Using BitLocker for Windows VPS disks

Introduction

Data security is a priority for any business, especially when it comes to virtual servers. One of the most effective ways to protect information on Windows VPS is to use BitLocker, Microsoft’s built-in disk encryption tool.

It prevents unauthorized access to data, even if an attacker gains physical access to the virtual storage.

In this article, we’ll look at how BitLocker works, how to set it up on a VPS, and what features to consider when using it in a virtual environment.

What is BitLocker and how does it work?

BitLocker Drive Encryption is an encryption technology that first appeared in Windows Vista and later became a standard feature in professional and server editions of Windows. BitLocker uses the AES (Advanced Encryption Standard) algorithm with a key length of 128 or 256 bits and can use TPM (Trusted Platform Module) for key storage.

The main purpose of BitLocker is to protect data on the disk in case of theft, hacking, or loss of access to the device.

BitLocker provides:

• Full encryption of the entire volume;
• Transparent operation for the user;
• The ability to unlock with a password, recovery key, or TPM;
• Integration with Active Directory or Azure AD (in an enterprise environment).

Features of using BitLocker on Windows VPS

Virtual servers differ from physical machines in that they do not have TPM and a controlled hardware environment. However, BitLocker supports modes that do not require TPM.

Supported encryption modes:

For VPS, we recommend using a password or recovery key that is stored separately.

How to enable BitLocker on Windows VPS: step-by-step instructions

Why is this a special case?

BitLocker usually works in conjunction with a TPM module, which is not available in a virtual environment (e.g., on KVM, Hyper-V, VMware, or other hosting platforms). However, Microsoft has provided the option to encrypt without TPM — this requires configuring BitLocker via group policy and using a password or key file to unlock the volume.

Step 1: Check your Windows version

BitLocker is available only in professional and server editions:

• Windows Server (starting with 2008 R2)
• Windows 10/11 Pro, Enterprise

Check via PowerShell:

				
					systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
				
			

If you have Windows Home, BitLocker is not available, and you need to upgrade to Pro or Server.

Step 2: Install the BitLocker component (for servers)

On Windows Server, BitLocker may not be installed by default.

Installation via PowerShell:

				
					Install-WindowsFeature BitLocker -IncludeAllSubFeature -Restart
				
			

Installation check:

				
					Get-WindowsFeature -Name BitLocker
				
			

If everything is correct, you will see the status Installed.

Step 3: Allow BitLocker to work without TPM

Open the Local Group Policy Editor:

				
					gpedit.msc
				
			

Follow this path:

Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System

Find and enable the option:

“Require additional verification at startup”

Set:

• “Allow BitLocker without a compatible TPM (password or key required)” = Enabled

⚠️ If you don’t do this, the system won’t let you turn on encryption on the VPS.

Step 4: Preparing the disk

Check the status of the system volume (usually C:):

Open PowerShell as an administrator:

				
					manage-bde -status
				
			

Ensure that:

• The drive is not encrypted.
• There are no active errors.
• There is at least 10–15% free space (for temporary encryption files).

Step 5: Start encryption

1. Start via the graphical interface:

• Go to Control Panel → System and Security → BitLocker.
• Click “Turn on BitLocker” on the desired drive.
• Select the unlock method: password or key file.
• Save the recovery key (outside the VPS!) — you will need it in case of failure.
• Select the encryption method (preferably entire drive, especially if the server is not new).
• Confirm the start.

1. Or via the command line:

				
					manage-bde -on C: -Password
				
			

The system will prompt you to enter and confirm your password.

Save the recovery key:

				
					manage-bde -protectors -get C:
				
			

To export the key:

				
					manage-bde -protectors -get C: > D:BitLockerKey.txt
				
			

Step 6: Wait for encryption to complete

Check the status:

				
					manage-bde -status
				
			

Full encryption can take anywhere from a few minutes to several hours, depending on the amount of data and the performance of your VPS.

You can continue working during encryption, but it is best to wait until it is complete before rebooting or shutting down your server.

Decrypt or disable BitLocker (if necessary)

				
					manage-bde -off C:
				
			

The system will begin the reverse conversion. Do not interrupt the process.

Additional recommendations

• Do not store your password and recovery key on the same VPS.
• Use a long, unique password (12+ characters).
• Backup before enabling encryption — mandatory.
• Check that your VPS provider supports encryption and does not prohibit it in the SLA.

Potential threats and protection against hacking

Although BitLocker is reliable, there are a number of attacks to be aware of:

• Cold Boot Attack: an attack in which the key is extracted from memory if the device has not been shut down correctly.
• Bootkits: if the system is not protected by UEFI Secure Boot, the boot code can be replaced.

Recommendations:

• Do not store the recovery key on the same VPS.
• Shut down the VPS when not in use for long periods of time.
• Use complex passwords and do not share them with VPS providers.

Advantages of BitLocker for VPS hosting

✔ Data protection during physical access to storage.

✔ Compliance with GDPR, ISO, PCI DSS, and other standards.

✔ No need for third-party solutions.

BitLocker is a built-in tool that does not require an additional license or software, making it ideal for cloud solutions.

Conclusion

BitLocker is a powerful tool for ensuring data security on Windows VPS. Its proper configuration eliminates the risk of information leaks, meets corporate security requirements, and does not depend on third-party software.

It is especially important to organize key storage correctly and take into account that there is no TPM in a virtual environment, which requires additional steps during setup.

Use BitLocker as part of a comprehensive information security policy, and your data will remain securely protected.

Table of Contents