Using Microsoft BitLocker In a VMware guest Virtual Machine

For a recent project I had a technical requirement that all servers be encrypted at the disk level.

There was no budget for any 3rd-party solution, so I looked at open source tools or functionality already included in the Windows operating system.

BitLocker was considered ideal, since it was already approved for use by the business; however, it normally relies on a TPM chip, which could not be presented to the guest virtual machines.

The workaround was to export the BitLocker startup key to a virtual floppy image and present that floppy to the guest at boot time. The trade-off is that features such as VMware HA would not present the floppy automatically, so after a failover the server (and the applications on it) would need manual intervention to get past the BitLocker startup prompt.

The following process met the technical requirement and allowed progress until a more production-grade solution was in place. Please note that although this process works for me, it is unsupported by VMware (see VMware KB 2036142).

Process to enable BitLocker in a VMware guest virtual machine.

In the guest VM BIOS, set the boot order so the floppy drive comes after the hard disk and CD-ROM. BitLocker reads the startup key from the floppy during boot, but the VM must still boot from the hard disk.

Within the Windows OS, install the BitLocker Drive Encryption feature from the Add Roles and Features wizard (a restart is required before BitLocker can be enabled on the OS drive).

Amend the GPO applied to the guest VM so that BitLocker can be used without a TPM: under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives, enable "Require additional authentication at startup" and tick "Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)". Run gpupdate /force on the guest and confirm the policy has applied before continuing.


Attach a floppy image to the VM (the steps below assume it appears as logical drive A:).

Start a CMD window as administrator (manage-bde.exe lives in C:\Windows\System32, which is already on the path, so changing directory there is optional).

Run the command: manage-bde.exe -on C: -rp -sk A:

Restart the machine, leaving the floppy attached to the VM. BitLocker runs a system check on this reboot to confirm the startup key can be read from A:, and only then begins encrypting.

Log in to Windows and wait for BitLocker to encrypt the drive. To check progress, use the command

manage-bde -status

The syntax above encrypts the logical C: drive. The -sk switch saves the startup key to a .BEK file on the floppy, and -rp adds a 48-digit numerical recovery password, which manage-bde prints when the command runs (it can be retrieved later with manage-bde -protectors -get C:). Record that recovery password somewhere off the VM: it is the only way back into the volume if the floppy image is lost. Bear in mind also that the floppy image normally sits on the same datastore as the VMDK, so anyone with access to the datastore also has the startup key; this setup protects against a copied VMDK far better than against a compromised vSphere environment.
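The same procedure as an elevated PowerShell script, using the BitLocker module instead of manage-bde. This is an added example, not part of the original post; it assumes the floppy image is already attached as A:, the GPO step above has been applied (it checks the registry values that policy writes before touching the OS drive), and it runs on Windows Server 2012 or later where the BitLocker cmdlets exist.

```powershell
# Added example (not from the original post): enable BitLocker on the OS drive of a
# VMware guest with no TPM, using a startup key on the virtual floppy plus a
# numerical recovery password. Equivalent to: manage-bde -on C: -rp -sk A:
#Requires -RunAsAdministrator
$OSDrive  = 'C:'
$KeyDrive = 'A:\'   # assumed drive letter of the attached floppy image

# 1. Install the BitLocker feature (and its PowerShell module) if it is missing.
#    The feature install needs a reboot before the OS drive can be protected.
if ((Get-WindowsFeature -Name BitLocker).InstallState -ne 'Installed') {
    Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools
    Write-Warning 'BitLocker feature installed; reboot the VM and run this script again.'
    return
}
Import-Module BitLocker

# 2. Check that the "Require additional authentication at startup" policy with
#    "Allow BitLocker without a compatible TPM" has actually applied. These are
#    the registry values that GPO setting writes; without them Enable-BitLocker
#    refuses to protect an OS drive on a machine with no TPM.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($fve.UseAdvancedStartup -ne 1 -or $fve.EnableBDEWithNoTPM -ne 1) {
    throw 'No-TPM BitLocker policy is not applied on this guest. Run gpupdate /force and check the GPO.'
}

# 3. Make sure the floppy is present and writable before changing the OS drive,
#    otherwise the startup key has nowhere to go and the VM will prompt for
#    recovery on the next boot.
if (-not (Test-Path -Path $KeyDrive)) {
    throw "Startup key drive $KeyDrive is not present; attach the floppy image first."
}
$probe = Join-Path -Path $KeyDrive -ChildPath 'bde-probe.tmp'
Set-Content -Path $probe -Value 'probe'
Remove-Item -Path $probe

# 4. Skip volumes that are already protected, then enable BitLocker with the
#    startup key protector (the .BEK is written to A:) and add the recovery
#    password as a second protector. The system check on the next reboot
#    verifies the key can be read before encryption begins.
$vol = Get-BitLockerVolume -MountPoint $OSDrive
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "$OSDrive is already protected by BitLocker; nothing to do."
    return
}
Enable-BitLocker -MountPoint $OSDrive -StartupKeyProtector -StartupKeyPath $KeyDrive | Out-Null
Add-BitLockerKeyProtector -MountPoint $OSDrive -RecoveryPasswordProtector | Out-Null

# 5. Show the 48-digit recovery password so it can be recorded off the VM. The
#    .BEK on the floppy shares a datastore with the VMDK and is not a recovery path.
$rp = (Get-BitLockerVolume -MountPoint $OSDrive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Write-Host "Recovery password for $OSDrive (protector $($rp.KeyProtectorId)): $($rp.RecoveryPassword)"
Write-Host 'Record the recovery password, leave A: attached, then reboot to start encryption.'

# After the reboot, encryption progress can be followed with:
#   Get-BitLockerVolume -MountPoint C: | Select-Object VolumeStatus, EncryptionPercentage, ProtectionStatus
```

The policy check in step 2 is the part most worth keeping even if the rest is done by hand: on a VM with no TPM, a missing or unapplied GPO is the usual reason manage-bde -on fails, and the registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE are a quicker confirmation than re-reading the Group Policy editor.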
