Hard disk encryption in the cloud | Blog | Xelon AG

Written by Matias Meier | Nov 14, 2019 3:37:00 PM

Every administrator has encrypted a hard disk at some point, be it on a notebook or a computer. But what does it look like in a virtual environment? We'll show you step by step how hard disk encryption in the cloud works and what advantages it has, using Bitlocker as an example.


Bitlocker is often used with Windows operating systems because it is very easy to use. Bitlocker is also included in Windows Server operating systems and can be used there as well. On a root server, as on a notebook or desktop computer, the integrity of the system is checked by means of a TPM module. The advantage is that no password is required when starting the system.

However, there is no TPM module available for virtual systems, such as our cloud servers and our virtual data center Xelon HQ. But there is still a way to use Bitlocker with Windows servers.

Bitlocker hard disk encryption in the cloud

You can use Bitlocker on Windows servers after installing the Windows feature Bitlocker Drive Encryption via the Server Manager.

After the installation and a restart of the operating system, 'BitLocker Drive Encryption' is available for selection in the control panel. If you try to encrypt the system drive now, you only get the message that no compatible TPM module was found. In the local group policy editor, you must therefore configure that a password may be used for startup.

Activate the setting under: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives -> Require additional authentication at startup.

After updating the local GPOs or rebooting the system, the system drive can now be encrypted with a password.

Always store recovery key

It is mandatory to store the recovery key; otherwise, the drive encryption process cannot be started. Bitlocker does not allow you to store the key on the hard disk that is to be encrypted. This makes sense, and it is recommended to 'print' the recovery key. You can use the 'Microsoft Print to PDF' printer for this, save the generated PDF somewhere else, and then have the key available when needed.

Then you should run the "Boot Check" (the BitLocker system check). This way you can be sure that the assigned password can actually be entered via the console before any data is encrypted (the VDC uses the HTML5 console for this). After a reboot, the encryption is started. Depending on the size of the drive, it is completed in a few minutes.

At each boot, the password must now be entered via the console so that the system can be started. If the password is lost, the system can be unlocked using the recovery key previously saved as a PDF. If both components are lost, there is no way to access the data.
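The same procedure (policy change, recovery key stored off the encrypted disk, startup password, boot check) as an elevated PowerShell script; this is an added example, not part of the original post or of Xelon's tooling. It assumes the registry values the Local Group Policy Editor writes for the policy named above, and that D:\bitlocker-recovery.txt lies on a volume that is not being encrypted.

```powershell
# Added example (not from the Xelon post): enable the startup-password
# policy and encrypt C: on a VM without a TPM. Run in an elevated PowerShell.
# D:\bitlocker-recovery.txt is an assumed path on a volume that is NOT being
# encrypted; Bitlocker refuses to keep the recovery key on the encrypted disk.

# 1. Policy "Require additional authentication at startup" with
#    "Allow BitLocker without a compatible TPM" ticked. These registry values
#    correspond to what the Local Group Policy Editor writes for that setting.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup  -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Type DWord -Value 1
foreach ($n in 'UseTPM','UseTPMPIN','UseTPMKey','UseTPMKeyPIN') {
    Set-ItemProperty -Path $fve -Name $n -Type DWord -Value 2   # 2 = allowed
}
gpupdate /force | Out-Null

# 2. Add the recovery password protector first and store it off the disk.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
"C: recovery key ID $($rp.KeyProtectorId): $($rp.RecoveryPassword)" |
    Out-File -FilePath 'D:\bitlocker-recovery.txt' -Encoding utf8

# 3. Startup password protector plus encryption. Without -SkipHardwareTest,
#    Enable-BitLocker schedules the "boot check": the next reboot must succeed
#    with the password typed at the console before encryption actually begins.
$pw = Read-Host -Prompt 'Startup password' -AsSecureString
Enable-BitLocker -MountPoint 'C:' -PasswordProtector -Password $pw `
    -EncryptionMethod XtsAes256 -UsedSpaceOnly

# 4. Verify that both protector types are present before rebooting; after the
#    reboot, run the same command again to watch EncryptionPercentage rise.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object VolumeStatus, EncryptionPercentage, ProtectionStatus,
        @{n='Protectors'; e={ ($_.KeyProtector.KeyProtectorType) -join ',' }}
Restart-Computer -Confirm
```

If the recovery key ever has to be used, the 48-digit RecoveryPassword from the file (or the printed PDF) is what the pre-boot recovery screen asks for, identified by the KeyProtectorId shown there.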

Of course, you can also use third-party tools like VeraCrypt for Linux/Windows or the standard tool LUKS for Linux.

All right? If not, feel free to send us your question by mail; we will be happy to help you.