I do not have any answers for the original question, but based on my own experience, I would not be satisfied with any of the solutions so far suggested. That is probably because my bizarre approach to the issue is too far off the beaten path to have been worth anyone's time to try and implement.
I have also done some work for others that requires some degree of data security, although so far not to the level described above, but I would also be tempted to mix in my own files of various types and degrees of privacy. What I have found in the past with this kind of system, files of different degrees of sensitivity, and worse, with different 'owners' of the data all on one workstation or server is that yes, you have some security until the encrypted drive is mounted, but after that all the walls tend to come down and accidental mixing may occur. I realize that it is the operator's responsibility to keep Company "A"'s trade secrets separate from Company "B"'s secrets, separate from my emails and downloaded music or videos, but the human is often subject to laziness and mental shortcuts, and drag 'n drop and click to save can sometimes drop files in the wrong directory structure, just because I was a hair off or not checking the browse window title. Thus I start putting files where they do not belong, when it is still possible for the computer to have 'helped' me be more careful.
What I envision is the already described 'hard' encryption of the entire volume so that if my computer is stolen, or someone hacks in, they will not be able to get any of the secured data. But once the volume password/phrase is verified and the volume decrypted and loaded, I would want 'internal' locks, barriers, and checking. So that if I am working on Company "A" data today, Company "B" data and directories remain locked and no accidental transfers can be made. Within the volume, I would want a second, fairly hard passcode/encryption to open the "NDA" covered items, a medium one on my personal financial data, and a mild one on my personal downloads. That way I can pick and choose which folders and files are even accessible at any one time.
But the real 'extra' I would like is that once I have unlocked the volume, then unlocked the Company "A" data to work on, and at the same time unlocked my music collection to listen to music while I work, and one or two personal folders where email attachments come from/go so that I can respond to that last email that came in. Now, I need help making sure that when I click and save an email attachment, it doesn't accidentally get stuffed in Company "A"'s data because that was the last directory that I saved to. So what I envision is a lightweight 'garden fence' separating and isolating opened secure file structure. And that the OS, or some other program, watches when I access, move, copy, etc., files that if they go between garden plots, or in and out of secure areas, that I need a short, maybe 2-letter code that I have to stop and think about before allowing access, to make sure that I really wanted to cross those boundaries. To make that work, my private files might be configured to consider the email client to be 'in', but the secure data to have the email client 'out'. Also, all temp files opened by editors, viewers, etc. should undergo the same checking, and default in some way to the same 'garden patch' as the parent program, which I think is the normal default anyway. But this way, if I drag and drop and the file hits a different window than I expected, a security dialog box would pop up and say "did you really want to transfer file xxxxx.xx from family photo album to Company "B" secure?" And if so, enter the 2-digit code of the destination, or maybe a source directory code dash destination directory code to make sure that you weren't just moving files and clicking on 'autopilot'.
I would also like to have some overall security monitor that would remind me what sections I have currently out and running in their 'garden patches', so that from time to time I can close ones I want to keep secure and clean if I find that I have started working elsewhere.
Like I said, I doubt that anyone has tried doing something like this, but at least in MY case, it would greatly reduce random files popping up in my folders where I did not expect them, and also provide a little more security on other files.
Mike
--
But he lives on in a Horcrux named Siri
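
The 'garden fence' check described in the post above, sketched as an added example (not the poster's code and not an existing tool). The plot names, directory roots, two-character codes, the `XX` code for paths outside every plot, and the program names are all constructed assumptions.

```python
import posixpath
from pathlib import PurePosixPath

# Constructed 'garden plots': root directory, 2-character code, programs that are 'in'.
ZONES = {
    "company_a": ("/vol/company_a", "CA", {"editor"}),
    "company_b": ("/vol/company_b", "CB", {"editor"}),
    "personal":  ("/vol/personal",  "PE", {"editor", "mailclient"}),
    "music":     ("/vol/music",     "MU", {"player"}),
}
OUTSIDE_CODE = "XX"  # assumed code for anything outside every plot


def zone_of(path):
    """Return the plot containing path, or None. '..' is collapsed first so a
    path cannot name one plot while actually landing in another."""
    p = PurePosixPath(posixpath.normpath(path))
    for name, (root, _code, _programs) in ZONES.items():
        if PurePosixPath(root) in (p, *p.parents):
            return name
    return None


def check_transfer(src, dst, program, unlocked, typed_code=None):
    """Return (decision, reason) for a copy/move/save; decision is
    'allow', 'confirm' (fence crossing, code still needed) or 'deny'."""
    s, d = zone_of(src), zone_of(dst)
    for z in (s, d):
        if z is None:
            continue
        if z not in unlocked:            # locked plots stay closed
            return "deny", f"{z} is locked"
        if program not in ZONES[z][2]:   # program configured 'out' of this plot
            return "deny", f"{program} is 'out' of {z}"
    if s == d:
        return "allow", "stays inside one plot"
    # Crossing a fence: require 'source code - destination code', typed by the user.
    expected = "-".join(ZONES[z][1] if z else OUTSIDE_CODE for z in (s, d))
    if typed_code == expected:
        return "allow", f"crossing {s} -> {d} confirmed"
    return "confirm", (f"Did you really want to transfer {posixpath.basename(src)} "
                       f"from {s} to {d}? Enter source code, dash, destination code.")
```

This covers only the decision logic; a working monitor would also have to intercept the file operations themselves and resolve symbolic links before classifying a path.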