Windows Server 2012 Added Bitlocker to CSV How to configure Encrypted bitlocker CSV

BitLockering the CSV and its problems: the do's and don'ts, or how to destroy your cluster when you are unplanned and unprepared.

One of the big improvements in Server 2012 is security: BitLocker on CSV volumes.


BitLocker encrypted cluster disks

Support for traditional failover disks

Support for Cluster Shared Volumes

Volumes decrypted by each node using the Cluster Name Object (CNO) common identity

Enables physical security for deployments outside of secure datacenters

Branch office deployments

Volume level encryption for compliance requirements

 

But how do you set this up? Easy? Yes. But will it work? There are a lot of badly configured setups and problems out there, and no real-world solutions.

So I made a guide on what to expect and what not to do.

I deployed a fresh new cluster, added a few disks, and we are ready to go.

My cluster disks; what more do I need? This is it.

So go to PowerShell and run manage-bde.

A nice overview of the command and what you can do with it.

OK, let's see what the status of a CSV is:

manage-bde.exe -status c:\clusterstorage\volume5

OK, not encrypted (yet).

This is nice. What else can we do? Encrypt?

Yes, let's do this.

The most common mistake is doing the steps in the wrong order. If you run this as your first step:

manage-bde.exe c:\clusterstorage\volume5 -protectors -add -sid MVPHIGHSEC01$

Key Protectors Added:

ERROR: An error occurred (code 0x803100ad):

This command can only be performed from the coordinator node for the specified CSV volume.

Yes, as always with CSV, do this on the coordinator node.

So I move the disk to the right node and start again:

manage-bde.exe c:\clusterstorage\volume5 -protectors -add -sid MVPHIGHSEC01$

ERROR: An error occurred (code 0x803100ae):

This command cannot be performed on a volume when it is part of a cluster.

OK, I forgot to use maintenance mode.

And it seems that I was using the wrong command!

Now let's do this: manage-bde.exe -on c:\clusterstorage\volume5 -recoverypassword

The -on option enables BitLocker on CSV volume 5 and shows me the recovery password:

Numerical Password:

ID: {2C7A5860-8856-42FB-BDBE-15AAFA2DE1FD}

Password:

663278-615318-333696-462077-196240-510444-269610-301004

ACTIONS REQUIRED:

1. Save this numerical recovery password in a secure location away from

your computer:

663278-615318-333696-462077-196240-510444-269610-301004

To prevent data loss, save this password immediately. This password helps

ensure that you can unlock the encrypted volume.

Encryption is now in progress.

Now a common mistake is to think you can bring the disk back into use at this point. DO NOT DO THIS.

You first need to run this:

manage-bde.exe c:\clusterstorage\volume5 -protectors -add -sid MVPHIGHSEC01$

This command gives the cluster (the CNO) access to the encrypted volume.

If you don't know the cluster name: run Get-Cluster and use that name with a $ appended.

You may see this error:

ERROR: An error occurred (code 0x80090034): (this means you do not have a Windows Server 2012 DC)

So do I need a 2012 DC? Well, yes. I did not try this with only a forestprep and a domainprep, but the best way to go is to get your DC to Windows Server 2012.

But it can run in Windows 2008 R2 mode.

But how do I get a properly BitLocker-encrypted CSV cluster disk?

This is how.

First, pick the disk that will be encrypted.

Put the disk in maintenance mode, or do this in PowerShell:

Get-ClusterSharedVolume "Cluster Disk 4" | Suspend-ClusterResource -Force

Find the status of the disk:

manage-bde.exe -status c:\clusterstorage\volume1

The CSV volume number is not the same as the cluster disk number!

manage-bde.exe -on c:\clusterstorage\volume1 -recoverypassword

Write the password to a text file or put it somewhere safe; in a recovery you will need this.

Numerical Password:

ID: {5DAE43EF-6495-4D1D-8914-F3549BCD5D88}

Password:

050160-565081-401269-567600-006600-688479-006831-304645

And the last step:

manage-bde.exe c:\clusterstorage\volume1 -protectors -add -sid MVPHIGHSEC01$

This gives your cluster access to the BitLocker disk.

That is all, but as always on a cluster, keep in mind what you are doing.

Today MBAM 2.0 Beta 2 was also released; play with it and test it before production.
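As an added example (not code from the original post), here is the whole sequence above as one PowerShell script to run on the coordinator node: suspend the CSV, check status, enable BitLocker with a recovery password, save that password, add the CNO as a SID protector, and only then resume the volume. The cluster disk name, the recovery file path and the availability of the FailoverClusters and BitLocker modules on the node are assumptions.

```powershell
# Added example, not from the original post. Assumptions: the cluster disk name below,
# the recovery file location, and that the FailoverClusters and BitLocker modules exist here.
param(
    [string]$ClusterDiskName = 'Cluster Disk 4',                  # assumption
    [string]$RecoveryFile    = "$env:USERPROFILE\csv-recovery.txt" # assumption
)
Import-Module FailoverClusters, BitLocker -ErrorAction Stop

$csv = Get-ClusterSharedVolume -Name $ClusterDiskName -ErrorAction Stop

# The C:\ClusterStorage\VolumeN path is NOT the cluster disk number: read it from the resource.
$path = $csv.SharedVolumeInfo.FriendlyVolumeName

# manage-bde / Enable-BitLocker only work from the coordinator (owner) node (error 0x803100ad).
if ($csv.OwnerNode.Name -ne $env:COMPUTERNAME) {
    throw "Run this on the coordinator node '$($csv.OwnerNode.Name)' or move the CSV there first."
}

# Step 1: maintenance mode, otherwise the volume is rejected as part of a cluster (0x803100ae).
$csv | Suspend-ClusterResource -Force | Out-Null
try {
    if ((Get-BitLockerVolume -MountPoint $path).ProtectionStatus -eq 'On') {
        Write-Host "$path is already protected; nothing to do."
        return
    }

    # Step 2: turn BitLocker on with a numerical recovery password (manage-bde -on ... -recoverypassword).
    $vol = Enable-BitLocker -MountPoint $path -RecoveryPasswordProtector -ErrorAction Stop
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    # Keep the password somewhere safe, away from the cluster nodes; you need it in a recovery.
    "$path ID=$($rp.KeyProtectorId) Password=$($rp.RecoveryPassword)" | Out-File -FilePath $RecoveryFile -Append

    # Step 3: give the cluster (CNO = cluster name + '$') access. This is the step people skip.
    $cno = (Get-Cluster).Name + '$'
    & manage-bde.exe $path -protectors -add -sid $cno
    if ($LASTEXITCODE -ne 0) {
        # The post reports 0x80090034 here when there is no Windows Server 2012 domain controller.
        throw "Adding the SID protector for $cno failed (exit code $LASTEXITCODE); volume left suspended."
    }
}
finally {
    # Only bring the CSV back once the CNO protector is in place (or leave it down on failure).
    if ($LASTEXITCODE -eq 0) { $csv | Resume-ClusterResource | Out-Null }
}
```

On failure the script deliberately leaves the CSV suspended so that no node tries to mount a volume it cannot unlock.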

Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 beta

Author: Robert Smit [MVP]


17 thoughts on “Windows Server 2012 Added Bitlocker to CSV How to configure Encrypted bitlocker CSV”

  1. Great Article. Very helpful. I needed to setup this for the first time to reproduce a customer environment and you helped me. You are awesome Mr. Smith.

  2. Hello.
    How do I now disable BitLocker?
    The command Disable-BitLocker -MountPoint "X:" gives the error:
    "Disable-BitLocker : A device attached to the system is not functioning. (Exception from HRESULT: 0x8007001F)"

  3. I turned on maintenance mode for the drive.
    And executed the command Disable-BitLocker -MountPoint "X:"
    I do it on the coordinator node.

    As a result, I receive an error

  4. $BLV = Get-BitLockerVolume
    Disable-BitLocker -MountPoint $BLV

    or

    Disable-BitLocker -MountPoint "x:"

    This should work. If it is not working, open a support case with Microsoft. To solve this I need more info than "Disable-BitLocker : A device attached to the system is not functioning. (Exception from HRESULT: 0x8007001F)",

    event log errors etc.

  5. Hi Robert

    We restarted the server and we get a "username or password is wrong" message next to the cluster volume.

    It worked fine for a couple of months and now we have this error. Any ideas, as we couldn't find anything online?

  6. I've a SharePoint 2013 cluster set running an MS SQL Std 2014 cluster with CSV. I want to implement "data at rest" encryption on the data volume on CSV. In total 8 Windows Server 2012 R2 servers (2 for SharePoint Web-FrontEnd, 2 for Index servers, 2 for OWA, 2 for MS SQL Std 2014) are running on VMware ESXi 5.5. The existing data volume for MS SQL is using HP StoreVirtual with CSV. I want to encrypt the data volume on CSV for data protection to meet the "data at rest" security level instead of TDE. Please help to explain how to implement BitLocker on an existing CSV for the SharePoint 2013 system.

  7. As described in the blog for BitLocker, put the CSV in maintenance mode. To enable BitLocker, on the CSV owner node run:
    $SecureString = ConvertTo-SecureString thispasswordshouldbebetter -AsPlainText -Force
    Enable-BitLocker C:\ClusterStorage\CSV001 -PasswordProtector -Password $SecureString

    And make sure the GPO setting is done, else it won't work.

  8. Hi Robert, great article. I am having a problem with bringing the cluster disk online. It will only come online if I move the cluster member servers and cluster name into the Computers folder.

  9. Hi,
    Thanks for reading my blog.

    This looks like the key is not there on all the servers; I guess it only comes online on the node that you used to set the BitLocker key. Important is that all nodes need access; this is normally the CNO who needs access. This will bring your resource online. In case of a deny, the resource will fail. manage-bde.exe c:\clusterstorage\volume1 -protectors -add -sid MVPHIGHSEC01$ (add the CNO and nodes)

  10. I have a 2-node Hyper-V cluster with shared storage provided by the Virtual SAN on the same hosts.
    What’s the better way to encrypt the storage: CSV level or on the DAS partition level?

  11. When doing this at the DAS level, the load is on the DAS, and when adding a new node the key is already there. BUT can the users access this, as you have two locations to manage? The DAS probably has no AD integration. It is harder to configure at the CSV level, but easier to manage with the AD.

  12. I seem to be suffering from ERROR: An error occurred (code 0x80090034). I have all Server 2012 R2 or higher domain controllers; any idea what might cause this?

  13. Hi Bob,
    I assume you have done this from my blog: manage-bde.exe c:\clusterstorage\volume5 -protectors -add -sid MVPHIGHSEC01$
    This command will give the cluster access to the encrypted volume. If you don't know the cluster name: Get-Cluster, and fill this in with a $.
    You will see this error: ERROR: An error occurred (code 0x80090034): (means you do not have a Windows 2012 DC)

    It's a while ago that I wrote the blog, but it seems that there is no link to the cluster: you created it on one node and it worked, and then on fail-over it stopped working; that is an indicator that it is configured on the node and not on the cluster. There is very little info about this.
    The sample that I showed in the blog is 100% working and should work. Keep in mind that the forest level and functional level must also be 2012.
