BitLocker VHD Drives Mounted as Document Libraries
Can a VHD be BitLocker encrypted? Yes.
Should you use BitLocker encryption on a VHD and store that VHD on a drive that does not have BitLocker enabled?
Well, that was the question I had. I understand that BitLocker is "at rest" drive encryption, and that is exactly what I needed. My VHD drives that are not mounted are "at rest" on a drive that can be accessed over the local network. I wanted to make sure my VHD drives were locked down without having to configure folder and file permissions each time I added a new VHD.
Searching around, I found many articles offering bits and pieces of what I was looking for. I needed to mix and match BitLocker encryption on different physical and virtual hard drives.
I use Document Libraries to organize my projects.
Let's say you have been working in Visual Studio 2010 on a project called "Mobile App to Millions", and there are a few people around you whom you just don't want touching that new application of yours. You also want to make daily backups, or, just to be safe, you want to take it home with you each night on a freshly burned DVD.
I, like you, also want to keep my projects safe when I am not using them. I've found that an encrypted drive sometimes helps keep viruses out of your documents.
OK, here's the project overview.
I have 4 physical drives and 20 VHDs on a Windows 7 Ultimate workstation.
I have 2 of the 4 physical drives enabled with BitLocker and 2 without.
I store the 20 VHDs on a physical drive without BitLocker enabled and share that drive on my local network.
My 20 VHDs are all BitLocker enabled; they are not mounted at boot, and their BitLocker protection is neither disabled nor unlocked at boot. These drives are designed as Document Library holders and are assigned to specific libraries. The library drives are mounted on an as-needed basis, which adds security to my project folders by not bringing online any drives and data not needed for the task at hand. (Kind of sounds like a HIPAA rule to me.)
The first image shows one of my simple workstations with only one additional library.
- DVDENCP1-BIT (stands for DVD Encrypted P1 folder, BitLocker): my small transport VHD for burning to DVD.
- Drive size is under 4GB so I can burn the VHD to DVD.
The DVDENCP1-BIT library is not active by default. The VHD does not attach during normal startup of the workstation; I have to manually mount the VHD assigned to this library.
The image below shows the DVDENCP1-BIT library empty and the drive letter assigned to it.
The first thing we need to do is mount our VHD.
We can do this manually by browsing to the VHD file and attaching it (in this case the one behind our M:\ drive), or we can use scripts to make the job easier.
Jason Faulkner at SysAdminGeek.com has a nice little BAT file script you can use to mount and dismount VHD drives. (It takes me forever to find things, so I'm reprinting the script here.)
1. To mount your VHD (placing the script in your SendTo folder works best):

    @ECHO OFF
    TITLE Mount VHD
    ECHO Mount VHD
    ECHO Written by: Jason Faulkner
    ECHO SysadminGeek.com
    ECHO.
    ECHO.
    SETLOCAL
    REM %1 is the VHD file handed over by SendTo; DiskPart only works from an elevated prompt.
    SET DiskPartScript="%TEMP%\DiskpartScript.txt"
    ECHO SELECT VDISK FILE="%~1" > %DiskPartScript%
    ECHO ATTACH VDISK >> %DiskPartScript%
    DiskPart /s %DiskPartScript%
    REM Remove the temporary DiskPart script (it contains the VHD path).
    DEL %DiskPartScript%
    ENDLOCAL
2. To unmount your VHD, also from SendTo:

    @ECHO OFF
    TITLE Unmount VHD
    ECHO Unmount VHD
    ECHO Written by: Jason Faulkner
    ECHO SysadminGeek.com
    ECHO.
    ECHO.
    SETLOCAL
    REM Same pattern as the mount script, with DETACH in place of ATTACH.
    SET DiskPartScript="%TEMP%\DiskpartScript.txt"
    ECHO SELECT VDISK FILE="%~1" > %DiskPartScript%
    ECHO DETACH VDISK >> %DiskPartScript%
    DiskPart /s %DiskPartScript%
    REM Remove the temporary DiskPart script.
    DEL %DiskPartScript%
    ENDLOCAL
BitLocker VHDs should be created so that you can unlock them with a password. I do not use the unlock-at-boot options.
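As an added example (not the original post's code, nor SysAdminGeek's), here is how to build such a VHD from scratch on Windows 7 with the two tools the post already relies on, DiskPart and manage-bde: create a fixed-size VHD, attach it, format it NTFS under a fixed drive letter, then turn BitLocker on with a password protector plus a numerical recovery password. The path G:\VHD\DVDENCP1-BIT.vhd, the drive letter M:, the volume label and the 4000 MB default size are assumptions chosen to match the post's layout; change them to suit.

```batch
@ECHO OFF
REM new-bitlocker-vhd.cmd (added example; not the original post's or SysAdminGeek's script)
REM Usage: new-bitlocker-vhd.cmd "G:\VHD\DVDENCP1-BIT.vhd" M: [size-in-MB]
REM Creates a fixed-size VHD, attaches it, formats it NTFS, gives it a fixed drive letter
REM and turns BitLocker on with a password protector plus a numerical recovery password.
REM Needs Windows 7 Ultimate/Enterprise and an elevated prompt (DiskPart and manage-bde).
SETLOCAL
SET "VhdPath=%~1"
SET "Letter=%~2"
SET "SizeMB=%~3"
IF "%SizeMB%"=="" SET "SizeMB=4000"
IF "%Letter%"=="" (
    ECHO Usage: %~nx0 ^<path-to-new-vhd^> ^<drive-letter:^> [size-in-MB]
    EXIT /B 1
)
NET SESSION >NUL 2>&1
IF ERRORLEVEL 1 (
    ECHO Run this from an elevated command prompt.
    EXIT /B 1
)
IF EXIST "%VhdPath%" (
    ECHO %VhdPath% already exists; refusing to overwrite it.
    EXIT /B 1
)

REM TYPE=FIXED so the file is its full size from the start; 4000 MB still fits on a DVD.
SET "Script=%TEMP%\NewVhd-%RANDOM%.txt"
(
    ECHO CREATE VDISK FILE="%VhdPath%" MAXIMUM=%SizeMB% TYPE=FIXED
    ECHO SELECT VDISK FILE="%VhdPath%"
    ECHO ATTACH VDISK
    ECHO CREATE PARTITION PRIMARY
    ECHO FORMAT FS=NTFS LABEL="DVDENCP1-BIT" QUICK
    ECHO ASSIGN LETTER=%Letter:~0,1%
) > "%Script%"
DiskPart /s "%Script%"
SET "Rc=%ERRORLEVEL%"
DEL "%Script%"
IF NOT "%Rc%"=="0" (
    ECHO DiskPart failed with code %Rc%.
    EXIT /B %Rc%
)

REM -Password: manage-bde prompts on the console, so the password is never written to disk.
REM -RecoveryPassword: adds a 48-digit numerical password and prints it. Record it somewhere
REM that is NOT the unencrypted share holding the VHD, or the encryption buys you nothing.
manage-bde -on %Letter% -Password -RecoveryPassword
IF ERRORLEVEL 1 (
    ECHO manage-bde could not turn on BitLocker for %Letter%
    EXIT /B 1
)

REM Encryption runs in the background. Detaching early is safe (it pauses and resumes on
REM the next unlock), but the file is not fully protected until this reports 100%%.
manage-bde -status %Letter%
ENDLOCAL
```

Leave the VHD attached until manage-bde -status shows the conversion finished before you copy the file to the share or burn it to DVD; until then part of the volume is still plaintext inside the file.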
Now I need to mount the drives. In the image below I have two VHDs, both BitLocker protected and enabled. I'll use the BAT script that is carefully installed on my SendTo menu to mount them.
As soon as the drive is mounted, BitLocker Drive Encryption prompts me to enter the password to unlock the drive. See the image below.
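The SendTo scripts above only attach and detach the file; the password prompt that follows is BitLocker's own pop-up. As an added example, not from the original post or SysAdminGeek, here is the same round trip done entirely from an elevated command prompt with DiskPart and manage-bde, which is handier in a Startup script or over a remote session where the pop-up is easy to miss: "open" attaches the VHD and unlocks the volume, "close" locks the volume and detaches the VHD so it is at rest again. The path, the drive letter M:, and the assumption that the volume inside the VHD already has a fixed letter (as J: and M: do in the post) are mine.

```batch
@ECHO OFF
REM vhd-library.cmd (added example; not the original post's or SysAdminGeek's script)
REM   vhd-library.cmd open  "G:\VHD\DVDENCP1-BIT.vhd" M:
REM   vhd-library.cmd close "G:\VHD\DVDENCP1-BIT.vhd" M:
REM open : attach with DiskPart, then unlock the BitLocker volume (password prompt on console)
REM close: lock the volume (forcing dismount) and detach the VHD, so the file is at rest again
REM Assumes the volume inside the VHD was assigned a fixed drive letter when it was created.
SETLOCAL
SET "Action=%~1"
SET "VhdPath=%~2"
SET "Letter=%~3"
IF "%Letter%"=="" GOTO :usage
NET SESSION >NUL 2>&1
IF ERRORLEVEL 1 (
    ECHO Run this from an elevated command prompt.
    EXIT /B 1
)
SET "Script=%TEMP%\Vhd-%RANDOM%.txt"
IF /I "%Action%"=="open"  GOTO :open
IF /I "%Action%"=="close" GOTO :close

:usage
ECHO Usage: %~nx0 open^|close ^<path-to-vhd^> ^<drive-letter:^>
EXIT /B 1

:open
> "%Script%" ECHO SELECT VDISK FILE="%VhdPath%"
>>"%Script%" ECHO ATTACH VDISK
DiskPart /s "%Script%" >NUL
DEL "%Script%"
REM The volume comes up locked; -Password makes manage-bde ask for the password here
REM instead of storing it anywhere.
manage-bde -unlock %Letter% -Password
IF ERRORLEVEL 1 (
    ECHO Unlock failed; detaching so the VHD stays at rest.
    GOTO :detach
)
REM Show what protects the volume. Expect Password and Numerical Password only; data volumes
REM carry no TPM protector, which is why the same file opens on another BitLocker-capable PC.
manage-bde -protectors -get %Letter%
EXIT /B 0

:close
REM -ForceDismount closes any open handles, so save your work first.
manage-bde -lock %Letter% -ForceDismount
:detach
> "%Script%" ECHO SELECT VDISK FILE="%VhdPath%"
>>"%Script%" ECHO DETACH VDISK
DiskPart /s "%Script%" >NUL
DEL "%Script%"
EXIT /B 0
```

The "close" path is the part worth scripting: a locked-and-detached VHD on the G:\ share is just an opaque file again, whereas an unlocked one is readable by anything running in your session.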
Notice the drive letter J:\, which is the first VHD I mounted.
The custom library I have set up uses drive M:\, which is the next drive I'll mount.
Below is an image of what a library looks like when its drive or directory is not attached (empty).
The next image shows the VHD drive M:\ locked by BitLocker.
This is my library container DVDENCP1-BIT: the VHD is attached, but the BitLocker volume has not yet been unlocked.
Quick review of the drives:
- C:\ physical drive, BitLocker not enabled.
- E:\ physical drive, BitLocker enabled; attached but not unlocked for the current user (backup drive).
- G:\ physical drive, no encryption; stores the VHD files, which are themselves encrypted.
- J:\ VHD, BitLocker encrypted, unlocked and mounted as a hard drive.
- M:\ VHD, BitLocker encrypted, still locked, and assigned to the library DVDENCP1-BIT as seen in the image above.
The next image is of the M:\ drive mounted with the BitLocker password entered. It shows the VHD assigned to drive letter M:\ as well as the contents of the BitLocker VHD.
Now that we have the custom library drive mounted and unlocked, we can start using it.
And there you have it: BitLocker-enabled VHDs mounted as Document Libraries for easy access. It works great for Visual Studio project storage.
This process was developed while I was setting up a secured workstation for a local medical office. The HIPAA Security Rule requires limiting access to those who need it, and it lists encryption of stored PHI as an addressable safeguard.
In this case, I encrypted the drives, created VHD containers as custom libraries for each login account, set a BitLocker password on each, and added the simple mount-drive script to the Startup folder.
Now if someone has access to the computer but does not know the BitLocker password, the folders, or in this case the VHD holding the protected information, cannot be accessed. That protection only holds while the VHD is detached or its volume is still locked: once you have unlocked M:\, anything running in your session, malware included, can read it like any other drive, so lock the volume and detach the VHD as soon as you are done with it.
You can also transfer the VHD files via DVD.
I've been asked if you can mount a VHD directly from a DVD, which to my knowledge you cannot. But given that question, why wouldn't you just copy the VHD over to your physical drive? Use the DVD as a backup or for transport.
I'll write two additional articles covering:
- How to make custom libraries with VHD-mounted drives.
- How to encrypt medical records for mailing on DVD via USPS, and how the recipient extracts and reads them.
I hope this pictorial article helped answer your questions. Have fun creating as many VHDs as your system can handle, but remember that there are limits on how many drives you can have mounted at once.
Notes and Questions: 2-4-2015
1. Have you tested creating a VHD on a non-BitLocker-enabled computer, then transferring the VHD to a BitLocker-enabled computer for encrypting? (May not work.)
2. Does the VHD have to be initialized on the BitLocker host before transferring?
3. If your VHD is created on a BitLocker-enabled computer, initialized, and formatted, can another BitLocker computer encrypt it?
4. If the answer to 3 is no, can you encrypt a VHD, transport it via USB 3 or SATA, and mount it on another BitLocker-enabled computer?
5. Have you found it works on your system but not on others?
When I first started encrypting VHDs for my Windows Server 2008 machine, I found that working between identical systems was never a problem. But at times a glitch would occur when working with a system that was not the same.
I would like to share a blank VHD in the following environment settings to find out if it is possible.
- If I create the VHD on a non-BitLocker computer, can you encrypt it on a BitLocker computer?
- If the above is true in many tests, then we can stop.
- But if you cannot encrypt a VHD created on a non-BitLocker computer, can you then create the encrypted VHD if it were initialized by another system?
- If no, can you then mount a full VHD with a known password on ??
I have a few tests this year to see if it's possible to stream a backup of a mounted, encrypted VHD, and to stream a network backup of unmounted VHDs, alternately mounting them to validate the backups.
The process, if valid, should allow you to back up your VHDs on a drive that is not secured by any encryption. I'd like to test this with a few people. Contact me; I have the servers, VHDs and the testing process ready.