Enable BitLocker on iSCSI SAN Volume

hswag1
Posts: 1
Joined: Fri Sep 19, 2014 2:15 am

Fri Sep 19, 2014 2:19 am

Hello -

I am trying to achieve data encryption at rest. Does StarWind support enabling BitLocker? Here is the setup:

There are two StarWind storage servers set up in an HA configuration. They create an iSCSI SAN. Replication and availability of data are controlled completely within this StarWind 2-node cluster. They present iSCSI targets to the hypervisors.
The hypervisors have their own high availability setup via Windows Cluster Shared Volumes. All the VMs are created in the CSVs.

Can I encrypt the system drive and the iSCSI SAN array on each of the StarWind storage servers?

Thanks!
anton (staff)
Site Admin
Posts: 4021
Joined: Fri Jun 18, 2004 12:03 am
Location: British Virgin Islands

Fri Sep 19, 2014 12:20 pm

Sure you can (one of the reasons we prefer to place "containers" on a file system rather than dealing with raw disks).

However, you need to understand that, for performance reasons, we sync raw data, so anybody sitting at an interception point BETWEEN StarWind nodes (who somehow captures sync data) will have all the content UNENCRYPTED.

To be 100% protected you need to enable BitLocker INSIDE virtual machines or on CSV where they are stored. That's all kind of supported (with some restrictions). See:

http://blog.jbrown.ca/2010/11/using-bit ... rt-in.html (BitLocker inside a VM w/o TPM)

http://technet.microsoft.com/en-us/libr ... 83585.aspx (BitLocker protection for CSV)

So per-VM protection will give you a more secure solution (but opens a can of worms in terms of mgmt), and per-CSV is much easier to manage (and fully supported by MSFT) but leaves many VMs protected with a single key.
Regards,
Anton Kolomyeytsev

Chief Technology Officer & Chief Architect, StarWind Software
