Archive for the ‘Bitlocker’ Category

Windows Server 2012 Added BitLocker to CSV: How to Configure an Encrypted BitLocker CSV

BitLockering the CSV and its problems: the do's and don'ts, or how to destroy your cluster unplanned and unprepared.

One of the big improvements in Server 2012 is security: BitLocker on CSV volumes.

BitLocker encrypted cluster disks

Support for traditional failover disks

Support for Cluster Shared Volumes

Volumes decrypted by each node using the Cluster Name Object (CNO) common identity

Enables physical security for deployments outside of secure datacenters

Branch office deployments

Volume level encryption for compliance requirements

 

But how do you set this up? Easy, yes. But will it work? There are a lot of badly configured setups and problems, and no real-world solutions.

Well, I made a guide on what to expect and what not.

Well, I deployed a fresh new cluster and put in a few disks, and we are ready to go.

My cluster disks, and what more do I need? This is it.

So go to PowerShell and run manage-bde.

A nice overview of the command and what you can do with it.

OK, let's see what the status of a CSV is:

manage-bde.exe -status c:\clusterstorage\volume5

OK, not encrypted (yet).

This is nice. What else can we do? Encrypt?

Yes, let's do this.

The most common mistake is to do the wrong steps, for example if you do this as your first step:

manage-bde.exe c:\clusterstorage\volume5 -protectors -add -sid MVPHIGHSEC01$

Key Protectors Added:

ERROR: An error occurred (code 0x803100ad):

This command can only be performed from the coordinator node for the specified CSV volume.

Yes, as always with CSV, do this on the coordinator node.

So I flip the disk to the right node and start again:

manage-bde.exe c:\clusterstorage\volume5 -protectors -add -sid MVPHIGHSEC01$

ERROR: An error occurred (code 0x803100ae):

This command cannot be performed on a volume when it is part of a cluster.

OK, I forgot to use maintenance mode.

And it seems that I was using the wrong command!

Now let's do this: manage-bde.exe -on c:\clusterstorage\volume5 -recoverypassword

The -on option enables BitLocker on CSV volume 5 and shows me the recovery password.

Numerical Password:

ID: {2C7A5860-8856-42FB-BDBE-15AAFA2DE1FD}

Password:

663278-615318-333696-462077-196240-510444-269610-301004

ACTIONS REQUIRED:

1. Save this numerical recovery password in a secure location away from

your computer:

663278-615318-333696-462077-196240-510444-269610-301004

To prevent data loss, save this password immediately. This password helps

ensure that you can unlock the encrypted volume.

Encryption is now in progress.

Now a common mistake is to enable the disk for usage at this point. DO NOT DO THIS.

But you need to run this:

manage-bde.exe c:\clusterstorage\volume5 -protectors -add -sid MVPHIGHSEC01$

This command gives the cluster access to the encrypted volume.

If you don't know the cluster name, run Get-Cluster and append a $ to the name.

You will see this error:

ERROR: An error occurred (code 0x80090034): (this means you do not have a Windows 2012 DC)

So do I need 2012 as a DC? Eh, yes. I did not try this with only a forestprep and a domainprep, but the best way to go is to get your DC to Windows 2012.

But it can be run in Windows 2008 R2 mode.

 

But how do I get a properly configured BitLocker-encrypted CSV cluster disk?

This is how.

First, get the disk that will be encrypted.

Put the disk in maintenance mode, or do this in PowerShell:

Get-ClusterSharedVolume "cluster disk 4" |suspend-clusterresource -force

Find the status of the disk:

manage-bde.exe -status c:\clusterstorage\volume1

The CSV volume number is not the same as the cluster disk number!

manage-bde.exe -on c:\clusterstorage\volume1 -recoverypassword

Write the password to a text file or put it somewhere safe; in a recovery you will need this.

Numerical Password:

ID: {5DAE43EF-6495-4D1D-8914-F3549BCD5D88}

Password:

050160-565081-401269-567600-006600-688479-006831-304645

And the last step:
manage-bde.exe c:\clusterstorage\volume1 -protectors -add -sid MVPHIGHSEC01$

This gives your cluster access to the BitLocker disk.

That is all, but as always on a cluster, keep in mind what you are doing.
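
The working sequence above as one script, with guards for the two errors hit earlier (0x803100ad and 0x803100ae). This is an added example, not the author's code: the disk name and recovery-file path are placeholders, and it assumes manage-bde returns a non-zero exit code on failure.

```powershell
# Added example: the page's manage-bde steps in order, with guard checks.
# Assumptions: run elevated on a cluster node; disk name and file path are placeholders.
param(
    [string]$DiskName     = 'Cluster Disk 4',             # cluster resource name (placeholder)
    [string]$RecoveryFile = 'E:\escrow\csv-recovery.txt'  # placeholder; move this file off the cluster afterwards
)
$ErrorActionPreference = 'Stop'
Import-Module FailoverClusters

$csv = Get-ClusterSharedVolume -Name $DiskName
# The CSV volume number differs from the cluster disk number, so read the path from the resource.
$vol = $csv.SharedVolumeInfo[0].FriendlyVolumeName
$cno = (Get-Cluster).Name + '$'    # Cluster Name Object account, e.g. MVPHIGHSEC01$

# Guard for 0x803100ad: manage-bde must run on the coordinator (owner) node.
if ($csv.OwnerNode.Name -ne $env:COMPUTERNAME) {
    throw "Run this on the coordinator node $($csv.OwnerNode.Name), or move the CSV here first."
}

# Guard for 0x803100ae: the volume must be in maintenance mode before BitLocker touches it.
$csv | Suspend-ClusterResource -Force | Out-Null

function Invoke-Bde {
    param([string[]]$BdeArgs)
    $out = & manage-bde.exe @BdeArgs
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($BdeArgs -join ' ') failed:`n$($out -join "`n")"
    }
    $out
}

Invoke-Bde @('-status', $vol)
# Enable BitLocker; the recovery password goes to the file instead of the console.
Invoke-Bde @('-on', $vol, '-recoverypassword') | Out-File -FilePath $RecoveryFile -Encoding ascii
# Give the CNO access BEFORE the disk goes back into service.
Invoke-Bde @('-protectors', '-add', $vol, '-sid', $cno)
# Show the protector list so the SID protector can be confirmed by eye.
Invoke-Bde @('-protectors', '-get', $vol)

# Only now take the disk out of maintenance mode.
$csv | Resume-ClusterResource | Out-Null
```

If any step throws, the disk stays in maintenance mode, so a volume without the CNO protector is never handed back to the cluster.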

Today the MBAM 2.0 Beta 2 was also released; play with it and test it before production.

Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 beta

Posted November 6, 2012 by Robert Smit in Bitlocker
