I'm looking into how to encrypt data at rest in our environment, ideally keeping everything on-premises. We're thinking about using BitLocker on our file server VM, but I'm not experienced with virtual Trusted Platform Modules (vTPM), and I want to ensure that my approach is sound for disaster recovery (DR) scenarios.
Currently, we have an ESXi host running a Windows Server VM that acts as our file server, with an iSCSI SAN for storage and Veeam backups for complete VM recovery. My main goals are to encrypt the data at rest efficiently and maintain a workable DR process.
I plan to enable BitLocker on the VM, attach a vTPM, and use it without any additional PIN or password, relying instead on the automatic unlock for normal operations. However, my concern is how this will play out in a DR scenario—specifically, the use of the BitLocker recovery key and whether I am missing any critical considerations or potential pitfalls.
I've outlined my assumptions about this plan, including how Veeam handles the BitLocker-encrypted disks and the implications of losing the vTPM.
8 Answers
My experience is leaning toward Hyper-V with vTPM, but you might face issues migrating VMs if you don’t export and import your server’s TPM certificates correctly. I suspect VMWare has similar requirements, so check their documentation.
I’m a bit puzzled about the need for BitLocker in a VM context. Isn’t BitLocker mainly for protecting against physical theft? In a VM scenario, should you not focus on storage-level encryption instead?
That’s a fair point! While BitLocker does protect your data in many scenarios, the ideal protection combines both storage level and volume-level encryption for comprehensive security.
I recently faced a similar situation since our SAN lacked built-in encryption. Using BitLocker is straightforward. Just store your recovery key securely—like in a password manager—and consider making the boot key easy to input. The biggest hassle might be entering the recovery key after each reboot, so account for that in your workflow.
I’d suggest focusing on encrypting at the storage layer first. It’s simpler if all you need is encryption at rest. If you're concerned about data loss from your VMDK files, then also applying BitLocker is beneficial—just be aware of the potential downsides, like losing file-level recovery options with Veeam.
Using VMWare's TPM can be useful, but I recommend considering VMDK encryption instead for your file servers. It handles things at the datastore level, which simplifies DR and aligns better with compliance requirements like FIPS. Just remember, if you go with BitLocker, enable it after turning on FIPS to avoid compatibility issues. Overall, focusing on HW/VMWare-level encryption first might keep your setup cleaner for DR scenarios.
Your assumptions look good! Veeam does restore the encrypted disks just fine, assuming you have that recovery key handy. Just make sure that key isn't lost—that’s critical for recovery.
Make sure your backup software supports encrypted volumes well. Veeam does, but if you change backup solutions later, it’s essential to test that the recovery processes work with BitLocker-enabled VMs. For added security, consider using TPM with a PIN alongside the recovery keys.
Have you thought about using OPAL disks for your servers? They could provide you with some advantages in management and security, depending on your specific environment and goals.
BitLocker is indeed an encryption-at-rest solution that guards against unauthorized access if a disk is disposed of improperly, or if someone steals your drive or backups. It's an extra layer of security and helps to deter intruders who might access the data directly.