In this article we will review the installation of Bitlocker with the TPM module on the Hyper-V Server 2012 R2 Core.
Bitlocker is a built-in Windows utility that protects data at rest with encryption. Bitlocker uses the AES algorithm with 128-bit keys; for stronger protection, the key length can be increased to 256 bits. By default, the TPM stores the encryption key and releases it only when the boot measurements are intact. The TPM is a chip built into the PC motherboard that measures the code run during OS boot, computes hash values of it, and stores the results in special registers called PCRs (Platform Configuration Registers). More information on TPM and Bitlocker is available on Microsoft’s official website.
Preparing the Hyper-V Server 2012 R2, Server Core
Typically, TPM support is turned off and must first be enabled in the BIOS settings. Because we are using the Core version of the operating system, we cannot open the standard Device Manager to confirm that the TPM is visible to Windows. Instead, we will use a PowerShell module developed in the Microsoft Partner & Customer Solutions Blog:
Import the module with the following command (Ipmo is the built-in alias for Import-Module):
Ipmo .\ScriptName.psd1 -Verbose
PS C:\> Ipmo .\DeviceManagement.psd1 -Verbose
VERBOSE: Loading module from path
'C:\DeviceManagement.psd1'.
VERBOSE: Importing cmdlet 'Disable-Device'.
VERBOSE: Importing cmdlet 'Enable-Device'.
VERBOSE: Importing cmdlet 'Get-Device'.
VERBOSE: Importing cmdlet 'Get-Driver'.
VERBOSE: Importing cmdlet 'Get-NUMA'.
VERBOSE: Importing cmdlet 'Install-DeviceDriver'.
To view all devices in the system, use this command:
Get-Device | Sort-Object -Property Name | ft Name, DriverVersion
If the TPM is enabled, it will appear in the list of devices:
PS C:\> Get-Device | Sort-Object -Property Name | ft Name, DriverVersion
…
Trusted Platform Module 1.2 6.3.9600.16384
On Hyper-V Server 2012 R2 Core, the TPM is managed with the TPM PowerShell cmdlets, which ship as an optional feature enabled by the following command:
dism /online /enable-feature /FeatureName:tpm-psh-cmdlets
PS C:\> dism /online /enable-feature /FeatureName:tpm-psh-cmdlets
Deployment Image Servicing and Management tool
Version: 6.3.9600.16384
Image Version: 6.3.9600.16384
Enabling feature(s)
[==========================100.0%==========================]
The operation completed successfully.
A detailed description of all TPM cmdlets: http://blogs.technet.com/b/wincat/archive/2012/09/06/device-management-powershell-cmdlets-sample-an-introduction.aspx
To view the TPM settings, use this command:
PS C:\> Get-TPM
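As an added example that is not part of the original article, the following function wraps Get-TPM in a readiness check, so that the protector configuration below is attempted only when the TPM reports itself present, ready, enabled, activated, owned and not locked out. The property names (TpmPresent, TpmReady, TpmEnabled, TpmActivated, TpmOwned, LockedOut, ManufacturerIdTxt, ManufacturerVersion) are those exposed by the Get-Tpm output object; the function itself and its name are an illustration, not part of the article's procedure.

```powershell
# Added example: verify the TPM state reported by Get-Tpm before configuring BitLocker.
# Requires the tpm-psh-cmdlets feature enabled with the dism command above.
function Test-TpmReadyForBitLocker {
    [CmdletBinding()]
    param()

    $tpm = Get-Tpm

    # Each entry is a condition BitLocker relies on; every value must be $true.
    $checks = [ordered]@{
        'TpmPresent'   = $tpm.TpmPresent
        'TpmReady'     = $tpm.TpmReady
        'TpmEnabled'   = $tpm.TpmEnabled
        'TpmActivated' = $tpm.TpmActivated
        'TpmOwned'     = $tpm.TpmOwned
        'NotLockedOut' = -not $tpm.LockedOut
    }

    $failed = @($checks.GetEnumerator() |
        Where-Object { -not $_.Value } |
        ForEach-Object { $_.Key })

    if ($failed.Count -gt 0) {
        Write-Warning ("TPM is not ready for BitLocker; failing checks: {0}" -f ($failed -join ', '))
        if ($failed -contains 'TpmOwned') {
            # Initialize-Tpm (same module) takes ownership of an enabled, activated TPM.
            Write-Warning "Run Initialize-Tpm to take ownership of the TPM, then re-run this check."
        }
        if ($failed -contains 'NotLockedOut') {
            # A lockout means too many failed authorization attempts; it clears on its own with time.
            Write-Warning ("TPM is in lockout ({0}/{1} failures); wait before retrying." -f $tpm.LockoutCount, $tpm.LockoutMax)
        }
        return $false
    }

    Write-Verbose ("TPM {0} from {1} is ready for BitLocker." -f $tpm.ManufacturerVersion, $tpm.ManufacturerIdTxt)
    return $true
}

# Usage: stop here if the TPM cannot protect the key.
if (-not (Test-TpmReadyForBitLocker -Verbose)) {
    throw 'TPM not ready; fix the reported conditions before adding protectors.'
}
```

The check is deliberately strict: a TPM that is present but not owned, or that is in lockout, will let manage-bde add a protector yet fail to unseal the key at boot, which is exactly the situation the recovery password in the next section exists to cover.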
Protector configuration
For disk encryption, you need to specify where the encryption key is stored and what can unlock it. In our case, we will use two key protectors: the TPM for normal boot, and a recovery password as the fallback that lets us unlock the drive if the TPM cannot release the key.
To configure the protectors, we will use the built-in manage-bde utility.
Add the TPM module as a protector:
manage-bde -protectors -add C: -tpm
PS C:\Users\Administrator> manage-bde -protectors -add G: -tpm
BitLocker Drive Encryption: Configuration Tool version 6.3.9600
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Key Protectors Added:
TPM:
ID: {BC0479C0-96DB-42D4-8C28-957385B9D8D9}
PCR Validation Profile:
0, 2, 4, 8, 9, 10, 11
The PCR Validation Profile lists the registers whose boot measurements must match the sealed values before the TPM releases the key. After the TPM protector has been added, we add a recovery password and start encryption with the following command:
manage-bde -on -recoverypassword C:
Following the prompts, save the auto-generated recovery password in a safe place off the server and complete the procedure as described in the figure below.
To check the encryption status and progress after the server restarts, use this command:
manage-bde.exe -status C:
PS C:\> manage-bde.exe -status C:
BitLocker Drive Encryption: Configuration Tool version 6.3.9600
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Volume C: []
[OS Volume]
Size: 464.44 GB
BitLocker Version: 2.0
Conversion Status: Fully Encrypted
Percentage Encrypted: 100.0%
Encryption Method: AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
Key Protectors:
TPM
Numerical Password
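The whole protector procedure (recovery password, TPM protector, encryption, status check) can also be scripted, which matters on a Core server with no GUI to save the password from. The script below is an added example, not part of the original article, and uses the BitLocker PowerShell module (Get-BitLockerVolume, Add-BitLockerKeyProtector, Enable-BitLocker) rather than manage-bde; it assumes that module is installed on the Core server along with the BitLocker feature. The function names, the $RecoveryBackupPath placeholder and the compliance object are this example's own; nothing in it is a cmdlet or path from the article.

```powershell
# Added example (not the article's code): configure the same two protectors as the
# manage-bde steps above, save the recovery password off-box, and verify the result.
# Assumes the BitLocker PowerShell module is available and the TPM check has passed.

function Enable-OsVolumeBitLocker {
    [CmdletBinding()]
    param(
        [string]$MountPoint = 'C:',
        [ValidateSet('Aes128', 'Aes256')]
        [string]$EncryptionMethod = 'Aes256',                  # article notes 256-bit is available
        [string]$RecoveryBackupPath = '\\BACKUPSERVER\bitlocker-keys'  # PLACEHOLDER share, not a real path
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # 1. Recovery password protector first: it is the only way back in when PCR
    #    measurements change (firmware update, boot order change) and the TPM will not unseal.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    }

    # 2. TPM protector and encryption. Enable-BitLocker runs a hardware test at the next
    #    reboot, which is why the article checks status only after restarting the server.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        $vol = Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $EncryptionMethod -TpmProtector
    } elseif (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector
    }

    # 3. Record the recovery password off the encrypted volume, keyed by protector ID so the
    #    right one is found at the recovery prompt. In a domain, Backup-BitLockerKeyProtector
    #    escrows it to AD DS instead of a file; restrict the share ACL either way.
    $rp = $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -First 1
    $file = Join-Path $RecoveryBackupPath ("{0}_{1}.txt" -f $env:COMPUTERNAME, $rp.KeyProtectorId.Trim('{}'))
    @(
        "Computer: $env:COMPUTERNAME"
        "Volume: $MountPoint"
        "Protector ID: $($rp.KeyProtectorId)"
        "Recovery Password: $($rp.RecoveryPassword)"
    ) | Out-File -FilePath $file -Encoding ascii

    return $vol
}

# Equivalent of the manage-bde -status check, reduced to the properties worth alerting on.
function Test-OsVolumeBitLocker {
    param([string]$MountPoint = 'C:')

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        EncryptionMethod = $vol.EncryptionMethod
        VolumeStatus     = $vol.VolumeStatus          # FullyEncrypted once conversion finishes
        ProtectionStatus = $vol.ProtectionStatus      # On only after the post-reboot hardware test
        HasTpmProtector  = ($types -contains 'Tpm')
        HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        Compliant        = ($vol.ProtectionStatus -eq 'On') -and
                           ($types -contains 'Tpm') -and
                           ($types -contains 'RecoveryPassword')
    }
}

# Usage: run the first function, restart the server, then run the second.
Enable-OsVolumeBitLocker -MountPoint 'C:' -Verbose
Test-OsVolumeBitLocker -MountPoint 'C:' | Format-List
```

The ordering is deliberate: the recovery password is created and written out before Enable-BitLocker, so a failed hardware test or a PCR mismatch on the first reboot can never leave the volume with a TPM protector and no recorded fallback. Test-OsVolumeBitLocker returns Compliant only when the status matches what the article's final manage-bde output shows (Protection On, with both a TPM and a Numerical Password protector).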