
To enable BitLocker encryption on Windows Server, you first need to install the BitLocker Drive Encryption feature.

The operating system volume must use the NTFS file system (BitLocker can also encrypt FAT32- and exFAT-formatted data volumes, but NTFS is the normal choice on a server). To install the feature in Server Manager, select Add Roles And Features and then follow these steps:

1. Select Role-Based Or Feature-Based Installation.

2. On the Select Features page, select BitLocker Drive Encryption. You’ll be prompted to add additional supporting features, as shown in Figure 2-30.

FIGURE 2-30 The Add Features That Are Required For BitLocker Drive Encryption? page

3. The actual supporting features that will be added depend on which features are already installed on the server. Click Add Features and then click Next.

4. Click Install to complete the installation. At least one restart is required.

To install BitLocker by using Windows PowerShell, use the following command:

Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature `
    -IncludeManagementTools -Restart

Enabling BitLocker protectors

When enabling BitLocker from the command line, it's good practice to add BitLocker protectors before enabling BitLocker on a volume. At a minimum, add the recovery password protector so that you have a way to recover if your hardware changes. Even small changes to firmware, boot configuration, or disk layout can alter the TPM's boot measurements and force the volume into recovery mode. Keep a copy of the recovery password in a safe place that is accessible in an emergency, but not on or with the computer you're trying to protect.

The other protector you should add is the recovery key protector. This protector writes a recovery key to a USB key, allowing you to recover and boot by inserting the USB key. Keep this key in a safe place separate from the server it is protecting.

You can add a BitLocker protector with the Add-BitLockerKeyProtector cmdlet or with the manage-bde.exe command-line utility. Each command adds only one protector at a time. To add the recovery password protector with a default, generated, numerical key and then add the recovery key protector to the operating system drive (C:), use the following Windows PowerShell commands:


Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector

Add-BitLockerKeyProtector -MountPoint C: -RecoveryKeyProtector -RecoveryKeyPath <string>

In the second of these commands, replace <string> with the path to the USB key onto which you want to write the recovery key.

To add the same protectors by using the manage-bde command, use the following:


manage-bde -protectors -add C: -RecoveryPassword

manage-bde -protectors -add C: -RecoveryKey <string>

The available protectors are as follows:

Recovery password

Recovery key

Startup key

Certificate

TPM (operating system drive only)

Password (data drives only)

TPM and PIN

TPM and startup key

TPM and PIN and startup key

AD DS (data drives only)

Enabling BitLocker encryption of the operating system drive

You can enable BitLocker from the command line, with the manage-bde command, or with the Windows PowerShell Enable-BitLocker cmdlet.

Note: Using the BitLocker Drive Encryption control panel

When you install the BitLocker feature in Windows Server 2012 R2, the control panel application is not normally visible until you encrypt your first volume, unless you have the Desktop Experience feature installed (you normally would not, except on a Remote Desktop Session Host computer). If you have Desktop Experience installed, you can use the BitLocker Drive Encryption control panel application for your first volume encryption.

BitLocker works best with a TPM of at least version 1.2. The TPM does not perform the volume encryption itself; Windows encrypts the volume with AES. Instead, the TPM seals the key that protects the volume and releases it at boot only if the measured firmware and boot components match the values recorded when protection was enabled. If the hardware or boot path changes in any significant way, the TPM will not release the key and BitLocker demands a recovery password or recovery key. If the affected volume is the operating system volume, Windows Server can't boot until you supply one.
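The following script is an added example, not code from the book, that carries the chapter's advice through end to end on the operating system volume: check for a usable TPM, add the recovery password protector first, escrow the password off the server, and only then enable BitLocker bound to the TPM. It assumes an elevated session on a server where the BitLocker feature is already installed, that C: is the operating system volume, and that the escrow path ($ExportPath) and the AD DS backup policy are in place; both of those are assumptions, not something the chapter specifies.

```powershell
# Added example (not from the book). Assumes: elevated PowerShell, BitLocker feature
# installed, TPM 1.2+ present and owned, C: is the OS volume. $ExportPath is an
# assumed location that must NOT be on the server being protected.

$MountPoint = 'C:'
$ExportPath = '\\backupsrv\bitlocker-escrow'   # assumption: an off-box share

# 1. Pre-flight: a TPM that is present and ready, and a volume that is still plaintext.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    throw 'TPM is not present or not ready; initialize it before enabling BitLocker.'
}
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$MountPoint is already $($vol.VolumeStatus); nothing to do."
}

# 2. Add the recovery password protector FIRST, so there is always a way back in
#    before the volume is tied to this machine's boot measurements.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -Last 1

# 3. Escrow the 48-digit recovery password somewhere other than this server.
#    Backup-BitLockerKeyProtector stores it in AD DS (needs the BitLocker recovery
#    Group Policy and schema); the file export is the fallback if that fails.
try {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId | Out-Null
} catch {
    Write-Warning "AD DS backup failed: $($_.Exception.Message)"
}
"$env:COMPUTERNAME $MountPoint $($recovery.KeyProtectorId) $($recovery.RecoveryPassword)" |
    Out-File -FilePath (Join-Path $ExportPath "$env:COMPUTERNAME-C.txt") -Append

# 4. Turn encryption on with the TPM as the boot-time protector. Without
#    -SkipHardwareTest, BitLocker schedules a hardware test: the server restarts,
#    proves the TPM can release the key, and only then starts encrypting.
Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod Aes256 -UsedSpaceOnly | Out-Null
# Restart-Computer -Force   # run when ready; encryption begins after the test passes

# 5. Status check to run after the restart. Expect ProtectionStatus 'On' and the
#    protector list to show both Tpm and RecoveryPassword.
function Get-OsVolumeProtection {
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
            @{ Name = 'Protectors'; Expression = { ($_.KeyProtector.KeyProtectorType | Sort-Object) -join ',' } }
}
Get-OsVolumeProtection
```

The same sequence with manage-bde is `manage-bde -protectors -add C: -RecoveryPassword`, `manage-bde -protectors -add C: -tpm`, then `manage-bde -on C: -UsedSpaceOnly`; `manage-bde -status C:` is a useful cross-check of what the cmdlet reports.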

Suspending BitLocker

Whenever you need to change the hardware or firmware (BIOS/UEFI) of a BitLocker-protected server, or install system updates that touch boot components, suspend BitLocker on the operating system drive first so that the server can still boot after the change. By default the suspension lasts for a single restart; the -RebootCount parameter extends it to more than one. Suspending does not decrypt the volume. Instead, BitLocker writes a clear key to the volume metadata that unlocks the volume master key without the TPM, so anyone with physical access to the disk can read it while protection is suspended. New data written to the volume is still encrypted, and BitLocker skips the startup integrity check, so Windows Server starts even after a change that would normally have triggered recovery. To suspend BitLocker, use the BitLocker Drive Encryption control panel item or the Suspend-BitLocker cmdlet. For a suspension on the C: drive lasting three restarts, use this:


Suspend-BitLocker -MountPoint C: -RebootCount 3

If you specify a RebootCount of 0, BitLocker is suspended until you resume BitLocker protection by using the Resume-BitLocker cmdlet.
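The following is an added example, not code from the book, showing how to wrap a firmware or boot-component change in a suspend/verify cycle so that the operating system volume never stays unprotected by accident. It assumes an elevated session and that C: is the operating system volume; the two function names are this example's own, and the maintenance step between them (the firmware update and the restart) is left to you.

```powershell
# Added example (not from the book). Assumes elevated PowerShell and C: as the OS volume.
# Run Suspend-ForMaintenance before the change and restart, then Confirm-Resumed after.

$MountPoint = 'C:'

function Get-ProtectionStatus {
    (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
}

function Suspend-ForMaintenance {
    # One restart is the safe default. Never use -RebootCount 0 for maintenance: that
    # leaves the volume master key protected only by the clear key until someone
    # remembers to run Resume-BitLocker.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    if ((Get-ProtectionStatus) -ne 'Off') {
        throw "Suspend did not take effect on $MountPoint"
    }
    Write-Host "$MountPoint suspended for one restart; apply the change and reboot now."
    # ... apply the firmware/BIOS update or install the servicing package here ...
    # Restart-Computer -Force
}

function Confirm-Resumed {
    # After the restart BitLocker re-arms itself and the TPM seals the key against the
    # new boot measurements. Verify rather than assume; if protection is still Off,
    # resume explicitly.
    if ((Get-ProtectionStatus) -eq 'Off') {
        Write-Warning "$MountPoint still suspended after restart; resuming."
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }
    if ((Get-ProtectionStatus) -ne 'On') {
        throw "BitLocker protection is still off on $MountPoint"
    }
    Write-Host "$MountPoint protection is On."
}

function Find-SuspendedVolumes {
    # Housekeeping for any server: a volume that is fully encrypted but shows
    # ProtectionStatus Off is suspended (typically a forgotten -RebootCount 0).
    Get-BitLockerVolume |
        Where-Object { $_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'Off' } |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus
}

# Typical use:
#   Suspend-ForMaintenance      # then update firmware and restart
#   Confirm-Resumed             # in a new session after the restart
#   Find-SuspendedVolumes       # periodically, to catch indefinite suspensions
```

Note that RebootCount counts restarts, not days: a server that does not restart stays suspended, so Find-SuspendedVolumes is worth scheduling regardless of how you run maintenance.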

Locking or unlocking BitLocker volumes

You can lock a BitLocker volume to prevent any access to the volume by using the Lock-BitLocker cmdlet. The volume remains locked until it is unlocked with the Unlock-BitLocker cmdlet. Operating system volumes can’t be locked.

Enabling and disabling auto-unlock of a BitLocker volume

Data volumes and removable drives that are encrypted by BitLocker can be automatically unlocked whenever they are present in the host computer. You can't automatically unlock the operating system volume. After the operating system volume is unlocked at startup, BitLocker uses encrypted information in the registry and volume metadata to unlock any data volumes that have automatic unlocking enabled. Because those keys are protected by the operating system volume, auto-unlock requires the operating system volume to be BitLocker-protected. To enable auto-unlock of a BitLocker volume, use the BitLocker Drive Encryption control panel item or the Enable-BitLockerAutoUnlock cmdlet. You can disable the auto-unlock feature of one or more BitLocker volumes by using the Disable-BitLockerAutoUnlock cmdlet. You can clear all automatic unlocking keys on a server with the Clear-BitLockerAutoUnlock cmdlet. Clear the automatic unlocking keys for data volumes before disabling BitLocker on the operating system volume; otherwise those data volumes would have no way to unlock at the next boot.

Disabling BitLocker encryption on a volume

When you want to remove the BitLocker encryption on a volume, you can disable BitLocker on that volume by using the BitLocker Drive Encryption control panel item or by using the Disable-BitLocker cmdlet. Disabling BitLocker encryption on a volume removes all key protectors on the volume and begins decrypting the data on the volume.
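The following is an added example, not code from the book, that walks a data volume through the operations covered in the last three sections: encrypt it with a recovery password, enable auto-unlock, lock and unlock it on demand, and then tear it down in the order the chapter recommends. It assumes an elevated session, that D: is an NTFS data volume, and that the operating system volume is already BitLocker-protected (auto-unlock depends on it); the wait loop and its 30-second interval are this example's own choice.

```powershell
# Added example (not from the book). Assumes elevated PowerShell, D: is an NTFS data
# volume, and C: (the OS volume) is already protected so auto-unlock keys can be stored.

$Data = 'D:'

# 1. Encrypt the data volume with a recovery password as its first protector.
Enable-BitLocker -MountPoint $Data -RecoveryPasswordProtector -EncryptionMethod Aes256 -UsedSpaceOnly | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $Data).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -Last 1
# Escrow $rp.RecoveryPassword off-box now; until auto-unlock is added it is the only protector.

# 2. Let the OS volume unlock D: automatically at boot. This adds an ExternalKey
#    protector whose key is stored encrypted under the OS volume's protection.
Enable-BitLockerAutoUnlock -MountPoint $Data | Out-Null

function Get-DataVolumeState {
    Get-BitLockerVolume -MountPoint $Data |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, LockStatus, AutoUnlockEnabled
}
Get-DataVolumeState   # expect ProtectionStatus On, LockStatus Unlocked, AutoUnlockEnabled True

# 3. Lock the volume on demand (for example before imaging the disk). -ForceDismount
#    closes open handles, so stop anything writing to D: first or unflushed data is lost.
Lock-BitLocker -MountPoint $Data -ForceDismount | Out-Null
if ((Get-BitLockerVolume -MountPoint $Data).LockStatus -ne 'Locked') {
    throw "$Data did not lock"
}

# 4. Unlock it again with the recovery password; auto-unlock still applies at the next boot.
Unlock-BitLocker -MountPoint $Data -RecoveryPassword $rp.RecoveryPassword | Out-Null

# 5. Teardown in the safe order: remove auto-unlock first, then disable BitLocker, then
#    wait for decryption to finish before treating the disk as plaintext. To strip every
#    data volume's auto-unlock key at once (required before Disable-BitLocker on C:),
#    use Clear-BitLockerAutoUnlock instead of the per-volume cmdlet.
Disable-BitLockerAutoUnlock -MountPoint $Data | Out-Null
Disable-BitLocker -MountPoint $Data | Out-Null

function Wait-ForDecryption {
    do {
        Start-Sleep -Seconds 30
        $v = Get-BitLockerVolume -MountPoint $Data
        Write-Host "$Data $($v.VolumeStatus) $($v.EncryptionPercentage)% encrypted"
    } while ($v.VolumeStatus -ne 'FullyDecrypted')
    $v
}
Wait-ForDecryption
```

Disable-BitLocker returns as soon as decryption has been scheduled, which is why the example polls VolumeStatus; a volume reporting DecryptionInProgress still has all of its key protectors removed, so do not interrupt the process by pulling the disk.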