Balancing paranoia with manageability.
Adding bitlocker to a server and so far I’m comfy with this:
1. Do not BitLocker the C: boot drive. I want the drive to be able to reboot automatically without someone standing there to unlock it.
2. BitLocker the data drives. One can also add a script or task to mount the BitLockered drives (script info from http://stackoverflow.com/questions/15324758/bitlocker-script-to-unlock-drive).
For the value of -RecoveryPassword you enter the 48-digit recovery password that you saved to a USB flash drive or printed out.
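Here is an added example of that auto-mount approach, written for this post rather than taken from the StackOverflow thread or the author's own setup. It assumes the BitLocker PowerShell module that ships with the BitLocker feature on 2012 R2, that the data volumes are D: and E:, and that the recovery password sits in a hypothetical file whose ACL is locked down to SYSTEM and Administrators.

```powershell
# Added example, not the author's script. Unlocks BitLocker data volumes at boot.
# Assumptions: volumes D: and E: are BitLocker-protected; the 48-digit recovery
# password is stored in the (hypothetical) file below, readable only by SYSTEM
# and Administrators. Anything that can read this file can unlock the drives,
# so the ACL on it is the whole game.
$volumes = @('D:', 'E:')
$keyFile = 'C:\ProgramData\BitLockerUnlock\recovery.txt'   # hypothetical path

# Strip whitespace so a trailing newline in the file does not break the unlock.
$recoveryPassword = (Get-Content -Path $keyFile -ErrorAction Stop) -join '' 
$recoveryPassword = $recoveryPassword.Trim()

foreach ($vol in $volumes) {
    $bde = Get-BitLockerVolume -MountPoint $vol -ErrorAction SilentlyContinue
    if (-not $bde) {
        Write-Warning "$vol is not a BitLocker volume (or not present), skipping."
        continue
    }
    # Skip volumes that are already open, e.g. after a warm reboot with auto-unlock.
    if ($bde.LockStatus -eq 'Unlocked') {
        Write-Output "$vol already unlocked."
        continue
    }
    try {
        Unlock-BitLocker -MountPoint $vol -RecoveryPassword $recoveryPassword -ErrorAction Stop | Out-Null
        Write-Output "$vol unlocked."
    } catch {
        # Log and keep going so one bad volume does not leave the rest locked.
        Write-Error "Failed to unlock ${vol}: $($_.Exception.Message)"
    }
}

# To run this at startup as SYSTEM (one-time setup, run as Administrator):
# schtasks /create /tn "Unlock BitLocker data drives" /sc onstart /ru SYSTEM ^
#   /tr "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\BitLockerUnlock\unlock.ps1"
```

The thing to keep in mind with this design is exactly the balance the post is about: because C: is not encrypted, the recovery password in that file is only as safe as the file's ACL and physical access to the box, so anyone who can pull the OS disk can read it. Auto-unlock gives you unattended reboots; the price is that the data drives are only protected when they are separated from the server.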
So here’s how I set this up on a Gen7 microserver, the same TPM chip works for the Gen8.
(Oh, and as an aside, when installing 2012R2 on a Gen7, DISABLE the network card in the BIOS, install the OS, get the BIOS update on there, reboot the machine, then install the NIC driver. If you do not disable the network card the machine gets stuck on finding devices.)
So you buy your TPM card. The cheapest price was at amazon.com; newegg.com is more expensive.
Install the card in the slot right at the very front of the box.
That open slot right in front of the tray handle is your TPM chip location.
(Here it is a bit closer up.)
Put it in the slot, then put in that funky plastic thing that makes the TPM more stable. Once you install this, consider it ‘used forever’ and never move it from this server. You can’t play with it and then move it to another server: the keys it seals are tied to this board, so a moved TPM won’t unlock anything it protected here.
Go into the BIOS, enter Advanced and enable the TPM security setting.
Change Disabled to Enabled.
Reboot the box.
On a server you go into Server Manager, Roles and Features, and enable the BitLocker Drive Encryption feature.
Here’s the next trick: once you reboot you expect that when you go into Control Panel, System and Security, the BitLocker GUI will be there. Oh no, it’s not.
You need to either stick in a previously BitLockered thumb drive for the BitLocker GUI to show up – or you right mouse click a data drive and you get the option to encrypt the drive.
But bottom line, that info here:
at step three is wrong for Servers. There is no GUI like that until you encrypt your first thing. Then you get that GUI.
Once you encrypt your first drive, then you get the Manage section.
Make sure you save the recovery key (the 48-digit recovery password); without it a locked drive stays locked.
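Because the GUI does not show up on a server until something is already encrypted, the feature install, first encryption, and saving of the recovery password can all be done from PowerShell instead. This is an added example written for this post (not the author's commands); it assumes 2012 R2 with the BitLocker module, a data volume D:, and a hypothetical file path on removable media for the saved key.

```powershell
# Added example, not from the original post. Turn on BitLocker for a data volume
# and capture the recovery password before anything else happens.
# Assumptions: Windows Server 2012 R2, run as Administrator, data volume D:,
# removable drive R: plugged in to hold the printed/saved key (hypothetical).
$mountPoint = 'D:'
$keyBackup  = 'R:\bitlocker-D-recovery.txt'   # hypothetical path on a USB stick

# 1. Feature install (this is what the Server Manager click does).
if ((Get-WindowsFeature -Name BitLocker).InstallState -ne 'Installed') {
    Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools
    Write-Warning 'BitLocker feature installed; reboot and re-run this script.'
    return
}

# 2. Encrypt the data volume with a recovery password protector.
#    -UsedSpaceOnly makes the first encryption fast on a mostly empty drive.
$vol = Get-BitLockerVolume -MountPoint $mountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $mountPoint -EncryptionMethod Aes256 `
        -RecoveryPasswordProtector -UsedSpaceOnly | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $mountPoint
}

# 3. Pull the recovery password out and save it somewhere that is NOT this server.
$rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $rp) { throw "No recovery password protector found on $mountPoint" }

$record = @(
    "Volume:         $mountPoint"
    "Protector ID:   $($rp.KeyProtectorId)"
    "Recovery key:   $($rp.RecoveryPassword)"
    "Saved:          $(Get-Date -Format s)"
) -join "`r`n"
Set-Content -Path $keyBackup -Value $record
Write-Output "Recovery password for $mountPoint written to $keyBackup"

# 4. Quick check that the volume is actually protected, not just encrypting.
Get-BitLockerVolume -MountPoint $mountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

ProtectionStatus should read On and VolumeStatus will move from EncryptionInProgress to FullyEncrypted; the recovery password line in the saved file is the value you later hand to -RecoveryPassword when unlocking.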
And finally decide how you want to manage this. Manually mounting each drive after every reboot? Or balancing ease of use by setting up a script or a task to auto-mount the drives, accepting that the key then lives on the box?
Bottom line: you have to find the right balance.