

Encrypting guest virtual machines is another layer of protection you can add in Hyper-V. Why would an admin want to do this? Because while encrypting the Hyper-V Host itself can protect against stolen physical disks, enabling BitLocker inside your virtual machines protects against stolen virtual disks as well (e.g. if an attacker were to gain access to an online Hyper-V host and export the VHDX files).

As I mentioned in my previous post, I wouldn’t recommend this option unless you have Windows Server 2016. The reason is, Hyper-V in Windows Server 2016 is the first time we’ve been able to enable a virtual TPM (vTPM) in guest virtual machines.

In earlier versions, admins who wanted to encrypt their guest virtual machines had a couple of workarounds, and there were problems with each of them.

2012 R2 Work-Around #1: Require a startup password / PIN

Nothing inherently wrong with this I suppose, but it means that every reboot (due to updates or otherwise) would require someone to key in the password, or suspend BitLocker and then reboot. If this process were scripted, as I’ve seen in a few cases, it can really put a damper on the protections BitLocker has to offer. Most people don’t realize this, but when the Windows OS is booted, BitLocker is essentially off and the data on your disk is fully accessible. BitLocker is an encryption technology meant to protect against loss/theft, and it makes it difficult or practically impossible for someone to boot the device with an alternate OS (Linux, etc.) and read/copy the data from the disk. Therefore, by suspending BitLocker, the next reboot would occur without requiring a password, meaning that disks could be taken from the host server, and booted elsewhere, without that protection kicking in. So if you’re going to enable a startup password, that’s fine, just don’t do that other thing (e.g. scripting automatic reboots w/ suspension).

2012 R2 Work-Around #2: Attach a floppy disk as VHD to be your startup key

With BitLocker, a key can be stored on a floppy or USB disk, which is then inserted in order to allow the computer to boot. Since you can permanently affix a VHD file to the virtual server, some people have done this to get around the need for entering a password each time. The VHD for this key is not itself encrypted, so anyone with access to this system or the small VHD key file would pwn the virtual machine in pretty short order.

How Windows Server 2016 Solves this with vTPM

Enter Windows Server 2016.
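To audit for the two 2012 R2 workarounds and for guests that still lack a vTPM, here is an added PowerShell check (example code, not from the original post). It assumes the BitLocker module inside the guest, the Hyper-V module on a Server 2016 host, and an elevated session; function names are my own.

```powershell
# Added example, not part of the original post. Assumes the BitLocker module (guest) and the
# Hyper-V PowerShell module (Server 2016+ host); run each function where it applies, elevated.

# Inside a guest: flag a volume whose protection is suspended (still encrypted, but
# ProtectionStatus Off, so the next boot needs no password) and a volume unlocked only by
# an external key file (the floppy-VHD startup-key workaround) or a plain password.
function Test-GuestBitLockerPosture {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        # Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey all bind the key to a (v)TPM.
        $tpmBound = @($types | Where-Object { $_ -like 'Tpm*' })
        $finding  = 'OK'
        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $vol.ProtectionStatus -eq 'Off') {
            $finding = 'SUSPENDED: encrypted, but protection is off until resumed'
        } elseif ($tpmBound.Count -eq 0 -and
                  ($types -contains 'ExternalKey' -or $types -contains 'Password')) {
            $finding = 'WEAK: no TPM protector; unlock relies on key file or password only'
        }
        [pscustomobject]@{
            MountPoint   = $vol.MountPoint
            VolumeStatus = $vol.VolumeStatus
            Protection   = $vol.ProtectionStatus
            Protectors   = ($types -join ',')
            Finding      = $finding
        }
    }
}

# On the Hyper-V host: list guests that cannot hold a TPM-bound BitLocker protector
# because no vTPM is enabled (vTPM also requires a Generation 2 VM).
function Get-VMTpmReport {
    foreach ($vm in Get-VM) {
        $sec = Get-VMSecurity -VMName $vm.Name
        [pscustomobject]@{
            VMName     = $vm.Name
            Generation = $vm.Generation
            TpmEnabled = $sec.TpmEnabled
            Finding    = if ($sec.TpmEnabled) { 'OK' }
                         else { 'No vTPM: guest BitLocker would need a password or key-file workaround' }
        }
    }
}
```

Run `Test-GuestBitLockerPosture | Format-Table -AutoSize` inside each guest and `Get-VMTpmReport | Format-Table -AutoSize` on the host; any SUSPENDED, WEAK or No vTPM row is a guest whose disk would boot elsewhere without BitLocker standing in the way.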
