Using BitLocker for Windows VPS disks

Encrypt data at rest on a Windows server without third‑party tools

BitLocker is built into Windows Pro/Enterprise and Windows Server and is one of the fastest ways to protect data “at rest” — especially if you store customer data, internal documents, backups, or database files on a VPS disk.

On a Windows VPS running on VPS hosting, BitLocker helps reduce the impact of storage compromise scenarios and supports compliance requirements where encryption is mandatory.

Important VPS nuance: OS disk vs data disk

Before enabling BitLocker, decide what exactly you encrypt:

  • Data disk (recommended first): encryption is easier to manage and usually doesn’t break reboot automation.
  • System disk (C:): on many virtual servers there is no TPM, so OS-disk encryption can require manual unlock during boot. This can be inconvenient without an out-of-band console.

Best practice for many VPS setups: encrypt the disk(s) that store application data, backups, exports (D:, E:), and keep a tested recovery plan.

Pre-flight checklist (do this before you turn it on)

  • Confirm your edition supports BitLocker (Windows Server / Pro / Enterprise).
  • Make a backup (snapshot + file-level backup if possible).
  • Make sure you have console access for emergencies (hosting panel / VNC / KVM).
  • Prepare a safe place for the recovery key (NOT on the same VPS).
  • Ensure you have enough free disk space (encryption needs working room).

Step 1: Install BitLocker on Windows Server

On Windows Server, BitLocker is often not installed by default. Run PowerShell as Administrator:

Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart

After reboot, verify:

Get-WindowsFeature BitLocker

Step 2: Allow BitLocker without TPM (common on VPS)

Many virtual servers don’t expose a TPM. BitLocker can still work, but you must allow startup authentication without TPM.

  • Run gpedit.msc
  • Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives
  • Enable Require additional authentication at startup
  • Check Allow BitLocker without a compatible TPM

If you skip this step, Windows may refuse to enable encryption for the system drive in a non‑TPM environment.

Step 3 (recommended): Encrypt a data volume with PowerShell

Example for drive D: with XTS‑AES‑256 and “Used Space Only”. Used Space Only is faster, but it leaves the free space of the volume unencrypted, so use it only on a new, empty volume; for a volume that already held data, omit -UsedSpaceOnly so the whole drive is encrypted. Run PowerShell as Administrator:

# Note: $pwd is PowerShell's automatic current-directory variable, so use a different name.
$pw = Read-Host -AsSecureString "Set BitLocker password for D:"
Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -PasswordProtector -Password $pw

# Add a recovery password protector (store the recovery key OFF the server!)
# Add-BitLockerKeyProtector returns the volume object, not the protector,
# so read the recovery password back from the volume's protector list.
Add-BitLockerKeyProtector -MountPoint "D:" -RecoveryPasswordProtector | Out-Null
(Get-BitLockerVolume -MountPoint "D:").KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword

Check encryption progress:

manage-bde -status D:

List protectors (to confirm recovery protector exists):

manage-bde -protectors -get D:
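The three steps above, wrapped into one function with the pre-flight checks from the checklist and a verification that the recovery protector really exists. This is an added example, not code from the article; the function name, the -MinFreeGB threshold and the "refuse if already encrypted" guard are assumptions.

```powershell
# Added example: enable BitLocker on a data volume with pre-flight checks,
# then confirm a RecoveryPassword protector exists. Assumes an elevated
# PowerShell on Windows Server with the BitLocker feature installed (Step 1).
function Enable-DataVolumeBitLocker {
    param(
        [Parameter(Mandatory)][string]$MountPoint,        # e.g. "D:"
        [Parameter(Mandatory)][securestring]$Password,
        [int]$MinFreeGB = 2                               # assumed working-room threshold
    )

    # Pre-flight: feature installed (Get-WindowsFeature exists on Server only).
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        if (-not (Get-WindowsFeature -Name BitLocker).Installed) {
            throw "BitLocker feature is not installed (see Step 1)."
        }
    }

    # Pre-flight: volume exists and has enough free space for encryption.
    $vol = Get-Volume -DriveLetter $MountPoint.TrimEnd(':') -ErrorAction Stop
    if (($vol.SizeRemaining / 1GB) -lt $MinFreeGB) {
        throw "Less than $MinFreeGB GB free on $MountPoint; encryption needs working room."
    }

    # Guard: do not touch a volume that is already encrypted or in progress.
    $bl = Get-BitLockerVolume -MountPoint $MountPoint
    if ($bl.VolumeStatus -ne 'FullyDecrypted') {
        throw "$MountPoint is already $($bl.VolumeStatus); aborting."
    }

    # Step 3: XTS-AES-256 with a password protector. -UsedSpaceOnly is only
    # appropriate for a fresh volume; drop it for a volume that held data before.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -PasswordProtector -Password $Password | Out-Null

    # Recovery password protector: the fallback if the password is lost.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

    # Verify and return the recovery protector so the operator can store it
    # off the server (never on the VPS itself).
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) { throw "No RecoveryPassword protector found on $MountPoint." }
    [pscustomobject]@{
        MountPoint       = $MountPoint
        KeyProtectorId   = $rp.KeyProtectorId
        RecoveryPassword = $rp.RecoveryPassword
    }
}

# Usage: record the returned RecoveryPassword in your off-server key store.
$pw = Read-Host -AsSecureString "Set BitLocker password for D:"
Enable-DataVolumeBitLocker -MountPoint "D:" -Password $pw
```

Encryption continues in the background after the function returns; track it with manage-bde -status D: as shown above.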

Auto-unlock: what to know (and why it may not work on VPS)

BitLocker can auto‑unlock data drives after the OS drive is unlocked. Windows requires the OS drive itself to be BitLocker‑protected before auto‑unlock can be enabled for fixed data drives — otherwise you will see an error like “The operating system drive is not protected…”.

If your VPS must reboot unattended, you have 3 realistic options:

  • Encrypt OS + data drives and ensure you can unlock after reboots (console access is required).
  • Encrypt only specific sensitive files/app data at the application level if full-disk unlock is operationally hard.
  • Use provider-level encryption (if your hosting stack supports it) and keep BitLocker for data-only scenarios.

GUI method (Control Panel) for admins who prefer clicks

  • Control Panel → System and Security → BitLocker Drive Encryption
  • Select the drive → Turn on BitLocker
  • Choose password (common for VPS)
  • Save the recovery key outside the VPS
  • Select encryption scope: “Used space only” (new disk) or “Entire drive” (existing data)

How to disable BitLocker (if needed)

Disabling decrypts the drive — don’t interrupt the process:

manage-bde -off D:

Operational best practices for Windows VPS encryption

  • Never store recovery keys on the same VPS you encrypt.
  • Document: which disks are encrypted, where the recovery keys are, who can access them.
  • Test a reboot scenario and a recovery scenario before production rollout.
  • Expect a performance hit during initial encryption; schedule it off-peak.

If you need consistent disk performance for encryption + workloads, choose a plan where storage I/O is stable — that’s one of the key factors when selecting a Windows VPS on VPS hosting.
