Moin Moin (as we say "Hi" in Hamburg & northern Germany),
Maybe I am over-complicating or don't see the normal/easy way... maybe you can help to encrypt multiple systems with minimal password entering? I am not sure about posting here, but I have no idea where else to ask or what alternative/additional software I should look at...
I have been an IT professional for the last 20 years, but besides the occasional BitLocker laptop I had little to no contact or experience with file & disc encryption in the past...
Now I plan to renew my private hardware quite soon - but I have some trouble finding a solution that will suffice or satisfy my needs.
I hope someone here can help me, or direct me to additional info / products / hardware that helps me to achieve the following:
I want to encrypt multiple PCs:
(System=Raid1 & Data=(Raid1 + noRaid), and some external Data=Raid1)
● Sys1+2= Win7x64
● Sys3= Server2012R2
● External data is connected via USB3
● Maybe Sys1-3 will have a shadow-system for plausible deniability
● I am uncertain if it's necessary, so maybe later follows:
1x Laptop Win7x64
2x Android Tablet
Sounds easy enough, but here are the tricky parts:
1.) Sys3 is headless (no display, no keyboard, no mouse - RDP only)
... and so I really would like to automate the login...
2.) Since my girlfriend and I don't want to log in daily:
+ to 2-3 SystemEncryptions
+ to 2-3 WindowsPasswords
+ to 0-10 DataEncryptions
... so we REALLY would like to automate ALL encryption logins :-)
3.) To conserve power and minimize costs - we don't want to let systems run 24/7
4.) To automate decryption, I need to use keyfiles - I am fine with that!
5.) The keyfile used by ALL systems should be on a smartcard/stick/token or on a central network location, ... so it can be removed swiftly and easily to secure all devices
Ok I can hear the scream of outrage :-)
Yes I know, at 1st glance this defeats the encryption purpose.
But we would like to create some kind of Single-Sign-On, with keyfiles/smartcards/fingerprint reader etc.
Here is my wild idea :-)
● All encryptions have no passwords, but use a keyfile
● The keyfile is stored in one central location, like on a smartcard/stick/token, or it is solely stored on a network share like on our pfSense, maybe even on a ramdisc...
-> so if I cut power -> keyfile is gone! -> after restoring power, no system can be accessed without me restoring the key first...
-> With a backup keyfile the ramdisc can be easily rebuilt, voilà auto-decryption works again
● Possible procedure:
- if we leave our apartment for vacation
- or are in fear of intrusion
- or are in fear of unwanted access
we can (if keyfile is on a smartcard/stick/token):
- remove/destroy the smartcard (a copy would be hidden somewhere in the cloud) and turn off all systems / cut the power
or we can (if keyfile is only on a ramdisc):
- cut the power -> keyfile is gone -> no system can reboot automatically -> unwanted access prevented
Well, the problem is, system-disc encryption does not support keyfiles!
So how can I secure our systems and data without a password horror each day?
Background Info: Against what do I want to protect?
● System-discs need to be encrypted because:
Systems will contain sensitive and private data, passwords or similar data - to strictly divide all sensitive data is a possibility, but I don't really see how it will be practical
Protect against: Break-ins, theft and intrusions
● Data needs to be encrypted because:
Well obviously data will contain sensitive and/or private data which we want to protect!
Protect against: Break-ins, theft and intrusions
& External drives may be transported - so protection against loss & theft
Ok I am not sure how we can build a solution that is working. I would prefer only to work with VeraCrypt, but I don't see how we can protect system discs without a passphrase, and on Sys3 this will be impossible. Bummer.
So please, if you have any idea how to achieve this, please help me to find a solution - I am pretty sure that would even be a very interesting solution for a widespread audience :-)
● Alternative 1 (not favored):
- DataEncryption only - decryption can be automated
- SysEncryption maybe only on Sys1
- Separate Sys from Data -> winnow all Data -> all sensitive Data is on encrypted discs (very hard to achieve, to control and to maintain I think... )
- Sys3 needs to be reevaluated entirely
● Alternative 2:
?
● Alternative 3:
?
Lovely greetings from Hamburg (Germany)
Sascha
PS:
Sorry, I tried to tidy up this post - but ... wow, this Forum-Text-Editor ... I have ever seen :-O
... so I hope you can still understand :-))))
Last edit: Sascha 2019-03-30
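As an added illustration of the "data containers decrypt automatically while the keyfile is present, and stay locked once it is pulled" idea from the post (example code, not from the thread and not VeraCrypt's own tooling): a PowerShell script for the Windows machines that mounts the VeraCrypt data containers only when the keyfile is found on a removable token, and a lock function to run before leaving or cutting power. The VeraCrypt install path, the token volume label KEYTOKEN, the container paths and the drive letters are assumptions; Get-WmiObject is used so it also works on Win7.

```powershell
# Added example (not from the thread): auto-mount VeraCrypt data containers
# with a single keyfile that lives only on a removable token (or a ramdisc),
# plus a "lock everything" function. Paths, labels and letters are assumed.
$VeraCrypt = 'C:\Program Files\VeraCrypt\VeraCrypt.exe'   # assumed install path

# Constructed sample list: container file -> drive letter to mount it on.
$Containers = @{
    'D:\containers\docs.hc'   = 'P'
    'E:\containers\photos.hc' = 'Q'
}

function Get-TokenKeyFile {
    # Locate the token by its volume label; the keyfile is never copied to
    # the system disc, so pulling the token removes the key from every PC.
    $vol = Get-WmiObject Win32_LogicalDisk -Filter "VolumeName='KEYTOKEN'"
    if (-not $vol) { return $null }
    $path = Join-Path $vol.DeviceID 'vc.key'          # e.g. X:\vc.key (assumed name)
    if (Test-Path $path) { return $path } else { return $null }
}

function Mount-Containers {
    $key = Get-TokenKeyFile
    if (-not $key) {
        # No token -> nothing is mounted and no password dialog is shown.
        Write-Warning 'Key token/keyfile not present - containers stay locked.'
        return $false
    }
    $ok = $true
    foreach ($c in $Containers.GetEnumerator()) {
        # /v volume, /l letter, /k keyfile, /p "" empty password (keyfile-only
        # volume), /q quit after mounting, /s silent: no dialogs at all.
        $vcArgs = @('/v', "`"$($c.Key)`"", '/l', $c.Value,
                    '/k', "`"$key`"", '/p', '""', '/q', '/s')
        Start-Process -FilePath $VeraCrypt -ArgumentList $vcArgs -Wait -NoNewWindow
        if (-not (Test-Path "$($c.Value):\")) {
            Write-Warning "Mount failed: $($c.Key)"
            $ok = $false
        }
    }
    return $ok
}

function Lock-Containers {
    # Dismount all volumes (/d, /f forces open handles closed) and wipe the
    # password cache (/w) before pulling the token or cutting the power.
    Start-Process -FilePath $VeraCrypt -ArgumentList @('/d', '/f', '/w', '/q', '/s') -Wait -NoNewWindow
}

Mount-Containers
```

Run Mount-Containers from a scheduled task at logon and Lock-Containers from a desktop shortcut or a shutdown script; with the token absent the script exits without mounting anything and without prompting.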
System encryption is possible with key files on external USB. See the EFI hidden OS discussion on the forum. There are several guides. It is a long story.
Great - how unexpected :-)
I will have a look!
Maybe someone can still point me in the right direction concerning single-sign-on / central keyfile...
The only possibility supported for now is the password cache. It is possible to save 4 passwords to the security region (SR) on USB.
To auto-login Windows - there is little interest from the community in the DCS project. Single sign-on is a convenient professional feature. Need to implement a custom login UI.
Hi,
sorry for the late response - it seems that achieving OS encryption with a keyfile might be quite an effort - I will look into this :-)
Regarding "single sign on":
Sorry, I should not have used this word - with single-sign-on I meant that:
I only have to enter one "normal" password on Windows, and all the different encryption containers are decrypted "automatically" via auto-use of keyfiles :-)
I did not mean the real SSO - to log in to multiple accounts in networked environments :-) Sorry for the confusion!
New Question:
Does anyone know a different free or commercial software that can encrypt the OS and can use only a token/smartcard/USB to decrypt it?
(no, I don't mean BitLocker :-) - but a trustworthy, secure 3rd-party tool...)
For everyone searching for the same answers:
1) here is the thread Alex referred to
2) here is my initial post in that thread with links to "all" infos/manuals
Last edit: Sascha 2019-04-27