[146002] in cryptography@c2.net mail archive
Re: Disk encryption advice...
daemon@ATHENA.MIT.EDU (Victor Duchovni)
Fri Oct  8 18:21:36 2010
Date: Fri, 8 Oct 2010 18:20:23 -0400
From: Victor Duchovni <Victor.Duchovni@morganstanley.com>
To: cryptography@metzdowd.com
Mail-Followup-To: cryptography@metzdowd.com
In-Reply-To: <20101008162757.17705320@seasnet-6-11.cis.upenn.edu>
On Fri, Oct 08, 2010 at 04:27:57PM -0400, Perry E. Metzger wrote:
> I have a client with the following problem. They would like to
> encrypt all of their Windows workstation drives, but if they do that,
> the machines require manual intervention to enter a key on every
> reboot. Why is this a problem? Because installations and upgrades of
> many kinds of Windows software require multiple reboots, and they
> don't want to have to manually intervene on every machine in their
> buildings in order to push out software and patches.
> 
> (The general threat model in question is reasonably sane -- they
> would like drives to be "harmless" when machines are disposed of or if
> they're stolen by ordinary thieves, but on the network and available
> for administration the rest of the time.)
> 
> Does anyone have a reasonable solution for this?
Commercial products have a mode in which you can drop the requirement
for a key for one reboot. Presumably the key is then erased. This may
be a reasonable compromise. The devil is in the details.
-- 
	Viktor.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com