Does disk encryption on a Hyper-V partition work, and is it effective and stable?

bitlocker, disk-encryption, hipaa, hyper-v, windows-server-2012-r2

I have a new health care IT customer requirement. Their file server is a virtual 2012 R2 running on a Dell PE with 2012 R2 Hyper-V. The Dell PE with 2012 R2 Hyper-V has two partitions: the 1st partition is for the 2012 R2 OS and the 2nd partition is where Windows 2012 R2 hosts the virtual machines.
Is it a good idea to enable Bitlocker on the 2nd partition where the virtual machines reside?
What are the pros and cons?
Are there other solutions?
Need to have their data encrypted by mid-June. Thanks.

Best Answer

Yes, you should use BitLocker from the Hyper-V parent partition to encrypt drives that store VM files/virtual hard drives.

From TechNet:

You should use BitLocker Drive Encryption on all volumes that store VM files.

The article is a little old, but it's still relevant. Both BitLocker and Hyper-V have gotten better since it was written.

Bitlocker encrypts the data at rest. Once the operating system is booted, the drive is "unlocked" and is still susceptible to being compromised while it's running. But when the server is powered down, the data will be locked up tight.

You need a TPM chip before BitLocker becomes really effective. It can technically be used with a USB stick, but that has serious drawbacks... you really want a TPM on your server's motherboard.

If you have really new hardware and can upgrade to Server 2016, you can have Shielded VMs, which are also dependent on modern TPM hardware and can encrypt the VMs so that they are shielded even from the host OS.
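The procedure the answer describes, turned into a host-side script, as an added example that is not part of the original post. It assumes the VM volume is D:, the host runs Server 2012 R2 with the BitLocker feature already installed, the OS volume is already BitLocker-protected with a TPM protector, and Group Policy is configured to allow recovery-password backup to AD DS; the drive letter and those preconditions are assumptions, not facts from the question. The security-relevant detail it makes explicit is the unlock chain: a data volume on a server has to unlock unattended at boot, which BitLocker does by keying its auto-unlock secret to the OS volume, so the OS volume's TPM protector is what the VM volume's protection ultimately rests on.

```powershell
# Added example, not from the original post. Assumptions: VM volume is D:,
# BitLocker feature installed, OS volume already TPM-protected, AD DS
# recovery-password escrow allowed by Group Policy.
#Requires -RunAsAdministrator
$VmVolume = 'D:'

# 1. The TPM is what binds the OS-volume key to this hardware; without it the
#    auto-unlock chain below has nothing trustworthy to hang off.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present/ready; enable it in firmware and take ownership before continuing."
}

# 2. Data-volume auto-unlock is only as strong as the OS volume that stores
#    the unlock key, so refuse to continue until the OS volume is protected.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($osVol.ProtectionStatus -ne 'On') {
    throw "$($env:SystemDrive) is not BitLocker-protected; encrypt the OS volume with a TPM protector first."
}

# 3. Show which VMs actually live on the volume, so no VHD on some other disk
#    is silently left unencrypted.
$allVhds   = Get-VM | Get-VMHardDiskDrive
$onVolume  = $allVhds | Where-Object { $_.Path -like "$VmVolume*" } | Select-Object VMName, Path
$offVolume = $allVhds | Where-Object { $_.Path -notlike "$VmVolume*" }
$onVolume | Format-Table -AutoSize
if ($offVolume) {
    Write-Warning "VHDs outside ${VmVolume} will NOT be covered: $($offVolume.Path -join ', ')"
}

# 4. Encrypt the whole volume, not just used space: it has already held PHI,
#    so free space may still contain blocks of old VHDs. Aes256 is the
#    strongest method 2012 R2 offers; the XTS modes need Server 2016 or later.
$vol = Get-BitLockerVolume -MountPoint $VmVolume
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $VmVolume -EncryptionMethod Aes256 -RecoveryPasswordProtector
}

# 5. Escrow the recovery password in AD DS (the only way back in if the host
#    dies), then let the TPM-protected OS volume unlock D: at boot so the VMs
#    can start without someone typing a key.
$rp = (Get-BitLockerVolume -MountPoint $VmVolume).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $VmVolume -KeyProtectorId $rp.KeyProtectorId
Enable-BitLockerAutoUnlock -MountPoint $VmVolume

# 6. Report. Encryption runs in the background; VolumeStatus shows
#    EncryptionInProgress until the conversion is complete.
Get-BitLockerVolume -MountPoint $VmVolume |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, AutoUnlockEnabled
```

Two caveats follow from the chain the script sets up. First, auto-unlock means the protection is exactly what the answer says: a powered-off or pulled drive is opaque, but an attacker who walks off with the entire server and boots it intact gets the VM volume unlocked by the TPM, so the host's physical and OS security still matter. Second, confirm the recovery password actually landed in AD before relying on it; a failed `Backup-BitLockerKeyProtector` (for example, when the Group Policy escrow setting is missing) leaves the printed recovery password as the only copy.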
