
I'm renting an unmanaged dedicated (physical) server, running Windows Server (currently 2012 R2, but it can be changed to another version of the Standard edition). I have a custom Windows service that accesses a database. I'm running the Web edition of SQL Server, so I can't protect data at rest. I tried encrypting the C drive with BitLocker, but since the server doesn't have a TPM chip (and thus requires entry of a password before the OS loads), and since I don't have KVM access and the server can't be accessed via Remote Desktop before the OS loads, I had to have the OS reloaded.

I'd be happy to create a D drive for the data, and encrypt that, but I want it so that when the server reboots, the Windows service starts running, and has access to the data on that D drive, without a person having to type a password. I think that would require some configuration that uses Windows authentication of the user which the Windows service runs under to access the D drive.

Is there some way to configure BitLocker to work like that, or if not, is there 3rd-party software that would solve this problem?

uncaged

1 Answer

Be aware that anything but using a TPM and encrypting the whole machine is considered rather clumsy and/or insecure. So the best advice is to see whether your server hardware can be armed with a TPM chip. The mainboard would have to have a so-called "TPM header". Name the mainboard if you need assistance. Newer hardware, say 2016 and newer, even has a pseudo TPM implemented in the Intel Management Engine ("Intel PTT"), so it could be emulated by the system firmware - it would need to be enabled in the BIOS. AMD has an equivalent of that: "Firmware TPM".

See if your hardware offers that.

If it does not, what you could do (we did that already a decade ago) is:

- encrypt d:
- set the startup type of the service that needs d: to be present to "manual"
- create a scheduled task that runs at system startup and launches a batch that goes:

    manage-bde -unlock d: -rp 111111-222222-....youRecoveryPassword…
    net start yourservice

then place the batch on a share of a different server (accessible by the system account of your machine), so that in case the server is stolen and separated from your network, d: won't be unlocked.

That works. But encrypting the whole thing is better. You could combine both for best security: (A) encrypt c: using the TPM, (B) unlock d: using the script.
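The same unlock-then-start procedure as a PowerShell version, added here as an example and not part of the answer above. It assumes the BitLocker and ScheduledTasks modules (Windows Server 2012 R2 or later with the BitLocker feature installed); the share path, service name and recovery password are placeholders, and the script file itself must live on the remote share, never on the server's own disk.

```powershell
# --- unlock-d.ps1: stored on \\FILESERVER\bitlocker$\ (placeholder UNC path), not locally ---
# Unlocks D: with the recovery password and only then starts the service.
$MountPoint       = 'D:'
$ServiceName      = 'yourservice'                                             # placeholder
$RecoveryPassword = '111111-222222-333333-444444-555555-666666-777777-888888' # placeholder, 48 digits

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.LockStatus -eq 'Locked') {
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword -ErrorAction Stop | Out-Null
}

# Re-read the volume state rather than trusting the cmdlet output: the service must never be
# started against a still-locked volume (it would fail, or worse, fall back to some other path).
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.LockStatus -ne 'Unlocked') {
    Write-Error "$MountPoint is still locked (status: $($vol.LockStatus)); not starting $ServiceName."
    exit 1
}

Start-Service -Name $ServiceName
exit 0

# --- one-time setup, run elevated on the server itself: the task is local, the secret is not ---
# Service set to Manual so it only ever starts through the unlock script.
Set-Service -Name 'yourservice' -StartupType Manual

# Startup task running as SYSTEM that executes the script straight from the share.
# Because the network may not be up yet at boot, the task is retried a few times before giving up,
# so a transient share outage delays the service instead of leaving it down for good.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument '-NoProfile -ExecutionPolicy Bypass -File \\FILESERVER\bitlocker$\unlock-d.ps1'
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -RestartCount 5 -RestartInterval (New-TimeSpan -Minutes 1)
Register-ScheduledTask -TaskName 'Unlock D and start service' `
    -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force
```

Because the task runs as SYSTEM, the share must grant read access to the server's machine account, which in practice means the server is domain-joined; if the server is ever removed from the network, the script (and with it the recovery password) is simply unreachable and D: stays locked.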