iSCSI over Internet with Server 2012 R2 and an Encrypted Bitlocker Volume

In this blog post I would like to describe a way to use BitLocker for an easy backup solution on a server where you do not want to store data unencrypted. In my case, I have one virtual machine at a hoster of my choice (of course, it is Azure) with a lot of unused storage that I am paying for anyway. Currently more than 80 GB is free, which is more than I need for the data I want to back up. So let's go to the virtual server and install the iSCSI Target role:
Install iSCSI Target Role

When this is done, I suggest you configure the firewall for the iSCSI Target. Open Windows Firewall with Advanced Security, filter for the “iSCSI Target group” rules, and allow only a specific IP range or a single IP to connect on the default port 3260:
Configure Firewall for iSCSI

When this is done, go to Server Manager and create a new iSCSI target and its virtual hard disk; you have to start with the hard disk:
Create Virtual hard disc
The wizard to create a virtual hard disk appears. I will not bore you with every screen of the wizard, but I will point out those that might surprise you if not configured correctly. The first is where the new virtual hard disk will be stored; by default it uses the “C:\iSCSIVirtualDisk” path:
Create Virtual Disk
When it comes to selecting an iSCSI target, you have to create a new one; the name you give it does not matter:
iSCSI Target Name
Afterwards you can select which initiators may access this iSCSI target. Since an initiator IQN is just a name the client chooses, it is easy to fake, so what you enter in the lower section of the wizard is a filter, not an authentication (CHAP, configured below, is). To have it configured anyway, you can select an IQN or another identifier:
iSCSI Initiator
If you would like to use the IQN as I did, go to the client/server from which you want to connect to the iSCSI target, open the iSCSI Initiator and go to the Configuration tab; there you can see the initiator name (which you can also change if you like):
iSCSI Initiator Name
Since I had already copied my IQN, I can use it here, and now configure CHAP and reverse CHAP. You only need to configure CHAP; setting reverse CHAP does not change how you connect from the iSCSI Initiator:
iSCSI configure Chap
Before you finish the wizard by clicking “Create”, you can review your settings; once you click, the disk and the iSCSI target are created.
Create iSCSI Target finished
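The server-side steps above (role, firewall, virtual disk, target, initiator filter, CHAP) as one PowerShell session, added here as an example and not taken from the original post. The client IP, client IQN, target name, CHAP user name and VHDX size are placeholders; the firewall group name is the one the post filters for in the MMC.

```powershell
# Added example (not from the original post): server-side setup of the walkthrough,
# run in an elevated PowerShell on the Windows Server 2012 R2 iSCSI target.
# All values below are assumptions/placeholders; replace them with your own.

$ClientIp   = '203.0.113.10'                             # assumption: the only host allowed to reach TCP/3260
$ClientIqn  = 'iqn.1991-05.com.microsoft:backup-client'  # assumption: read from the client's iSCSI Initiator "Configuration" tab
$VhdxPath   = 'C:\iSCSIVirtualDisk\backup.vhdx'          # the folder the wizard proposes by default
$TargetName = 'backup'                                   # any name will do, as the post notes
$ChapUser   = 'backup-initiator'                         # assumption

# 1. Install the iSCSI Target Server role service and its management tools.
Install-WindowsFeature -Name FS-iSCSITarget-Server -IncludeManagementTools

# 2. Restrict the inbound rules of the "iSCSI Target group" to the single client address.
#    Anything else hitting TCP/3260 is dropped by the host firewall.
Get-NetFirewallRule -DisplayGroup 'iSCSI Target group' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $ClientIp -Enabled True

# 3. Create the virtual disk that backs the LUN (size is an assumption).
New-IscsiVirtualDisk -Path $VhdxPath -SizeBytes 80GB

# 4. Create the target and list only the client's IQN. This is a filter, not an
#    authentication: the IQN is a string the initiator chooses, so CHAP is still required.
New-IscsiServerTarget -TargetName $TargetName -InitiatorIds @("IQN:$ClientIqn")
Add-IscsiVirtualDiskTargetMapping -TargetName $TargetName -Path $VhdxPath

# 5. Enable one-way CHAP. Windows requires a secret of 12 to 16 characters; generate it
#    from the OS CSPRNG (12 random bytes -> 16 Base64 characters, 96 bits of entropy)
#    instead of typing a word, and carry it to the client for the Connect step.
$secretBytes = New-Object byte[] 12
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($secretBytes)
$ChapSecret  = [Convert]::ToBase64String($secretBytes)
$chapCred    = New-Object System.Management.Automation.PSCredential (
                   $ChapUser, (ConvertTo-SecureString $ChapSecret -AsPlainText -Force))
Set-IscsiServerTarget -TargetName $TargetName -EnableChap $true -Chap $chapCred

# Show the result, including the target IQN the client will connect to, and the secret once.
Get-IscsiServerTarget -TargetName $TargetName |
    Select-Object TargetName, TargetIqn, EnableChap, InitiatorIds
"CHAP secret for the client: $ChapSecret"
```

The firewall rule and the initiator ID are defence in depth only: the rule keeps port 3260 off the Internet, the IQN filter keeps other initiators from seeing the target, and CHAP is the only one of the three that actually authenticates the client.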
It is now time to go to the client or server where you want to connect the iSCSI target: open the iSCSI Initiator, switch to the Discovery tab and click “Discover Portal …”:
Discover iSCSI Portal
Type in the IP address or DNS name of the target server (the portal, not the target name) and click OK; the portal should now be listed:
Discover iSCSI Portal
You can now switch back to the Targets tab, select the iSCSI target you created on your server and click “Connect”:
Connect to iSCSI Target
In the window that opens after you click “Connect”, click “Advanced” to configure the CHAP log on:
You can then close the connect window by accepting the settings. Afterwards it is time to open Disk Management and initialize your new disk:
Initialize disk
I think you are quite familiar with initializing and formatting disks, so I skip those screenshots. From this point on, you will mostly wait until the local system has sent and received the corresponding iSCSI packets, which depends on the network speed between your local system and the remote iSCSI target.
After the disk is formatted, go to Explorer and select “Turn on BitLocker”:
Turn on Bitlocker

This step is also quite self-explanatory, so I do not post the screenshots for enabling BitLocker on a drive.
Once BitLocker is initialized, it is even possible to create another VHDX on this drive, attach it in Disk Management as well, and turn on BitLocker on this nested disk too.
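The client-side steps (initiator service, portal discovery, CHAP connect, disk initialization, BitLocker) as one PowerShell session, added here as an example and not taken from the original post. The portal address, target IQN, CHAP user name and drive letter are placeholders; the CHAP secret is the one configured on the target.

```powershell
# Added example (not from the original post): client-side steps of the walkthrough,
# run in an elevated PowerShell on the Windows machine that mounts and encrypts the disk.
# All values below are assumptions/placeholders; replace them with your own.

$TargetPortal = '203.0.113.20'                                     # assumption: address of the iSCSI target server
$TargetIqn    = 'iqn.1991-05.com.microsoft:server01-backup-target' # assumption: TargetIqn shown on the server
$ChapUser     = 'backup-initiator'                                 # assumption: must match the target
$ChapSecret   = Read-Host -Prompt 'CHAP secret (12-16 chars)'      # the secret configured on the target
$DriveLetter  = 'E'                                                # assumption
$MountPoint   = "${DriveLetter}:"

# 1. The initiator service is stopped by default on clients; start it and keep it running.
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI

# The initiator's own IQN, i.e. the value entered in the target's initiator filter.
(Get-InitiatorPort | Where-Object ConnectionType -eq 'iSCSI').NodeAddress

# 2. Discover the portal (IP/DNS name of the server, not the target name), then connect
#    with one-way CHAP. -IsPersistent re-establishes the session after a reboot.
New-IscsiTargetPortal -TargetPortalAddress $TargetPortal
Connect-IscsiTarget -NodeAddress $TargetIqn -AuthenticationType ONEWAYCHAP `
    -ChapUsername $ChapUser -ChapSecret $ChapSecret -IsPersistent $true

# 3. Initialize, partition and format the new disk: the one on the iSCSI bus that is still RAW.
$disk = Get-Disk | Where-Object { $_.BusType -eq 'iSCSI' -and $_.PartitionStyle -eq 'RAW' }
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter $DriveLetter
Format-Volume -DriveLetter $DriveLetter -FileSystem NTFS -NewFileSystemLabel 'Backup' -Confirm:$false

# 4. Turn on BitLocker with a password protector and add a recovery password.
#    Encryption happens on this machine, so only ciphertext sectors are written to the target.
$pw = Read-Host -Prompt 'BitLocker password' -AsSecureString
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 -PasswordProtector -Password $pw
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector

# Print the recovery password once and store it away from the target server:
# it unlocks the volume on its own.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword
```

`Aes256` is used because XTS modes only arrived with later Windows releases; on Server 2012 R2 clients it is the strongest method `Enable-BitLocker` accepts.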

Everything works fine, but these two points are still unclear to me:
1. When I copy data to the drive, the copy job finishes immediately, but I know that the data cannot already have been copied to the iSCSI target. Maybe a reader can give me a pointer on this, or I will figure it out later.
2. Is this secure in some way? I don't know. It is clear that the encrypted VHDX on the remote server is as secure as it can be when BitLocker is used. Beyond the encryption technology, I am not sure when and how the traffic sent through iSCSI (without IPsec) could lead to leakage of the BitLocker key or to decryption opportunities. Maybe a reader can point out something in the comments, or get in contact with me on Twitter to share your knowledge.
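An added note and check, not part of the original post, on the two open points. A copy to the drive returns as soon as the data is in the Windows system cache; the write reaches the target later, through the same encrypted path. BitLocker encrypts on the initiator, so what crosses the iSCSI connection is ciphertext plus the volume's BitLocker metadata (the VMK wrapped by the password and recovery protectors), which is exactly what an attacker holding the VHDX on the server sees anyway. What an unprotected connection does expose is the CHAP exchange, a challenge/response whose secret can be attacked offline if it is short or guessable, and the ciphertext to tampering in transit; IPsec would close both. The checks below assume drive letter E: from the earlier steps.

```powershell
# Added example (not from the original post): post-setup checks on the client.
$DriveLetter = 'E'            # assumption: the letter assigned to the iSCSI volume
$MountPoint  = "${DriveLetter}:"

# 1. Which authentication the live session negotiated (NONE / ONEWAYCHAP / MUTUALCHAP).
#    Anything other than a CHAP variant means the target accepted the initiator on IQN alone.
Get-IscsiSession | Select-Object TargetNodeAddress, IsPersistent, AuthenticationType

# 2. Is the volume fully encrypted and is protection actually on?
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object VolumeStatus, ProtectionStatus, EncryptionPercentage, EncryptionMethod

# 3. A finished copy in Explorer only means the data is in the system cache. Flush it so the
#    blocks are pushed over the iSCSI session before you treat the backup as written.
Write-VolumeCache -DriveLetter $DriveLetter
```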
