I just ordered a new machine.
The old one is not encrypted, but before I now receive the new one I wanted to ask about a strategy for the new encryption. My main fear is losing the password and making the system inaccessible for myself.
So, what I have is my main machine, which will run Windows 8, the backup HDDs (currently my main machine is a laptop, so those are USB), and my Android device.
I also own a YubiKey, but I don’t use it at the moment.
I want the main machine asking the disk password before I can boot. How I would do this is not decided yet, but I think it doesn’t play a role for my question. Second one is a password for the user accounts. This usually will only be my account, but maybe there will be a guest account. Then the backup HDDs have to be encrypted too. And lastly, the Android device needs another password.
So, there are several passwords that should be long and cannot be forgotten. The YubiKey could store one static password, and the second slot could be used for a 2-factor-auth for my Windows account, but how can I safely store the other passwords? They should be long, but I don’t want to type in the password for the external disks every time.
My current idea is the following: The machine starts, and I let the YubiKey enter a static password to decrypt the main disk (maybe for TrueCrypt or something). Windows boots, I can now use 2-factor-authentication to log in. A script started after login could then enter the password for the external disks and mount them. (Which would, the password would be stored on the main HDD.)
Is this safe, or is there a better way to do this?
(I hope I explained this well and the question fits here.)
There are several issues here.
Firstly, I don’t believe that TrueCrypt will work with Windows 8.1. Rather, it does work but cannot be used to encrypt the boot partition due to issues with the UEFI BIOS. If you have W8.1 Pro or Enterprise, you can use BitLocker. Otherwise, you will need another, paid-for tool.
@JKM has already mentioned the issue with a script.
A better way would be to use something like KeePass to keep passwords. You would still need to sort out the boot disk password and the Windows password and a KeePass password. But you can use KeePass to run scripts that can be passed the user id/password securely. So KeePass would keep your USB disk passwords and be able to mount the drives.
I use something similar. I have a number of TrueCrypt files that I mount as virtual drives when I need them; KeePass has entries that will automatically mount the files as drives when I need them. I only need to remember the password for KeePass.
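
One way an entry of the kind described in the answer above can be set up, using KeePass 2.x's `cmd://` URL scheme and `{PASSWORD}` placeholder with TrueCrypt's command-line switches. This is an added example, not part of the original answer; the install path, the container path `E:\backup.tc` and the drive letter are assumptions.

```text
# KeePass 2.x entry fields (constructed sample values; paths and drive letter are assumptions)
Title:     Backup container
User name: (unused)
Password:  <the TrueCrypt volume password, kept only in the KeePass database>
URL:       cmd://"C:\Program Files\TrueCrypt\TrueCrypt.exe" /v "E:\backup.tc" /l X /p "{PASSWORD}" /q /s

# /v  volume (container file or device) to mount
# /l  drive letter to mount it as
# /p  volume password; KeePass substitutes {PASSWORD} when the URL is opened
# /q  perform the mount and exit without showing the TrueCrypt window
# /s  together with /q, suppress prompts and error dialogs
```

Opening the entry's URL (Ctrl+U) mounts the volume, so no password is stored in a script on the main disk. The substituted password is part of the TrueCrypt.exe command line while that process runs, where other processes in the same session can read it.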