Bitlocker best practice

[hyphen]

Hello, I am about to setup a Hyper-V host with two VMs and I need to protect the data using Bitlocker.

Can you please advice what would be easier to manage for Veeam backups and restores?

Option 1: Encrypt the Hyper-V host drives with Bitlocker but leave the volumes in the VMs unencrypted

Option 2: Encrypt the volumes inside the VMs using virtual TPM without encrypting the host OS or the volumes that store the VMs

Thank you!

[HannesK]

Hello,
Option 1

If you want to protect the data, then you should enable Veeam encryption as the backup data would be unencrypted otherwise

Best regards,
Hannes

[nmdange]

If you go with Option 2, the data Veeam backs up will be encrypted even without Veeam encryption. Note that this means things like File-level recovery won't work because Veeam can't read the bitlocker encrypted volume. You can only restore the entire volume. It is definitely the most secure option though. Just make sure you create a Bitlocker recovery password and save it somewhere just in case

[HannesK]

fully agree. I chose option 1 because he asked for "easier".

For single file restore he could still use instant VM recovery / universal restore.

[hyphen]

Thanks! Yes, I am looking for balance between security and ease of management so I think I will go with option 1 as you recommend. File-level recovery is something I don't want to give up as it's so common users inadvertently delete files.

The server is physically secured. Just want to add a bit more protection by encrypting it.