A. You can enable BitLocker on all volumes with Windows Server 2008, if you want. With virtualization, you place your virtual hard disks (VHDs) on the file system, which may contain sensitive information or be running on a server that isn't physically secure, so the question often comes up if BitLocker can be used on volumes that hold VHDs. Using BitLocker on a volume with VHDs is a fully supported configuration and one you are very likely to use in branch or remote offices or any location where you can't physically secure the servers.

Before virtualization was available as part of the Server 2008 OS, the best practice for branch and remote locations was to roll out a server with Server Core, encrypted with BitLocker, and run the Read-Only Domain Controller role (and possibly others). With virtualization, you probably want to place a Hyper-V server running on Server Core and use BitLocker to encrypt all the drives, including your VHDs, thus protecting your virtual machines (VMs) at a disk level. You then run your services on VMs on the Hyper-V server. Because you can't pass through the physical Trusted Platform Module to the VM, you can't easily perform BitLocker encryption inside the VM.

In terms of overhead caused by encrypting the disk with BitLocker, you'll only see the normal BitLocker overhead, which is minimal in most situations. There's no additional performance penalty caused by virtualization running on BitLocker.

Related Reading

Videos:

Audio:


Check out hundreds more useful Q&As like this in John Savill's FAQ for Windows. Also, watch instructional videos made by John at ITTV.net.