I would like to configure whole disk encryption on all of my Domain Controllers. Is BitLocker an acceptable method to do this? What are the potential problems with whole disk encryption on a Domain Controller?


Solution 1:

Yes, using BitLocker for whole disk encryption on a DC is acceptable. However, keep in mind that BitLocker encryption is for OFFLINE disk protection. Once the DC boots, it will run with the file system unencrypted. The potential problems depend on how you configure BitLocker. For example, if you don't have a physical TPM in your servers, you will need a startup key saved on a USB device that must be inserted at boot. This could circumvent your protection if it is left in the server: if your DC is physically stolen with the USB startup key still inserted, your drive encryption is useless. Also, remember to keep your recovery key around, in case you forget a PIN (an optional requirement) or need to move the disks to new hardware.

There is also a slight performance hit when encrypting the drive.

If you are worried about security on your DCs in a low security site, you may want to consider using Read-Only DCs instead.

Solution 2:

I am generally very against FDE on servers. Servers should have tight logical security to keep out electronic attacks, and reasonable physical security to keep people from stealing the whole thing. In the rare situation where you can't implement reasonable physical security, then FDE is appropriate.

BitLocker combined with TPM-stored keys works extremely well. If the server doesn't support TPM, it will not be able to boot automatically, which may be a serious problem depending on your environment.
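Both answers turn on the same configuration choice: a TPM protector lets the DC boot unattended, while a USB startup key left in the server defeats the offline protection, and in either case you need a recovery password that lives somewhere other than the encrypted disk. The following PowerShell is an added example, not code from either answer, showing how to check for a usable TPM, enable BitLocker with a TPM protector, add a recovery password and escrow it in AD DS. It assumes Windows Server with the BitLocker feature installed (which provides the BitLocker and TrustedPlatformModule modules), that C: is the OS volume, and that the domain's BitLocker recovery policy and schema permit AD backup; those assumptions are marked in the comments.

```powershell
# Added example (not from the original answers). Assumptions: the BitLocker
# feature is installed (Install-WindowsFeature BitLocker), C: is the OS volume,
# and domain policy/schema allow recovery information to be stored in AD DS.
#Requires -RunAsAdministrator
Import-Module BitLocker
Import-Module TrustedPlatformModule

$osVolume = "C:"

# 1. Check for a usable TPM. Without one, BitLocker needs a USB startup key
#    (or a password) at every boot, which is the failure mode Solution 1 warns
#    about: a key left in the server makes the encryption pointless.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning "No ready TPM found: BitLocker would require a USB startup key at boot."
    Write-Warning "Refusing to enable BitLocker without a TPM on a DC."
    return
}

# 2. Enable BitLocker with the TPM as the boot-time protector so the DC
#    boots unattended. -SkipHardwareTest starts encryption immediately instead
#    of requiring a test reboot first.
Enable-BitLocker -MountPoint $osVolume -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest

# 3. Add a recovery password so the volume can still be unlocked if the TPM
#    measurements change (firmware update, board swap, disks moved to new
#    hardware), the case the answer tells you to keep a recovery key for.
Add-BitLockerKeyProtector -MountPoint $osVolume -RecoveryPasswordProtector | Out-Null

# 4. Escrow every recovery password on the computer object in AD DS.
$vol = Get-BitLockerVolume -MountPoint $osVolume
$recoveryProtectors = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
foreach ($rp in $recoveryProtectors) {
    Backup-BitLockerKeyProtector -MountPoint $osVolume -KeyProtectorId $rp.KeyProtectorId
}

# 5. Report the resulting state. ProtectionStatus becomes 'On' once the
#    initial encryption pass finishes; check it again after that.
$vol = Get-BitLockerVolume -MountPoint $osVolume
[pscustomobject]@{
    Volume           = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus
    ProtectionStatus = $vol.ProtectionStatus
    Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
}
```

One caveat specific to domain controllers: the AD DS copy of the recovery password lives in the NTDS database, which on a DC sits on the very volume being encrypted. With several DCs you can read it from any other one, but in a single-DC domain keep an out-of-band copy of the recovery password as well, or a failed TPM unlock leaves you with no way to reach the key.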