Will BitLocker ever support keys stored on Smartcards to encrypt the VMK?
This would be a more secure way to carry the startup key around than by USB, since the .BEK file is simply a hidden file, easily copied if the USB key is used to share everyday data.
(Note that Federal Agencies have HSPD-12 to contend with, and will be averse to managing both USB keys and PIV cards at the same time!)
It also provides a way to uniquely identify and account for startup on a user-by-user basis, whereas currently there is only one startup key per machine, so multiple users of one laptop must carry the same startup key.
It would seem that storing keys on someone's smartcard isn't a big deal, until you realize what is necessary to track who has which startup key for which laptop, scaled across the enterprise of laptops.
And could an actual audit log be securely managed in the pre-boot environment, tracking who actually started up the machine and when, and somehow making this log available to the event logs on the running OS?
I did notice some interesting things about manage-bde - I can actually make several startup-key protectors for a single machine. For a multi-user machine, this could be used to assign a different startup key to each user. If one user no longer requires access to the machine, their key protector metadata could be deleted, leaving the others unchanged. Seems like an enterprise management nightmare, though...
Thanks!

BitLocker: SmartCard support?
You are correct that Smart Cards are more ideal than a USB key. We have to provide universal pre-boot Smart Card support (unlike specific 3rd party solutions, we cannot have hard-coded support for a limited set of providers), but we are working on this for a future version. You've identified frequent requests, but there is a limit on what we can provide for the first version.
The WMI interface is very rich in its capabilities. I'm sure we'll see some custom administration solutions coming out that take advantage of it, such as the multiple key support.
- Jamie Hunter [MS]
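The question's observation that manage-bde accepts several startup-key protectors on one volume, and the reply's point that custom administration tooling can build on that, can be shown in a short script. The following PowerShell is an added example, not code from either poster or from Microsoft: it adds one startup-key (ExternalKey) protector per user, records who holds which protector ID in a tracking file, and deletes a single user's protector without touching the others. The roster file path, its column layout and the user names are constructed for this example; the manage-bde switches (-protectors -add/-get/-delete, -StartupKey, -Type ExternalKey, -id) are the tool's own. It assumes BitLocker is already enabled on C: and is run from an elevated prompt.

```powershell
# Added example (not from the original thread): one startup-key protector per user
# on a shared machine, managed with manage-bde and tracked in a roster file.
# Assumptions: BitLocker is already on for $Volume, the script runs elevated, and
# $KeyDrive is the root of the user's removable drive. $Roster is a hypothetical path.

$Volume = 'C:'
$Roster = 'C:\ProgramData\BitLockerRoster.csv'   # constructed: columns User,ProtectorId,Added

function Get-ExternalKeyProtectorIds {
    # Parse the {GUID} protector IDs out of manage-bde's text listing of startup-key protectors.
    $out = & manage-bde -protectors -get $Volume -Type ExternalKey
    $out | ForEach-Object { if ($_ -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } }
}

function Add-UserStartupKey {
    param([string]$User, [string]$KeyDrive)
    # Snapshot the existing protector IDs so the newly created one can be identified.
    $before = @(Get-ExternalKeyProtectorIds)
    # manage-bde writes a hidden .BEK file to $KeyDrive and registers a new ExternalKey protector.
    & manage-bde -protectors -add $Volume -StartupKey $KeyDrive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde add failed for $User (exit $LASTEXITCODE)" }
    $new = Get-ExternalKeyProtectorIds | Where-Object { $before -notcontains $_ } | Select-Object -First 1
    if (-not $new) { throw "No new protector found after adding a key for $User" }
    # Record who holds which protector: this is the per-user accounting the thread asks about.
    [pscustomobject]@{ User = $User; ProtectorId = $new; Added = (Get-Date -Format o) } |
        Export-Csv -Path $Roster -Append -NoTypeInformation
    return $new
}

function Remove-UserStartupKey {
    param([string]$User)
    $entry = Import-Csv $Roster | Where-Object User -eq $User | Select-Object -First 1
    if (-not $entry) { throw "No protector recorded for $User" }
    # Deleting only this protector ID leaves every other user's startup key valid.
    & manage-bde -protectors -delete $Volume -id $entry.ProtectorId | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde delete failed for $User (exit $LASTEXITCODE)" }
    # Drop the revoked user from the roster so the file still matches the volume's protectors.
    Import-Csv $Roster | Where-Object User -ne $User | Export-Csv -Path $Roster -NoTypeInformation
}

# Usage (constructed user names and drive letters):
# Add-UserStartupKey    -User 'alice' -KeyDrive 'E:\'
# Add-UserStartupKey    -User 'bob'   -KeyDrive 'F:\'
# Remove-UserStartupKey -User 'bob'
# Get-ExternalKeyProtectorIds   # should now list only alice's protector ID
```

The roster is the part the question identifies as the real enterprise problem: manage-bde itself only knows protector IDs, so the mapping from person to protector has to be kept somewhere an administrator trusts and can audit. Keeping it alongside the volume's own protector list (the last usage line) gives a quick consistency check that the file and the machine still agree.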