Secure Your Data with Windows Server Encryption & BitLocker. Windows Server Encryption, combined with the encryption tool BitLocker, offers a comprehensive way to safeguard data on Windows Server operating systems. Encrypting files, folders, and disk volumes keeps sensitive information unreadable to anyone without the key, protecting it from unauthorized access and potential breaches. This article explains the idea of Windows Server Encryption, showcases BitLocker's features, and walks readers through putting encryption measures into practice so they can protect their data properly.

Windows Server Encryption: Secure Your Data with Windows Server Encryption & BitLocker

BitLocker isn't just a feature for Windows desktops, laptops, and tablets. It's also available for Windows Server as an installable feature. It is a great way to protect servers in remote locations or hard-to-secure server closets, or to protect the drives of racked servers. This article covers installing and configuring BitLocker on Windows Server 2012 R2, but the steps should also work on later versions.

Overview of BitLocker

BitLocker Drive Encryption gets a lot of attention when it comes to end-user devices such as tablets, laptops, and desktop computers. However, it needs more attention when protecting data on Windows Servers. Do we have a strategy to protect the data stored on our servers using disk encryption?

Most of us tend to have server racks, which makes unauthorized physical access for things such as removing or stealing servers a much harder proposition than with smaller user-type devices. But, since most rack mount servers have hot-swappable hard drives, it becomes very easy for someone with malicious intent to pull hard drives that could contain sensitive data.

Protecting server data is also problematic if we have to deal with shared rooms/closets where we store office equipment. Especially if those are remote/satellite offices without a full-time IT person on staff or where multiple people have access to the room. We use BitLocker to protect our company’s data in these situations.

Prerequisites

As with client systems, BitLocker requires a Trusted Platform Module (TPM) version 1.2 or later. TPM version 2.0 adds some additional features, such as Connected Standby, but most servers don't make use of them. Without a TPM, a USB startup key or a startup password is required at every boot of the server.

The server also needs to be domain-joined because we need a way to back up the BitLocker recovery keys if the server runs into trouble and needs those keys.

For encrypting boot volumes, we have to use physical hardware. Microsoft does not support BitLocker Drive Encryption on boot volumes that are VHD/VHDX files, but does support it on VHD/VHDX data drives. The same applies if we are using VMware.

Importance of Encryption and Bitlocker

Encryption and BitLocker play a crucial role on Windows Servers for several reasons. Firstly, encryption ensures the confidentiality of sensitive data by converting it into an unreadable form that can only be deciphered with the appropriate decryption key. This is vital for protecting information such as personal and financial data, trade secrets, and intellectual property from unauthorized access or data breaches.

Secondly, encryption supports data integrity, helping to ensure the information remains unchanged and uncorrupted during storage or transmission. Unauthorized modifications or tampering attempts can be detected, maintaining the integrity and trustworthiness of the data.

Furthermore, encryption assists in meeting regulatory compliance requirements. Many industries, such as healthcare, finance, and government sectors, have specific data security regulations mandating encryption to protect sensitive information. Organizations fulfil these requirements by implementing encryption with BitLocker on Windows Servers and avoid potential legal and financial consequences.

Additionally, encryption mitigates the risks associated with physical theft or loss of hardware. Suppose a server or storage device containing encrypted data falls into the wrong hands. In that case, the encrypted content remains inaccessible without the proper decryption key, providing extra protection against data breaches.

Overall, encryption and BitLocker are vital tools for Windows Servers as they safeguard confidential data, maintain data integrity, comply with regulations, and provide an additional defence against unauthorized access and potential security incidents.

Installing Bitlocker

Microsoft doesn’t include BitLocker Drive Encryption by default on Windows Server. We need to either use the GUI or run a PowerShell command to install it.

Using the GUI

In the Server Manager, click Add Roles and Features. Click Next on the Before You Begin screen and Next again on the installation type, leaving Role-based or feature-based installation as the default. Select our server and click Next again. Skip Server Roles by clicking Next.

On the Features window, click the BitLocker Drive Encryption check box.

When prompted, select the Include management tools (if applicable) check box and click Add Features.

Click Next when we return to the Select Features window. The install process requires a reboot; select Restart the destination server automatically if required and choose Install. Accept the reboot warning by clicking Yes, then click Install one last time.

Using PowerShell

To install BitLocker Drive Encryption using PowerShell, open the PowerShell console with Administrator rights and run the Install-WindowsFeature command:

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart

Frequently Encountered Error

If we try to use the BitLocker GUI tools by going to Control Panel > BitLocker Drive Encryption or by going to the Start screen and searching for the BitLocker tools by typing “BitLocker,” we may receive some variation of the error below:

If we encounter this error, we resolve it with a second reboot, after the initial reboot needed to install BitLocker on Windows Server.

Configuring Backup of BitLocker Recovery Information

Escrowing our BitLocker recovery information is a crucial step in encrypting our servers. Should something happen to a server that requires this information, not having it means we have to recover the system from a backup. If the machine is in Active Directory, we configure a few settings in Group Policy to ensure we save the recovery information.

In a Group Policy Object (GPO) linked to the Organizational Unit (OU) that holds our servers, right-click the GPO and choose Edit. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Choose how BitLocker-protected operating system drives can be recovered and set it to Enabled.

In addition to the default settings, select the Do not enable BitLocker until recovery information is stored to AD DS for operating system drives check box. I also like to choose Omit recovery options from the BitLocker setup wizard.

Next, we need to do the same for fixed/data drives. Go to Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives > Choose how BitLocker-protected fixed drives can be recovered and set it to Enabled.

As we did for the operating system drives, select the Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives check box. I also like to Omit recovery options from the BitLocker setup wizard for fixed/data drives.
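Before encrypting, it is worth confirming that these two policies have actually reached the server. The following script is an added example, not part of the original article: it reads the BitLocker policy registry key that Group Policy writes and reports each setting discussed above. The registry value names (OSRecovery, OSRequireActiveDirectoryBackup, OSHideRecoveryPage and their FDV counterparts) are assumed to be the ones behind these policies; confirm against your own gpresult output if in doubt.

```powershell
# Added example (not from the article): check that the recovery-escrow GPO
# settings have applied by reading the BitLocker policy registry key.
# Assumption: these value names map to the policies configured above.
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Friendly description -> registry value name. A value of 1 means enabled.
$expected = [ordered]@{
    'OS drives: recovery policy enabled'                   = 'OSRecovery'
    'OS drives: do not enable until stored to AD DS'       = 'OSRequireActiveDirectoryBackup'
    'OS drives: omit recovery options from wizard'         = 'OSHideRecoveryPage'
    'Fixed drives: recovery policy enabled'                = 'FDVRecovery'
    'Fixed drives: do not enable until stored to AD DS'    = 'FDVRequireActiveDirectoryBackup'
    'Fixed drives: omit recovery options from wizard'      = 'FDVHideRecoveryPage'
}

function Test-BitLockerEscrowPolicy {
    if (-not (Test-Path $fvePolicy)) {
        Write-Warning "No BitLocker policy key at $fvePolicy - the GPO has not applied. Run 'gpupdate /force' and re-check."
        return
    }
    $props = Get-ItemProperty -Path $fvePolicy
    foreach ($entry in $expected.GetEnumerator()) {
        # Dynamic property lookup; an unset value comes back as $null.
        $value = $props.($entry.Value)
        [pscustomobject]@{
            Setting = $entry.Key
            Value   = $value
            State   = if ($value -eq 1) { 'OK' } else { 'MISSING' }
        }
    }
}

Test-BitLockerEscrowPolicy | Format-Table -AutoSize
```

Any row reporting MISSING means BitLocker on that server will not be held back until the recovery password is in AD DS, so fix the GPO before running Enable-BitLocker.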

Enabling Bitlocker

The last step in setting up BitLocker on our server is encrypting the drive. As with installing BitLocker, we accomplish this with either the GUI or PowerShell.

Enable BitLocker with the GUI on the OS Drive

To encrypt the operating system drive in the GUI, go to the Control Panel, change the view to Large (or Small) icons, and go to BitLocker Drive Encryption. Click Turn on BitLocker in the Operating System Drive section.

Next, we must select whether we want to Encrypt used disk space only or Encrypt the entire drive. If we work with a brand-new server, used disk space encrypts the drive faster. If we work with a server that has been in use, the entire drive option is preferred so that all space (including free space) is encrypted. Click Next after we have made our selection.

On the last screen, we run a hardware system check by selecting the Run BitLocker system check box. If we choose this box, we have to reboot. Click Start Encrypting to start the encryption process.


Enable BitLocker with PowerShell on the OS Drive

To enable BitLocker on the operating system drive, run the following Enable-Bitlocker command:

Enable-BitLocker -MountPoint "C:" -UsedSpaceOnly -RecoveryPasswordProtector

If we are working with an existing server that’s been in use, we omit the -UsedSpaceOnly parameter so that all drive space on C:\ is encrypted in case any old data is lingering on now-unused portions of the disk. We also add -SkipHardwareTest to remove the required reboot for a hardware check.

Enable BitLocker with the GUI on a Fixed Data Drive

To encrypt a fixed data drive in the GUI, go to the Control Panel, change the view to Large (or Small) icons, and go to BitLocker Drive Encryption. Click Turn on BitLocker in the Fixed Data Drives section.

Next, we choose how the fixed data drive is unlocked. Because this is a server, and we don't want to log in after every reboot to enter a password for the data drive, select Automatically unlock this drive on this computer and then click Next.

Next, we must select whether we want to Encrypt used disk space only or Encrypt the entire drive. If we work with a brand-new server, used disk space encrypts the drive faster. If we are working with a server that has been in use, the entire drive option is preferred so that all space (including free space) is encrypted. Click Next after we have made our selection.

On the last screen, click Start Encrypting to start the encryption process.

Enable BitLocker with PowerShell on a Fixed Data Drive

To enable BitLocker on a fixed data drive, run the following PowerShell command:

Enable-BitLocker -MountPoint "D:" -UsedSpaceOnly -RecoveryPasswordProtector
Enable-BitLockerAutoUnlock -MountPoint "D:"

The first PowerShell line is the same as the one used to encrypt an operating system drive. On a brand-new server or a data drive that holds no old data, keeping -UsedSpaceOnly speeds up the encryption process; on a drive that has been in use, omit it so that free space is encrypted too. The second line allows the drive to be unlocked automatically when the server reboots.
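The following script is an added example and not the article's own commands; it ties together the OS-drive and data-drive procedures above and makes the recovery-password escrow explicit rather than relying on the GPO alone. It assumes a TPM is present (see Prerequisites), the server is domain-joined with the GPO above applied, and that C: is the OS drive and D: a fixed data drive (placeholders for your own mount points). The function name Protect-ServerVolumes and the helper Backup-RecoveryPasswords are my own.

```powershell
# Added example (not the article's code). Assumes a TPM, a domain-joined
# server with the recovery GPO applied, and placeholder mount points C:/D:.

function Backup-RecoveryPasswords {
    # Escrow every RecoveryPassword protector on a volume to AD DS and return
    # the protector IDs that were sent (these are what ADUC later lists).
    param([Parameter(Mandatory)][string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
            $_.KeyProtectorId
        }
}

function Protect-ServerVolumes {
    param([string]$OsDrive = 'C:', [string]$DataDrive = 'D:', [switch]$DriveHasBeenUsed)

    # OS drive: add the recovery password first and escrow it, which satisfies
    # the "do not enable until stored to AD DS" policy, then turn protection on
    # with the TPM so the server boots unattended instead of prompting.
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
    Backup-RecoveryPasswords -MountPoint $OsDrive | Out-Null
    $osArgs = @{ MountPoint = $OsDrive; TpmProtector = $true; SkipHardwareTest = $true }
    if (-not $DriveHasBeenUsed) { $osArgs.UsedSpaceOnly = $true }   # new server: faster
    Enable-BitLocker @osArgs | Out-Null

    # Data drive: recovery password plus auto-unlock, as described above.
    $dataArgs = @{ MountPoint = $DataDrive; RecoveryPasswordProtector = $true }
    if (-not $DriveHasBeenUsed) { $dataArgs.UsedSpaceOnly = $true }
    Enable-BitLocker @dataArgs | Out-Null
    Enable-BitLockerAutoUnlock -MountPoint $DataDrive | Out-Null
    Backup-RecoveryPasswords -MountPoint $DataDrive | Out-Null

    # Report: both drives should list a RecoveryPassword protector and show
    # ProtectionStatus On; EncryptionPercentage climbs in the background.
    foreach ($drive in $OsDrive, $DataDrive) {
        $vol = Get-BitLockerVolume -MountPoint $drive
        [pscustomobject]@{
            Drive       = $drive
            Status      = $vol.VolumeStatus
            Protection  = $vol.ProtectionStatus
            PercentDone = $vol.EncryptionPercentage
            Protectors  = ($vol.KeyProtector.KeyProtectorType -join ', ')
        }
    }
}

Protect-ServerVolumes -DriveHasBeenUsed | Format-Table -AutoSize
```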

View BitLocker Recovery Passwords

If we need to view the BitLocker recovery passwords, we need the BitLocker Recovery Password Viewer, which adds a tab to Active Directory Users and Computers (ADUC). The viewer is already installed on a server we have just encrypted by following these instructions, because the management tools were included. Otherwise, we install it with the following PowerShell command:

Install-WindowsFeature RSAT-Feature-Tools-BitLocker

In ADUC, we double-click any BitLocker-encrypted system that has recovery data backed up in AD DS and go to the BitLocker Recovery tab to view the recovery passwords.
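The same information can be pulled with PowerShell, which is handy for auditing that every encrypted server actually has something escrowed. The script below is an added example, not from the article; it assumes the ActiveDirectory RSAT module, read access to the msFVE-RecoveryInformation objects under the computer account, and uses SRV01 as a placeholder computer name. The function name is my own.

```powershell
# Added example (not from the article): list the recovery passwords AD DS holds
# for a server, i.e. what the BitLocker Recovery tab in ADUC displays.
# Assumes the ActiveDirectory module and read rights on the recovery objects.
Import-Module ActiveDirectory

function Get-EscrowedBitLockerRecovery {
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName
    # Recovery information lives as msFVE-RecoveryInformation objects directly
    # beneath the computer object, one per escrowed recovery password.
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                 -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
                 -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated' |
        ForEach-Object {
            [pscustomobject]@{
                Computer         = $ComputerName
                Escrowed         = $_.whenCreated
                # The GUID matches the KeyProtectorId shown by Get-BitLockerVolume,
                # which is how the recovery screen's ID is matched to a password.
                ProtectorId      = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid')
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
            }
        } | Sort-Object Escrowed -Descending
}

# No rows returned means nothing is escrowed for that server: do not count on
# being able to recover it until this shows at least one entry per drive.
Get-EscrowedBitLockerRecovery -ComputerName 'SRV01' | Format-Table -AutoSize
```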

Secure Your Data with Windows Server Encryption & BitLocker Conclusion

In conclusion, in conjunction with the powerful encryption tool BitLocker, Windows Server Encryption offers a robust and effective solution for securing data on Windows Servers. Organizations and individuals ensure their sensitive information’s confidentiality, integrity, and compliance by implementing encryption measures. With the ability to encrypt files, folders, and disk volumes, Windows Server Encryption and BitLocker provide a solid foundation for protecting data from unauthorized access, data breaches, and potential security risks, ultimately granting peace of mind and heightened data security.


Marion Mendoza

Windows Server and VMware SME. Powershell Guru. Currently working with Fortune 500 companies responsible for participating in 3rd level systems support across the enterprise. Acting as a Windows Server engineer and VMware Specialist.