Locking down a Virtual Machine with BitLocker

BitLocker is Microsoft’s volume encryption solution, built into several editions of Windows since Windows Vista. (There is an excellent open source alternative in TrueCrypt, but it just has that third-party feel to it. Besides, this particular task is easier with TrueCrypt, so you wouldn’t need my help.)

Normally, BitLocker uses the TPM (Trusted Platform Module – see Wikipedia) to make your physical hardware a factor in the encryption key, and relies on the TPM to hold and release that key at boot time. So long as your hard drive remains inside your machine, it can boot. Take it out, and it’s just a mess of encrypted junk (although your backup key can still unlock it).

I’m guessing that if you landed here, you are keenly aware of BitLocker and its uses. You may have already tried to use BitLocker on a virtual machine and failed. This article is for you – read on!

What you need:

Virtualization software capable of passthrough USB

This demonstration is performed using VirtualBox 4.1.20 (the latest as of writing). You can get VirtualBox for free right here: https://www.virtualbox.org/wiki/Downloads. I would recommend also downloading and installing the Oracle VM Extension Pack, as it provides better USB support.

A copy of Windows that supports BitLocker installed as the Guest OS

You can use any virtualization software that allows for passthrough USB. Unfortunately, this excludes Hyper-V. I am using Windows ThinPC for this demo. If you have a TechNet or MSDN subscription you can download it (to use according to Microsoft’s License agreement), otherwise you will need to use one of the Windows 7 versions that support BitLocker for your guest OS.
Get it installed ahead of time.

Enough disk space for the full size of your virtual disk

If you don’t have enough disk space for the full size of the virtual disk, don’t bother. If you used a dynamically expanding disk, BitLocker will fill up the free space and expand your disk during the initial encryption.

A USB Thumb Drive with a little free space, and a place to store the encryption key

BitLocker will only write the startup key to a USB flash device, so you must have one available with a couple of megabytes of free space. It is only used temporarily.
You will also need a place to store the virtual disk that will permanently house the BitLocker key. I would recommend placing this on a USB drive or some other kind of removable media. It will need to be accessible whenever the VM is running, but it should not be kept on your computer, or you are really wasting your time…


Procedure Overview

This would all be quite simple if VirtualBox supported booting to USB… but it does not. USB drives are not available to the Windows bootloader on VirtualBox, so it cannot read the keys from a passed-through USB flash drive. BitLocker will only allow you to write them to a USB drive, but it turns out the BitLocker boot code doesn’t care what kind of device it reads them from. So:

You change the Group Policy settings in Windows to allow BitLocker to work without a TPM. You mount a USB drive to your virtual machine and have BitLocker write the startup key and recovery key to it. You additionally create a tiny virtual hard drive that is stored on a USB key and mounted in your VM. After BitLocker writes the keys, you copy them over to the virtual disk (you will need to show hidden and system files in Windows Explorer), unmount the first USB drive, and allow BitLocker to reboot. It should start encrypting after it boots back up.


Step By Step

Step 1: Add new VHD

First, we must provide a permanent location for the BitLocker files. Shut down your VM, and add a new disk to your SATA controller.


Note: I use VHDs because I can easily mount them in the OS, but you can use any disk format. The keys are only a few KB, but I use 10 MB to be safe.


When you reach the size / name screen, make sure you specify the path on your intended removable location.

Boot up the virtual machine and open Disk Management (diskmgmt.msc from Run or the Start menu).

You should be prompted to initialize the disk – do so.

Then right-click the unallocated space and select New Simple Volume.

I would recommend selecting FAT or FAT32 for the file system.


Step 2: Enable BitLocker without TPM

The steps to do this are all over the internet, but for reference, run gpedit.msc (either from the Run dialog or the Start menu).

Browse to Computer Configuration –> Administrative Templates –> Windows Components –> BitLocker Drive Encryption –> Operating System Drives, then open “Require additional authentication at startup”.


Enable the policy, and make sure “Allow BitLocker without a compatible TPM” is selected.


Step 3: Mount the temporary USB Drive

Hopefully you are using different brands of USB drive… Select Devices from the VirtualBox menu, then USB Devices, and select the temporary USB drive (NOT THE ONE YOU USED IN THE PREVIOUS STEP).


In your virtual machine, you should now have three disks: the main hard disk, the small hard disk, and the USB drive.


Step 4: Setup BitLocker on the system drive

Open the BitLocker control panel, and click Enable BitLocker for your system drive.


At the next window, select the only available option (Require a Startup key at every startup).

Then, at the next window, select the mounted USB drive (it should be the only option) and click Save.

When prompted, choose to save the recovery key to the same USB drive for simplicity.


At the last step, stop! Do not close the window!!


Step 5: Copy the BitLocker Keys to the small drive

Open the mounted USB drive in Windows Explorer. If you do not see two files, change the folder options to display hidden as well as system files (you should know how to do this…).

Copy the two files from the USB drive to the small drive.


You can now unmount / remove the temporary USB drive. We are done with it. Actually, we are pretty well done…


Step 6: Allow the BitLocker Wizard to continue (AKA DONE!)

Click Continue on the wizard, and make sure to allow it to run the BitLocker system check. Click Restart Now.

A minute or so after the system boots back up, you should see a notification popup like so:


And you are good to go!
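The guest-side steps of this walkthrough (Steps 2, 4 and 5, plus a check worth running before the reboot in Step 6) as an added PowerShell example; this is not the post's own code. It drives manage-bde, which Windows 7 / ThinPC ships, rather than the newer BitLocker cmdlets, and assumes drive letters C: (system drive), E: (temporary USB stick) and K: (the small VHD on removable media), run from an elevated prompt inside the VM.

```powershell
# Added example: script equivalent of Steps 2, 4 and 5 of the walkthrough.
# Assumed drive letters (adjust to your VM): C: system, E: USB stick, K: small VHD.
$SystemDrive = 'C:'
$UsbDrive    = 'E:\'
$KeyVhd      = 'K:\'

# Step 2: the registry values gpedit.msc writes for "Require additional
# authentication at startup" with "Allow BitLocker without a compatible TPM".
function Enable-BitLockerWithoutTpm {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
}

# Step 4: turn BitLocker on with a startup key written to the USB stick (the only
# place BitLocker will write it) and keep the 48-digit recovery password in a
# text file on the same stick, as the wizard's "save to USB" option does.
function Start-BitLockerWithUsbKey {
    & manage-bde -on $SystemDrive -StartupKey $UsbDrive -RecoveryPassword |
        Tee-Object -FilePath (Join-Path $UsbDrive 'BitLocker Recovery Password.txt')
}

# Step 5: the .BEK startup key is a hidden system file, so -Force is needed
# for Get-ChildItem to return it; copy it to the small VHD.
function Copy-StartupKeyToVhd {
    Get-ChildItem -Path $UsbDrive -Filter *.BEK -Force |
        Copy-Item -Destination $KeyVhd -Force
}

# Pre-reboot check: a .BEK on the VHD must match a protector ID that manage-bde
# reports for the system drive (the .BEK file name is that ID), or the VM won't boot.
function Test-StartupKeyOnVhd {
    $ids = (& manage-bde -protectors -get $SystemDrive) |
        Select-String -Pattern '([0-9A-Fa-f-]{36})' -AllMatches |
        ForEach-Object { $_.Matches } |
        ForEach-Object { $_.Groups[1].Value.ToUpper() }
    $beks = Get-ChildItem -Path $KeyVhd -Filter *.BEK -Force |
        ForEach-Object { $_.BaseName.ToUpper() }
    return (@($beks | Where-Object { $ids -contains $_ }).Count -gt 0)
}

Enable-BitLockerWithoutTpm
Start-BitLockerWithUsbKey
Copy-StartupKeyToVhd
if (Test-StartupKeyOnVhd) { 'Startup key is on the VHD; restart to run the hardware test.' }
else { Write-Warning 'No .BEK on the VHD matches a protector; do not reboot yet.' }
```

Once the script reports the key on the VHD, detach the USB stick and restart, exactly as in Step 6; manage-bde -status C: after the reboot shows the encryption progress.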


So long as you do not keep the drive containing that VHD attached to your machine, that VM will never boot, nor can it be read in any way. Virtual BitLocker.

5 thoughts on “Locking down a Virtual Machine with BitLocker”

  1. Genius – thanks for this post!! I got through the TPM and many USB issues, but couldn’t get the VM to see the BL key on the USB upon boot. Adding the extra small drive did the trick.
