Recommended DR Configuration for Servers with TPM Bitlocker

[YouGotServered]

Hey all.

We are starting to run into a new challenge more and more. We have customers that are enabling TPM security on their ESXi hosts and using Microsoft Windows Bitlocker to encrypt their servers within the guest, and then the keys are stored within the host TPM / vCenter. This all works fine, until they replicate their servers to another set of hardware for DR.

The replication works, but all of the bitlockered servers boot to a Bitlocker recovery screen, requiring you to 1) have all of your Bitlocker keys documented and accessible in a disaster, and 2) manually enter in several 30+ character Bitlocker unlock codes every time the virtual machine starts up.

Obviously the technology is doing it's job - Bitlocker with TPM is supposed to stop a malicious actor from being able to put your data on new hardware and just "use it", but it really hampers legitimate DR scenarios. Other than investing tens of thousands of dollars into a mobile key provider system that can follow your servers in a DR scenario, is there a better way to do this? It seems that the only scenario would be encrypting the datastore at the VMWare level instead so that the VMs themselves are replicated over unencrypted since the datastores are unlocked at the VMWare level at the time of replication; but it is my understanding that licensing is fairly expensive if you have a small customer on something like VMWare Essential licensing.

Is this the world we are in now where we have to shell out that much money if we want easy to use, portable encryption?

Thanks for any insight.

[HannesK]

Hello,
from my point of view: 1 & 2 are acceptable compared to the other challenges one gets by doing in-guest encryption (no item level restore with VM-based backup).

is there a better way to do this

"better" is a strong term, but every product that does not rely on TPMs should work with replication. Of course, one has to enter the password at every boot. By doing that every time, one probably knows it also in DR situations

One always had to invest money for a a secure environment. The whole ransomware industry just made it more attractive to invest in security.

Best regards,
Hannes

[YouGotServered]

I just confirmed and unfortunately it's actually a randomized 48 character key, per server - so no one is going to remember that, no matter how many times we type it in!

So essentially, the recommendation for DR is no guest-level OS encryption?

Thanks again.

[HannesK]

Hello,
yes, "nobody" can remember Bitlocker recovery keys

I was talking about "other solutions".

The recommendation is to implement the business requirements... I cannot imagine anyone except your company can decide what's best in your situation.

Best regards,
Hannes