BitLocker on CSV and its problems: the do's and don'ts, or how to destroy your cluster unplanned and unprepared
One of the big security improvements in Windows Server 2012 is BitLocker for CSV volumes.
BitLocker encrypted cluster disks
Support for traditional failover disks
Support for Cluster Shared Volumes
Volumes decrypted by each node using the Cluster Name Object (CNO) common identity
Enables physical security for deployments outside of secure datacenters
Branch office deployments
Volume level encryption for compliance requirements
But how do you set this up? Easy? Yes. But will it work? There are a lot of badly configured setups and problems out there, and not many real-world solutions.
So I wrote a guide on what to expect and what not to do.
I deployed a fresh new cluster, added a few disks, and we are ready to go.
My cluster disks. That is all I need.
So open an elevated PowerShell prompt and run manage-bde (it needs the BitLocker Drive Encryption feature installed on every node).
Running it without arguments gives a nice overview of the command and what you can do with it.
OK, let's see what the status of a CSV is:
manage-bde.exe -status c:\clusterstorage\volume5
This is nice. What else can we do? Encrypt?
Yes, let's do this.
The most common mistake is doing the steps in the wrong order. If you start with this as your first step:
manage-bde.exe c:\clusterstorage\volume5 -protectors -add -sid MVPHIGHSEC01$
Key Protectors Added:
ERROR: An error occurred (code 0x803100ad):
This command can only be performed from the coordinator node for the specified CSV volume.
Yes, as always with CSV: do this on the coordinator node.
So I move the disk to the right node and try again:
manage-bde.exe c:\clusterstorage\volume5 -protectors -add -sid MVPHIGHSEC01$
ERROR: An error occurred (code 0x803100ae):
This command cannot be performed on a volume when it is part of a cluster.
OK, I forgot to put the volume in maintenance mode,
and it seems I was also using the wrong command!
Now let's do this: manage-bde.exe -on c:\clusterstorage\volume5 -recoverypassword
The -on option enables BitLocker on CSV volume 5, and -recoverypassword creates a numerical recovery password protector and shows it to me:
Numerical Password:
ID: {2C7A5860-8856-42FB-BDBE-15AAFA2DE1FD}
Password:
663278-615318-333696-462077-196240-510444-269610-301004
ACTIONS REQUIRED:
1. Save this numerical recovery password in a secure location away from
your computer:
663278-615318-333696-462077-196240-510444-269610-301004
To prevent data loss, save this password immediately. This password helps
ensure that you can unlock the encrypted volume.
Encryption is now in progress.
Now a common mistake is to take the disk out of maintenance mode and put it back in use at this point. DO NOT DO THIS.
First you need to run this:
manage-bde.exe c:\clusterstorage\volume5 -protectors -add -sid MVPHIGHSEC01$
This command adds the Cluster Name Object (CNO) as a protector, which gives the cluster (every node) access to the encrypted volume.
If you don't know the cluster name, run Get-Cluster and use that name with a $ appended, as you would for any computer account.
If your domain has no Windows Server 2012 domain controller you will see this error:
ERROR: An error occurred (code 0x80090034): (this means you do not have a Windows Server 2012 DC)
So do I need a Windows Server 2012 DC? Eh, yes. I did not try this with only a forestprep and a domainprep, but the best way to go is to get a DC on Windows Server 2012.
The domain can still run at the Windows Server 2008 R2 functional level.
So how do I get a correctly configured BitLocker-encrypted CSV cluster disk?
This is how.
First, pick the disk that will be encrypted.
Put the disk in maintenance mode in Failover Cluster Manager, or do it in PowerShell:
Get-ClusterSharedVolume "Cluster Disk 4" | Suspend-ClusterResource -Force
Check the status of the disk:
manage-bde.exe -status c:\clusterstorage\volume1
The CSV volume number is not the same as the cluster disk number! Check the mount path of the CSV (for example the SharedVolumeInfo of the cluster disk) before you encrypt the wrong volume.
manage-bde.exe -on c:\clusterstorage\volume1 -recoverypassword
Write the recovery password down or store it somewhere safe (not on the cluster itself); in a recovery you will need it.
Numerical Password:
ID: {5DAE43EF-6495-4D1D-8914-F3549BCD5D88}
Password:
050160-565081-401269-567600-006600-688479-006831-304645
And the last step:
manage-bde.exe c:\clusterstorage\volume1 -protectors -add -sid MVPHIGHSEC01$
This gives your cluster access to the BitLocker disk. Only now can you take the disk out of maintenance mode again.
That is all, but as always on a cluster, keep in mind what you are doing.
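To show the whole procedure in one go, including the coordinator-node and maintenance-mode checks that produced the errors earlier in this post and the volume-number-versus-disk-number caveat, here is an added example script. This is not the post's own script: it assumes the BitLocker feature is installed on every node, that it runs elevated on a cluster node in a domain with a Windows Server 2012 DC, and that the cluster disk name "Cluster Disk 4" is a placeholder for your own disk. It deliberately does not resume the CSV if the SID protector could not be added, because that is exactly the "DO NOT DO THIS" situation described above.

```powershell
# Added example (not from the original post): encrypt one CSV end to end.
# Assumes: BitLocker feature installed on all nodes, elevated PowerShell on a
# cluster node, a Windows Server 2012 DC in the domain, and a placeholder
# cluster disk name "Cluster Disk 4".
param(
    [string]$ClusterDiskName = "Cluster Disk 4"
)

Import-Module FailoverClusters -ErrorAction Stop

# The SID protector must name the Cluster Name Object as a computer account,
# i.e. the cluster name with a trailing $ (what the post does by hand).
$cnoAccount = "$((Get-Cluster).Name)`$"

$csv = Get-ClusterSharedVolume -Name $ClusterDiskName -ErrorAction Stop

# CSV volume number != cluster disk number: read the real mount path
# (C:\ClusterStorage\VolumeN) from the volume instead of guessing it.
$mountPath = ($csv.SharedVolumeInfo | Select-Object -First 1).FriendlyVolumeName
Write-Host "Cluster disk '$ClusterDiskName' is mounted at $mountPath"

# manage-bde only accepts CSV commands on the coordinator (owner) node
# (error 0x803100ad otherwise), so move the CSV to this node first if needed.
if ($csv.OwnerNode.Name -ne $env:COMPUTERNAME) {
    Move-ClusterSharedVolume -Name $ClusterDiskName -Node $env:COMPUTERNAME | Out-Null
}

# Maintenance mode: without it manage-bde refuses with 0x803100ae.
Suspend-ClusterResource -Name $ClusterDiskName -Force | Out-Null

# Status before encryption; expect "Fully Decrypted" on a fresh disk.
manage-bde.exe -status $mountPath

# Turn BitLocker on and create a numerical recovery password protector.
# (Assumption: manage-bde returns a non-zero exit code on failure.)
$onOutput = & manage-bde.exe -on $mountPath -RecoveryPassword 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "manage-bde -on failed, CSV left in maintenance mode:`n$($onOutput -join "`n")"
}

# Pull the 48-digit recovery password out of the output so it can be escrowed
# somewhere safe (a vault, AD DS or MBAM), never only on the cluster itself.
$pwdMatch = $onOutput | Select-String -Pattern '(\d{6}-){7}\d{6}' | Select-Object -First 1
if ($pwdMatch) {
    $recoveryPassword = $pwdMatch.Matches[0].Value
    Write-Host "Recovery password for ${mountPath}: $recoveryPassword  <- escrow this now"
}

# Add the CNO as a protector so every node can unlock the volume.
# Error 0x80090034 here means the domain has no Windows Server 2012 DC.
$sidOutput = & manage-bde.exe -protectors -add $mountPath -sid $cnoAccount 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Adding the SID protector failed; '$ClusterDiskName' stays in maintenance mode so no node brings it online unprotected."
    throw ($sidOutput -join "`n")
}

# Show the protectors: a Numerical Password and a SID protector for the CNO.
manage-bde.exe -protectors -get $mountPath

# Only now is it safe to bring the CSV back online.
Resume-ClusterResource -Name $ClusterDiskName | Out-Null
manage-bde.exe -status $mountPath
```

Run it once per CSV from any node; it moves the CSV to itself, so the coordinator-node error never appears. The recovery password is printed to the console on purpose so you cannot miss it; in production feed it to your escrow (AD DS or MBAM) instead of leaving it in a console buffer.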
Today MBAM 2.0 Beta 2 was also released; play with it and test it before putting it in production.
Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 beta