VMware Cloud Community
AlbertWT

Implementing Windows Server 2012 Virtual Machine Deployment with BitLocker Data Encryption?

Hi All,

Is it possible to implement the BitLocker Data Encryption feature on my Windows Server 2012 Std Virtual Machine on the VMware vSphere ESXi 5.1 Update 1 platform?

The Hypervisor currently runs on top of HP Blade BL 460c G8 servers. Reading through the Hardware Specs: http://h18001.www1.hp.com/products/quickspecs/14208_na/14208_na.pdf I can see that there is a TPM socket installed in the Blade server, but I'm not sure how to make sure that it is enabled or in use by the Virtual Machine?

Any kind of help would be greatly appreciated.

Thanks in advance

/* Please feel free to provide any comments or input you may have. */
Accepted Solution
Josh26

I had a few goes at this and it doesn't look like you can virtualise a TPM. This would make sense if it were the case - the TPM wasn't designed to handle more than one OS instance.

I ended up performing USB passthrough on a USB stick and having the BitLocker key stored on that stick as a demo. Certainly not a supported operation, but it did demonstrate that key storage appears to be the only issue.

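The answer above comes down to three things a Windows Server 2012 guest has to satisfy before BitLocker can protect its OS volume without a TPM: the guest really sees no TPM, policy permits BitLocker without one, and the volume ends up with a startup key plus a recovery password rather than a TPM protector. The following PowerShell audit is an added example, not code from this thread or from VMware; it assumes the BitLocker and TrustedPlatformModule modules that ship with Windows Server 2012 (the BitLocker feature installed), an elevated session, and a placeholder drive letter for the passed-through USB stick.

```powershell
#Requires -RunAsAdministrator
# Added example: audit a Windows Server 2012 guest for BitLocker-without-TPM
# readiness. Assumes the BitLocker and TrustedPlatformModule modules are present.
Import-Module BitLocker
Import-Module TrustedPlatformModule -ErrorAction SilentlyContinue

function Get-GuestTpmState {
    # A vSphere 5.1 guest has no virtual TPM, so Get-Tpm either throws or
    # reports TpmPresent = $false; both are treated as "no TPM".
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        [pscustomobject]@{ Present = [bool]$tpm.TpmPresent; Ready = [bool]$tpm.TpmReady }
    } catch {
        [pscustomobject]@{ Present = $false; Ready = $false }
    }
}

function Get-NoTpmPolicy {
    # "Require additional authentication at startup" with "Allow BitLocker
    # without a compatible TPM" ticked writes these two values under the FVE key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AdvancedStartup = ($null -ne $p -and $p.UseAdvancedStartup -eq 1)
        AllowNoTpm      = ($null -ne $p -and $p.EnableBDEWithNoTPM -eq 1)
    }
}

function Get-OsVolumeProtection {
    param([string]$MountPoint = $env:SystemDrive)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = [string]$vol.ProtectionStatus   # On / Off
        VolumeStatus     = [string]$vol.VolumeStatus       # FullyEncrypted, FullyDecrypted, ...
        Protectors       = $types
        HasTpm           = [bool]($types | Where-Object { $_ -like 'Tpm*' })
        HasStartupKey    = ($types -contains 'ExternalKey')       # key file on removable media
        HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
    }
}

function Enable-StartupKeyBitLocker {
    # The non-TPM configuration demonstrated in the answer: startup key on a
    # removable volume, plus a recovery password to escrow away from the VM.
    # $StartupKeyDrive is an assumed placeholder, e.g. the passed-through USB stick.
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][string]$StartupKeyDrive   # e.g. 'E:\'
    )
    if (-not (Get-NoTpmPolicy).AllowNoTpm) {
        throw 'Policy does not allow BitLocker without a TPM; set EnableBDEWithNoTPM first.'
    }
    Enable-BitLocker -MountPoint $MountPoint -StartupKeyProtector -StartupKeyPath $StartupKeyDrive -SkipHardwareTest
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
}

# --- audit run (read-only) ---------------------------------------------------
$tpm    = Get-GuestTpmState
$policy = Get-NoTpmPolicy
$os     = Get-OsVolumeProtection
$tpm; $policy; $os

if (-not $tpm.Present -and -not $policy.AllowNoTpm) {
    Write-Warning 'No TPM visible to the guest and policy does not permit BitLocker without one.'
}
if ($os.ProtectionStatus -eq 'On' -and -not $os.HasRecoveryPwd) {
    Write-Warning 'Volume is protected but has no recovery password; a lost startup key means lost data.'
}
```

Running the audit part on a guest shows the situation the answer describes: no TPM, so the only OS-volume protectors available are an ExternalKey (the startup key file the USB passthrough supplies) and a RecoveryPassword. Enable-StartupKeyBitLocker is deliberately not called from the audit; invoke it only after the policy check passes, and store the recovery password outside the VM and outside the same VMFS datastore, since a copy kept next to the VMDK gives the encryption nothing to protect against.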

8 Replies
AlbertWT

Cool, so in this case if somehow I selected a shared network drive or just another small VMDK disk (1.5 GB) stored in the same VMFS, is that going to work?

I need to prepare this VM for the base of my Exchange Server 2013 secure messaging configuration architecture with the encrypted data at rest.

Josh26

I don't believe so, Albert. BitLocker searches for USB devices at a hardware level; I'd be interested in whether you can have any luck having it store the key on anything else.

What is the realistic goal of this encryption though? If someone hacks your server - they are left looking at unencrypted data. If someone hacks an adjacent server and starts snooping on traffic, they are watching unencrypted data. If someone walks in and physically steals your entire server, they take it along with the USB dongle. I don't understand who this form of "encryption" satisfies outside of a marketing department.

AlbertWT

Exactly Josh, I am confused as well here.

I am under the impression that this BitLocker can do the data encryption at rest for the PCI-DSS compliance requirements.

The only solution that I can see supported with Exchange Server 2013 is BitLocker.

Josh26

What PCI-DSS requirement suggests you should encrypt your Exchange data?

Nothing covered by PCI - such as credit card numbers - should ever (EVER!) end up in email, which means your Exchange server should not be covered. I have several PCI audited infrastructures I look after, and I've never encrypted anything but POS databases.

AlbertWT

Josh, in my company, external people / customers send their credit card number through email; the current employees internally don't. That is why it needs to be in scope for the PCI compliance project.

Any idea of what I can do to encrypt the data at rest?

Apart from using BitLocker in the Virtual Machine (VMware KB: BitLocker support in a virtual machine).

Josh26

AlbertWT wrote:

Josh, in my company, External people / customer send their Credit card number through email,

This is a security disaster and there is no way to perform this in any PCI compliant manner. The data is in cleartext from the time it leaves the client to the time it arrives at your server, which is a PCI violation to the point of negligence no matter what you do with your Exchange server.

AlbertWT

I know, there is no way to prevent our customers sending their credit card number to my Credit Card Fraud and Support mailbox. Blocking / dropping the email at the Exchange Server 2013 with the DLP feature is not acceptable to the business owner.

Hence this Email server is now in scope of PCI compliance.

What would people do to secure the Exchange Server in the PCI-DSS project?
