In this post, we are going to see how to encrypt a virtual machine using BitLocker (OS-level encryption).
At a high level this consists of 3 steps:
- Add a Key Provider in vCenter
- Add a vTPM module to the VM
- Install BitLocker and encrypt the drives.
Configuring Key Providers:
Starting from vSphere 7.0U2 we have the Native Key Provider. The article below explains the prerequisites and the steps to configure the Native Key Provider in vCenter.
Configuring vTPM:
Once the key provider has been added successfully, go to the VM's Edit Settings and add a TPM module. The document below explains the prerequisites and the steps to add the TPM.
Once these are configured, the OS team should be able to encrypt the VMs using BitLocker.
By default, virtual machine disks are detected as removable drives by the guest OS. Because of this, you will not find an option to auto-unlock the drive while enabling BitLocker. To have them detected as fixed data drives, add the entry devices.hotplug = FALSE to the VM's .vmx configuration file. The KB article below explains this.
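The steps above, as an added PowerShell example that is not part of the original post: the first function is run from a PowerCLI session already connected to vCenter and applies the devices.hotplug setting; the rest runs elevated inside the guest after the vTPM has been added, checks that the vTPM is ready and that data volumes show as Fixed, then enables BitLocker with auto-unlock. The VM name and drive letters are placeholders.

```powershell
# vSphere side (PowerCLI, assumed connected with Connect-VIServer).
# Apply with the VM powered off; the guest sees the disks as fixed on next boot.
function Set-VmFixedDisks {
    param([Parameter(Mandatory)][string]$VmName)   # placeholder VM name
    $vm = Get-VM -Name $VmName
    New-AdvancedSetting -Entity $vm -Name 'devices.hotplug' -Value 'FALSE' `
        -Confirm:$false -Force | Out-Null
}

# Guest side: confirm the vTPM is usable and flag volumes still seen as Removable,
# which is the symptom of devices.hotplug not being set.
function Test-BitLockerPrereqs {
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'vTPM not present or not ready; add the TPM device in vCenter first.'
    }
    Get-Volume | Where-Object { $_.DriveLetter -and $_.DriveType -eq 'Removable' } |
        ForEach-Object {
            Write-Warning ("{0}: reported as Removable; set devices.hotplug = FALSE " +
                           "in the VMX or auto-unlock will not be offered." -f $_.DriveLetter)
        }
}

# Guest side: OS volume sealed to the vTPM, data volumes unlocked automatically
# from the OS volume, and a recovery password on every volume for break-glass access.
function Enable-VmBitLocker {
    param([string]$OsDrive = 'C:', [string[]]$DataDrives = @('D:'))  # placeholders
    Test-BitLockerPrereqs
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
        -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
    foreach ($d in $DataDrives) {
        Enable-BitLocker -MountPoint $d -EncryptionMethod XtsAes256 `
            -RecoveryPasswordProtector -UsedSpaceOnly | Out-Null
        # Only offered for Fixed data drives; this is the option missing on Removable ones.
        Enable-BitLockerAutoUnlock -MountPoint $d
    }
    # Store the recovery passwords (e.g. in AD or a vault) before relying on the volumes.
    Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
        @{ n = 'RecoveryPasswords'; e = { ($_.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword } }
}
```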
