TrueCrypt – Managing Keys in a Business Environment

Tags: encryption, truecrypt, user-management

What would be some of the best options for implementing TrueCrypt on all external devices, so that if any are lost or stolen the data is not readable to another person, but which could be managed in a way that users wouldn't accidentally forget their entire hard drive by losing an encryption key?

Each machine and user doesn't necessarily need to be encrypted from each other; however, if that would be manageable, obviously more security is always better.

This would be for a Windows domain that is primarily Windows XP / Server 2003. However, there are future plans to migrate to Windows 7 and Server 2008.

How would you script the install for Active Directory?

Best Answer

One suggestion could be to encrypt the volume with an encryption key only (no passphrase), but keep the key always encrypted on laptops/workstations with EFS (Windows only), so that in reality both the user's password (optionally the backup agent key) and the encryption key are used by TrueCrypt.

This way, access to the encrypted devices will be "transparent" to the users, and you can manage passwords, EFS backup keys, etc. centrally without having to worry about lost keys, etc.
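As an added illustration of this design (example code, not part of the original answer), a PowerShell script for one user: it generates a random keyfile, places it under EFS, refuses to mount if the keyfile is ever found unencrypted, and mounts the keyfile-only container through TrueCrypt's command-line switches. The TrueCrypt install path, keyfile location, container path and drive letter are assumptions, and EFS must be enabled in the domain for `cipher /e` to succeed.

```powershell
# Added example (not from the original answer). Paths and names below are placeholders.
$TrueCrypt = 'C:\Program Files\TrueCrypt\TrueCrypt.exe'
$KeyFile   = Join-Path $env:APPDATA 'TrueCrypt\volume.key'   # per-user keyfile, kept under EFS
$Volume    = 'E:\secure.tc'                                   # keyfile-only container on the external drive
$Letter    = 'T'                                              # drive letter to mount it on

function New-EfsKeyfile {
    param([string]$Path)
    $dir = Split-Path $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # 64 random bytes; TrueCrypt mixes the keyfile content into the volume's key material.
    $bytes = New-Object byte[] 64
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    [IO.File]::WriteAllBytes($Path, $bytes)
    # Put the keyfile under EFS: readable only with this user's credentials or by the
    # domain's EFS recovery agent, which is what gives the admins a way back in.
    cipher.exe /e $Path | Out-Null
}

function Test-EfsEncrypted {
    param([string]$Path)
    return [bool]((Get-Item $Path).Attributes -band [IO.FileAttributes]::Encrypted)
}

function Mount-KeyfileVolume {
    param([string]$Volume, [string]$KeyFile, [string]$Letter)
    # A keyfile lying around in clear on a stolen laptop is the password stored next to
    # the volume, so refuse to proceed rather than mount anyway.
    if (-not (Test-EfsEncrypted $KeyFile)) {
        throw "Keyfile $KeyFile is not EFS-encrypted; run: cipher /e `"$KeyFile`""
    }
    # /p "" = empty password (keyfile only), /k = keyfile, /l = drive letter,
    # /q = quit after mounting, /s = no dialogs, so the mount is transparent to the user.
    # The literal '""' is passed so TrueCrypt receives an empty password argument.
    & $TrueCrypt /v $Volume /l $Letter /k $KeyFile /p '""' /q /s
}

if (-not (Test-Path $KeyFile)) { New-EfsKeyfile $KeyFile }
Mount-KeyfileVolume $Volume $KeyFile $Letter
```

Run it from a logon script so the volume appears at logon; dismount at logoff with `TrueCrypt.exe /d T /q /s`.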