Guest
Will BitLocker ever support keys stored on Smartcards to encrypt the VMK?
This would be a more secure way to carry the startup key around than by USB,
since the .BEK file is simply a hidden file, easily copied if the USB key is
used to share everyday data.
(Note that Federal Agencies have HSPD-12 to contend with, and will be
averse to managing both USB keys and PIV cards at the same time!)
It also provides a way to uniquely identify and account for startup on a
user-by-user basis, whereas currently there is only one startup key per
machine, so multiple users of one laptop must carry the same startup key.
It would seem that storing keys on someone's smartcard isn't a big deal,
until you realize what is necessary to track who has which startup key for
which laptop, scaled across the enterprise of laptops.
And could an actual audit log be securely managed in the pre-boot
environment, tracking who actually started up the machine and when, and
somehow making this log available to the event logs on the running OS?
I did notice some interesting things about manage-bde - I can actually make
several startup-key protectors for a single machine. For a multi-user
machine, this could be used to assign a different startup key to each user.
If one user no longer requires access to the machine, their key protector
metadata could be deleted, leaving the others unchanged. Seems like an
enterprise management nightmare, though...
Thanks!
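The per-user startup-key scheme the post describes with manage-bde, as an added example that is not part of the original post and not Microsoft's own tooling: one external-key protector is created per user, the resulting protector ID is written to an inventory file so the enterprise can track who holds which .BEK for which laptop, and a departing user's protector is removed by ID without touching the others. The drive letters, user names, inventory path, and the regex used to pull the protector GUID out of manage-bde's console output are assumptions for illustration.

```powershell
# Added example: per-user BitLocker startup-key protectors with an inventory.
# Assumes the OS volume is C: and that each user's (empty) USB stick is
# mounted in turn at the path passed in. Run from an elevated prompt.

$OsVolume     = 'C:'
$InventoryCsv = 'C:\ProgramData\BitLockerKeyInventory.csv'   # assumed path

function Add-UserStartupKey {
    param(
        [Parameter(Mandatory)] [string] $UserName,   # e.g. DOMAIN\jdoe (assumed)
        [Parameter(Mandatory)] [string] $UsbRoot     # e.g. 'E:\' (assumed)
    )
    # Each call generates a fresh external key and writes a new hidden .BEK
    # file to the USB root, so every user gets a distinct protector.
    $output = & manage-bde -protectors -add $OsVolume -StartupKey $UsbRoot 2>&1
    if ($LASTEXITCODE -ne 0) { throw "manage-bde failed: $output" }

    # Assumption: the new protector's ID appears in the output as {GUID}.
    $id = ([regex]'\{[0-9A-Fa-f\-]{36}\}').Match(($output -join "`n")).Value
    if (-not $id) { throw 'Could not find protector ID in manage-bde output' }

    # Record who holds which key for which machine; this is the bookkeeping
    # the post points out is the hard part at enterprise scale.
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Volume      = $OsVolume
        User        = $UserName
        ProtectorId = $id
        Issued      = (Get-Date).ToString('o')
    } | Export-Csv -Path $InventoryCsv -Append -NoTypeInformation
    return $id
}

function Remove-UserStartupKey {
    param([Parameter(Mandatory)] [string] $UserName)
    # Look up the departing user's protector ID(s) in the inventory.
    $rows = Import-Csv $InventoryCsv |
            Where-Object { $_.Computer -eq $env:COMPUTERNAME -and $_.User -eq $UserName }
    if (-not $rows) { throw "No startup key recorded for $UserName on this machine" }

    foreach ($row in $rows) {
        # Deleting by ID leaves every other user's protector in place.
        & manage-bde -protectors -delete $OsVolume -id $row.ProtectorId | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Failed to delete protector $($row.ProtectorId)" }
    }
    # Keep the inventory consistent with what is actually on the volume.
    Import-Csv $InventoryCsv |
        Where-Object { -not ($_.Computer -eq $env:COMPUTERNAME -and $_.User -eq $UserName) } |
        Export-Csv -Path $InventoryCsv -NoTypeInformation
}

function Show-StartupKeyState {
    # Cross-check the inventory against the protectors the volume really has.
    Write-Host "--- Protectors on $OsVolume ---"
    & manage-bde -protectors -get $OsVolume
    Write-Host "--- Inventory for $env:COMPUTERNAME ---"
    Import-Csv $InventoryCsv | Where-Object { $_.Computer -eq $env:COMPUTERNAME } | Format-Table
}

# Example usage (user names and USB paths are placeholders):
# Add-UserStartupKey -UserName 'DOMAIN\alice' -UsbRoot 'E:\'
# Add-UserStartupKey -UserName 'DOMAIN\bob'   -UsbRoot 'E:\'   # second stick
# Show-StartupKeyState
# Remove-UserStartupKey -UserName 'DOMAIN\bob'
```

Two practical notes: the inventory file only tracks issuance, not use, so it does not answer the pre-boot audit question raised above; and before removing a protector, confirm with `manage-bde -protectors -get` that at least one other unlock method (TPM, another startup key, or a recovery password) remains, or the volume becomes unbootable.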