open Control Panel and select the BitLocker Drive Encryption option.

  4. Find the desired volume under the Fixed data drives section and select Turn on BitLocker.

  5. Enter the desired password for the volume. Click Next.

  6. Choose the desired recovery key backup. Click Next.

  7. Choose the desired encryption options. Click Next.

  8. Select the Compatible mode option. Click Next.

  9. Click Start encrypting.

  10. Once encryption is complete, open DxAdmin and select the Vhost where the encrypted volume is attached to the Vhost diskgroup.

  11. In the details pane for the Vhost select the Advanced bar.

  12. Under the Vhost Post-Start script select the "E" on the far right to embed a script.

  13. Select the script extension. In this example PowerShell is being used.

  14. Example PowerShell script to unlock the BitLocker volumes automatically on failover:

    Import-Module bitlocker  
    $SecureString = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
    Unlock-BitLocker -MountPoint "C:\Mounts\Volume-1" -Password $SecureString
  15. Click OK to close the Embedded Script dialogue.

  16. Test failover.

References