[Also posted @ CipherShed]
I provide a db app to several large organisations. I would really like to defend my users' data against system administrators. On a company system the administrators can bitlocker their own drives or do whatever they want, but I don't want them to be able to look inside the folder that my 2-3 users share. A bad habit of sys admins is to move volumes around, clone them, back them up on removable media, or store them offline. They can also uninstall my app for several years at a time without telling me. Still, one of my databases went live in 1997 and has been running ever since. (I kid you not.) The expected future lifespan is 20 more years at a minimum. In the mean time, the Windows OSs that it runs on have come and gone. I can't even remember what they were all called. They will also will go on changing. In the past 18 years, who knows what the backup media have been or even where they physically are today - perhaps in a pile of e-waste in Nigeria. What I want to make sure is that my folder(s) are unintelligible to anybody other than me and my users.
With Truecrypt, as with other system resources, an administrator could mount a file as a system wide volume (e.g. X:), but this made it visible to everyone that the administrator gave permissions to. My users and I can't rely on the system administrator to do this - or trust them - because in the last 18 years this would have meant retraining a new one every 12-18 months given the likely rate of staff turnover.
Only one user at a time could mount a Truecrypt file volume (stored somewhere on the network) such that only they saw it as a drive letter.
I wonder if it is feasible to allow multiple users, given an appropriate mount/login protocol, to mount a file as a private volume only they can see?
In the first scenario, users are treated as friends of the administrator but strangers to one another. In the second scenario, users are strangers to the administrator, but friends to one another. If the administrator clones the drive or offlines a copy in the second scenario, who cares - the administrator was never allowed in anyway.
My wish anyway