Improve your Cluster Shared Volume security with Microsoft BitLocker

Posted by Ivan Ischenko on January 4, 2018

Introduction

Nowadays, every company is doing its best to protect its data, which is pretty much its most valuable asset. As you know, data is vulnerable to unauthorized access, and that’s when Microsoft BitLocker saves the day. BitLocker is Microsoft’s encryption technology, which transparently encrypts a logical volume (rather than the physical disk). In this article, we will see how to encrypt a Cluster Shared Volume (CSV) using Microsoft BitLocker to protect your data against unauthorized access.

Starting from Windows Server 2012, Microsoft has added BitLocker support for Cluster Shared Volumes to create an additional layer of protection for sensitive, highly available data. It adds an extra barrier by allowing only specific accounts to unlock the BitLocker volume. BitLocker uses the Advanced Encryption Standard (AES) encryption algorithm with either 128-bit or 256-bit keys. As to authentication options…well, there are a few to choose from. You can authenticate by specifying a PIN or by storing a key on a flash drive, which you would then need to insert in order to boot the system.

In my case, I have a two-node hyperconverged Hyper-V configuration with 2 StarWind devices (Witness and BitLocker-CSV) which are connected via iSCSI and presented to the Microsoft Failover Cluster.

Below, you can find two different ways to encrypt storage for your Cluster:

1. The first option is to encrypt the host’s underlying storage logical volumes (where StarWind devices are located). This protects the volume against unauthorized access and prevents its data from being decrypted without the password you set.

2. The second option is to encrypt a CSV inside a Failover Cluster, based on shared storage which is provided by StarWind VSAN HA devices. This can be implemented as an additional security layer on top of an already encrypted underlying logical volume, or used as the sole, more granular way of encrypting.

I’ve decided to use StarWind VSAN since it mirrors the storage inside the nodes, which allows creating shared storage for my Failover Cluster.

Encrypting logical volumes on the underlying (physical) storage

1. First of all, we need to enable the BitLocker Windows Feature on each clustered node.

Note: The installation will require a reboot.

Enabling the BitLocker feature in Windows via PowerShell

2. The encryption of the local volume can be done through GUI or via PowerShell. To make it via GUI, right-click on the required volume and choose “Turn on BitLocker”.

Turn on BitLocker

3. Select “Use a password to unlock the drive” and specify the password.

BitLocker Drive Encryption - Use a password to unlock the drive

4. Select any option you like. You can use a network share, USB or any other PC in the domain to store the recovery file.
Backup a recovery key

5. Select “Encrypt entire drive” and click “Next”.
Encrypt entire drive

6. Use the “Compatible mode” option and click “Next”.

BitLocker Drive Encryption - Compatible mode

7. Click “Start encrypting” and wait until it ends.

Start encrypting
Bitlocker Drive Encryption status

8. Repeat the same steps for each drive which you want to encrypt on the local and the partner nodes.

Encryption status
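The same steps 1–8, done from PowerShell instead of the GUI. This is an added example and not the post’s own commands (the post’s screenshots are not reproduced here). It assumes the data volume is mounted at D: and that a file share \\FILESRV\BitLockerKeys$ exists for the recovery password; both are placeholder names. Run it elevated on each node.

```powershell
# Added example (not from the original post). Placeholders: D: is the volume
# holding the StarWind device files, \\FILESRV\BitLockerKeys$ is a share reachable
# only by the storage admins.

# Step 1: install the BitLocker feature. Install-WindowsFeature reports
# RestartNeeded = Yes afterwards; reboot the node before continuing.
Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools

$Volume = 'D:'

# Step 3: read the unlock password interactively so it never lands in a script
# or the PowerShell history.
$Password = Read-Host -Prompt "Unlock password for $Volume" -AsSecureString

# Steps 2, 3, 5, 6: turn on BitLocker with a password protector.
# Aes256 is 256-bit AES in the legacy ("Compatible mode") cipher mode the post
# selects; XtsAes256 would be the "New encryption mode" instead.
# Omitting -UsedSpaceOnly encrypts the entire drive, as in step 5.
Enable-BitLocker -MountPoint $Volume -EncryptionMethod Aes256 `
    -PasswordProtector -Password $Password

# Step 4: add a recovery password and save it to the share (the GUI's
# "Save to a file"). The recovery password is the only way back in if the
# unlock password is lost, so store it off the node.
$Vol      = Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector
$Recovery = $Vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
$KeyFile  = "\\FILESRV\BitLockerKeys$\$env:COMPUTERNAME-$($Recovery.KeyProtectorId).txt"
$Recovery.RecoveryPassword | Out-File -FilePath $KeyFile

# Optional: also escrow the recovery password in Active Directory
# (requires the BitLocker AD backup policy/schema to be in place).
Backup-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $Recovery.KeyProtectorId

# Steps 7 and 8: wait for the encryption to finish, then repeat the block on the
# partner node for its own volumes.
do {
    $State = Get-BitLockerVolume -MountPoint $Volume
    Write-Host ("{0}: {1} ({2}% encrypted)" -f $Volume, $State.VolumeStatus, $State.EncryptionPercentage)
    Start-Sleep -Seconds 30
} while ($State.VolumeStatus -ne 'FullyEncrypted')

# Final check: ProtectionStatus should read On, and the key protectors should
# list exactly one Password and one RecoveryPassword entry.
Get-BitLockerVolume -MountPoint $Volume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, KeyProtector
```

The final Get-BitLockerVolume line is the check worth keeping: ProtectionStatus Off with VolumeStatus FullyEncrypted means the volume is encrypted but protectors are suspended, so the data is still readable without a password.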

Encrypting CSV based on StarWind HA devices

1. Windows can encrypt a CSV only when the CSV is in “Maintenance Mode”. So, to perform this operation you need to turn off all roles on the CSV gracefully. You can do it via Failover Cluster Manager or via PowerShell. Put the CSV into Maintenance Mode:

Enabling the Maintenance Mode for a specific Cluster Shared Volume via PowerShell

Enabling the Maintenance Mode on a specific CSV via Failover Cluster Manager

2. Now, we can encrypt the CSV.

Enabling BitLocker on the CSV device via PowerShell

NOTE: Please copy and save the recovery key so that access can be restored if needed. Also, do not take the CSV out of Maintenance Mode until the next step is done.

3. Next, we need to give the cluster access to our encrypted CSV.

Enabling access to the encrypted CSV for the Cluster via PowerShell

4. Now, we can turn off the “Maintenance Mode” for the CSV.

Getting cluster shared volume name and state. Turning off the Maintenance Mode via PowerShell
Disabling the Maintenance Mode on a specific CSV via Failover Cluster Manager

5. If you open the Failover Cluster Manager, you will see that the CSV has been successfully encrypted.

Checking Failover Cluster Manager to make sure that the CSV has been encrypted
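Steps 1–5 of the CSV procedure as one PowerShell run. This is an added example, not the post’s own commands. It assumes placeholder names: the cluster is CLUSTER1 in the CORP domain, the CSV’s physical disk resource is “Cluster Disk 2”, and the volume is mounted at C:\ClusterStorage\Volume1. Run it elevated on the node that currently owns the CSV, after all roles using that volume have been stopped.

```powershell
# Added example (not from the original post). All names below are placeholders.
$Csv      = 'C:\ClusterStorage\Volume1'
$Resource = 'Cluster Disk 2'
$Cno      = 'CORP\CLUSTER1$'   # the cluster name object's computer account
$KeyShare = '\\FILESRV\BitLockerKeys$'

# Step 1: put the CSV into Maintenance Mode. BitLocker refuses to encrypt a
# CSV that is not in this state.
Suspend-ClusterResource -Name $Resource -VolumeName $Csv
Get-ClusterSharedVolumeState -Name $Resource   # shows the volume's current state per node

# Step 2: encrypt the CSV. A recovery password is the first protector; the
# cluster itself gets access in step 3.
$Vol      = Enable-BitLocker -MountPoint $Csv -EncryptionMethod Aes256 -RecoveryPasswordProtector
$Recovery = $Vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

# Save the recovery password off the cluster right away (the post's NOTE).
$Recovery.RecoveryPassword |
    Out-File -FilePath "$KeyShare\CSV-Volume1-$($Recovery.KeyProtectorId).txt"

# Step 3: allow the cluster name object to unlock the volume. Without this
# protector the CSV cannot be brought online on any node after a failover,
# which is why the post says not to leave Maintenance Mode before this step.
Add-BitLockerKeyProtector -MountPoint $Csv -ADAccountOrGroupProtector -ADAccountOrGroup $Cno

# Step 4: take the CSV out of Maintenance Mode.
Resume-ClusterResource -Name $Resource -VolumeName $Csv
Get-ClusterSharedVolume -Name $Resource | Select-Object Name, State, OwnerNode

# Step 5: verify. Expect one RecoveryPassword and one AdAccountOrGroup protector,
# ProtectionStatus On, and EncryptionPercentage climbing to 100.
Get-BitLockerVolume -MountPoint $Csv |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
(Get-BitLockerVolume -MountPoint $Csv).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId, AutoUnlockProtector
```

Two things to check before touching the next CSV: the recovery password file exists on the share and is readable by someone other than the cluster nodes, and the key protector list includes the AdAccountOrGroup entry for the CNO. Repeating the block with a different $Resource and $Csv covers each additional volume.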

Conclusion

As you can see, we have encrypted the physical (local) logical volume and the CSV inside the Failover Cluster. If you need to encrypt all CSVs in your Failover Cluster, I would recommend encrypting only the local volume. In this way, it will be much easier to manage security keys. However, if you need to encrypt only some of the CSVs, you can simply encrypt those without local volume encryption. Ultimately, thanks to BitLocker, we can protect our data against unauthorized access to both the physical and the clustered logical volumes.

Ivan Ischenko
Ivan works as a Technical Support Engineer at StarWind. Has a deep knowledge of virtualization, storage technologies, and clustering.