When using Hyper-V Server 2012 R2 (Server Core) I was able to use the following command to encrypt the boot drive (C:) -
manage-bde -on C: -rp
The motherboards I've been using have a TPM 2.0 installed. With Server 2012 R2 I was able to encrypt the C: drive with either a BIOS or UEFI configuration.
But now with Hyper-V Server 2016 (Server Core) I get the following error message when I try to use the same command to encrypt the boot drive (C:) -
C:\>manage-bde -on C: -rp
BitLocker Drive Encryption: Configuration Tool version 10.0.14393
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Volume C: []
[OS Volume]
ERROR: Specifying the parameter '-StartupKey' or '-Password' is required to BitLocker-protect the OS volume.
Type "manage-bde -on -?" for more information.
NOTE: If the -on switch has failed to add key protectors or start encryption,
you may need to call "manage-bde -off" before attempting -on again.
With Hyper-V 2016 the motherboard is configured for UEFI and Secure Boot and I used MSINFO32 to confirm both are on as expected.
I have a single RAID10 drive that has a logical C: (Boot) and D: (Data) drive on it. With Hyper-V Server 2012 R2 the C: drive only needed the TPM to be encrypted and for the D: drive I entered the following commands which allowed it to be automatically unencrypted via the C: drive.
manage-bde -on d: -pw (entered password - which I believe was stored on the encrypted C: drive?)
manage-bde -autounlock -enable d:
The motherboard configuration was set up to automatically reboot if there was a power outage.
With the Server 2016 limitation it looks like I cannot use the TPM alone to encrypt the boot drive? I'd have to use a method like one of those below to encrypt the boot drive and automatically reboot after a power outage?
a) I could either add a 3rd logical drive (for example X:) to my RAID10 drive and use that to store the recovery key for the C: drive. Or I could leave a USB drive plugged in at all times and it would also contain the recovery key to allow the C: drive to boot.
But in both cases it seems I would be leaving something potentially exposed in an unencrypted location that a hacker could potentially exploit (given both the X: or USB drives would be unencrypted)?
b) I could use the -TPMAndPIN, -TPMAndStartupKey, or -TPMAndPINAndStartupKey options to encrypt the C: drive. But that would require me to manually enter in some additional information in order to allow the Hyper-V Server 2016 to reboot (which would be a nuisance).
With Hyper-V Server 2016 is there some way to encrypt the boot drive (C:) with the TPM alone such that these types of issues (a and b above) aren't a problem? Or am I overlooking something in how this can be done on Hyper-V Server 2016?
Thanks for any insight you can provide.
P.S. I saw there was an option (-sid) that looked like it might depend upon something in an AD domain to allow the C: drive to be encrypted/unencrypted. But I just have a small home office network and don't have that type of sophisticated environment.
WindOfChange
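The procedure the post describes (TPM-only protector plus a recovery password on C:, a password on D: with auto-unlock from C:), written as an added example with the BitLocker and TrustedPlatformModule cmdlets that ship with Windows Server 2012 R2 and later; this is not the poster's code. It checks first whether the OS reports a present and ready TPM, since that is the precondition for BitLocker offering the TPM-only OS protector, and it assumes C: is the OS volume and D: the data volume as in the post.

```powershell
# Added example, not the poster's commands. Run from an elevated PowerShell
# on the server itself. Assumes C: is the OS volume and D: the data volume.
$osVolume   = 'C:'
$dataVolume = 'D:'

# 1. Check what the OS sees of the TPM. BitLocker only offers the TPM-only
#    OS protector when the TPM is both present and ready; if either check
#    fails, the cause is firmware or TPM state rather than the command line.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) { throw "No TPM visible to the OS; check the firmware settings." }
if (-not $tpm.TpmReady)   { throw "TPM present but not ready; initialize it (Initialize-Tpm) and retry." }

# 2. Add a numerical recovery password first, then protect the OS volume with
#    the TPM so no interaction is needed at boot. The recovery password is the
#    fallback if the TPM measurements change (firmware update, board swap).
Add-BitLockerKeyProtector -MountPoint $osVolume -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint $osVolume -TpmProtector -UsedSpaceOnly -SkipHardwareTest

# Show the recovery password once so it can be stored off this machine, not on
# an unencrypted X: or USB volume as the post considers.
$rp = (Get-BitLockerVolume -MountPoint $osVolume).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Write-Host "Recovery password for $osVolume (id $($rp.KeyProtectorId)): $($rp.RecoveryPassword)"

# 3. Protect the data volume with a password, then let the encrypted OS volume
#    unlock it automatically. The auto-unlock key is kept on the OS volume, so
#    nothing secret is left on unencrypted media.
$pw = Read-Host -Prompt "Password for $dataVolume" -AsSecureString
Enable-BitLocker -MountPoint $dataVolume -PasswordProtector -Password $pw -UsedSpaceOnly
Enable-BitLockerAutoUnlock -MountPoint $dataVolume

# 4. Report the protectors and encryption state of both volumes for the record.
Get-BitLockerVolume -MountPoint $osVolume, $dataVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, AutoUnlockEnabled,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```

On a Server Core install the BitLocker feature must already be present (the post's manage-bde output shows it is); the final listing should show C: with Tpm and RecoveryPassword protectors and D: with a Password protector and AutoUnlockEnabled set.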