Using BitLocker under Virtual PC / Virtual Server

MSDN Blogs > Ben Armstrong > Using BitLocker under Virtual PC / Virtual Server
Live Now on Server & Tools Blogs
Menu
Twitter Feed
Recent Posts
Tags
More
Archives
Archives
More

Using BitLocker under Virtual PC / Virtual Server

Rate This
23 Jan 2008 9:21 PM
  • Comments 11

Up until recently, I thought it was impossible to use BitLocker drive encryption under Virtual PC / Virtual Server (because the virtual machines do not have a TPM for BitLocker to use).  However, thanks to Pascal Sauliere, I now know how to do this.  It is a bit complicated - so let’s get started:

  1. Create a new virtual machine.

    Configure the virtual machine with the appropriate amount of memory and disk space for the Vista configuration that you want to use.

    Note - enabling BitLocker will cause a dynamically expanding virtual hard disk to grow to its maximum size - so make sure you choose a small enough virtual hard disk size / have enough space on your physical hard disk.

  2. Create a new virtual floppy disk.

    From the Virtual PC Console select File and Virtual Disk Wizard.  Then select Create a new virtual disk, A virtual floppy disk and specify a file name and location for the new virtual floppy disk (leave it to be a 1.44 megabyte (high density) floppy).

  3. Configure the BIOS boot options for the virtual machine.

    In order for BitLocker to work, the virtual machine needs to be configured to not try to boot off of a floppy disk.  You will need to start the new virtual machine and immediately press the ‘DEL’ key.  Once you see the BIOS configuration page, change to the Boot page and press enter on Boot Device Priority.  Select the Floppy Drive option and change it to Disabled.  Finally - press F10 to save changes and exit the BIOS.

  4. Install Windows Vista.

    Next you will need to install Windows Vista Enterprise or Ultimate Edition (only these editions support BitLocker).  But there is one trick to be aware of: The partition that is used to actually boot the system cannot be encrypted.  So when you get to the Where do you want to install Windows? press Shift + F10.  This will open a command prompt where you will need to type in:

    diskpart
    select disk 0
    clean
    create partition primary size=1500
    assign letter=S
    active
    create partition primary
    assign letter=C
    exit
    format c: /y /q /fs:NTFS
    format s: /y /q /fs:NTFS
    exit

    Now click on Refresh then complete the installation of Windows Vista on the second partition (and install Virtual Machine Additions when you are done).

  5. Attach the virtual floppy disk to the virtual machine.

    Open the Floppy menu and use Capture Floppy Disk Image to attach the virtual floppy disk created in step 2.

  6. Setup BitLocker (configured to use the floppy disk for the security key).

    Run gpedit.msc and go to Local Computer Policy, Computer Configuration, Administrative Templates, Windows Components and then BitLocker Drive Encryption.  Double click on Control Panel Setup: Enable advanced startup options, select Enabled and make sure Allow BitLocker without a compatible TPM is checked.

    Once you have done this, open an administrative command prompt and run:

    cscript c:\Windows\System32\manage-bde.wsf -on C: -rp -sk A:

    Then reboot the virtual machine

    Note - you should take a copy of your rescue key - otherwise you will be in a lot of trouble if you lose the virtual floppy disk.

  7. Confirm that BitLocker is enabled.

    After booting Windows, open the Control Panel, click on Security and then on BitLocker Drive Encryption.  This should tell you that C: is either encrypted, or currently being encrypted.

And there you have it - BitLocker is now enabled on your virtual machine.  If you have the virtual floppy disk attached - the virtual machine will boot.  If you do not have the virtual floppy disk attached - you will need to provide the security code generated by BitLocker in order to access Windows.

Cheers,
Ben

Leave a Comment
  • Please add 7 and 6 and type the answer here:
  • Post
Comments
  • Alf
    24 Jan 2008 12:39 AM

    Great. I guess it's working the same way in Hyper-V, right?

  • Joe
    24 Jan 2008 2:56 AM

    Is there happened some changes to EULA, which allow this configuration?

  • 24 Jan 2008 4:28 AM

    Alf - Yes, this would work on Hyper-V too.

    Joe - Yes, the EULA has been updated to allow this configuration: http://download.microsoft.com/documents/useterms/Windows%20Vista_Ultimate%20and%20Ultimate%20SP1,%20Supplemental_English_d512375b-79d7-41e5-852d-45f69f7378dd.pdf

  • Erik Rozman
    25 Jan 2008 11:54 AM

    Thanks!

    That's a great tip-Do you know wether a virtual TPM is in the works?

  • alt-92
    26 Jan 2008 1:56 PM

    Erik:

    Not sure why you would want that.

    A TPM is supposed to be a hardware device suitable for storing your encryption keys.

    In essence, using a USB drive (and especially in this case with a simulated floppy) is already a virtual TPM.

    To do that in software would negate the whole principle behind Bitlocker (imho).

  • Harry Johnston
    29 Jan 2008 5:24 PM

    If you configure BitLocker to require a password to boot, this should make it difficult to compromise the VM if the host machine is physically stolen, provided the host was logged out or locked or (preferably) switched off.

    Similarly it should be difficult to compromise the VM if you keep the virtual floppy disk image on removable media, unless of course said removable media was stolen along with the machine!

    If the VM can boot without a password or physical media, e.g., if you stored the encryption information on a virtual TPM or kept the virtual floppy image on the physical HDD, BitLocker will provide only weak protection.  Once the VM is booted, the host is always going to be able to take control of the guest, if necessary by directly modifying the guest's memory contents.

    Question:- wouldn't it usually be preferable to use BitLocker on the host instead of the guest?

  • Harry Johnston
    29 Jan 2008 5:44 PM

    alt-92:

    If I've understood matters correctly, the TPM also ensures that the boot sequence has not been interfered with; that is, if someone has inserted malicious code into the boot loader the TPM is supposed to refuse to disgorge the encryption keys.  That's something a virtual TPM could do that a virtual floppy can't.

    However, in a VM scenario it doesn't really help all that much as the attacker can insert the malicious code after the VM has booted.

  • Doug
    5 Feb 2008 2:22 AM

    Technically there is nothing to it. BL could always be enabled in a VM and basically it amazes me a bit as if something really new has been found.

    From a BL product group prespective, it is still not supported!

  • John
    10 Feb 2008 7:31 PM

    It worked on a fresh install of Vista Ent., but not on my company's Vista Ent. image.  I get stuck when I run the cscript command as admin. Look are the error I get:

    [URL=http://img169.imageshack.us/my.php?image=errorjs8.png][IMG]http://img169.imageshack.us/img169/2124/errorjs8.th.png[/IMG][/URL]

    Any Suggestions?

    Thank you for the help.

  • John
    11 Feb 2008 12:31 PM

    Here's a screenshot of my group policy settings specific to bitlocker:

    [URL=http://imageshack.us][IMG]http://img338.imageshack.us/img338/4579/gpeditrj0.png[/IMG][/URL]

    I'm thinking my error is a result of some configuration settings.  Please help...thanks!

  • John
    11 Feb 2008 5:18 PM

    Just wanted to post the solution I found to my problem.  check your group policy settings under group policy (start>run, type "gpedit.msc", hit enter, computer configuration>Administrative Templates>Windows Components>BitLocker Drive Encryption.

    With the exception of "Control Panel Setup: Enable advanced startup options," change all the other settings to "Not Configured." After this, reboot (not sure why.....but it would only work after a reboot for me) and then run the cscript command again.

    BOOM!!! It works =)

Page 1 of 1 (11 items)