It gets a bit confusing if you want to improve the security of your Windows Server 2008 virtualization server and the VMs on it by running BitLocker Drive Encryption. Windows BitLocker Drive Encryption is a feature that encrypts one or more volumes (drives) attached to your computer and that can use a Trusted Platform Module (TPM) to verify the integrity of early startup components. Because BitLocker encrypts the entire volume of data, it requires the computer to be configured with an active partition, used for startup, which is separate from the operating system volume.

If you didn't set up BitLocker when you set up the machine, before you started running VMs, you'll need to download the BitLocker Drive Preparation Tool and run it to configure BitLocker. If you read the KB930063 "Description of the BitLocker Drive Preparation Tool" you can learn a lot about the tool, except where to download it! And that you'll need to verify that you have the hardware support (TPM) to make it work. The Windows Server 2008 Hyper-V and BitLocker Drive Encryption white paper also says "Obtain the BitLocker Drive Preparation Tool and install it."

After you get the drive prepared, and start the tool (Start>All Programs>Accessories>System Tools>BitLocker>BitLokcer Drive Preparation Tool - easy, right?) you can click the "What should I know about BitLocker Drive Encryption before I turn it on?" help link to learn: "During computer startup, if BitLocker detects a system condition that could represent a security risk (for example, disk errors, a change to the BIOS , or changes to any startup files), it will lock the drive and require a special BitLocker recovery password to unlock it. Make sure that you create this recovery password when you turn on BitLocker for the first time; otherwise, you could permanently lose access to your files." A little farther on, a warning states "BitLocker Drive Encryption reduces disk throughput. It should be used on high performance servers only if the computer is not in a physically secure location."

Ummm...kay....

Best to first read the Windows BitLocker Drive Encryption Design and Deployment Guides that describe the various aspects of planning for deploying Windows BitLocker Drive Encryption. The document is organized in two guides, and you should carefully consider each guide before you deploy BitLocker Drive Encryption. If your virtualization server is encrypted, and you don't have the recovery credentials, all your VMs are offline till you do. Ponder that before you enable BL. You can read more here about the BitLocker Drive Encryption Algorithm.

If you do get into trouble with a  domain-joined machine, you'll need the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool.

Hope you never need the BitLocker Repair Tool: This tool helps access data encrypted with BitLocker if the hard disk has been physically damaged. This tool attempts to reconstruct critical data from the drive and salvage any recoverable data. To decrypt the data, a recovery password or recovery key is required. In some cases, a backup of the key package is also required. Use this command-line tool if the following conditions are true:

  • A volume has been encrypted by using BitLocker Drive Encryption.
  • Windows does not start, or you cannot start the BitLocker recovery console.
  • You do not have a copy of the data that is contained on the encrypted volume.