For a recent project I had a technical requirement where all servers needed to be encrypted at the disk level.
There was no budget for any 3rd party solutions, so I was looking at open source or functionality already included in the Windows operating system.
BitLocker functionality was considered ideal, it was already approved for use by the business, however it uses a TPM chip which is not available to present to the guest virtual machines.
A workaround was to export the BitLocker key to a virtual floppy drive and then present the floppy to the guest at boot time. The trade-off however was functionality such as VMware HA wouldn’t present the disk automatically, so applications and servers would need manual intervention when starting at error time.
The following process met the technical requirement and allowed progress until a more production level solution was enabled. Please note, although this process works for me, I would please remember this is unsupported by VMware (See Vmware KB : 2036142)
Process to enable BitLocker in a VMware guest virtual machine.
Configure the guest VM boot order in the BIOS for the floppy drive to be lower than the hard Drive / CD Rom
Within the Windows OS – Install Bitlocker encryption from the add features menu.
Amend the guest VM GPO as shown below
Attach a floppy image to the VM (below assumed logical drive letter A:)
Start a CMD window as admin & change directory focus to C:\windows\system32\
Run the command manage-bde.exe on C: -rp sk A:
Restart the machine. Leave the floppy presented to the VM
Login to windows and wait for bitlocker to encrypt the drive – to check status use the command
manage-bde -status
The syntax above with encrypt the logical C drive and the key is saved to a BEK file written to the floppy drive.