SQL Server Performance

SQL 2008 and Bitlocker

Discussion in 'SQL Server 2008 General DBA Questions' started by Kentril, Apr 5, 2011.

  1. Kentril New Member

    Hello, I've installed SQL 2008 R2 with all updates on C:, but the databases have been installed on the 2nd partition (drive E:) on WIN 2008 R2. This partition was encrypted by BitLocker. I set the drive to unlock automatically. Now I'm having trouble: after restarting Windows, SQL won't start automatically :( There is nothing in the LOG
    Even if all parameters are set to AUTOSTART. Even in services I've tried setting in envelope "Recovery" First Failure Restart Service....
    I guess drive E: is unlocked after SQL tried to start
    EDIT1: I found logs in Event Viewer. Windows Logs:
    The SQL Server (SIM) service failed to start due to the following error: The system cannot find the file specified.
    I think the system cannot write the error log, because it is on the encrypted partition (E:), which hasn't been unlocked yet
    I've also tried writing scripts in PowerShell or CMD commands within the local computer policy startup scripts. These scripts should have admin rights. If I run these scripts, the services start up. There is no option in Task Scheduler "Run this program after Windows starts up". The job scheduler doesn't work either :( running the script every 2 mins doesn't turn the service on until an admin is logged in :(
    I'm thinking about installing some app to run these scripts 1 min after reboot.
    Thanks for any advice!
  2. satya Moderator

    How often do you restart the Windows Server?
    Is there any specific reason to use BitLocker on the drives?
    Is SQL Server behind a firewall?
    The other option can be to set the SQL Server services to manual and use a Windows Scheduler job to restart the SQL services once Windows has restarted fully.
    Also see this article for information: http://msdn.microsoft.com/en-us/library/cc278098(v=sql.100).aspx
  3. Kentril New Member

    Well, I hope it won't restart often. But if this happened, SQL wouldn't start.
    Our customer requires encryption. That's why it is on another partition encrypted by BitLocker.
    Yes, SQL is behind a HW firewall and the built-in OS firewall.
    SQL Enterprise is quite an expensive solution if we need only encryption.
    Yesterday I found the solution:
    BitLocker doesn't unlock (I don't mean decrypt) the drive E: after system start-up. That's why SQL couldn't start. So I manually put the script into the policy to unlock the drive. The problem is security, because anyone who can log in to the system can see the drive unlocked. Then I decided to use Domain Group Policy startup scripts. Only Domain Admins can see the scripts on the Domain Controller. Restricted access has been used on the computer (only 3 users can log in). So if someone "steals" the system, breaks the admin password and turns it on without the domain controller, the drive E: remains locked and encrypted.
    Thanks anyway!
  4. satya Moderator

    True, in terms of what your fear is when passwords are compromised for DOMAIN admins.
    If the encryption is required, why not look at database encryption rather than implementing it at the hardware level?
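
The approach Kentril describes in post 3 (a startup script that unlocks E: before SQL Server is started), shown as an added example that is not part of the thread. It assumes PowerShell 2.0 on Windows Server 2008 R2, an external-key (.bek) protector on E: kept at a placeholder UNC path, and the service name `MSSQL$SIM` inferred from the instance name in the event log message.

```powershell
# Added example (not from the thread). Intended to run as a computer startup
# script, which executes as LocalSystem and reaches the network as the
# computer account.
$Drive      = 'E:'          # BitLocker data volume from the thread
$Service    = 'MSSQL$SIM'   # assumption: service name of the named instance "SIM"
# Placeholder path. Keep the key out of the script itself: GPO startup scripts
# are stored in SYSVOL, which domain members can read by default. ACL this
# share so only this server's computer account can read it.
$KeyFile    = '\\<fileserver>\<share>\<keyfile>.bek'
$TimeoutSec = 120

function Get-BdeVolume([string]$Letter) {
    # WMI provider for BitLocker; works on PowerShell 2.0 (no BitLocker cmdlets needed)
    Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$Letter'"
}

function Test-VolumeLocked($Volume) {
    # GetLockStatus returns LockStatus 0 = unlocked, 1 = locked
    return ($Volume.GetLockStatus().LockStatus -eq 1)
}

$vol = Get-BdeVolume $Drive
if (-not $vol) { Write-Error "No BitLocker-capable volume found at $Drive"; exit 1 }

if (Test-VolumeLocked $vol) {
    if (-not (Test-Path -LiteralPath $KeyFile)) {
        # Off the domain network the key is unreachable, so the volume stays locked
        Write-Error "Key file not reachable; leaving $Drive locked"; exit 2
    }
    & manage-bde.exe -unlock $Drive -RecoveryKey $KeyFile | Out-Null
    if ($LASTEXITCODE -ne 0 -or (Test-VolumeLocked (Get-BdeVolume $Drive))) {
        Write-Error "Unlock of $Drive failed"; exit 3
    }
}

# Start SQL Server only once its data and log files are readable
$svc = Get-Service -Name $Service
if ($svc.Status -ne 'Running') { Start-Service -Name $Service }
try {
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds($TimeoutSec))
} catch {
    Write-Error "$Service did not reach Running within $TimeoutSec s"; exit 4
}
```

The distinct exit codes (1 to 4) let a monitoring job tell a missing volume, an unreachable key, a failed unlock and a service that did not start apart.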
