|
 |  |  |  |  |  |  |
| Welcome to Windows Vista Forums. Our forum is dedicated to helping you find solutions with any problems, errors or issues you are experiencing with Windows Vista. The Vista forum also covers news and updates and has an extensive Windows Vista tutorial section that covers a wide range of tips and tricks. |
| |||||||
 |
| |
09-05-2006
| #1 (permalink) |
| | Using bitlocker to isolate users' data I have a machine that has no TPM hardware. The machine needs to run Vista. Multiple users each need to be able to power up and shut down the computer by themselves, and store their data on the machine's hard drive. Also, each user wants assurance that if any other user pulls the hard drive and reads it in another machine, then that latter user can't read the former user's data. If a user forgets his password (and loses his backup recovery keys, etc), all of the data which he has stored on the machine should be unrecoverable. The problem of a user pulling the hard drive, installing a trojan horse into Vista, and then putting the hard drive back in the machine for other users to continue using is a threat which I'm explicitly _not_ trying to solve at the moment. Neither am I trying to solve the problem of other users planting any kind of hardware bugs in/on the machine. If I use bitlocker to encrypt everything, then all users need to know the bootup password, so all users have the ability to pull the hard drive and read all data, which is unacceptable. If each user uses EFS, then all users would have the ability to pull the hard drive and at least get directory listings of other users' data even if users' private EFS keys weren't stored on the hard drive, which is also unacceptable. So how do I accomplish this user isolation? |
My System Specs |
|
09-08-2006
| #2 (permalink) |
| | Re: Using bitlocker to isolate users' data This would be achievable if you had TPM hardware on the machine. We can hopefully address this scenario in the near future, but pondering over this, I can't see a BitLocker and/or EFS combination that would address all of the requirements below. - Jamie Hunter [MS] --- "Roof Fiddler" <fiddler@roof.com> wrote in message news:O2pfz0S0GHA.2072@TK2MSFTNGP06.phx.gbl... >I have a machine that has no TPM hardware. The machine needs to run Vista. >Multiple users each need to be able to power up and shut down the computer >by themselves, and store their data on the machine's hard drive. Also, each >user wants assurance that if any other user pulls the hard drive and reads >it in another machine, then that latter user can't read the former user's >data. If a user forgets his password (and loses his backup recovery keys, >etc), all of the data which he has stored on the machine should be >unrecoverable. > The problem of a user pulling the hard drive, installing a trojan horse > into Vista, and then putting the hard drive back in the machine for other > users to continue using is a threat which I'm explicitly _not_ trying to > solve at the moment. Neither am I trying to solve the problem of other > users planting any kind of hardware bugs in/on the machine. > If I use bitlocker to encrypt everything, then all users need to know the > bootup password, so all users have the ability to pull the hard drive and > read all data, which is unacceptable. > If each user uses EFS, then all users would have the ability to pull the > hard drive and at least get directory listings of other users' data even > if users' private EFS keys weren't stored on the hard drive, which is also > unacceptable. > > So how do I accomplish this user isolation? > |
| My System Specs |
|
| Thread Tools | |
| |
Similar Threads | ||||
| Thread | Forum | |||
| Data recovery of Bitlocker drive. | General Discussion | |||
| Backing up Bitlocker encrypted data | Vista security | |||
| can bitlocker protect my data from someone accessing it online? | Vista security | |||
| So much for Bitlocker/EFS. MS supplies law enforcement with usb key to extract data | System Security | |||
| How Do I Isolate What's Trigging DEP? | Vista General | |||
