Can you compel someone to disclose their password to gain access to encrypted evidence? In the civil litigation world, it's pretty clear you can, but it's been an open and contentious question on the criminal side. Now, with so many corporate clients and famous lawyer colleagues heading off to the slammer, we civil litigation types may need to give this some thought.
A federal magistrate in Vermont recently concluded that compelling the accused to reveal, or simply type in, his PGP password to unlock a laptop partition holding child pornography violates Fifth Amendment rights against self-incrimination. I saw the case blogged on CNET, but it turned up on The Volokh Conspiracy blog, too. The opinion, In re Boucher, notes that compelling disclosure intrudes into the contents of the defendant's mind and distinguishes requiring a defendant to disgorge a key (permissible) from requiring a defendant to reveal a combination to a safe (impermissible). If a BitLocker password resides on a thumb drive in his pocket, it seems a defendant has to give it up.
I'm not so sure this decision will stand, but it holds important lessons for computer forensic examiners to take to heart before they shut down a live system: Look for evidence of encryption before you pull the plug. If you find it, don't shut down, keep the screensaver from activating and get power to the machine pronto!