ad-assurance - [AD-Assurance] RE: BitLocker operational issues
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: "Capehart,Jeffrey D"
- Subject: [AD-Assurance] RE: BitLocker operational issues
- Date: Fri, 24 Jan 2014 19:43:43 +0000
Yes, exactly. Thank you. Although I was wondering if that defeats the purpose behind using VMs? I suppose it should make for simpler/common operating system management for the servers hosting the DCs, at least.

From: On Behalf Of Brian Arkills

I think you meant: Would it work to add additional physical servers (Hyper-V hosts) and then perhaps restrict the DCs to the subset of Hyper-V hosts that have BitLocker full disk encryption, and not host other VMs on those Hyper-V hosts?

From: On Behalf Of Capehart,Jeffrey D

Ron, [resurrecting discussion from last summer…]

Any update on BitLocker operational issues when using VMs for Domain Controllers? Would it work to add additional physical servers and then perhaps restrict the DCs to the subset of VMs that have BitLocker full disk encryption, and not share other tenants?

Jeff

From: On Behalf Of Ron Thielen

Let me also be clear. I am not saying that we shouldn’t point out that BitLocker may be reasonable for some institutions. However, as we used to say when presenting performance and capacity planning studies, YMMV (Your Mileage May Vary). We should point that out as well.

Ron

From: On Behalf Of Ron Thielen

That depends on the risk you’re mitigating and how BitLocker on the Hyper-V host actually worked, regarding which I have no clue. For example, would that still mean that sectors were only decrypted when the virtual machine went to read a VHD sector which needed to be brought in from physical disks? It is sort of analogous to the question of whether using TPM protected disks is sufficient. The answer is “it depends.”

In my case, since we have a sort of site license for VMware, it isn’t relevant. We aren’t going to use Hyper-V. We actually found the links I cited by going to VMware first and checking whether they supported BitLocker on VMs.

Ron

From: On Behalf Of Michael W. Brogan

This link has a doc from MS that describes how to install BitLocker on a Windows 2008 Hyper-V host.

http://www.microsoft.com/en-us/download/details.aspx?id=6416

The link you cited below says “BitLocker does not support the encryption of VHDs, but does permit storage of VHDs on a BitLocker-protected drive.” and “BitLocker is not supported for use within a virtual machine. Do not run BitLocker Drive Encryption within a virtual machine. You can use BitLocker in the virtual machine management operating system to protect volumes that contain configuration files, virtual hard disks, and snapshots.”

So, just to understand better, is it the case that you can’t install BitLocker in the tenant OS but it can be installed on the Hyper-V host? And, if the latter is true, wouldn’t the tenant benefit from the disk encryption provided by the host?

--Michael

From: On Behalf Of Ron Thielen

I raised the question about BitLocker operational issues, because something was nagging at the back of my mind. I asked the Windows admins and they pointed me in the right direction.

It turns out that there is a significant issue that may affect some institutions. BitLocker is not supported in virtual environments by either Microsoft or VMware. We run some of our domain controllers on VMware VMs, so this is certainly an issue for us.

http://technet.microsoft.com/en-us/library/hh831507.aspx#BKMK_VHD and

I guess we have to decide whether to move our VMs to physical hardware and lose the advantages that virtualization provides or submit an alternative means statement for RC4.

Ron