Encryption software that allows for password OR keyfile

1

My requirement is that my Windows 8 laptop should be encrypted (whole system drive) and ask for password on boot, except when it is docked in a specific docking station. If docked, it should boot automatically, without requiring any user input (think wake-on-LAN or similar).

Logically, the most straightforward way to achieve this would be to store the password (encrypted with some laptop-hardware-specific key) on a USB drive that's kept plugged in the docking station, so that the encryption software can read it and boot automatically; or ask for password if the key is not found.

Is there an encryption software with which it would be possible? So far I've looked at TrueCrypt and BitLocker (only Googled, not actually tested since I don't have a separate system to play with), and neither appears to be able to do this.

Modus Operandi

Posted 2014-01-09T15:47:19.573

Reputation: 109

Have you looked at something like the YubiKey? http://www.yubico.com/products/yubikey-hardware/yubikey/ I've used these when contracting to various places and it pretty much does what you're asking. Looks like it integrates with TrueCrypt - http://www.yubico.com/applications/disk-encryption/disk-encryption-truecrypt/ – sgtbeano – 2014-01-09T16:00:12.057

BitLocker: AFAIR you can use multiple "locking mechanisms" like password and USB stick at the same time in an "or" manner, meaning you only need one of the two. Maybe you have to use the command-line tools to set it up this way, but it should be possible. – Robert – 2014-01-09T16:32:36.720

I did, and it comes close, but unless I misunderstood something, it still requires a person to be present to push the button on the YubiKey to make it input the password. That's why I said "without requiring any user input (think wake-on-LAN or similar)". I need to be able to turn on the computer remotely. – Modus Operandi – 2014-01-09T16:32:58.813

@Robert According to Microsoft, this isn't possible. From http://technet.microsoft.com/en-us/library/ee424319(v=ws.10).aspx: "If you choose to require a startup option, the other startup options must be disallowed." Seems I can have PIN, USB or both, but not either. – Modus Operandi – 2014-01-09T17:20:43.747

@Modus That is the group policy, which is not relevant in your case. Anyway, you always have multiple types active, because there is always the recovery password, which is active regardless of what you select in the GUI. – Robert – 2014-01-09T18:34:12.697

No answers