Windows Server 2012 Added Bitlocker to CSV: How to configure an encrypted BitLocker CSV

BitLocker on the CSV and its problems: the do's and don'ts, or how to destroy your cluster unplanned and unprepared.

One of the big improvements in Server 2012 is security: BitLocker on CSV volumes.


BitLocker encrypted cluster disks

  • Support for traditional failover disks
  • Support for Cluster Shared Volumes
  • Volumes decrypted by each node using the Cluster Name Object (CNO) common identity
  • Enables physical security for deployments outside of secure datacenters
  • Branch office deployments
  • Volume level encryption for compliance requirements

 

But how do you set this up? Easy? Yes. But will it work? There are a lot of badly configured setups and problems, and no real-world solutions.

So I made a guide on what to expect and what not to do.

I deployed a fresh new cluster, put in a few disks, and we are ready to go.

My cluster disks: what more do I need? This is it.

So go to PowerShell and run manage-bde.

A nice overview of the command and what you can do with it.

OK, let's see what the status of a CSV is:

manage-bde.exe -status c:\clusterstorage\volume5

OK, not encrypted (yet).

This is nice; what else can we do? Encrypt?

Yes, let's do this.

The most common mistake is doing the wrong steps. If you run this as your first step:

manage-bde.exe c:\clusterstorage\volume5 -protectors -add -sid MVPHIGHSEC01$

Key Protectors Added:

ERROR: An error occurred (code 0x803100ad):

This command can only be performed from the coordinator node for the specified CSV volume.

Yes, as always with CSV, do this on the coordinator node.

So I move the disk to the right node and start again:

manage-bde.exe c:\clusterstorage\volume5 -protectors -add -sid MVPHIGHSEC01$

ERROR: An error occurred (code 0x803100ae):

This command cannot be performed on a volume when it is part of a cluster.

OK, I forgot to use maintenance mode, and it seems I was using the wrong command!

Now let's do this: manage-bde.exe -on c:\clusterstorage\volume5 -recoverypassword

The -on option enables BitLocker on CSV volume 5, and -recoverypassword shows me the recovery password:

Numerical Password:

ID: {2C7A5860-8856-42FB-BDBE-15AAFA2DE1FD}

Password:

663278-615318-333696-462077-196240-510444-269610-301004

ACTIONS REQUIRED:

1. Save this numerical recovery password in a secure location away from

your computer:

663278-615318-333696-462077-196240-510444-269610-301004

To prevent data loss, save this password immediately. This password helps

ensure that you can unlock the encrypted volume.

Encryption is now in progress.

A common mistake now is to bring the disk back online for use. DO NOT DO THIS.

You need to run this first:

manage-bde.exe c:\clusterstorage\volume5 -protectors -add -sid MVPHIGHSEC01$

This command gives the cluster access to the encrypted volume.

If you don't know the cluster name, run Get-Cluster and append a $ to the name (that is the Cluster Name Object account).

Without a Windows 2012 DC you will see this error:

ERROR: An error occurred (code 0x80090034):  (this means you do not have a Windows 2012 DC)

So do I need a 2012 DC? Eh, yes. I did not try this with only a forestprep and a domainprep, but the best way to go is to get your DC to Windows 2012.

But the domain can still run in Windows 2008 R2 mode.

 

But how do I get a good BitLocker-encrypted CSV cluster disk configured?

This is how.

First, pick the disk that will be encrypted.

Put the disk in maintenance mode, or do this in PowerShell:

Get-ClusterSharedVolume "cluster disk 4" | Suspend-ClusterResource -Force

Find the status of the disk:

manage-bde.exe -status c:\clusterstorage\volume1

The CSV volume number is not the same as the cluster disk number!

manage-bde.exe -on c:\clusterstorage\volume1 -recoverypassword

Write the password to a text file or put it somewhere safe; you need this for recovery.

Numerical Password:

ID: {5DAE43EF-6495-4D1D-8914-F3549BCD5D88}

Password:

050160-565081-401269-567600-006600-688479-006831-304645

And the last step:
manage-bde.exe c:\clusterstorage\volume1 -protectors -add -sid MVPHIGHSEC01$

Give your cluster access to the BitLocker disk.

That is all, but as always on a cluster, keep in mind what you are doing.

Today the MBAM 2.0 Beta 2 was also released; play with it and test it before production.

Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 beta
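The whole procedure above, with the checks that avoid the three errors shown earlier in the post (wrong node, disk not in maintenance mode, no CNO protector added after -on), as one added PowerShell script. This is an added example, not a script from the original post; the cluster disk name, the recovery-password folder and the CNO name are placeholders you must adjust, and it assumes the FailoverClusters module and manage-bde.exe are present on the coordinator node.

```powershell
# Added example (not from the original post): encrypt a CSV with BitLocker in the order
# the post describes. Placeholders: $ClusterDiskName and $RecoveryKeyPath are assumptions.
#Requires -RunAsAdministrator
Import-Module FailoverClusters

$ClusterDiskName = 'Cluster Disk 4'          # placeholder: the CSV resource to encrypt
$RecoveryKeyPath = 'C:\BitLocker-Recovery'   # placeholder: off-node location is better

$csv = Get-ClusterSharedVolume -Name $ClusterDiskName -ErrorAction Stop

# 1. manage-bde only works on the coordinator (owner) node of this CSV (error 0x803100ad otherwise).
if ($csv.OwnerNode.Name -ne $env:COMPUTERNAME) {
    throw "Run this on the coordinator node '$($csv.OwnerNode.Name)', not on $env:COMPUTERNAME."
}

# 2. The CSV mount path (C:\ClusterStorage\VolumeN) is not the same as the cluster disk number.
$volumePath = ($csv.SharedVolumeInfo | Select-Object -First 1).FriendlyVolumeName

# 3. The CNO is the cluster name with a trailing $; every node unlocks the volume with this identity.
$cnoName = "$((Get-Cluster).Name)$"

# 4. Put the CSV in maintenance mode first (error 0x803100ae otherwise).
$csv | Suspend-ClusterResource -Force | Out-Null

try {
    # 5. Check the current state before touching the volume.
    manage-bde.exe -status $volumePath

    # 6. Turn BitLocker on with a numerical recovery password and keep the output: it holds the password.
    $onOutput = manage-bde.exe -on $volumePath -RecoveryPassword
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde -on failed ($LASTEXITCODE):`n$($onOutput -join "`n")"
    }

    # Save the recovery password before anything else; the post: 'put it somewhere safe'.
    New-Item -ItemType Directory -Path $RecoveryKeyPath -Force | Out-Null
    $onOutput | Out-File -FilePath (Join-Path $RecoveryKeyPath "$ClusterDiskName.txt") -Encoding UTF8

    # 7. Only now add the SID protector for the CNO so the cluster can unlock the volume.
    manage-bde.exe $volumePath -protectors -add -sid $cnoName
    if ($LASTEXITCODE -ne 0) {
        throw "Adding the CNO protector failed ($LASTEXITCODE); 0x80090034 means there is no Windows Server 2012 DC."
    }

    # Show the protectors that ended up on the volume (recovery password + CNO SID expected).
    manage-bde.exe $volumePath -protectors -get
}
finally {
    # 8. Bring the CSV back out of maintenance mode whether or not the steps above succeeded.
    $csv | Resume-ClusterResource | Out-Null
}
```

The try/finally matters: if the script is stopped halfway, the CSV is resumed anyway, but the volume is only usable by the cluster once step 7 has succeeded, which is exactly the "DO NOT DO THIS" point the post makes about bringing the disk online too early.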


Posted November 6, 2012 by Robert Smit [MVP] in Bitlocker

11 responses to "Windows Server 2012 Added Bitlocker to CSV How to configure Encrypted bitlocker CSV"


  1. Great Article. Very helpful. I needed to setup this for the first time to reproduce a customer environment and you helped me. You are awesome Mr. Smith.

  2. Hello.
    How now disable Bitlocker?
    Command Disable-BitLocker -MountPoint "X:" gives the error:
    "Disable-BitLocker : A device attached to the system is not functioning. (Exception from HRESULT: 0x8007001F)"

  3. I turned on maintenance mode for the drive.
    And execute the command Disable-BitLocker -MountPoint "X:"
    I do it on the coordinator node.

    As a result, I receive an error

  4. $BLV = Get-BitLockerVolume
    Disable-BitLocker -MountPoint $BLV

    or

    Disable-BitLocker -MountPoint "x:"

    This should work. If it is not working, open a support case with Microsoft. To solve this I need more info, such as "Disable-BitLocker : A device attached to the system is not functioning. (Exception from HRESULT: 0x8007001F)",

    event log errors, etc.

  5. Pingback: Bitlocker on a Hyper-V 2012 virtualization cluster | SibRoot

  6. Hi Robert

    We restarted the server and we get a "username or password is wrong" message next to the cluster volume.

    It worked fine for a couple of months and now we have this error. Any ideas? We couldn't find anything online.

  7. I’ve SharePoint 2013 cluster set running MS SQL Std 2014 cluster with CSV. I want to implement “data at rest” encryption on data volume on CSV. Totally 8 Windows servers 2012 R2 (2 for SharePoint Web-FrontEnd, 2 for Index servers, 2 for OWA, 2 for MS SQL Std 2014) are running on VMWare ESXi 5.5. The existing data volume for MS SQL are using HP StoreVirtual with CSV. I want to encrypt the data volume on CSV for data protection to meet “data at rest” security level instead of TDE. Please help to explain how to implement bitlocker on existing CSV for SharePoint 2013 system.

    • As described in the blog for BitLocker, put the CSV in maintenance mode. To enable BitLocker on the CSV owner node run:
      $SecureString = ConvertTo-SecureString thispasswordshouldbebetter -AsPlainText -Force
      Enable-BitLocker C:\ClusterStorage\CSV001 -PasswordProtector -Password $SecureString

      and make sure the GPO setting is done, else it won't work.
