Windows Vista Forums
BitLocker: SmartCard support?

07-10-2006   #1
tavis (Guest)

BitLocker: SmartCard support?

Will BitLocker ever support keys stored on Smartcards to encrypt the VMK?

This would be a more secure way to carry the startup key around than by USB,
since the .BEK file is simply a hidden file, easily copied if the USB key is
used to share everyday data.

(Note that Federal Agencies have HSPD-12 to contend with, and will be
averse to managing both USB keys and PIV cards at the same time!)

It also provides a way to uniquely identify and account for startup on a
user-by-user basis, whereas currently there is only one startup key per
machine, so multiple users of one laptop must carry the same startup key.

It would seem that storing keys on someone's smartcard isn't a big deal,
until you realize what is necessary to track who has which startup key for
which laptop, scaled across the enterprise of laptops.

And could an actual audit log be securely managed in the pre-boot
environment, tracking who actually started up the machine and when, and
somehow making this log available to the event logs on the running OS?

I did notice some interesting things about manage-bde - I can actually make
several startup-key protectors for a single machine. For a multi-user
machine, this could be used to assign a different startup key to each user.
If one user no longer requires access to the machine, their key protector
metadata could be deleted, leaving the others unchanged. Seems like an
enterprise management nightmare, though...

Thanks!
07-11-2006   #2
Jamie Hunter [MS] (Guest)

Re: BitLocker: SmartCard support?

You are correct that Smart Cards are more ideal than a USB key. We have to
provide universal pre-boot Smart Card support (unlike specific 3rd party
solutions, we cannot have hard-coded support for a limited set of
providers), but we are working on this for a future version. You've
identified frequent requests, but there is a limit on what we can provide
for the first version.

The WMI interface is very rich in its capabilities. I'm sure we'll see some
custom administration solutions coming out that take advantage of it, such
as the multiple key support.

-
Jamie Hunter [MS]

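The two posts above describe, between them, a per-user startup-key scheme: tavis notes that manage-bde can hold several startup-key (external key) protectors on one volume and that one user's protector can be deleted without touching the others, and Jamie points at the BitLocker WMI interface as the place to build that kind of administration. The following PowerShell is an added example, written for this page and not code from either poster or from Microsoft, that drives the same Win32_EncryptableVolume WMI class manage-bde uses. Assumptions made here that the thread does not state: the OS volume is C:, the removable drive that receives the .BEK file is E:\ (or F:\), and the protector's FriendlyName field is used to record which user a startup key was issued to, since BitLocker itself keeps no user-to-protector mapping.

```powershell
# Added example, not from the thread. Per-user startup-key protectors on one
# BitLocker volume through the Win32_EncryptableVolume WMI class.
# Assumptions: OS volume is C:, the .BEK goes to a removable drive passed as
# -BekDir, and FriendlyName "startupkey:<user>" records the owning user.
# Run from an elevated PowerShell prompt.

$ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"

# GetKeyProtectors type codes: 0 = all, 2 = external key (startup key / .BEK).
$ALL_PROTECTORS = 0
$EXTERNAL_KEY   = 2

function Get-StartupKeyProtectors {
    # One object per external-key protector on C:, with its GUID and FriendlyName.
    $r = $vol.GetKeyProtectors($EXTERNAL_KEY)
    if ($r.ReturnValue -ne 0) { throw ("GetKeyProtectors failed: 0x{0:X8}" -f $r.ReturnValue) }
    foreach ($id in @($r.VolumeKeyProtectorID)) {
        $fn = $vol.GetKeyProtectorFriendlyName($id)
        New-Object PSObject -Property @{ Id = $id; FriendlyName = $fn.FriendlyName }
    }
}

function Add-UserStartupKey([string]$User, [string]$BekDir) {
    # Let BitLocker generate a fresh external key (ExternalKey = $null) and tag
    # the protector with the user it was issued to.
    $r = $vol.ProtectKeyWithExternalKey("startupkey:$User", $null)
    if ($r.ReturnValue -ne 0) { throw ("ProtectKeyWithExternalKey failed: 0x{0:X8}" -f $r.ReturnValue) }
    $id = $r.VolumeKeyProtectorID
    # Writes <protector GUID>.BEK into $BekDir, the same hidden file manage-bde -sk produces.
    $s = $vol.SaveExternalKeyToFile($id, $BekDir)
    if ($s.ReturnValue -ne 0) { throw ("SaveExternalKeyToFile failed: 0x{0:X8}" -f $s.ReturnValue) }
    return $id
}

function Remove-UserStartupKey([string]$User) {
    # Revoke one user's startup key; every other protector stays as it is.
    $mine = @(Get-StartupKeyProtectors | Where-Object { $_.FriendlyName -eq "startupkey:$User" })
    if ($mine.Count -eq 0) { throw "no startup key protector found for $User" }
    # Caveat: BitLocker refuses to delete the last key protector on an
    # encrypted volume (FVE_E_KEY_REQUIRED) because the volume would become
    # unrecoverable. Check before deleting rather than after a failure.
    $all = $vol.GetKeyProtectors($ALL_PROTECTORS)
    if ($all.ReturnValue -ne 0) { throw ("GetKeyProtectors failed: 0x{0:X8}" -f $all.ReturnValue) }
    if (@($all.VolumeKeyProtectorID).Count -le $mine.Count) {
        throw "refusing to remove the only remaining key protector(s) on C:"
    }
    foreach ($p in $mine) {
        $d = $vol.DeleteKeyProtector($p.Id)
        if ($d.ReturnValue -ne 0) { throw ("DeleteKeyProtector failed: 0x{0:X8}" -f $d.ReturnValue) }
    }
}

# Usage:
#   Add-UserStartupKey -User alice -BekDir 'E:\'
#   Add-UserStartupKey -User bob   -BekDir 'F:\'
#   Get-StartupKeyProtectors          # two external-key protectors, one per user
#   Remove-UserStartupKey -User bob   # bob's .BEK no longer unlocks C:; alice's still does
```

The same steps can be done by hand with manage-bde: `manage-bde -protectors -add C: -sk E:\` creates a startup-key protector and writes its .BEK, `manage-bde -protectors -get C:` lists protector IDs, and `manage-bde -protectors -delete C: -id {GUID}` removes one protector. What manage-bde does not give you is the user name next to each GUID, which is why the example carries it in FriendlyName; an enterprise tool would more likely keep that mapping in a directory or database keyed by the protector GUID. Note that deleting a protector only revokes that .BEK for future startups; it does not prove the file was never copied, which is the weakness tavis raises.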

Vistax64.com is an independent web site and has not been authorized,
sponsored, or otherwise approved by Microsoft Corporation.
"Windows Vista", the Start Orb, and related materials are trademarks of Microsoft Corp.
© Designer Media 2005-2008