Hi All

First post here

I'm a bit of a security nut and am hyper paranoid about securing my Windows 8.1 x64 as best as possible. Currently I use a loooong password on my encrypted Windows (system) Bitlocker drive that I enter at the pre-boot screen. My other 3 data drives (ie: non-system) are also encrypted with Bitlocker and auto-unlock once I login.

I currently have an Asus motherboard that does NOT have a TPM chip and adding one isn't an option. Buying a new motherboard also isn't an option right now. I do use UEFI and SecureBoot is enabled.

I'll be rebuilding my machine in the coming weeks/months (possibly with Windows 10) but it got me thinking...how can I take this to the next level so that my machine is even MORE secure than it is now!

Here are some of my ideas:

  1. Use a startup key on a USB key to unlock the system/Windows drive that will be encrypted using Bitlocker. I can't find a better or more secure way to do this? You can't password/PIN protect the startup key so when I'm not using the machine I'd have to take the USB key with me. What I'd also like to know here is, if someone gets my Bitlocker startup key and they manage to boot my machine, they WON'T be able to login as my Windows accounts will require a smart card, but will they be able to plug my Windows drive into another machine and then use the Bitlocker startup key to decrypt the system drive? Also, if I encrypt all my other data (non-system) drives using a smart card, I'm assuming that the system drive startup key can NOT be used to decrypt these drives...is this correct?
  2. Buy a Gemalto smart card and encrypt the non-system fixed data drives. Can I auto-unlock all my data drives if they have been encrypted with Bitlocker using a smart card? I'd hate to enter my PIN on all 3 data drives every single time if there's an easier way.
  3. Use the same smart card to login to Windows using EIDAuthenticate - this works on a non-domain (ie: workgroup) machine so is perfect for me. EIDAuthenticate lets you login to Windows with a smart card in a workgroup setting (ie: no domain needed or CAs needed)

My main question is about auto unlocking encrypted drives if they have been encrypted using a smart card, but I welcome all ideas, suggestions and thoughts on how to make my setup like Fort Knox! If I haven't explained myself clearly then please ask
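The protector layout sketched in the post (startup key on USB for the OS volume, smart-card protector plus auto-unlock on the fixed data volumes) can be built and audited with the built-in BitLocker cmdlets and manage-bde. The script below is an added example written for this page; it is not code from the original post or from Microsoft. Drive letters, the USB path and the certificate thumbprint are placeholders you would replace. Two points the cmdlet output makes visible: every protector on a volume is an independent way to unlock that volume (they are alternatives, not factors), and a startup key is an external key file that is not bound to the machine when there is no TPM, so `manage-bde -unlock <vol> -RecoveryKey <file>.BEK` will open the OS volume on any machine. Auto-unlock adds an extra External Key protector to each data volume whose key is kept inside the encrypted OS volume, so with auto-unlock on, the smart card is only a second door next to that one, and the data drives become exactly as strong as whatever unlocks C:.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Builds the protector layout described in the
# post and prints an audit of the result. Run in an elevated PowerShell on the target machine.
#
# Assumptions (hypothetical, adjust for your machine):
#   C:       - the Windows (OS) volume
#   D: F: G: - the three fixed data volumes
#   E:\      - the removable USB stick that will hold the startup key (.BEK file)
#   $CardThumbprint - thumbprint of the smart-card certificate in the current user's Personal store
$OsDrive        = 'C:'
$DataDrives     = 'D:', 'F:', 'G:'
$UsbPath        = 'E:\'
$CardThumbprint = '0000000000000000000000000000000000000000'   # placeholder, replace

# 1. Without a TPM, BitLocker refuses a startup key (or password) on the OS volume unless the
#    "Require additional authentication at startup" policy permits it. These two values are
#    what the Group Policy setting writes.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord

# 2. OS volume: startup-key protector. This writes a .BEK file to the USB stick. If the volume is
#    already encrypted (the post's case: a pre-boot password is in place) the key is simply added
#    as a further protector; any single protector unlocks the volume.
$os = Get-BitLockerVolume -MountPoint $OsDrive
if ($os.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod Aes256 `
        -StartupKeyProtector -StartupKeyPath $UsbPath | Out-Null
} else {
    Add-BitLockerKeyProtector -MountPoint $OsDrive `
        -StartupKeyProtector -StartupKeyPath $UsbPath | Out-Null
}
# Always keep a recovery password (48 digits) for the OS volume; store it offline, not on the stick.
if (-not ($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
}

# 3. Data volumes: smart-card (certificate) protector, optionally with auto-unlock.
foreach ($d in $DataDrives) {
    $v = Get-BitLockerVolume -MountPoint $d
    if ($v.VolumeStatus -eq 'FullyDecrypted') {
        # Turn encryption on with a recovery password; the card protector is added right after.
        Enable-BitLocker -MountPoint $d -EncryptionMethod Aes256 -RecoveryPasswordProtector | Out-Null
    }
    # The BitLocker PowerShell module has no cmdlet for certificate protectors, so use manage-bde.
    # The certificate needs the BitLocker Drive Encryption EKU (1.3.6.1.4.1.311.67.1.1) unless the
    # "Validate smart card certificate usage rule compliance" policy has been changed.
    & manage-bde.exe -protectors -add $d -certificate -ct $CardThumbprint
    # Auto-unlock: adds an External Key protector whose key is stored in the encrypted OS volume, so the
    # drive opens at boot without the card. Leave this line out for any drive that must require the PIN.
    Enable-BitLockerAutoUnlock -MountPoint $d | Out-Null
}

# 4. Audit: one row per volume, listing every protector type that can open it. A volume showing
#    'ExternalKey' next to 'Certificate' (or next to 'StartupKey' on C:) has two independent ways in.
function Get-ProtectorSummary {
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Volume     = $_.MountPoint
            Type       = $_.VolumeType
            Status     = $_.VolumeStatus
            Protection = $_.ProtectionStatus
            AutoUnlock = $_.AutoUnlockEnabled
            Protectors = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
        }
    }
}
Get-ProtectorSummary | Format-Table -AutoSize

# 5. Only after a successful reboot with the USB key inserted: remove the old pre-boot password so
#    the startup key is the sole non-recovery protector. Kept commented out on purpose; do not run
#    it before the reboot test has passed.
# $pw = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
#       Where-Object KeyProtectorType -eq 'Password'
# Remove-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $pw.KeyProtectorId
```

Reading the audit table answers the post's two factual questions directly: the OS volume's StartupKey protector does not appear on D:, F: or G:, because each volume has its own volume master key and its own protector list, so a startup key for C: cannot open the data drives; but once `AutoUnlock` is `True` on a data drive, its ExternalKey protector opens it for anyone who can boot Windows from C:, card or no card.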