
I'm running a small Windows Server machine with two disks - one for OS and applications, one for data.

I want to encrypt the data drive with BitLocker (using a password would be just fine, no TPM present), but as far as I'm concerned, I will only be able to unlock the drive after logging into the machine. Since there are some services running on the machine which have their data on the data drive (i.e. MSSQL instance), this would probably break services startup on the machine.

I'd be fine entering a password at boot time (i.e. pre-services startup) since I can access the machine via VPN and a network KVM switch from anywhere.

I've read about a way to do this via a boot-time task in Task Scheduler, but I'm afraid this might still be too late in the boot process to ensure that services relying on the data on the drive start up properly.

I'd like to avoid encrypting the OS drive (which, in turn, would of course enable the possibility of auto-unlocking the secondary drive) because of the performance impact.

How can I achieve encrypting the data drive and have it readily unlocked as early as possible in the boot process?

Nico R

1 Answer


This solution seems to require your machine to have joined a domain. (Sorry, if this is not the case in your situation.)

Special service protector

You referred to the Task Scheduler, which would use an -unlock command. (Example)

I propose a different protector; however, I am unable to test this, but you could work toward trying:

manage-bde -protectors -add E: -sid Domain\Machine$ -service

E: being your small empty experimental partition so you can try something out first ;).

You could use the Windows GUI to normally encrypt the E: partition; you can use a PDF printer to get beyond the 'save the recovery password' part. Don't lock yourself out though.

From scratch: (you will be required to enter a password in the terminal; save the outputted recovery key.)

manage-bde -on E: -UsedSpaceOnly -RecoveryPassword -Password -sid Domain\Machine$ -service

or in steps, first:

manage-bde -on E: -UsedSpaceOnly -RecoveryPassword -Password

manage-bde -protectors -add E: -sid Domain\Machine$ -service

If something goes wrong (with this experimental partition), simply run manage-bde -off E: first before trying again.

Now I know that -sid user references unlock drives after the first login; I am hoping the machine/service SID unlocks the drive during boot.


Additionally:

Is your machine not in a domain? I am afraid this won't work. I have never got any -sid commands to work on a non-domain-joined computer or vm.

A71
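The answer's manage-bde steps, written out with the BitLocker PowerShell module as an added example (not part of the question or the answer, and, like the answer's own commands, not tested on a live server). It assumes a domain-joined machine, that E: is the empty experimental partition, and that DOMAIN\MACHINE$ is a placeholder for the computer account; the AD DS backup step only succeeds if recovery-information backup is enabled by Group Policy.

```powershell
# Added example: BitLocker module equivalent of the manage-bde steps in the answer.
# Assumptions: domain-joined host, E: is a throwaway test partition,
# DOMAIN\MACHINE$ is a placeholder for this computer's account.
$Volume         = "E:"
$MachineAccount = "DOMAIN\MACHINE$"   # placeholder, replace with your computer account

# 1. Encrypt used space only and create a numerical recovery-password protector
#    (mirrors: manage-bde -on E: -UsedSpaceOnly -RecoveryPassword).
Enable-BitLocker -MountPoint $Volume -EncryptionMethod XtsAes256 -UsedSpaceOnly -RecoveryPasswordProtector

# 2. Capture the recovery password BEFORE relying on the drive, and back it up to AD DS
#    where policy allows. Losing this is the "lock yourself out" scenario the answer warns about.
$recovery = (Get-BitLockerVolume -MountPoint $Volume).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
Write-Output "Recovery password ID: $($recovery.KeyProtectorId)"
Write-Output "Recovery password:    $($recovery.RecoveryPassword)"   # store offline, not on this host
Backup-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $recovery.KeyProtectorId

# 3. Add the machine-account SID protector flagged as a service protector
#    (mirrors: manage-bde -protectors -add E: -sid Domain\Machine$ -service).
Add-BitLockerKeyProtector -MountPoint $Volume -AdAccountOrGroupProtector -AdAccountOrGroup $MachineAccount -Service

# 4. Verify what is actually on the volume before the reboot test:
#    ProtectionStatus should be On and both protector types should be listed.
Get-BitLockerVolume -MountPoint $Volume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
(Get-BitLockerVolume -MountPoint $Volume).KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId

# Rollback on the test partition if the boot test fails (mirrors: manage-bde -off E:).
# Disable-BitLocker -MountPoint $Volume
```

After the reboot, check whether a service that depends on the drive (the MSSQL instance in the question) came up cleanly; if the volume shows as locked at that point, the SID protector was applied later than the service start, and the Task Scheduler -unlock approach from the answer would run into the same ordering problem.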