As you (hopefully) know, Windows Vista ships with a component we call Bitlocker - at least some of the Windows Vista versions do. Now, Bitlocker can be run with different ways of protecting your keys: a TPM chip (basically a smartcard on your motherboard), a normal USB-stick, the TPM chip with a password and the TPM chip with a USB-stick. If we look into these options, we have certain advantages and disadvantages:
So, out of the box, I would try to use the TPM with PIN or (if you happen not to have a TPM 1.2) use the USB-solution and try to educate the users (ever tried to do that????)
Now, I used a kind of additional option: I am using Bitlocker with a USB-stick but I am using a USB-stick that is protected with my fingerprint. This is a pretty smart device as the fingerprint-reader is part of the USB-stick meaning that the notebook does not even see the USB-stick until I am authenticated with one of my fingerprints. If you have this, the following scenario works:
I know that the point with the recovery screen is not too nice but this is the only way it works. Beforehand, there is no power on the USB port and therefore the stick cannot be unlocked and then it takes only a fraction of a second until Bitlocker sees that it has no USB stick attached and this is simply not enough time for the USB stick to recognize that I have my finger on the stick. With this limitation, I think that this is a really nice setup. If you now get hold of my notebook bag, you even have the USB stick but not my finger (I hope). You will therefore not have access to my disk nor boot my machine.
Cool, isn't it?
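As an added example (not part of the original post), here is a PowerShell check that reports which of the protector combinations discussed above a volume actually uses, so an administrator can confirm that a machine ended up with TPM + PIN or a startup key rather than TPM only. It assumes the BitLocker PowerShell module (Get-BitLockerVolume), which exists on current Windows but not on Vista, and an elevated prompt.

```powershell
# Added example: classify the key protectors on a BitLocker volume by the
# options the post discusses (TPM only, USB startup key, TPM + PIN, TPM + USB).
# Assumes the BitLocker module (Get-BitLockerVolume) and an elevated prompt.

function Get-BitLockerProtectorPosture {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    # KeyProtectorType values come from the BitLocker module's enumeration.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Rank the boot-time protector set; the order prefers a factor the user
    # must supply (PIN or key) over a TPM that unlocks the disk unattended.
    $posture = if ($types -contains 'TpmPinStartupKey') {
        'TPM + PIN + startup key: disk unlocks only with the PIN and the USB stick'
    } elseif ($types -contains 'TpmPin') {
        'TPM + PIN: disk unlocks only after the user enters the PIN'
    } elseif ($types -contains 'TpmStartupKey') {
        'TPM + startup key: whoever holds the machine and the stick can boot it'
    } elseif ($types -contains 'ExternalKey') {
        'Startup key only: the USB stick is the whole secret, so it must stay with its owner'
    } elseif ($types -contains 'Tpm') {
        'TPM only: the disk unlocks without any user interaction at boot'
    } else {
        'No boot-time protector found on this volume'
    }

    [pscustomobject]@{
        MountPoint          = $MountPoint
        ProtectionStatus    = $vol.ProtectionStatus
        Protectors          = ($types -join ', ')
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        Posture             = $posture
    }
}

# Audit every BitLocker volume on this machine.
Get-BitLockerVolume | ForEach-Object { Get-BitLockerProtectorPosture -MountPoint $_.MountPoint }
```

A volume with no RecoveryPassword protector is worth flagging too, since the recovery screen the post mentions is the only way back in when the stick or TPM is unavailable.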
What USB Biometric stick do you use that can run without the OS? I've looked and can't find one anywhere.
I am using one of a company called Veridicom (http://www.veridicom.com/). There is at least one other vendor but I cannot give you the names (as I do not have them :-))
Yeah, that does seem to be a big problem. The Veridicom sticks are about $130 US as opposed to $50 or so for vendors such as Axiom...so what seems like an inexpensive solution ends up being close to what one could maybe do with a more comprehensive biometric solution. The $100 or so for Software Assurance to even get BitLocker for a new machine plus $130 apiece for bio readers makes a practical BitLocker deployment rather spendy.
Anybody else know of any less-expensive BL-compatible bio USB sticks? Gonna have to go PIN if I can't find one soon.