On Fri, Oct 08, 2010 at 04:27:57PM -0400, Perry E. Metzger wrote:

> I have a client with the following problem. They would like to
> encrypt all of their Windows workstation drives, but if they do that,
> the machines require manual intervention to enter a key on every
> reboot. Why is this a problem? Because installations and upgrades of
> many kinds of Windows software require multiple reboots, and they
> don't want to have to manually intervene on every machine in their
> buildings in order to push out software and patches.
>
> (The general threat model in question is reasonably sane -- they
> would like drives to be "harmless" when machines are disposed of or if
> they're stolen by ordinary thieves, but on the network and available
> for administration the rest of the time.)
>
> Does anyone have a reasonable solution for this?

Commercial products have a mode in which you can drop the requirement
for a key for one reboot. Presumably the key is then erased. This may be
a reasonable compromise. The devil is in the details.

--
	Viktor.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com