BitLockering the CSV and its problems: the Do's and Don'ts, or how to destroy your cluster unplanned and unprepared
One of the big improvements in Server 2012 is security: BitLocker on CSV volumes.
BitLocker encrypted cluster disks
Support for traditional failover disks
Support for Cluster Shared Volumes
Volumes decrypted by each node using the Cluster Name Object (CNO) common identity
Enables physical security for deployments outside of secure datacenters
Branch office deployments
Volume level encryption for compliance requirements
But how do you set this up? Easy? Yes. But will it work? There are a lot of badly configured setups and problems out there, and few real-world solutions.
Well, I made a guide on what to expect and what not to do.
I deployed a fresh new cluster and put in a few disks, and we are ready to go.
My cluster disks: this is all I need.
So open PowerShell and run manage-bde.
It gives a nice overview of the command and what you can do with it.
OK, let's see what the status of a CSV is:
manage-bde.exe -status c:\clusterstorage\volume5
This is nice; what else can we do? Encrypt?
Yes, let's do this.
The most common mistake is to do the steps in the wrong order. This is what happens if you add the protector as your first step:
manage-bde.exe c:\clusterstorage\volume5 -protectors -add -sid MVPHIGHSEC01$
Key Protectors Added:
ERROR: An error occurred (code 0x803100ad):
This command can only be performed from the coordinator node for the specified CSV volume.
Yes, as always with CSV: do this on the coordinator node.
So I flip the disk to the right node and start again:
manage-bde.exe c:\clusterstorage\volume5 -protectors -add -sid MVPHIGHSEC01$
ERROR: An error occurred (code 0x803100ae):
This command cannot be performed on a volume when it is part of a cluster.
OK, I forgot to use maintenance mode,
and it seems that I was also using the wrong command!
Now let's do this: manage-bde.exe -on c:\clusterstorage\volume5 -recoverypassword
The -on option enables BitLocker on CSV volume 5, and -recoverypassword adds a numerical recovery password and shows it to me:
Numerical Password:
ID: {2C7A5860-8856-42FB-BDBE-15AAFA2DE1FD}
Password:
663278-615318-333696-462077-196240-510444-269610-301004
ACTIONS REQUIRED:
1. Save this numerical recovery password in a secure location away from
your computer:
663278-615318-333696-462077-196240-510444-269610-301004
To prevent data loss, save this password immediately. This password helps
ensure that you can unlock the encrypted volume.
Encryption is now in progress.
Now a common mistake is to bring the disk back online for use right away. DO NOT DO THIS.
First you need to run this:
manage-bde.exe c:\clusterstorage\volume5 -protectors -add -sid MVPHIGHSEC01$
This command gives the cluster (the CNO computer account) access to the encrypted volume.
If you don't know the cluster name, run Get-Cluster and use that name followed by a $.
If you see this error:
ERROR: An error occurred (code 0x80090034):
it means you do not have a Windows 2012 DC.
So do I need a Windows 2012 DC? Yes. I did not try this with only a forestprep and a domainprep, but the best way to go is to get your DC to Windows 2012.
The domain can still run in Windows 2008 R2 functional mode.
But how do I get a properly BitLocker-encrypted CSV cluster disk configured?
This is how.
First, get the disk that will be encrypted.
Put the disk into maintenance mode, or do this in PowerShell:
Get-ClusterSharedVolume "cluster disk 4" | Suspend-ClusterResource -Force
Find the status of the disk:
manage-bde.exe -status c:\clusterstorage\volume1
The CSV volume number is not the same as the cluster disk number!
manage-bde.exe -on c:\clusterstorage\volume1 -recoverypassword
Write the password to a text file or store it somewhere safe; you need it for recovery.
Numerical Password:
ID: {5DAE43EF-6495-4D1D-8914-F3549BCD5D88}
Password:
050160-565081-401269-567600-006600-688479-006831-304645
And the last step:
manage-bde.exe c:\clusterstorage\volume1 -protectors -add -sid MVPHIGHSEC01$
gives your cluster access to the BitLocker disk.
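As an added example (not the blog's own script), here are the same four steps wrapped in PowerShell: it looks up the CSV mount point and owner node from the cluster disk name, refuses to run anywhere but the coordinator node, adds the CNO protector before resuming the CSV, and prints the protectors at the end so you can verify. The cluster disk name, domain and key-file path are placeholders.

```powershell
# Added example, not the blog's script. Placeholders: cluster disk name, key-file path.
# Run elevated on a cluster node with the BitLocker and FailoverClusters modules installed.
param(
    [string]$ClusterDisk = 'Cluster Disk 4',             # cluster resource name, NOT the CSV volume number
    [string]$KeyFile     = 'C:\secure\csv-recovery.txt'   # placeholder: move this off the node afterwards
)
Import-Module FailoverClusters
Import-Module BitLocker

$csv = Get-ClusterSharedVolume -Name $ClusterDisk
# Map the cluster disk name to its mount point (Volume1 is not always Cluster Disk 1).
$mount = $csv.SharedVolumeInfo.FriendlyVolumeName

# BitLocker commands only work from the coordinator (owner) node of this CSV (error 0x803100ad otherwise).
if ($csv.OwnerNode.Name -ne $env:COMPUTERNAME) {
    throw "Run this on coordinator node $($csv.OwnerNode.Name), or move the CSV there first."
}

# The CNO (cluster name object) computer account is the identity every node uses to unlock the volume.
$cno = "$env:USERDOMAIN\$((Get-Cluster).Name)`$"

# Step 1: maintenance mode, otherwise you get 0x803100ae (volume is part of a cluster).
$csv | Suspend-ClusterResource -Force | Out-Null
try {
    # Step 2: turn BitLocker on with a numerical recovery password. The recovery password is the
    # only way back in if CNO/AD unlock ever fails, so persist it before doing anything else.
    $vol = Enable-BitLocker -MountPoint $mount -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    "$mount  ID=$($rp.KeyProtectorId)  Password=$($rp.RecoveryPassword)" | Out-File $KeyFile -Append

    # Step 3: grant the cluster identity access. Without this the disk only comes online on the
    # node that ran the command and fails after a failover (the symptom from the comments).
    Add-BitLockerKeyProtector -MountPoint $mount -ADAccountOrGroupProtector -ADAccountOrGroup $cno | Out-Null
}
finally {
    # Step 4: only now bring the CSV back (bringing it online before step 3 is the "DO NOT DO THIS").
    $csv | Resume-ClusterResource | Out-Null
}

# Verify: both protectors present and encryption running.
$state = Get-BitLockerVolume -MountPoint $mount
$state.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
'{0}: {1}, {2}% encrypted' -f $mount, $state.VolumeStatus, $state.EncryptionPercentage
```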
That is all, but as always on a cluster, keep in mind what you are doing.
Today the MBAM 2.0 Beta 2 is also released; play with it and test it before production.
Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 beta
Great article. Very helpful. I needed to set this up for the first time to reproduce a customer environment and you helped me. You are awesome Mr. Smith.
Well thanks but call me Robert 😉 the other part makes me OLD 😉
Hello.
How do I now disable BitLocker?
The command Disable-BitLocker -MountPoint "X:" gives the error:
"Disable-BitLocker : A device attached to the system is not functioning. (Exception from HRESULT: 0x8007001F)"
That is a problem.
Did you do this from the node that is holding the disk (the coordinator node)?
I turned on maintenance mode for the drive.
And executed the command Disable-BitLocker -MountPoint "X:"
I do it on the coordinator node.
As a result, I receive an error.
$BLV = Get-BitLockerVolume
Disable-BitLocker -MountPoint $BLV
or
Disable-BitLocker -MountPoint “x:”
This should work. If it is not working, open a support case with Microsoft. To solve this I need more info, such as "Disable-BitLocker : A device attached to the system is not functioning. (Exception from HRESULT: 0x8007001F)",
event log errors, etc.
Hi Robert
We restarted the server and we get a "username or password is wrong" message next to the cluster volume.
It worked fine for a couple of months and now we have this error. Any ideas, as we couldn't find anything online?
Hi,
Are you sure you have the right key, and the AD connection is fine? What errors do you see in the event log?
I’ve SharePoint 2013 cluster set running MS SQL Std 2014 cluster with CSV. I want to implement “data at rest” encryption on data volume on CSV. Totally 8 Windows servers 2012 R2 (2 for SharePoint Web-FrontEnd, 2 for Index servers, 2 for OWA, 2 for MS SQL Std 2014) are running on VMWare ESXi 5.5. The existing data volume for MS SQL are using HP StoreVirtual with CSV. I want to encrypt the data volume on CSV for data protection to meet “data at rest” security level instead of TDE. Please help to explain how to implement bitlocker on existing CSV for SharePoint 2013 system.
As described in the blog for BitLocker, put the CSV in maintenance mode. To enable BitLocker, on the CSV owner node run:
$SecureString = ConvertTo-SecureString thispasswordshouldbebetter -AsPlainText -Force
Enable-BitLocker C:\ClusterStorage\CSV001 -PasswordProtector -Password $SecureString
And make sure the GPO setting is done, else it won't work.
Hi Robert – great article. I am having a problem with bringing the cluster disk online, It will only come online if I move the cluster member servers and clustername into the Computers folder.
Hi,
Thanks for reading my blog.
This looks like the key is not there on all the servers; I guess it only comes online on the node that you used to set the BitLocker key. Important is that all nodes need access; normally this is the CNO who needs access. This will bring your resource online. In case of a deny the resource will fail. manage-bde.exe c:\clusterstorage\volume1 -protectors -add -sid MVPHIGHSEC01$ (add the CNO and nodes)
I have a 2-node Hyper-V cluster with shared storage provided by the Virtual SAN on the same hosts.
What’s the better way to encrypt the storage: CSV level or on the DAS partition level?
When doing this at the DAS level, the load is on the DAS, and when adding a new node the key is already there. BUT can the users access this, as you have two locations to manage? The DAS has probably no AD integration. Harder to config is this on the CSV level, but easier to manage with the AD.
I seem to be suffering from ERROR: An error occurred (code 0x80090034). I have all Server 2012 R2 or higher domain controllers; any idea what might cause this?
Hi Bob,
I assume you have done this from my blog: manage-bde.exe c:\clusterstorage\volume5 -protectors -add -sid MVPHIGHSEC01$
This command will give the cluster access to the encrypted volume. If you don't know the cluster name: Get-Cluster, and fill this in with a $.
You will see this error: ERROR: An error occurred (code 0x80090034): (means you do not have a Windows 2012 DC)
It's a while ago that I wrote the blog, but it seems that there is no link to the cluster: created it on one node and it worked, and then failed over and stopped working. That is an indicator that it is configured on the node and not on the cluster. There is very little info about this.
The sample that I showed in the blog is 100% working and should work. Keep in mind that forest level and functional level must also be 2012.