Bitlocker: Win10 and Windows Server Builtin-Harddrive Encryption (Restart safe)


Post by Dravion » 2018-11-23 20:37

Lately we as admins are challenged by new regulations like PCI DSS and GDPR, and we need to address them.

In my previous tutorial, I introduced VeraCrypt, a free open-source solution which works fine on any recent Windows
version (including the Home edition), but it has the bottleneck that it requires user interaction or a Windows autologin user to
mount formatted VeraCrypt Windows partitions or encrypted containers. It is also not possible to use a USB stick as a keyfile
authenticator. In such scenarios, Microsoft's built-in solution "BitLocker" is a useful option.

Tutorial start
First we need at least a Windows 10 Pro version or better, like Enterprise Edition, or Windows Server 2008 R2, 2012 or 2016.
You can use a VM with Windows 10 Pro installed to follow all steps. You also need a USB thumb drive.

Attention:
Any form of file encryption and decryption requires computation and can stress your CPU, so decide wisely what to encrypt!

Let's begin:
1) Go to "This PC" and look for your hard drive C:\
2) Right-click on it and click "Turn on BitLocker"

Next you will probably see a dialog and an error message because you have no TPM chip on your mainboard or don't want to use it.
In this case, close the BitLocker window and follow the instructions below:

1) In the Windows Start menu, type in: gpedit.msc and press ENTER
2) Navigate to the following category/option structure,

enable it and click OK
(screenshot: BT_GPEdit_edit.jpg)
Now repeat the initial steps and you will see:
01) Go to "This PC" and look for your hard drive C:\
02) Right-click on it, click "Turn on BitLocker" and wait a few seconds
03) In the new dialog click "USB flash drive" (Password would require a person typing in a password on every reboot)
04) Select the USB thumb drive you've just plugged in (it won't be erased, BitLocker only writes a cleartext file to it)
05) Click the "Save" button
06) Select "Save to a USB flash drive" and click Next
07) Select "Encrypt entire drive" (slower but best for PCs and drives already in use) and click Next
08) Unselect "Run BitLocker system check" for this tutorial (but enable it on a production system) and click "Start encrypting"
09) The BitLocker dialog disappears, but in the lower right task menu there is a key icon; click on it to see BitLocker's progress and wait.

When BitLocker has finished encrypting, you can check if everything works (keep in mind, your USB drive is your password now;
Windows cannot start without the USB stick plugged in and will show a blue screen with a recovery and reboot-again option).

As soon as you plug in the USB stick again, Windows is able to start again and everything looks normal, but now you have an
encrypted C: drive and nobody can decrypt it without the recovery code on your USB stick or without the USB stick itself.

Check your C: drive; you should now see a lock icon on your C:\ drive, which means it is encrypted by BitLocker.
(screenshot: BL_DriveLock.jpg)
If you have more hard drives you want to encrypt, repeat the above steps for each drive.

Now you can install hMailServer and use whatever database you like, as long as you install it on a BitLocker-encrypted drive.
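The same procedure done from an elevated PowerShell session, as an added example that is not part of the tutorial above: it writes the registry values behind the "Require additional authentication at startup" policy (the gpedit.msc step), encrypts the whole OS drive with a startup key on the USB stick, adds a recovery password as a second protector, and then checks the result the way an auditor would instead of looking for the lock icon. It assumes C: is the OS volume and E: is the USB thumb drive; both drive letters and the recovery folder are placeholders to adjust.

```powershell
# Added example, not code from the tutorial. Run in an elevated PowerShell session.
# Assumptions: C: is the OS volume, E: is the USB thumb drive for the startup key,
# and $RecoveryDir is a folder on that stick (anywhere off the encrypted disk works).
$OsVolume      = "C:"
$StartupKeyUsb = "E:\"
$RecoveryDir   = "E:\BitLockerRecovery"

# 1) Registry equivalent of the group policy "Require additional authentication at
#    startup" with "Allow BitLocker without a compatible TPM" enabled.
$FvePolicy = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
New-Item -Path $FvePolicy -Force | Out-Null
Set-ItemProperty -Path $FvePolicy -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $FvePolicy -Name EnableBDEWithNoTPM -Value 1 -Type DWord
foreach ($name in "UseTPM", "UseTPMPIN", "UseTPMKey", "UseTPMKeyPIN") {
    Set-ItemProperty -Path $FvePolicy -Name $name -Value 2 -Type DWord   # 2 = allowed
}

# 2) Encrypt the entire OS drive (no -UsedSpaceOnly, matching "Encrypt entire drive")
#    with a startup key written to the USB stick. Drop -SkipHardwareTest on a
#    production system so the BitLocker system check still runs before encrypting.
Enable-BitLocker -MountPoint $OsVolume -EncryptionMethod XtsAes256 `
    -StartupKeyProtector -StartupKeyPath $StartupKeyUsb -SkipHardwareTest

# 3) Add a recovery password as a second protector and store it off the encrypted
#    disk, so a lost or dead USB stick does not mean a lost mail server.
$vol = Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector
New-Item -ItemType Directory -Path $RecoveryDir -Force | Out-Null
$vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" } |
    ForEach-Object { $_.RecoveryPassword } |
    Set-Content -Path (Join-Path $RecoveryDir "$env:COMPUTERNAME-C-recovery.txt")

# 4) Verification: the drive only counts as encrypted at rest once encryption has
#    finished and protection is on, not when the key icon first appears.
$vol = Get-BitLockerVolume -MountPoint $OsVolume
"{0} {1}, {2}% done, protection {3}" -f $vol.MountPoint, $vol.VolumeStatus,
    $vol.EncryptionPercentage, $vol.ProtectionStatus
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table
if ($vol.VolumeStatus -ne "FullyEncrypted" -or $vol.ProtectionStatus -ne "On") {
    Write-Warning "Encryption still running or protection not active; re-check before relying on it."
}
```

Re-run step 4 (Get-BitLockerVolume) after a reboot with the stick plugged in; that is the check to keep for PCI DSS or GDPR evidence, together with the recovery password file stored somewhere safe.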

End of Tutorial


Post by palinka » 2018-11-24 15:07

Thank you for this tutorial. It's something I've been considering for a while but haven't done much research about.

1) What is the real-world impact on performance? I'm running hmail on Win 10 Pro on a very basic machine. Definitely not a high-performance computer.

2) Is it advisable to encrypt if hmail is already set up and running? Or is this best done on a clean install?

Thanks.


Post by Dravion » 2018-11-24 15:12

palinka wrote:
2018-11-24 15:07
Thank you for this tutorial. It's something I've been considering for a while but haven't done much research about.

1) What is the real-world impact on performance? I'm running hmail on Win 10 Pro on a very basic machine. Definitely not a high-performance computer.

2) Is it advisable to encrypt if hmail is already set up and running? Or is this best done on a clean install?

Thanks.
Regarding 1)
Performance is quite OK for hMailServer. I think if you play an ego-shooter the frame rate will drop, but for hMailServer it's OK.

Regarding 2)
Yeah, you can turn on BitLocker encryption anytime. You don't have to stop or change anything; it encrypts in the background
until it's done and a popup is shown.


Post by palinka » 2018-11-24 15:17

Great. Thank you!
