Introduction: In this section let's see how BitLocker is configured in Windows Server 2012 and Windows 8.
When a laptop is stolen or lost, unauthorized users can gain access to personal and corporate data. Even when a computer is password protected, data can easily be retrieved by removing the hard drive and mounting it on a different computer. BitLocker is an encryption platform developed by Microsoft that mitigates this type of issue. The feature was introduced in Windows Vista and allows users to encrypt data natively. BitLocker has improved over the years, and I will go over these features in this article. BitLocker can also be used with hardware encryption devices such as a TPM (Trusted Platform Module). Most enterprise-class laptops, such as the Lenovo T410, are built with a TPM device. Combining these two technologies provides the best offline protection against data theft. Consumer-class computers that do not have a TPM device can use a USB drive to work with BitLocker encryption.
BitLocker Requirements
- TPM version 1.2 or later for the TPM system integrity check
- If a TPM is not available, a USB drive for the startup key
- NTFS file system
- The system partition (350MB) and the OS partition must be separate
Below are the new BitLocker features introduced in Windows Server 2012 and Windows 8:
Shared Storage Support
BitLocker now allows encryption of Windows Failover Cluster shared volumes.
BitLocker Pre-provisioning
Allows system administrators to deploy Windows Server 2012 in an encrypted state during installation.
Faster Encryption Time
Windows Server 2012 introduces the Used Disk Space Only encryption feature, which encrypts only the disk space currently in use. This gives a much faster end-user experience.
PIN or Password Change for Users
This enables regular users to change the PIN or password of BitLocker volumes.
Hardware Encrypted Drives Support
Windows Server 2012 now supports drives that are encrypted at the hardware level.
How BitLocker Works
The TPM, or Trusted Platform Module, is a hardware chip that is usually attached to the mainboard. This device allows management of encryption keys. The TPM's purpose is to store the encryption keys so that the encrypted drive can only be decrypted on the device it was encrypted on. This double-protection architecture provides high security without complex management. The TPM must be in the "Owned and turned on" state for BitLocker to encrypt a drive. The TPM Management console on Windows Server 2012 / Windows 8 allows users to initialize the TPM. Additionally, you can change the state of the TPM, change the owner password, and reset the TPM lockout.
Configuring TPM
You can use the "Prepare the TPM" option under "Actions" to initialize the TPM module. Once it is initialized, configure the TPM owner password and store the .TPM file in a secure location. Note that the TPM owner password can also be stored in Active Directory, which uses the "ms-TPM-OwnerInformationForComputer" property.
Disabling TPM
To disable the TPM, simply use the "Turn TPM Off" option under the Actions pane in the TPM Management console. You need the owner password or the owner password file.
To Install BitLocker in Windows Server 2012
- Install the "BitLocker Drive Encryption" and "Enhanced Storage" features. Note that you can also use the PowerShell command below:
Install-WindowsFeature BitLocker -IncludeAllSubFeature
- Now you can turn on BitLocker by going to Control Panel > BitLocker Drive Encryption
- Or you can right-click any hard drive and choose "Manage BitLocker"
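The install procedure above, scripted end to end as an added PowerShell example (not from the original post): it checks the TPM state the way the TPM Management console does, installs the feature, and enables BitLocker on the OS volume with the Used Disk Space Only option described earlier, escrowing a recovery password to Active Directory. Assumptions: an elevated session on a domain-joined Windows Server 2012 machine with a TPM and the OS on C:.

```powershell
# Added example, not part of the original post. Assumes an elevated
# PowerShell session on a domain-joined Windows Server 2012 host with a
# TPM and the operating system on C:.

# 1. Confirm the TPM is present and ready ("Owned and turned on").
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    throw "No TPM found: use a USB startup key instead of a TPM protector."
}
if (-not $tpm.TpmReady) {
    # Same as "Prepare the TPM" in the TPM Management console.
    Initialize-Tpm
}

# 2. Install the BitLocker feature and its management tools.
Install-WindowsFeature BitLocker -IncludeAllSubFeature

# 3. Add a recovery password first, so the volume stays unlockable if the
#    TPM measurements change later (firmware update, board replacement).
$vol = Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }

# 4. Escrow that recovery password in Active Directory (domain-joined only).
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $rp.KeyProtectorId

# 5. Enable BitLocker on C: with a TPM protector, encrypting only the used
#    disk space (the faster Windows Server 2012 option). -SkipHardwareTest
#    avoids the reboot-and-test step; drop it to run the hardware test.
Enable-BitLocker -MountPoint "C:" -TpmProtector -UsedSpaceOnly `
    -EncryptionMethod Aes256 -SkipHardwareTest

# 6. Verify status, protection state and encryption progress.
Get-BitLockerVolume -MountPoint "C:" |
    Format-List VolumeStatus, ProtectionStatus, EncryptionPercentage, KeyProtector
```

Print and store the recovery password from $rp.RecoveryPassword in a secure location as well, in case the Active Directory backup is unavailable at recovery time.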