If you’re looking at ways to protect the data in your virtual machines and have noticed that you can’t use BitLocker inside the VMs, you’ll want to encrypt the volume that holds the VMs instead. On a stand-alone host this is straightforward, but on a cluster it takes a few extra steps so that the cluster account can unlock the drives.
The first step is to prepare the cluster nodes. Make sure the server has a TPM chip and that it is enabled in the BIOS. Then add the BitLocker feature and encrypt the boot drive. This PowerShell snippet installs BitLocker, suspends the cluster node (keep it paused until BitLocker is set up), and performs the first of two reboots.
Install-WindowsFeature BitLocker -IncludeManagementTools   # install line reconstructed from the description above; it was missing from the extracted snippet
Suspend-ClusterNode $env:COMPUTERNAME -Drain                # pause the node and move its roles elsewhere
Shutdown /r /t 0                                            # first of two reboots
After the restart, BitLocker is installed but doesn’t work yet: it doesn’t appear in the context menu and the tool crashes. Restart again to finish the setup.
Now encrypt the system drive. If you’re in a domain environment, make sure the domain is set up to store the BitLocker recovery keys in the AD computer account automatically. If not, record the recovery password somewhere manually.
Enable-BitLocker -MountPoint C: -RecoveryPasswordProtector -Confirm -UsedSpaceOnly
At this step, I confirm that the key was stored in AD correctly before proceeding. Then check that the drive is encrypting and resume the node.
Repeat on all cluster nodes before proceeding.
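The node-preparation checks described above (TPM enabled, feature installed, system drive encrypting, recovery password present in AD) can be scripted so you run the same verification on every node before resuming it. The following is an added example, not code from the original post. It assumes the BitLocker, TrustedPlatformModule, FailoverClusters and RSAT ActiveDirectory modules are available on the node, and that the account running it is allowed to read msFVE-RecoveryInformation objects under the node’s computer object; the function name Test-NodeBitLockerReady is made up for this example.

```powershell
# Added example (not from the original post). Readiness check for one cluster node:
# run it after Enable-BitLocker on the system drive and before Resume-ClusterNode.
Import-Module BitLocker, TrustedPlatformModule, ActiveDirectory, FailoverClusters

function Test-NodeBitLockerReady {
    param([string]$MountPoint = 'C:')

    $ok = $true

    # 1. TPM must be present and ready (i.e. enabled in the BIOS and initialised).
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        Write-Warning "TPM not ready (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady))"
        $ok = $false
    }

    # 2. The BitLocker feature must be installed (both reboots done).
    if (-not (Get-WindowsFeature BitLocker).Installed) {
        Write-Warning 'BitLocker feature is not installed'
        $ok = $false
    }

    # 3. The system drive needs a recovery password protector and must be encrypting or encrypted.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    if (-not $rp) {
        Write-Warning "$MountPoint has no RecoveryPassword protector"
        return $false
    }
    if ("$($vol.VolumeStatus)" -notin 'EncryptionInProgress', 'FullyEncrypted') {
        Write-Warning "$MountPoint status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% done)"
        $ok = $false
    }

    # 4. The same recovery password must exist as an msFVE-RecoveryInformation object
    #    directly under this node's computer object in AD.
    $computerDn = (Get-ADComputer $env:COMPUTERNAME).DistinguishedName
    $adKeys = Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
                -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                -Properties 'msFVE-RecoveryPassword'
    $inAd = $adKeys | Where-Object { $_.'msFVE-RecoveryPassword' -eq $rp.RecoveryPassword }
    if (-not $inAd) {
        Write-Warning "Recovery password for $MountPoint is not in AD; backing it up now"
        # Push this one protector to AD so the key is recoverable if the node is lost.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        $ok = $false   # re-run the check to confirm the backup landed before resuming
    }

    return $ok
}

if (Test-NodeBitLockerReady) {
    # All checks passed: let the node take cluster roles again.
    Resume-ClusterNode $env:COMPUTERNAME
} else {
    Write-Host 'Node is NOT ready; leave it paused and fix the warnings above.'
}
```

The AD check compares the actual recovery password string rather than just counting objects, so a stale key from an earlier encryption run does not pass as a valid backup.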
Now that all the nodes are ready, you can encrypt the CSVs. During this process the CSV goes into maintenance mode, which automatically stops the VMs, but it’s a good idea to stop them manually first to make sure they come down cleanly. Also, make sure you have a Windows 2012 / 2012 R2 domain controller; otherwise you’ll get a 0x80090034 error when trying to add the cluster account protector to the volume. Note that this must be a domain controller installed as 2012, not one upgraded to it. Don’t ask me why, it just doesn’t work.
Now run this script from the node that owns the CSV. It prompts for the name of the CSV to encrypt and puts it into maintenance mode. Then it encrypts the volume (if you aren’t storing recovery passwords in AD, record the recovery password now). Next, it adds the cluster account as a protector on the volume so the cluster can access the drive. Finally, it takes the drive out of maintenance mode.
$voltoencrypt = Read-Host "Enter the name of the volume to encrypt"
# Resolve the CSV name to its mount path under C:\ClusterStorage
$bitlockerlocation = Get-ClusterSharedVolume $voltoencrypt | Select-Object -ExpandProperty SharedVolumeInfo | Select-Object -ExpandProperty FriendlyVolumeName
# Put the CSV into maintenance mode (this stops VMs on it)
Get-ClusterSharedVolume $voltoencrypt | Suspend-ClusterResource -Force
Enable-BitLocker $bitlockerlocation -RecoveryPasswordProtector -Confirm -UsedSpaceOnly
# Cluster name object account, e.g. CLUSTER01$
$cno = (Get-Cluster).Name + '$'
# Add the cluster account as a protector so any node can unlock the volume
Add-BitLockerKeyProtector -ADAccountOrGroup $cno -ADAccountOrGroupProtector -MountPoint $bitlockerlocation -Confirm
# Take the CSV out of maintenance mode (pipe only; passing the name again as well was an error)
Get-ClusterSharedVolume $voltoencrypt | Resume-ClusterResource
Note: until the drive finishes encrypting, it will be in redirected access mode.
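Because the volume stays in redirected access mode until encryption completes, it helps to have one command that reports, per CSV, the encryption progress, whether the recovery password and cluster account protectors are present, and the CSV I/O state. The following is an added example, not code from the original post. It assumes the FailoverClusters and BitLocker modules are present, that Get-ClusterSharedVolumeState is available (2012 R2 and later), and that it is run on a node that owns the CSVs being checked, since Get-BitLockerVolume only sees mount points on the local node; the function names Get-CsvBitLockerStatus and Wait-CsvEncryption are made up for this example.

```powershell
# Added example (not from the original post): report BitLocker and CSV state for every CSV.
Import-Module FailoverClusters, BitLocker

function Get-CsvBitLockerStatus {
    $cno       = (Get-Cluster).Name + '$'
    $localNode = $env:COMPUTERNAME

    foreach ($csv in Get-ClusterSharedVolume) {
        $path = $csv | Select-Object -ExpandProperty SharedVolumeInfo |
                       Select-Object -ExpandProperty FriendlyVolumeName

        # Per-node CSV state: shows whether I/O is redirected and why.
        $state = Get-ClusterSharedVolumeState -Name $csv.Name |
                 Where-Object { "$($_.Node)" -eq $localNode }

        # Only the owner node can query BitLocker on the CSV mount point.
        if ($csv.OwnerNode.Name -ne $localNode) {
            [pscustomobject]@{
                Volume = $csv.Name; Path = $path; Owner = $csv.OwnerNode.Name
                VolumeStatus = 'n/a (run on owner node)'; PercentDone = $null
                HasRecoveryPwd = $null; HasClusterAccount = $null
                CsvState = $state.StateInfo; RedirectReason = $state.FileSystemRedirectedIOReason
            }
            continue
        }

        $vol = Get-BitLockerVolume -MountPoint $path
        # The cluster account shows up as an AdAccountOrGroup protector; the identity behind it
        # is visible with 'manage-bde -protectors -get <path>' if you need to confirm it is $cno.
        $hasCno = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'AdAccountOrGroup')
        $hasRp  = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

        [pscustomobject]@{
            Volume = $csv.Name; Path = $path; Owner = $csv.OwnerNode.Name
            VolumeStatus = "$($vol.VolumeStatus)"; PercentDone = $vol.EncryptionPercentage
            HasRecoveryPwd = $hasRp; HasClusterAccount = $hasCno
            CsvState = $state.StateInfo; RedirectReason = $state.FileSystemRedirectedIOReason
        }
    }
}

# Poll until no CSV owned by this node is still encrypting, e.g. before starting VMs again.
function Wait-CsvEncryption {
    param([int]$IntervalSeconds = 60)
    do {
        $busy = Get-CsvBitLockerStatus | Where-Object { $_.VolumeStatus -eq 'EncryptionInProgress' }
        if ($busy) {
            $busy | Format-Table Volume, PercentDone, CsvState, RedirectReason -AutoSize | Out-String | Write-Host
            Start-Sleep -Seconds $IntervalSeconds
        }
    } while ($busy)
    Write-Host 'No CSV on this node is still encrypting.'
}

Get-CsvBitLockerStatus | Format-Table -AutoSize
```

A row with HasClusterAccount set to False after the script above has run is the thing to chase first: without that protector only the node that encrypted the volume can unlock it, and a failover will land the CSV on a node that cannot.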