Using bitlocker to isolate users' data

Discussion in 'Windows Vista Security' started by Roof Fiddler, Sep 5, 2006.

  1. Roof Fiddler

    Roof Fiddler Guest

    I have a machine that has no TPM hardware. The machine needs to run Vista.
    Multiple users each need to be able to power up and shut down the computer
    by themselves, and store their data on the machine's hard drive. Also, each
    user wants assurance that if any other user pulls the hard drive and reads
    it in another machine, then that latter user can't read the former user's
    data. If a user forgets his password (and loses his backup recovery keys,
    etc), all of the data which he has stored on the machine should be
    unrecoverable.
    The problem of a user pulling the hard drive, installing a trojan horse into
    Vista, and then putting the hard drive back in the machine for other users
    to continue using is a threat which I'm explicitly _not_ trying to solve at
    the moment. Neither am I trying to solve the problem of other users planting
    any kind of hardware bugs in/on the machine.
    If I use bitlocker to encrypt everything, then all users need to know the
    bootup password, so all users have the ability to pull the hard drive and
    read all data, which is unacceptable.
    If each user uses EFS, then all users would have the ability to pull the
    hard drive and at least get directory listings of other users' data even if
    users' private EFS keys weren't stored on the hard drive, which is also
    unacceptable.

    So how do I accomplish this user isolation?
     
    Roof Fiddler, Sep 5, 2006
    #1
    1. Advertisements

  2. This would be achievable if you had TPM hardware on the machine. We can
    hopefully address this scenario in the near future, but pondering over this,
    I can't see a BitLocker and/or EFS combination that would address all of the
    requirements below.
    -
    Jamie Hunter [MS]
     
    Jamie Hunter [MS], Sep 8, 2006
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.